Adding vendor_apex_file for /vendor/apex
apexd needs to read /vendor/apex dir and files in it.
Bug: 131190070
Bug: 123378252
Test: 1. Add apex to /vendor/apex
-> see if boot succeeds with new policy
2. Add flattened apex to /vendor/apex
-> see if only root files are labelled as vendor_apex_file
Change-Id: I37795ab6d659ac82639ba5e34d628fe1b5cdb350
diff --git a/private/apexd.te b/private/apexd.te
index b3aabea..d0ec9f4 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -50,6 +50,10 @@
allow apexd staging_data_file:dir r_dir_perms;
allow apexd staging_data_file:file { r_file_perms link };
+# allow apexd to read files from /vendor/apex
+allow apexd vendor_apex_file:dir r_dir_perms;
+allow apexd vendor_apex_file:file r_file_perms;
+
# Unmount and mount filesystems
allow apexd labeledfs:filesystem { mount unmount };
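Review bot: The comment above the two new rules should record the scope of the access they grant, because the file_contexts entry added by this same change labels /vendor/apex only two path levels deep, so these rules cover the directory, the apex files in it and one level below each of them, while anything deeper (the body of a flattened apex, if apexd ever walks it) keeps the default vendor label and is not covered here. Suggested wording: `# allow apexd to scan /vendor/apex and read the apex files (and flattened apex roots) stored there; read-only by design`. If apexd only needs the top-level entries this is sufficient, but the comment should say so explicitly.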
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 45e1dd9..3c6ba08 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -195,6 +195,7 @@
usbd
usbd_exec
usbd_tmpfs
+ vendor_apex_file
vendor_init
vendor_shell
vold_metadata_file
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 0e830f8..3b9bd52 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -171,6 +171,7 @@
usbd
usbd_exec
usbd_tmpfs
+ vendor_apex_file
vendor_default_prop
vendor_init
vendor_security_patch_level_prop
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 2ea4d2c..f07103d 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -137,6 +137,7 @@
traced_lazy_prop
uri_grants_service
use_memfd_prop
+ vendor_apex_file
vendor_cgroup_desc_file
vendor_idc_file
vendor_keychars_file
diff --git a/private/file_contexts b/private/file_contexts
index 4f0690b..9e7bba7 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -352,6 +352,8 @@
/(vendor|system/vendor)/overlay(/.*)? u:object_r:vendor_overlay_file:s0
/(vendor|system/vendor)/framework(/.*)? u:object_r:vendor_framework_file:s0
+/vendor/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0
+
# HAL location
/(vendor|system/vendor)/lib(64)?/hw u:object_r:vendor_hal_file:s0
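Review bot: The new `/vendor/apex(/[^/]+){0,2}` entry does not use the `(vendor|system/vendor)` alternation that the neighbouring `overlay` and `framework` entries use, so on a layout where vendor content is reached through /system/vendor the directory would keep its fallback label and the apexd rules added in this change would not apply; if that layout is meant to be supported, `/(vendor|system/vendor)/apex(/[^/]+){0,2} u:object_r:vendor_apex_file:s0` matches the surrounding entries. The `{0,2}` bound is also the only thing that implements the "only root files are labelled" behaviour described in the commit message, so it deserves a comment such as `# /vendor/apex: label the directory, its entries, and one level below each entry (flattened apex root) only`.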
diff --git a/public/domain.te b/public/domain.te
index 634a5c5..a415646 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1003,6 +1003,7 @@
vendor_file_type
-same_process_hal_file
-vendor_app_file
+ -vendor_apex_file
-vendor_configs_file
-vendor_framework_file
-vendor_idc_file
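Review bot: Adding `-vendor_apex_file` to this exception list carves the new type out of the enclosing rule, whose head and tail are both outside this hunk, so the subject set it no longer applies to is not visible here; if this is the neverallow that keeps core domains away from vendor_file_type, the carve-out means nothing in the change limits vendor_apex_file to apexd and the kernel, and any core domain that later gains an allow rule can reach it. Consider pairing the exception with a narrower rule in the same file, along the lines of `neverallow { domain -apexd -kernel } vendor_apex_file:file no_rw_file_perms;`, with the exclusion set checked against the exceptions the existing rule already carries (init and vendor_init in particular). A one-line comment next to the exception naming why apexd needs it would also help the next reader.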
diff --git a/public/file.te b/public/file.te
index c8953de..d906b7f 100644
--- a/public/file.te
+++ b/public/file.te
@@ -286,6 +286,8 @@
type server_configurable_flags_data_file, file_type, data_file_type, core_data_file_type;
# /data/app-staging
type staging_data_file, file_type, data_file_type, core_data_file_type;
+# /vendor/apex
+type vendor_apex_file, vendor_file_type, file_type;
# Mount locations managed by vold
type mnt_media_rw_file, file_type;
diff --git a/public/kernel.te b/public/kernel.te
index 50e72c2..99ad014 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -85,8 +85,11 @@
# Needed because APEX uses the loopback driver, which issues requests from
# a kernel thread in earlier kernel version.
allow kernel apexd:fd use;
-allow kernel apex_data_file:file read;
-allow kernel staging_data_file:file read;
+allow kernel {
+ apex_data_file
+ staging_data_file
+ vendor_apex_file
+}:file read;
# Allow the first-stage init (which is running in the kernel domain) to execute the
# dynamic linker when it re-executes /init to switch into the second stage.