From 7ad743b7ed5e4905316fd7d6afb2d9220538a3fb Mon Sep 17 00:00:00 2001
From: Dario Freni <dariofreni@google.com>
Date: Thu, 18 Oct 2018 12:50:06 +0100
Subject: [PATCH] Allow PackageManager to communicate to apexd.
This is used for querying the installed packages, as well as coordinating the installations of packages.
Test: ran an app that queries PM, that queries apexd.
Bug: 117589375
Change-Id: I38203ffe6d0d312d6cc38e131a29c14ace0ba10c
---
 private/system_server.te | 4 ++++
 public/apexd.te | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/private/system_server.te b/private/system_server.te
index 49bba86a5..710413579 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -941,6 +941,10 @@ allow system_server system_server_startup:fd use;
 allow system_server system_server_startup_tmpfs:file { read write map };
 allow system_server system_server_startup:unix_dgram_socket write;
+# Allow system server to communicate to apexd
+allow system_server apex_service:service_manager find;
+allow system_server apexd:binder call;
+
 # dexoptanalyzer is currently used only for secondary dex files which
 # system_server should never access.
 neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
diff --git a/public/apexd.te b/public/apexd.te
index 0f0f5ac56..f99087921 100644
--- a/public/apexd.te
+++ b/public/apexd.te
@@ -6,8 +6,8 @@ binder_use(apexd)
 add_service(apexd, apex_service)
 set_prop(apexd, apexd_prop)
-neverallow { domain -init -apexd } apex_service:service_manager find;
-neverallow { domain -init -apexd } apexd:binder call;
+neverallow { domain -init -apexd -system_server } apex_service:service_manager find;
+neverallow { domain -init -apexd -system_server } apexd:binder call;
 neverallow domain apexd:process ptrace;
-- 
GitLab
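Review bot: The added `allow system_server apexd:binder call;` grants only `call`, so a reply from apexd that carries a file descriptor or another binder object, or a request in which system_server hands apexd an fd for a package, would still be denied unless `transfer` and `fd use` are granted somewhere outside this hunk. Android policy normally expresses a client relationship as `binder_call(system_server, apexd)`, which covers those permissions in both directions; if `call` alone is deliberate (the interface only returns plain data), the comment should say so. The comment should also record the trust decision being made, since system_server is a large attack surface being given a path into a daemon the policy otherwise shields with neverallow rules: `# Allow system_server (PackageManager) to find and call apexd. apexd must still verify the caller's UID on each transaction; this rule only narrows which domains can reach it.`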
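Review bot: The two neverallow rules in public/apexd.te are the hard guarantee that nothing but init and apexd can reach the apex service, and the change widens their exception set without any comment explaining why system_server is trusted or what it is expected to do with the access. As this is public policy that vendor policy builds against, each exemption should be justified in place so that later additions are not copy-pasted; I would put above the first neverallow: `# Only init, apexd itself and system_server (PackageManager, for querying and coordinating APEX installs) may find or call apexd. Extend this list only with a written justification.` Note too that the exemption covers all of system_server, not just PackageManager, so any code running in that process gains the ability to call apexd; that is acceptable if apexd validates its callers, but it is worth stating here.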