Allow PackageManager to communicate to apexd.

This is used for querying the installed packages, as well as coordinating the installations of packages. Test: ran an app that queries PM, that queries apexd. Bug: 117589375 Change-Id: I38203ffe6d0d312d6cc38e131a29c14ace0ba10c

Allow PackageManager to communicate to apexd.
This is used for querying the installed packages, as well as coordinating the installations of packages. Test: ran an app that queries PM, that queries apexd. Bug: 117589375 Change-Id: I38203ffe6d0d312d6cc38e131a29c14ace0ba10c
7ad743b7 · Dario Freni · 41ddb80c · 7ad743b7 · 7ad743b7
Commit 7ad743b7 authored 6 years ago by Dario Freni
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -941,6 +941,10 @@ allow system_server system_server_startup:fd use;
 allow system_server system_server_startup_tmpfs:file { read write map };
 allow system_server system_server_startup:unix_dgram_socket write;
+# Allow system server to communicate to apexd
+allow system_server apex_service:service_manager find;
+allow system_server apexd:binder call;
 # dexoptanalyzer is currently used only for secondary dex files which
 # system_server should never access.
 neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;

--- a/public/apexd.te
+++ b/public/apexd.te
@@ -6,8 +6,8 @@ binder_use(apexd)
 add_service(apexd, apex_service)
 set_prop(apexd, apexd_prop)
-neverallow { domain -init -apexd } apex_service:service_manager find;
+neverallow { domain -init -apexd -system_server } apex_service:service_manager find;
-neverallow { domain -init -apexd } apexd:binder call;
+neverallow { domain -init -apexd -system_server } apexd:binder call;
 neverallow domain apexd:process ptrace;