From 9f343b32be0a15139b0a9f51d864cc4f9b7eeed4 Mon Sep 17 00:00:00 2001
From: Narayan Kamath <narayan@google.com>
Date: Fri, 4 Jan 2019 16:22:19 +0000
Subject: [PATCH] Allow system_server to read apex_data_file.

For consistency with APKs, signature verification is performed in the system_server. This includes checking that the signature of an updated install matches the signature of the active package that it updates. For this, it requires search access to /data/apex and read access to the files under that directory.

Test: m
Change-Id: Ia073adb8892886e4767fa5529e95c110b9cbff1b
---
 private/apexd.te | 2 +-
 private/system_server.te | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/private/apexd.te b/private/apexd.te
index bed895306..4850d617d 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -68,5 +68,5 @@ allow apexd sysfs_loop:file rw_file_perms;
 dontaudit apexd self:global_capability_class_set { dac_override dac_read_search };
 neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
-neverallow { domain -apexd -init -kernel } apex_data_file:file no_rw_file_perms;
+neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
 neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
diff --git a/private/system_server.te b/private/system_server.te
index f3d2ffd99..4581417a5 100644
--- a/private/system_server.te
+++ b/private/system_server.te
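Review bot: Relaxing the file rule from `no_rw_file_perms` to `no_w_file_perms` drops the read-side neverallow for every domain, not just for system_server, so a later stray `allow` granting read on apex_data_file:file to an unrelated domain would no longer be caught at policy build time. If system_server is the only intended reader, keeping the stronger invariant and carving it out explicitly preserves that check: `neverallow { domain -apexd -init -kernel -system_server } apex_data_file:file no_rw_file_perms;`. The unchanged dir rule on the line above uses `no_w_dir_perms`, which does not cover `search`, so the `dir search` grant in private/system_server.te remains compatible with it either way.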
@@ -963,6 +963,13 @@ allow system_server system_server_startup:unix_dgram_socket write;
 allow system_server apex_service:service_manager find;
 allow system_server apexd:binder call;
+# Allow the system server to read files under /data/apex. The system_server
+# needs these privileges to compare file signatures while processing installs.
+#
+# Only apexd is allowed to create new entries or write to any file under /data/apex.
+allow system_server apex_data_file:dir search;
+allow system_server apex_data_file:file r_file_perms;
+
 # dexoptanalyzer is currently used only for secondary dex files which
 # system_server should never access.
 neverallow system_server dexoptanalyzer_exec:file no_x_file_perms;
-- 
GitLab
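Review bot: The added comment `# Only apexd is allowed to create new entries or write to any file under /data/apex.` overstates the guarantee: the neverallow rules in private/apexd.te exempt init (dir and file) and kernel (file), so apexd is not the sole writer the policy enforces. Rewording to `# Only apexd (plus init/kernel, see the neverallow rules in apexd.te) may create entries or write files under /data/apex.` keeps the comment consistent with the enforcing rules. Note also that `dir search` without `read` lets system_server open files under /data/apex by a known path but not enumerate the directory; that appears sufficient for comparing a specific package's signature, but is worth confirming against the caller in system_server.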