From ac2b2d44b313ecd226d1bce022f2e11725e99492 Mon Sep 17 00:00:00 2001
From: Martijn Coenen <maco@google.com>
Date: Thu, 8 Nov 2018 10:37:36 +0100
Subject: [PATCH] Allow the kernel to access apexd file descriptors.

In earlier kernel versions (<4.0), the loopback driver issues
requests from a kernel thread. Therefore, the kernel needs access
to APEX file descriptors and data files (which are loopback
mounted).

Bug: 119220815
Test: mounting works on sailfish
Change-Id: I75b2bade41c64cf6fa6040d9c2f5489a206e04c6
---
 private/apexd.te | 2 +-
 public/kernel.te | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/private/apexd.te b/private/apexd.te
index d7a31732f..ab136eb3a 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -50,5 +50,5 @@ allow apexd labeledfs:filesystem { mount unmount };
 dontaudit apexd self:global_capability_class_set { dac_override dac_read_search };
 
 neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
-neverallow { domain -apexd -init } apex_data_file:file no_rw_file_perms;
+neverallow { domain -apexd -init -kernel } apex_data_file:file no_rw_file_perms;
 neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
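Review bot: Adding `-kernel` to the `apex_data_file:file` neverallow lifts the entire `no_rw_file_perms` assertion for the kernel domain, while the grant this commit adds in public/kernel.te is only `read`, so the policy no longer asserts that the kernel cannot write APEX data files. The read-only intent can be kept enforceable by pairing the exemption with a kernel-specific assertion, `neverallow kernel apex_data_file:file no_w_file_perms;`, which the new `allow kernel apex_data_file:file read;` already satisfies. The `dir` neverallow on the preceding line is left intact, which is consistent with no directory permissions being granted to kernel.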
diff --git a/public/kernel.te b/public/kernel.te
index d20bc4710..d3a60790b 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -81,6 +81,12 @@ allow kernel media_rw_data_file:file create_file_perms;
 # Access to /data/misc/vold/virtual_disk.
 allow kernel vold_data_file:file { read write };
 
+# Allow the kernel to read APEX file descriptors and data files;
+# Needed because APEX uses the loopback driver, which issues requests from
+# a kernel thread in earlier kernel version.
+allow kernel apexd:fd use;
+allow kernel apex_data_file:file read;
+
 # Allow the first-stage init (which is running in the kernel domain) to execute the
 # dynamic linker when it re-executes /init to switch into the second stage.
 # Until Linux 4.8, the program interpreter (dynamic linker in this case) is executed
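Review bot: The new comment reads "in earlier kernel version" and uses a semicolon after "data files"; it also leaves out the threshold the commit message gives, which a reader of kernel.te cannot see. Suggest `# Allow the kernel to use APEX file descriptors and read APEX data files.`, `# Needed because APEX images are loopback mounted and, on kernels before 4.0,`, `# the loopback driver issues requests from a kernel thread.`. It may also be worth a short note that `open` is deliberately not granted on `apex_data_file:file`, presumably because the kernel reads through a descriptor apexd already opened (hence `apexd:fd use`); confirm that before stating it.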
-- 
GitLab