Allow apexd to create symlink in /apex.

Bug: 115710947
Test: on device
Change-Id: Ie712689d80fb829f16de70e865cac4f0ff4e9b35

private/apexd.te

@@ -29,6 +29,9 @@ allow apexd apex_mnt_dir:dir create_dir_perms;
 # allow apexd to mount in /apex
 allow apexd apex_mnt_dir:filesystem { mount unmount };
 allow apexd apex_mnt_dir:dir mounton;
+# allow apexd to create symlinks in /apex
+allow apexd apex_mnt_dir:lnk_file create_file_perms;
+
 # Unmount and mount filesystems
 allow apexd labeledfs:filesystem { mount unmount };
 
@@ -40,3 +43,4 @@ dontaudit apexd self:global_capability_class_set { dac_override dac_read_search
 
 neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init } apex_data_file:file no_rw_file_perms;
+neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;

public/domain.te

@@ -343,6 +343,10 @@ with_asan(`allow domain system_data_file:dir getattr;')
 # Under ASAN, /system/asan.options needs to be globally accessible.
 with_asan(`allow domain system_asan_options_file:file r_file_perms;')
 
+# read APEX dir and stat any symlink pointing to APEXs.
+allow domain apex_mnt_dir:dir search;
+allow domain apex_mnt_dir:lnk_file r_file_perms;
+
 ###
 ### neverallow rules
 ###

public/init.te

@@ -205,6 +205,7 @@ allow init {
 
 allow init {
   file_type
+  -apex_mnt_dir
   -app_data_file
   -exec_type
   -iorapd_data_file

public/vendor_init.te

@@ -78,6 +78,7 @@ allow vendor_init {
 
 allow vendor_init {
   file_type
+  -apex_mnt_dir
   -core_data_file_type
   -exec_type
   -system_file_type