From bab267a88fa553f8e05ad6afef279219f19b74f5 Mon Sep 17 00:00:00 2001
From: Dario Freni <dariofreni@google.com>
Date: Tue, 16 Oct 2018 08:02:49 +0100
Subject: [PATCH] Allow apexd to create symlink in /apex.

Bug: 115710947
Test: on device
Change-Id: Ie712689d80fb829f16de70e865cac4f0ff4e9b35
---
 private/apexd.te      | 4 ++++
 public/domain.te      | 4 ++++
 public/init.te        | 1 +
 public/vendor_init.te | 1 +
 4 files changed, 10 insertions(+)

diff --git a/private/apexd.te b/private/apexd.te
index dcec2487b..adf6c9758 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -29,6 +29,9 @@ allow apexd apex_mnt_dir:dir create_dir_perms;
 # allow apexd to mount in /apex
 allow apexd apex_mnt_dir:filesystem { mount unmount };
 allow apexd apex_mnt_dir:dir mounton;
+# allow apexd to create symlinks in /apex
+allow apexd apex_mnt_dir:lnk_file create_file_perms;
+
 # Unmount and mount filesystems
 allow apexd labeledfs:filesystem { mount unmount };
 
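Review bot: The added `allow apexd apex_mnt_dir:lnk_file create_file_perms;` grants more than the comment above it describes, because `create_file_perms` also carries rename, setattr and the read/write set. If apexd only creates, reads and removes these links, a narrower rule such as `allow apexd apex_mnt_dir:lnk_file { create getattr read unlink };` would keep the sole writer of /apex symlinks at least privilege. Add `rename` only if links are swapped in place. Whether apexd needs more than this cannot be seen from the hunk.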
@@ -40,3 +43,4 @@ dontaudit apexd self:global_capability_class_set { dac_override dac_read_search
 
 neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init } apex_data_file:file no_rw_file_perms;
+neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;
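Review bot: The added `neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;` has no comment, although the `-apex_mnt_dir` exclusions in public/init.te and public/vendor_init.te appear to exist to satisfy it. A line above it such as `# Only apexd may create or modify symlinks in /apex; every other domain resolves them read-only.` would record that coupling. As far as I can tell, `no_w_file_perms` does not include `relabelto`, so a domain allowed to relabel a link to apex_mnt_dir would not trip this rule. Consider adding `relabelto` to the denied set if that path matters here.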
diff --git a/public/domain.te b/public/domain.te
index fa21e1f37..680d5e48b 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -343,6 +343,10 @@ with_asan(`allow domain system_data_file:dir getattr;')
 # Under ASAN, /system/asan.options needs to be globally accessible.
 with_asan(`allow domain system_asan_options_file:file r_file_perms;')
 
+# read APEX dir and stat any symlink pointing to APEXs.
+allow domain apex_mnt_dir:dir search;
+allow domain apex_mnt_dir:lnk_file r_file_perms;
+
 ###
 ### neverallow rules
 ###
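Review bot: The comment says domains only stat the links, but `allow domain apex_mnt_dir:lnk_file r_file_perms;` grants the whole read set (open, ioctl and lock as well as getattr and read) to every domain. Following a symlink needs `read` and stat needs `getattr`, so `allow domain apex_mnt_dir:lnk_file { getattr read };` would match the stated intent. Otherwise reword the comment to say the links are read and followed. Because the grant covers all of `domain`, the integrity of paths under /apex rests on the neverallow in private/apexd.te keeping apexd the only writer.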
diff --git a/public/init.te b/public/init.te
index eb27dbd32..430b120ef 100644
--- a/public/init.te
+++ b/public/init.te
@@ -205,6 +205,7 @@ allow init {
 
 allow init {
   file_type
+  -apex_mnt_dir
   -app_data_file
   -exec_type
   -iorapd_data_file
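Review bot: The `-apex_mnt_dir` exclusion is added without explanation, and the class and permission list of this `allow init { ... }` block close outside the hunk, so it cannot be confirmed from here which object class init loses. A line above the block such as `# apex_mnt_dir is excluded: only apexd may write symlinks in /apex (see neverallow in private/apexd.te).` would explain it. Please also confirm the exclusion sits only in the lnk_file block, since init presumably still needs to set up /apex itself. The same applies to the `allow vendor_init { ... }` hunk in public/vendor_init.te.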
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 8cd9b473e..c5cad47b0 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -78,6 +78,7 @@ allow vendor_init {
 
 allow vendor_init {
   file_type
+  -apex_mnt_dir
   -core_data_file_type
   -exec_type
   -system_file_type
-- 
GitLab