From ecc09871bae469fe8e57f395f8627e391fd6f9a9 Mon Sep 17 00:00:00 2001
From: Jiyong Park <jiyong@google.com>
Date: Fri, 12 Oct 2018 19:21:12 +0900
Subject: [PATCH] Allow apexd to realpath(3) on apex_key_files

apexd uses realpath(3) to ensure that the public key file it will use
is under the /system/etc/security/apex directory. To support this,
allow apexd to getattr on apex_key_files.

The canonicalization is required because the key name from APEX might be
wrong. For example, if the key name from an APEX is '../../some/path'
then apexd will use '/system/etc/security/apex/../../some/path' as the
public key file, which is incorrect.

Bug: 115721587
Test: m apex.test; m
/apex/com.android.example.apex@1 exists

Change-Id: I6dc5efa0de369f8497e4f6526e0164e2de589c67
---
 private/apexd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/private/apexd.te b/private/apexd.te
index adf6c9758..32efb9882 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -3,7 +3,7 @@ typeattribute apexd coredomain;
 init_daemon_domain(apexd)
 
 # Read /system/etc/security/apex_debug_key
-allow apexd apex_key_file:dir search;
+allow apexd apex_key_file:dir { search getattr };
 allow apexd apex_key_file:file r_file_perms;
 
 # Allow reading and writing of APEX files in the APEX data dir
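Review bot: The comment above the changed rule still reads only "Read /system/etc/security/apex_debug_key", so the new `getattr` on the directory is left unexplained in the policy itself, and a later cleanup could drop it as unused; the commit message says it exists so realpath(3) can canonicalize the key path and reject traversal like `../../some/path`. Suggest extending the comment to `# Read keys under /system/etc/security/apex; dir getattr is needed by realpath(3), which apexd uses to canonicalize the key path before trusting it`. The commit message names the directory as /system/etc/security/apex while the existing comment names apex_debug_key, so it is not clear from this hunk which path apex_key_file actually labels; worth aligning the comment with the labelled path. Note also that realpath(3) follows symlinks, so the containment check in apexd only holds if the resolved path is compared after canonicalization and the directory itself is not writable by less trusted domains, which this policy file does not show.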
-- 
GitLab