Allow apexd to realpath(3) on apex_key_files

apexd uses realpath(3) to ensure that the public key file that will use is under /system/etc/security/apex directory. In order to support it, allow apexd to getattr on apex_key_files. The canonicalization is required because the key name from APEX might be wrong. For example, if the key name from an APEX is '../../some/path' then apexd will use '/system/etc/security/apex/../../some/path' as the public key file, which is incorrect. Bug: 115721587 Test: m apex.test; m /apex/com.android.example.apex@1 exists Change-Id: I6dc5efa0de369f8497e4f6526e0164e2de589c67

Allow apexd to realpath(3) on apex_key_files
apexd uses realpath(3) to ensure that the public key file that will use is under /system/etc/security/apex directory. In order to support it, allow apexd to getattr on apex_key_files. The canonicalization is required because the key name from APEX might be wrong. For example, if the key name from an APEX is '../../some/path' then apexd will use '/system/etc/security/apex/../../some/path' as the public key file, which is incorrect. Bug: 115721587 Test: m apex.test; m /apex/com.android.example.apex@1 exists Change-Id: I6dc5efa0de369f8497e4f6526e0164e2de589c67
ecc09871 · Jiyong Park · a26763ec · ecc09871
Commit ecc09871 authored 6 years ago by Jiyong Park
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -3,7 +3,7 @@ typeattribute apexd coredomain;
 init_daemon_domain(apexd)
 # Read /system/etc/security/apex_debug_key
-allow apexd apex_key_file:dir search;
+allow apexd apex_key_file:dir { search getattr };
 allow apexd apex_key_file:file r_file_perms;
 # Allow reading and writing of APEX files in the APEX data dir