Merge "Introduce apex_info_file type"
diff --git a/private/apexd.te b/private/apexd.te
index c03790c..4d9f5ac 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -64,6 +64,9 @@
 allow apexd apex_mnt_dir:dir mounton;
 # allow apexd to create symlinks in /apex
 allow apexd apex_mnt_dir:lnk_file create_file_perms;
+# allow apexd to create /apex/apex-info-list.xml and relabel to apex_info_file
+allow apexd apex_mnt_dir:file { create_file_perms relabelfrom };
+allow apexd apex_info_file:file relabelto;
 # allow apexd to unlink apex files in /data/apex/active
 # note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
 # because it doesn't have write permission for staging_data_file object.
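Review bot: The added `allow apexd apex_mnt_dir:file { create_file_perms relabelfrom };` lets apexd create and write any regular file labeled apex_mnt_dir, not only the info list, and the file keeps the directory's label until apexd relabels it. If apexd creates the file directly under its final name (not visible here), a named transition would label it correctly from creation and make the apex_mnt_dir:file grant unnecessary: `type_transition apexd apex_mnt_dir:file apex_info_file "apex-info-list.xml";` together with `allow apexd apex_info_file:file create_file_perms;`. Note also that after the relabel apexd holds only `relabelto` on apex_info_file in this hunk, so a later in-place rewrite or unlink would be denied unless a rule outside the hunk covers it.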
@@ -159,3 +162,6 @@
 # only apexd can set apexd sysprop
 set_prop(apexd, apexd_prop)
 neverallow { domain -apexd -init } apexd_prop:property_service set;
+
+# only apexd can write apex-info-list.xml
+neverallow { domain -apexd } apex_info_file:file no_w_file_perms;
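Review bot: The neverallow on `apex_info_file:file no_w_file_perms` does not cover `relabelto`, assuming `no_w_file_perms` expands as in global_macros, where it lists relabelfrom but not relabelto. A domain later granted `relabelto` on this type could write content under another label and relabel it into place, which defeats the "only apexd can write" intent. Consider adding `neverallow { domain -apexd } apex_info_file:file relabelto;`, with `-init` added if init's generic relabel rules (outside this diff) cover the type. The comment could also say that apexd writes the file as apex_mnt_dir and only relabels it, since this change grants apexd no write permission on apex_info_file.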
diff --git a/private/compat/30.0/30.0.ignore.cil b/private/compat/30.0/30.0.ignore.cil
index 3bc59e1..4c444d3 100644
--- a/private/compat/30.0/30.0.ignore.cil
+++ b/private/compat/30.0/30.0.ignore.cil
@@ -5,4 +5,5 @@
 (typeattribute new_objects)
 (typeattributeset new_objects
   ( new_objects
+    apex_info_file
     gnss_device))
diff --git a/private/file_contexts b/private/file_contexts
index 218bb51..dd64d57 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -33,6 +33,8 @@
 /sys                u:object_r:sysfs:s0
 /apex               u:object_r:apex_mnt_dir:s0
 
+/apex/apex-info-list.xml u:object_r:apex_info_file:s0
+
 # Symlinks
 /bin                u:object_r:rootfs:s0
 /bugreports         u:object_r:rootfs:s0
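Review bot: The `.` in `/apex/apex-info-list.xml` is unescaped, and file_contexts paths are regular expressions, so the entry matches any character in that position instead of a literal dot. The practical effect is small, but the entry is more precise as `/apex/apex-info-list\.xml u:object_r:apex_info_file:s0`. Aligning the context column with the neighbouring `/apex` line would also match the file's layout.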
diff --git a/private/system_server.te b/private/system_server.te
index bd87ead..4a3a538 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1094,6 +1094,9 @@
 # Allow system server to scan /apex for flattened APEXes
 allow system_server apex_mnt_dir:dir r_dir_perms;
 
+# Allow system server to read /apex/apex-info-list.xml
+allow system_server apex_info_file:file r_file_perms;
+
 # Allow system server to communicate to system-suspend's control interface
 allow system_server system_suspend_control_service:service_manager find;
 binder_call(system_server, system_suspend)
diff --git a/private/zygote.te b/private/zygote.te
index 5f08f8d..b1e2378 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -200,6 +200,9 @@
 # Allow zygote to access media_variant_prop for static initialization
 get_prop(zygote, media_variant_prop)
 
+# Allow zygote to read /apex/apex-info-list.xml
+allow zygote apex_info_file:file r_file_perms;
+
 ###
 ### neverallow rules
 ###
diff --git a/public/file.te b/public/file.te
index 462e71d..8f6b8eb 100644
--- a/public/file.te
+++ b/public/file.te
@@ -336,6 +336,9 @@
 # Mount point used for APEX images
 type apex_mnt_dir, file_type;
 
+# /apex/apex-info-list.xml created by apexd
+type apex_info_file, file_type;
+
 # /postinstall: Mount point used by update_engine to run postinstall.
 type postinstall_mnt_dir, file_type;
 # Files inside the /postinstall mountpoint are all labeled as postinstall_file.
diff --git a/public/init.te b/public/init.te
index 403b4c5..1390e9e 100644
--- a/public/init.te
+++ b/public/init.te
@@ -203,6 +203,7 @@
 
 allow init {
   file_type
+  -apex_info_file
   -app_data_file
   -exec_type
   -gsi_data_file
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 5cf085d..47db1cf 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -74,6 +74,7 @@
   -vold_metadata_file
   -gsi_metadata_file
   -apex_metadata_file
+  -apex_info_file
 }:file { create getattr open read write setattr relabelfrom unlink map };
 
 allow vendor_init {