Add apexd_payload_metadata_prop
This should be read-only and corresponds to apexd.payload_metadata.path
Bug: 191097666
Test: android-sh -c 'setprop apexd.payload_metadata.path'
See permission denied
atest MicrodroidHostTestCases
Change-Id: Ifcb7da1266769895974d4fef86139bad5891a4ec
diff --git a/private/apexd.te b/private/apexd.te
index 2e890a0..9dfe45f 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -158,6 +158,9 @@
# Allow apexd to read apex selection properties.
# These are used to choose between multi-installed APEXes at activation time.
get_prop(apexd, apexd_select_prop)
+#
+# Allow apexd to read apexd_payload_metadata_prop
+get_prop(apexd, apexd_payload_metadata_prop)
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
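Review bot: The comment added above `get_prop(apexd, apexd_payload_metadata_prop)` only restates the rule and is preceded by a bare `#` line, while the neighbouring comment for apexd_select_prop explains what those properties are used for. I would drop the lone `#` in favour of a blank line and name the property and its trust model, e.g. `# Allow apexd to read apexd.payload_metadata.path; only init may set it.` That way a reader of apexd.te can see why the read is granted without opening property.te and property_contexts.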
diff --git a/private/property.te b/private/property.te
index b196a1b..7033a06 100644
--- a/private/property.te
+++ b/private/property.te
@@ -1,5 +1,6 @@
# Properties used only in /system
system_internal_prop(adbd_prop)
+system_internal_prop(apexd_payload_metadata_prop)
system_internal_prop(ctl_snapuserd_prop)
system_internal_prop(device_config_lmkd_native_prop)
system_internal_prop(device_config_profcollect_native_boot_prop)
@@ -376,6 +377,15 @@
}:property_service set;
neverallow {
+ # Only allow init to set apexd_payload_metadata_prop
+ domain
+ -init
+} {
+ apexd_payload_metadata_prop
+}:property_service set;
+
+
+neverallow {
# Only allow init and shell to set userspace_reboot_test_prop
domain
-init
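Review bot: The new neverallow pins only the write side (`property_service set`), so nothing visible in this commit stops a later change from granting another domain read access to apexd_payload_metadata_prop. If apexd is meant to be the only consumer, a read-side assertion would lock that in, for example `neverallow { domain -init -apexd } apexd_payload_metadata_prop:file no_rw_file_perms;`. The exclusion list may need adjusting for any domain that legitimately reads it, and the system_internal_prop() declaration may already cover part of this. The block also adds two blank lines after its closing `}:property_service set;` where one would do. This hunk starts and ends inside the neighbouring neverallow blocks, so the surrounding rules are not fully visible here.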
diff --git a/private/property_contexts b/private/property_contexts
index 10735a5..3650a44 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -607,6 +607,7 @@
vold.post_fs_data_done u:object_r:vold_post_fs_data_prop:s0 exact int
+apexd.payload_metadata.path u:object_r:apexd_payload_metadata_prop:s0 exact string
apexd.status u:object_r:apexd_prop:s0 exact enum starting activated ready
odsign.key.done u:object_r:odsign_prop:s0 exact bool