Allow vold_prepare_subdirs to use apex_service
to get the list of active APEXes.
Bug: 293949266
Bug: 293546778
Test: CtsPackageSettingHostTestCases
Change-Id: I86f58158b97463206fb76a0c31f29b78874f4c35
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index ddb2828..0dcbe50 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -53,6 +53,12 @@
allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };
+# vold_prepare_subdirs asks apex_service for the list of APEXes
+# to prepapre apexdata dirs.
+binder_use(vold_prepare_subdirs)
+binder_call(vold_prepare_subdirs, apexd)
+allow vold_prepare_subdirs apex_service:service_manager find;
+
# Migrate legacy labels to apex_system_server_data_file (b/217581286)
allow vold_prepare_subdirs {
apex_appsearch_data_file
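Review bot: The comment introduced with the new binder rules misspells "prepare" — `# to prepapre apexdata dirs.` should read `# to prepare apexdata dirs.`. Since this comment is what justifies opening a new binder path from vold_prepare_subdirs to apexd (and the matching neverallow exemptions in public/apexd.te), it would also help to cite the tracking bug in the comment, e.g. `# (b/293949266)`, in the same style as the `b/217581286` reference on the migration rule just below, so the reason for the grant is discoverable from the policy file itself rather than only from git history.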
diff --git a/public/apexd.te b/public/apexd.te
index 53bc569..0b8073e 100644
--- a/public/apexd.te
+++ b/public/apexd.te
@@ -5,7 +5,7 @@
binder_use(apexd)
add_service(apexd, apex_service)
-neverallow { domain -init -apexd -system_server -update_engine } apex_service:service_manager find;
-neverallow { domain -init -apexd -system_server -servicemanager -update_engine } apexd:binder call;
+neverallow { domain -init -apexd -system_server -update_engine -vold_prepare_subdirs} apex_service:service_manager find;
+neverallow { domain -init -apexd -system_server -servicemanager -update_engine -vold_prepare_subdirs} apexd:binder call;
neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
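Review bot: The two rewritten neverallow lines drop the space before the closing brace of the domain set (`-vold_prepare_subdirs}`), which is inconsistent with the surrounding rules and with the original lines being replaced; they should end `-update_engine -vold_prepare_subdirs } apex_service:service_manager find;` and `-update_engine -vold_prepare_subdirs } apexd:binder call;`. A one-line comment above the pair noting that vold_prepare_subdirs is exempted only to query the active APEX list (the reason given in private/vold_prepare_subdirs.te) would make it easier for a later reviewer to judge whether the exemption is still needed, since these neverallows are the policy's guard against other domains reaching apexd.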