Allow apexd to execute toybox for snapshot & restore.
This allows apexd to execute "cp" to perform snapshot and
restore operations.
Other rules for this were added in aosp/1217340, but this one was
missed.
Bug: 141148175
Test: atest StagedRollbackTest#testRollbackApexDataDirectories_DeSys
Change-Id: Ia529ede468578bfadc87e049a2c0ab4f87e1c43d
diff --git a/private/apexd.te b/private/apexd.te
index 7f1d099..faff8c6 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -139,6 +139,9 @@
# Allow apexd to read file contexts when performing restorecon of snapshots.
allow apexd file_contexts_file:file r_file_perms;
+# Allow apexd to execute toybox for snapshot & restore
+allow apexd toolbox_exec:file rx_file_perms;
+
neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
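Review bot: The added rule `allow apexd toolbox_exec:file rx_file_perms;` grants more than its comment describes. `rx_file_perms` includes `execute_no_trans`, so the copy runs inside the apexd domain with all of apexd's permissions instead of transitioning to a confined domain. The `toolbox_exec` label covers the whole multi-call binary, while the commit message names only `cp` as needed. I would record both facts in the comment, for example `# Allow apexd to run toybox "cp" for snapshot & restore; no domain transition,` followed by `# so the applet runs as apexd and must only be invoked with fixed, apexd-controlled paths.` If later changes need more applets or caller-influenced arguments, a dedicated domain with an explicit transition would be the safer shape.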