Allow apexd to talk to vold. To query filesystem checkpointing state. Bug: 126740531 Test: no denials Change-Id: I28a68b9899d7cb42d7e557fb904a2bf8fa4ecf66

commit: 1f1c4c3fa55bf2e8237d68f870d42804d4816093 [log] [tgz]
author: Martijn Coenen <maco@google.com> Tue Mar 12 13:31:15 2019 +0100
committer: Martijn Coenen <maco@google.com> Thu Mar 14 07:23:40 2019 +0000
tree: 8f42c9af624f8bc8e11442d4969b361ed1523187
parent: 1795d0bcfd0f98369167f9a77972b3f8ebf1f34d [diff]
diff --git a/private/apexd.te b/private/apexd.te
index 3282cfc..4f2a093 100644
--- a/private/apexd.te
+++ b/private/apexd.te

@@ -80,6 +80,10 @@
 # not covered by rollback manager.
 set_prop(apexd, powerctl_prop)
 
+# Find the vold service, and call into vold to manage FS checkpoints
+allow apexd vold_service:service_manager find;
+binder_call(apexd, vold)
+
 # Apex pre- & post-install permission.
 
 # Allow self-execute for the fork mount helper.

diff --git a/public/vold.te b/public/vold.te
index cb21b83..c7d69be 100644
--- a/public/vold.te
+++ b/public/vold.te

@@ -290,8 +290,15 @@
 
 neverallow { domain -vold -init } restorecon_prop:property_service set;
 
-# Only system_server and vdc can interact with vold over binder
-neverallow { domain -system_server -vdc -vold -update_verifier } vold_service:service_manager find;
+neverallow {
+    domain
+    -system_server
+    -vdc
+    -vold
+    -update_verifier
+    -apexd
+} vold_service:service_manager find;
+
 neverallow vold {
   domain
   -ashmemd
commit	1f1c4c3fa55bf2e8237d68f870d42804d4816093	[log] [tgz]
author	Martijn Coenen <maco@google.com>	Tue Mar 12 13:31:15 2019 +0100
committer	Martijn Coenen <maco@google.com>	Thu Mar 14 07:23:40 2019 +0000
tree	8f42c9af624f8bc8e11442d4969b361ed1523187
parent	1795d0bcfd0f98369167f9a77972b3f8ebf1f34d [diff]