commit 261ea86192679a250231f5ad8290efe01caaf142
author Andreas Gampe <agampe@google.com> Tue Dec 04 16:29:21 2018 -0800
committer Andreas Gampe <agampe@google.com> Thu Jan 24 15:06:17 2019 -0800
tree ec715ae603829b1bd1cddf835a29584060aaf28b
parent 055286fc94b168a963cab6ff1018c5e59dc56d0e

Sepolicy: Initial Apexd pre-/postinstall rules

Give apexd permission to execute sh.

Add userdebug_or_eng domains and rules for the test
APEX for pre- and post-install.

Bug: 119260955
Bug: 119261380
Test: atest apexservice_test
Change-Id: I0c4a5e35e096101a53c9d1f212d2db2e63728267

private/apex_test_prepostinstall.te

diff --git a/private/apex_test_prepostinstall.te b/private/apex_test_prepostinstall.te
new file mode 100644
index 0000000..f1bc214
--- /dev/null
+++ b/private/apex_test_prepostinstall.te
@@ -0,0 +1,20 @@
+# APEX pre- & post-install test.
+#
+# Allow to run pre- and post-install hooks for APEX test modules
+# in debuggable builds.
+
+type apex_test_prepostinstall, domain, coredomain;
+type apex_test_prepostinstall_exec, system_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+  # /dev/zero
+  allow apex_test_prepostinstall apexd:fd use;
+  # Logwrapper.
+  create_pty(apex_test_prepostinstall)
+  # Logwrapper executing sh.
+  allow apex_test_prepostinstall shell_exec:file rx_file_perms;
+  # Logwrapper exec.
+  allow apex_test_prepostinstall system_file:file execute_no_trans;
+  # Ls.
+  allow apex_test_prepostinstall toolbox_exec:file rx_file_perms;
+')

private/apexd.te

diff --git a/private/apexd.te b/private/apexd.te
index 5beaa4b..4a496e5 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -70,6 +70,20 @@
 # Allow apexd to log to the kernel.
 allow apexd kmsg_device:chr_file w_file_perms;
 
+# Apex pre- & post-install permission.
+
+# Allow self-execute for the fork mount helper.
+allow apexd apexd_exec:file execute_no_trans;
+
+# Allow to execute shell for pre- and postinstall scripts. A transition
+# rule is required, thus restricted to execute and not execute_no_trans.
+allow apexd shell_exec:file { r_file_perms execute };
+
+# Allow transition to test APEX preinstall domain.
+userdebug_or_eng(`
+  domain_auto_trans(apexd, apex_test_prepostinstall_exec, apex_test_prepostinstall)
+')
+
 neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
 neverallow { domain -apexd } apex_mnt_dir:lnk_file no_w_file_perms;