Sepolicy: Initial Apexd pre-/postinstall rules Give apexd permission to execute sh. Add userdebug_or_eng domains and rules for the test APEX for pre- and post-install. Bug: 119260955 Bug: 119261380 Test: atest apexservice_test Change-Id: I0c4a5e35e096101a53c9d1f212d2db2e63728267

commit: 261ea86192679a250231f5ad8290efe01caaf142 [log] [tgz]
author: Andreas Gampe <agampe@google.com> Tue Dec 04 16:29:21 2018 -0800
committer: Andreas Gampe <agampe@google.com> Thu Jan 24 15:06:17 2019 -0800
tree: ec715ae603829b1bd1cddf835a29584060aaf28b
parent: 055286fc94b168a963cab6ff1018c5e59dc56d0e [diff] [blame]
diff --git a/private/apex_test_prepostinstall.te b/private/apex_test_prepostinstall.te
new file mode 100644
index 0000000..f1bc214
--- /dev/null
+++ b/private/apex_test_prepostinstall.te

@@ -0,0 +1,20 @@
+# APEX pre- & post-install test.
+#
+# Allow to run pre- and post-install hooks for APEX test modules
+# in debuggable builds.
+
+type apex_test_prepostinstall, domain, coredomain;
+type apex_test_prepostinstall_exec, system_file_type, exec_type, file_type;
+
+userdebug_or_eng(`
+  # /dev/zero
+  allow apex_test_prepostinstall apexd:fd use;
+  # Logwrapper.
+  create_pty(apex_test_prepostinstall)
+  # Logwrapper executing sh.
+  allow apex_test_prepostinstall shell_exec:file rx_file_perms;
+  # Logwrapper exec.
+  allow apex_test_prepostinstall system_file:file execute_no_trans;
+  # Ls.
+  allow apex_test_prepostinstall toolbox_exec:file rx_file_perms;
+')
commit	261ea86192679a250231f5ad8290efe01caaf142	[log] [tgz]
author	Andreas Gampe <agampe@google.com>	Tue Dec 04 16:29:21 2018 -0800
committer	Andreas Gampe <agampe@google.com>	Thu Jan 24 15:06:17 2019 -0800
tree	ec715ae603829b1bd1cddf835a29584060aaf28b
parent	055286fc94b168a963cab6ff1018c5e59dc56d0e [diff] [blame]