Merge changes I179c05b3,Ia529ede4 * changes: Add dac_read_search to apexd to prevent spurious denials. Allow apexd to execute toybox for snapshot & restore.

commit: 2b44078cacf34e2c31ba3df672af90243a5eceed [log] [tgz]
author: Oli Lan <olilan@google.com> Fri Jan 31 10:05:21 2020 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Fri Jan 31 10:05:21 2020 +0000
tree: 84891f795693cb42d3d605307375d026544d0a2d
parent: 89946d7e1ba3f31a5e38e1ed16b43fea72d6a689 [diff]
parent: 7e346c98fc9624d903b618140ebfd531c59853ff [diff]
diff --git a/private/apexd.te b/private/apexd.te
index 7f1d099..36b7999 100644
--- a/private/apexd.te
+++ b/private/apexd.te

@@ -45,7 +45,7 @@
 
 # sys_admin is required to access the device-mapper and mount
 # dac_override, chown, and fowner are needed for snapshot and restore
-allow apexd self:global_capability_class_set { sys_admin chown dac_override fowner };
+allow apexd self:global_capability_class_set { sys_admin chown dac_override dac_read_search fowner };
 
 # Note: fsetid is deliberately not included above. fsetid checks are
 # triggered by chmod on a directory or file owned by a group other
@@ -139,6 +139,9 @@
 # Allow apexd to read file contexts when performing restorecon of snapshots.
 allow apexd file_contexts_file:file r_file_perms;
 
+# Allow apexd to execute toybox for snapshot & restore
+allow apexd toolbox_exec:file rx_file_perms;
+
 neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init } apex_metadata_file:dir no_w_dir_perms;
 neverallow { domain -apexd -init -kernel } apex_data_file:file no_w_file_perms;
commit	2b44078cacf34e2c31ba3df672af90243a5eceed	[log] [tgz]
author	Oli Lan <olilan@google.com>	Fri Jan 31 10:05:21 2020 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Fri Jan 31 10:05:21 2020 +0000
tree	84891f795693cb42d3d605307375d026544d0a2d
parent	89946d7e1ba3f31a5e38e1ed16b43fea72d6a689 [diff]
parent	7e346c98fc9624d903b618140ebfd531c59853ff [diff]