Allow system_server to read/open apex_mnt_dir PackageManager tries to scan /apex (apex_mnt_dir) for flattened apexes. Previously, because /apex was blindly bind-mounted to /system/apex for "flattened" apexes, the label for /apex is the same as /system/apex, which is oaky for system_server to handle it. But to support flattened apexes from other partitions such as /vendor or /system_ext, every apex should be mounted under /apex individually, which leaves the se-label of /apex unchanged (apex_mnt_dir). Bug: 144732372 Test: boot with flattened apexes see if there are errors "denied system_server with apex_mnt_dir" Change-Id: I81bd6ab152770c3c569b22274a6caa026615303e

commit: 41870be726063219bf99fbe468c6e1e725fcdba8 [log] [tgz]
author: Jooyung Han <jooyung@google.com> Mon Nov 25 20:31:59 2019 +0900
committer: Jooyung Han <jooyung@google.com> Thu Dec 05 08:26:26 2019 +0900
tree: b7df7b789c4e3d6ebf239115bdb2241cbf124e82
parent: d1460a11111ba05808472a133eac37db4bb0eb4e [diff]
diff --git a/private/system_server.te b/private/system_server.te
index 5544279..0055a7d 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -1004,6 +1004,9 @@
 allow system_server apex_service:service_manager find;
 allow system_server apexd:binder call;
 
+# Allow system server to scan /apex for flattened APEXes
+allow system_server apex_mnt_dir:dir r_dir_perms;
+
 # Allow system server to communicate to system-suspend's control interface
 allow system_server system_suspend_control_service:service_manager find;
 binder_call(system_server, system_suspend)
commit	41870be726063219bf99fbe468c6e1e725fcdba8	[log] [tgz]
author	Jooyung Han <jooyung@google.com>	Mon Nov 25 20:31:59 2019 +0900
committer	Jooyung Han <jooyung@google.com>	Thu Dec 05 08:26:26 2019 +0900
tree	b7df7b789c4e3d6ebf239115bdb2241cbf124e82
parent	d1460a11111ba05808472a133eac37db4bb0eb4e [diff]