Add neverallow rules around who can mount/unmount /apex

Test: m
Bug: 188002184
Change-Id: I8f46896edbee7b68df6f1e3008ff4141df164e4c
diff --git a/private/apexd.te b/private/apexd.te
index 862bab9..48fbcb8 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -187,6 +187,13 @@
 # only apexd can write apex-info-list.xml
 neverallow { domain -apexd } apex_info_file:file no_w_file_perms;
 
+# Only apexd and init should be allowed to manage /apex mounts
+# A note on otapreopt_chroot. It used to mount APEXes during postainstall stage of A/B OTAs,
+# but starting from S it just calls into apexd to prepare /apex for otapreoprt. Once the sepolicies
+# around otapreopt_chroot are cleaned up we should be able to remove it from the lists below.
+neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount unmount };
+neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:dir { mounton };
+
 # Allow for use in postinstall
 allow apexd otapreopt_chroot:fd use;
 allow apexd postinstall_apex_mnt_dir:dir { create_dir_perms mounton };
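Review bot: The filesystem permission set on the first new neverallow is `{ mount unmount }`, so a domain outside the exemption list that holds `remount` on `apex_mnt_dir:filesystem` could still change the mount flags of /apex without tripping either rule; if that is not intended, `neverallow { domain -apexd -init -otapreopt_chroot } apex_mnt_dir:filesystem { mount remount unmount };` closes the gap, and any existing grant would then be caught at policy build time. The comment block above the rules has two typos: `postainstall` should read `postinstall` and `otapreoprt` should read `otapreopt`. The closing sentence of that comment ("we should be able to remove it from the lists below") would be easier to act on with a tracking reference, e.g. `# TODO(b/<cleanup-bug>): drop otapreopt_chroot from these lists`; I cannot tell from the hunk whether that is the same bug as the one in the commit message.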