Allow system server to read /vendor/apex. PackageManager needs to access these data to inspect APK signatures. Test: installed apex.test under /vendor/apex and verified it is recognized. Change-Id: I657958631939d67ee04c0836001f52c212a0a35d

commit: 4d3e9e7571227824354c182308b8cbf7316bae10 [log] [tgz]
author: Dario Freni <dariofreni@google.com> Tue Oct 15 12:44:04 2019 +0100
committer: Dario Freni <dariofreni@google.com> Wed Oct 16 12:45:38 2019 +0000
tree: a9f9d74e3c0f20db3bc08ac4e11846aaa781ffc6
parent: 2a6c860a94365704ad62fb4eadd9e24657233a3e [diff]
diff --git a/private/system_server.te b/private/system_server.te
index a7f9b13..3713d56 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -1002,6 +1002,12 @@
 allow system_server apex_data_file:dir { getattr search };
 allow system_server apex_data_file:file r_file_perms;
 
+# Allow the system server to read files under /vendor/apex. This is where
+# vendor APEX packages might be installed and system_server needs to parse
+# these packages to inspect the signatures and other metadata.
+allow system_server vendor_apex_file:dir { getattr search };
+allow system_server vendor_apex_file:file r_file_perms;
+
 # Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
 # communicate which slots are available for use.
 allow system_server metadata_file:dir search;
commit	4d3e9e7571227824354c182308b8cbf7316bae10	[log] [tgz]
author	Dario Freni <dariofreni@google.com>	Tue Oct 15 12:44:04 2019 +0100
committer	Dario Freni <dariofreni@google.com>	Wed Oct 16 12:45:38 2019 +0000
tree	a9f9d74e3c0f20db3bc08ac4e11846aaa781ffc6
parent	2a6c860a94365704ad62fb4eadd9e24657233a3e [diff]