Merge "Add policies for permission APEX data directory."
diff --git a/private/apexd.te b/private/apexd.te
index 1e1ccc5..62a3eff 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -12,6 +12,8 @@
allow apexd apex_metadata_file:file create_file_perms;
# Allow apexd to create directories for snapshots of apex data
+allow apexd apex_permission_data_file:dir create_dir_perms;
+allow apexd apex_permission_data_file:file create_file_perms;
allow apexd apex_rollback_data_file:dir create_dir_perms;
allow apexd apex_rollback_data_file:file create_file_perms;
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index e96ded9..3a5be19 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -9,6 +9,7 @@
aidl_lazy_test_server_exec
aidl_lazy_test_service
apex_module_data_file
+ apex_permission_data_file
apex_rollback_data_file
app_integrity_service
app_search_service
diff --git a/private/file_contexts b/private/file_contexts
index 96fd35b..c98909e 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -506,6 +506,7 @@
# Misc data
/data/misc/adb(/.*)? u:object_r:adb_keys_file:s0
/data/misc/apexdata(/.*)? u:object_r:apex_module_data_file:s0
+/data/misc/apexdata/com.android.permission(/.*)? u:object_r:apex_permission_data_file:s0
/data/misc/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
/data/misc/apns(/.*)? u:object_r:radio_data_file:s0
/data/misc/audio(/.*)? u:object_r:audio_data_file:s0
@@ -593,6 +594,8 @@
# Apex data directories
/data/misc_de/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
/data/misc_ce/[0-9]+/apexdata(/.*)? u:object_r:apex_module_data_file:s0
+/data/misc_de/[0-9]+/apexdata/com.android.permission(/.*)? u:object_r:apex_permission_data_file:s0
+/data/misc_ce/[0-9]+/apexdata/com.android.permission(/.*)? u:object_r:apex_permission_data_file:s0
# Apex rollback directories
/data/misc_de/[0-9]+/apexrollback(/.*)? u:object_r:apex_rollback_data_file:s0
diff --git a/private/system_server.te b/private/system_server.te
index 64419fe..5c50fa4 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1071,6 +1071,11 @@
allow system_server vendor_apex_file:dir { getattr search };
allow system_server vendor_apex_file:file r_file_perms;
+# Allow the system server to manage relevant apex module data files.
+allow system_server apex_module_data_file:dir { getattr search };
+allow system_server apex_permission_data_file:dir create_dir_perms;
+allow system_server apex_permission_data_file:file create_file_perms;
+
# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
# communicate which slots are available for use.
allow system_server metadata_file:dir search;
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index b287bdc..157ee55 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -15,6 +15,7 @@
}:dir { open read write add_name remove_name rmdir relabelfrom };
allow vold_prepare_subdirs {
apex_module_data_file
+ apex_permission_data_file
apex_rollback_data_file
backup_data_file
face_vendor_data_file
@@ -26,6 +27,7 @@
}:dir { create_dir_perms relabelto };
allow vold_prepare_subdirs {
apex_module_data_file
+ apex_permission_data_file
apex_rollback_data_file
backup_data_file
face_vendor_data_file
diff --git a/public/file.te b/public/file.te
index 8cd5157..ef30fc7 100644
--- a/public/file.te
+++ b/public/file.te
@@ -345,6 +345,7 @@
# /data/misc subdirectories
type adb_keys_file, file_type, data_file_type, core_data_file_type;
type apex_module_data_file, file_type, data_file_type, core_data_file_type;
+type apex_permission_data_file, file_type, data_file_type, core_data_file_type;
type apex_rollback_data_file, file_type, data_file_type, core_data_file_type;
type audio_data_file, file_type, data_file_type, core_data_file_type;
type audioserver_data_file, file_type, data_file_type, core_data_file_type;