Fix virtualizationservice rules
virtualizationservice should be able to read the following files:
* /apex/apex-info-list.xml: apex_info_file
* /data/apex/{active, uncompressed}: staging_data_file,
apex_data_file
and pass them to the guest OS.
Bug: n/a
Test: atest MicrodroidHostTestCases
(see logcat for denials)
Change-Id: Ia9dab957a6f912aa193d58e2817a00d4a39b4536
diff --git a/private/domain.te b/private/domain.te
index 5bb4831..7f4401d 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -204,7 +204,19 @@
# do not change between system_server staging the files and apexd processing
# the files.
neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename -priv_app } staging_data_file:dir *;
-neverallow { domain -init -system_app -system_server -apexd -adbd -kernel -installd -iorap_inode2filename -priv_app } staging_data_file:file *;
+neverallow {
+ domain
+ -init
+ -system_app
+ -system_server
+ -apexd
+ -adbd
+ -kernel
+ -installd
+ -iorap_inode2filename
+ -priv_app
+ -virtualizationservice
+} staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
# except for `link` and `unlink`.
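Review bot: Adding `-virtualizationservice` to the `staging_data_file:file *` neverallow lifts the blanket ban for every file permission, although virtualizationservice.te only grants `r_file_perms`. The guarantee that staged files do not change then rests, for this domain, on the narrower write-side neverallow that follows the `# apexd needs the link and unlink permissions` comment. That rule lies outside this hunk, so please confirm virtualizationservice is not exempted there. The new exemption also has no rationale next to it; a comment above the rule such as `# virtualizationservice only reads staged APEX files to hand them to guest VMs; it must never modify them.` would stop the list from being widened by analogy later.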
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 1bf14d8..4efe355 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -42,5 +42,12 @@
# shell_data_file is used for automated tests and manual debugging.
allow virtualizationservice shell_data_file:file { getattr read write };
+# Allow virtualizationservice to access apex files in /data/apex/{active,decompressed}
+allow virtualizationservice apex_data_file:dir search;
+allow virtualizationservice staging_data_file:file r_file_perms;
+
+# Allow virtualizationservice to read apex-info-list.xml
+allow virtualizationservice apex_info_file:file r_file_perms;
+
# Let virtualizationservice to accept vsock connection from the guest VMs
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
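Review bot: The `allow virtualizationservice staging_data_file:file r_file_perms;` rule grants read on every file carrying that label, not only the APEX files under /data/apex that the comment names. Reachability by path looks limited, because the hunk adds only `apex_data_file:dir search` and the `staging_data_file:dir *` neverallow in domain.te still covers virtualizationservice, but that reasoning is not written down anywhere. I would extend the comment, for example `# Read-only. No staging_data_file:dir access is granted, so these files are reachable by path only through /data/apex.` The commit message says `uncompressed` where this comment says `decompressed`; the two should agree.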