Allow microdroid_manager to create a /apex/* file

Microdroid_manager needs to pass APEX pubkeys to APEXd. Since the data
is too big for a system property, it creates a file
/apex/vm-payload-metadata so that APEXd reads/uses it.

Bug: 199371341
Test: MicrodroidHostTestCases
Change-Id: Iaf2b4fc08b36610032d9c339f787e5e34994448b
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index f1d3140..e78d4dc 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -37,6 +37,11 @@
 allow microdroid_manager system_bootstrap_lib_file:dir r_dir_perms;
 allow microdroid_manager system_bootstrap_lib_file:file { execute read open getattr map };
 
+# microdroid_manager create /apex/vm-payload-metadata for apexd
+# TODO(b/199371341) create a new label for the file so that only microdroid_manager can create it.
+allow microdroid_manager apex_mnt_dir:dir w_dir_perms;
+allow microdroid_manager apex_mnt_dir:file create_file_perms;
+
 # Allow microdroid_manager to ioctl /dev/vsock.
 # TODO(b/191845268): remove the below rules
 allow microdroid_manager device:chr_file r_file_perms;
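Review bot: The two new rules on `apex_mnt_dir` grant more than creating one file needs. `w_dir_perms` includes `remove_name` and `create_file_perms` includes `rename`, `setattr` and `unlink`, so microdroid_manager could delete or replace any entry labelled `apex_mnt_dir` under /apex, not only vm-payload-metadata. Until the dedicated label from the TODO lands, the rules could be narrowed to something like `allow microdroid_manager apex_mnt_dir:dir { search write add_name };` and `allow microdroid_manager apex_mnt_dir:file { create write open getattr };`, assuming it never has to remove or rename a stale file (not visible in this hunk). Because apexd treats the file's contents as trusted public keys, the follow-up label should come with a `neverallow` that stops every other domain from creating or writing it. The matching read rule for apexd is not part of this hunk, so confirm it exists and is limited to read access.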