Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 6e823dd5972f0423b19d739e74d81bb0e5412ebd^! / . / private
commit6e823dd5972f0423b19d739e74d81bb0e5412ebd[log] [tgz]
authorJiyong Park <jiyong@google.com>Thu Jun 13 09:45:05 2019 +0900
committerJiyong Park <jiyong@google.com>Thu Jun 13 09:45:05 2019 +0900
tree6d13b5b635ef6d06c90e45c6d574a4ad9f11f37c
parent4afae9483654bed53c6314fbe395863b21233f3f [diff]
Allow apexd to stop itself

apexd stops itself when it finds that it is running on a device with
flattened APEXes (i.e. ro.apex.updatable = false).

Bug: 133907211
Test: launch sdk_phone_x86_64
adb logcat -d | grep apexd | wc -l
returns 3

Change-Id: I7fa161b069aa34adb028194b55f367fe740a0cfc

diff --git a/private/apexd.te b/private/apexd.te
index d0ec9f4..14778b2 100644
--- a/private/apexd.te
+++ b/private/apexd.te

@@ -80,6 +80,9 @@
 # not covered by rollback manager.
 set_prop(apexd, powerctl_prop)
 
+# Allow apexd to stop itself
+set_prop(apexd, ctl_apexd_prop)
+
 # Find the vold service, and call into vold to manage FS checkpoints
 allow apexd vold_service:service_manager find;
 binder_call(apexd, vold)

diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 293d97d..c005a14 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil

@@ -34,6 +34,7 @@
     color_display_service
     content_capture_service
     crossprofileapps_service
+    ctl_apexd_prop
     ctl_interface_restart_prop
     ctl_interface_start_prop
     ctl_interface_stop_prop

diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index fbc241a..7d2f8dd 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil

@@ -32,6 +32,7 @@
     color_display_service
     content_capture_service
     crossprofileapps_service
+    ctl_apexd_prop
     ctl_interface_restart_prop
     ctl_interface_start_prop
     ctl_interface_stop_prop

diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 4d32997..0994389 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil

@@ -33,6 +33,7 @@
     content_capture_service
     content_suggestions_service
     cpu_variant_prop
+    ctl_apexd_prop
     ctl_gsid_prop
     dev_cpu_variant
     device_config_activity_manager_native_boot_prop

diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 56457a6..8fc3155 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil

@@ -5,6 +5,7 @@
 (typeattribute new_objects)
 (typeattributeset new_objects
   ( new_objects
+    ctl_apexd_prop
     device_config_sys_traced_prop
     runtime_apex_dir
     system_ashmem_hwservice

diff --git a/private/property_contexts b/private/property_contexts
index dd08c32..2473cdb 100644
--- a/private/property_contexts
+++ b/private/property_contexts

@@ -135,6 +135,9 @@
 ctl.stop$gsid           u:object_r:ctl_gsid_prop:s0
 ctl.restart$gsid        u:object_r:ctl_gsid_prop:s0
 
+# Restrict access to stopping apexd.
+ctl.stop$apexd          u:object_r:ctl_apexd_prop:s0
+
 # NFC properties
 nfc.                    u:object_r:nfc_prop:s0