commit 7848d3a437c902f0b082cbb0c4f2f58bcc2780e1
author Deyao Ren <deyaoren@google.com> Thu Sep 01 22:20:10 2022 +0000
committer Deyao Ren <deyaoren@google.com> Thu Sep 01 22:20:10 2022 +0000
tree 044194c152d4c7ed1fc6a9fe241b79c17708954c
parent 3fab00fab2607801c82a81be47967696a7d82470

Modifed sepolicy for new apex ready prop

Bug: 232172382
Test: atest ApexTestCases
Change-Id: I2947b2c9b1d983bdbc410e67509508f73efff1f4

private/apexd.te

diff --git a/private/apexd.te b/private/apexd.te
index 886aec1..b74d4ee 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -209,3 +209,6 @@
 
 # Allow calling derive_classpath to gather BCP information for staged sessions
 domain_auto_trans(apexd, derive_classpath_exec, apexd_derive_classpath);
+
+# Allow set apex ready property
+set_prop(apexd, apex_ready_prop)

private/coredomain.te

diff --git a/private/coredomain.te b/private/coredomain.te
index 69367b8..de8daaa 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -1,3 +1,4 @@
+get_prop(coredomain, apex_ready_prop)
 get_prop(coredomain, boot_status_prop)
 get_prop(coredomain, camera_config_prop)
 get_prop(coredomain, dalvik_config_prop)

private/property.te

diff --git a/private/property.te b/private/property.te
index 2b3d362..ba5f4ec 100644
--- a/private/property.te
+++ b/private/property.te
@@ -46,6 +46,7 @@
 system_internal_prop(ctl_odsign_prop)
 system_internal_prop(virtualizationservice_prop)
 system_internal_prop(ctl_apex_load_prop)
+system_internal_prop(apex_ready_prop)
 
 # Properties which can't be written outside system
 system_restricted_prop(device_config_virtualization_framework_native_prop)
@@ -643,6 +644,19 @@
 } ctl_apex_load_prop:file no_rw_file_perms;
 
 neverallow {
+  domain
+  -init
+  -apexd
+} apex_ready_prop:property_service set;
+
+neverallow {
+  domain
+  -coredomain
+  -dumpstate
+  -apexd
+} apex_ready_prop:file no_rw_file_perms;
+
+neverallow {
   # Only allow init and profcollectd to access profcollectd_node_id_prop
   domain
   -init

private/property_contexts

diff --git a/private/property_contexts b/private/property_contexts
index 5bc2f4e..fdb8d36 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -284,6 +284,9 @@
 persist.vendor.apex.    u:object_r:apexd_select_prop:s0
 ro.boot.vendor.apex.    u:object_r:apexd_select_prop:s0
 
+# Property that indicates if an apex is ready: apex.<apex-name>.ready
+apex.                   u:object_r:apex_ready_prop:s0 prefix bool
+
 bpf.progs_loaded        u:object_r:bpf_progs_loaded_prop:s0 exact bool
 
 gsid.                   u:object_r:gsid_prop:s0