Allow keystore to monitor and read APEX info

Test: logcat
Bug: 369375199
Change-Id: Ib4a267e50f59367ca7426009ff7cc0559ce5c771
diff --git a/private/apexd.te b/private/apexd.te
index 58a3658..3205b02 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -229,8 +229,8 @@
 # The update_provider performs APEX updates. To do this, it needs to be able to find apex_service
 # and make binder calls to apexd.
 # WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
-neverallow { domain -init -apexd -system_server -update_engine -update_provider } apex_service:service_manager find;
+neverallow { domain -init -apexd -keystore -system_server -update_engine -update_provider } apex_service:service_manager find;
 # WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
-neverallow { domain -init -apexd -system_server -servicemanager -update_engine -update_provider } apexd:binder call;
+neverallow { domain -init -apexd -keystore -system_server -servicemanager -update_engine -update_provider } apexd:binder call;
 
 neverallow { domain userdebug_or_eng(`-crash_dump') } apexd:process ptrace;
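Review bot: Adding `-keystore` to both neverallow rules removes the build-time guarantee for a domain that is not an updater, while the comment block above them still explains only update_provider. SELinux checks `apexd:binder call` per domain, not per method, so the matching `allow keystore apexd:binder call;` in the private/keystore.te hunk lets keystore invoke whatever apex_service exposes. Restricting keystore to read-only queries would therefore depend on caller checks inside apexd, which this diff does not show and which should be confirmed. I would add a line before the first neverallow such as `# keystore is exempt only so it can read APEX info from apexd; it must not perform APEX updates.` The keystore.te comment, which currently says only "communicate to apexd", should state the same purpose.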
diff --git a/private/keystore.te b/private/keystore.te
index 50542b0..014903e 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -41,6 +41,9 @@
 
 set_prop(keystore, keystore_crash_prop)
 
+# Allow keystore to monitor the `apexd.status` property.
+get_prop(keystore, apexd_prop)
+
 # keystore is using apex_info via libvintf
 use_apex_info(keystore)
 
@@ -61,6 +64,10 @@
 allow keystore remote_provisioning_service:service_manager find;
 allow keystore rkp_cert_processor_service:service_manager find;
 
+# Allow keystore to communicate to apexd
+allow keystore apex_service:service_manager find;
+allow keystore apexd:binder call;
+
 add_service(keystore, apc_service)
 add_service(keystore, keystore_compat_hal_service)
 add_service(keystore, authorization_service)