allow apexd to mount apex-info-list.xml file
apexd runs in two separate mount namespaces: bootstrap & default.
To support a separate apex-info-list.xml for each mount namespace, apexd
needs to emit a separate .xml file according to the mount namespace and
then bind-mount it onto the apex-info-list.xml file.
Bug: 158964569
Test: m & boot
nsenter -m/proc/1/ns/mnt -- ls -lZ /apex/apex-info-list.xml
nsenter -m/proc/2/ns/mnt -- ls -lZ /apex/apex-info-list.xml
=> shows the label apex_info_file correctly
Change-Id: I25c7445da570755ec489edee38b0c6af5685724b
diff --git a/private/apexd.te b/private/apexd.te
index 4d9f5ac..97e2539 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -65,7 +65,7 @@
# allow apexd to create symlinks in /apex
allow apexd apex_mnt_dir:lnk_file create_file_perms;
# allow apexd to create /apex/apex-info-list.xml and relabel to apex_info_file
-allow apexd apex_mnt_dir:file { create_file_perms relabelfrom };
+allow apexd apex_mnt_dir:file { create_file_perms relabelfrom mounton };
allow apexd apex_info_file:file relabelto;
# allow apexd to unlink apex files in /data/apex/active
# note that apexd won't be able to unlink files in /data/app-staging/session_XXXX,
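Review bot: The comment directly above the changed `allow apexd apex_mnt_dir:file` rule still describes only creating and relabelling /apex/apex-info-list.xml, so the new `mounton` permission is undocumented in the policy. I would reword it to `# allow apexd to create /apex/apex-info-list.xml, relabel it to apex_info_file, and bind-mount the per-namespace file onto it`. The permission applies to every file labelled apex_mnt_dir, not only that one path. This is presumably acceptable if apexd is the only domain creating files of that type under /apex, but the comment should say the scope is deliberate. The trailing comment about unlinking continues past the end of the hunk.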
diff --git a/private/file_contexts b/private/file_contexts
index 9295769..eaefec3 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -33,7 +33,7 @@
/sys u:object_r:sysfs:s0
/apex u:object_r:apex_mnt_dir:s0
-/apex/apex-info-list.xml u:object_r:apex_info_file:s0
+/apex/(\.(bootstrap|default)-)?apex-info-list.xml u:object_r:apex_info_file:s0
# Symlinks
/bin u:object_r:rootfs:s0
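Review bot: The new pattern escapes the dot in `\.(bootstrap|default)-` but leaves the dot before `xml` unescaped, so it matches any character there and a name such as `apex-info-listAxml` (constructed example) would also be labelled apex_info_file. The removed line had the same loose dot, but since the entry is now written as a regex it is worth tightening: `/apex/(\.(bootstrap|default)-)?apex-info-list\.xml u:object_r:apex_info_file:s0`. The practical exposure looks small because only apexd is expected to create files in /apex, but an exact match keeps the label limited to the three intended file names.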