virtualizationservice to use "staged" apexes
Virtualizationservice queries "package_native" service to get staged
apex info and then reads staged apexes to VM.
Bug: 199146189
Test: MicrodroidHostTestCases
Change-Id: Icbfe5b9a05abc08d3e0270d15969f632b3f57c66
diff --git a/private/domain.te b/private/domain.te
index 56e2ef0..85b4228 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -203,7 +203,16 @@
# that these files cannot be accessed by other domains to ensure that the files
# do not change between system_server staging the files and apexd processing
# the files.
-neverallow { domain -init -system_server -apexd -installd -iorap_inode2filename -priv_app } staging_data_file:dir *;
+neverallow {
+ domain
+ -init
+ -system_server
+ -apexd
+ -installd
+ -iorap_inode2filename
+ -priv_app
+ -virtualizationservice
+} staging_data_file:dir *;
neverallow {
domain
-init
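Review bot: Adding `-virtualizationservice` to this exemption list lifts the neverallow for every `staging_data_file:dir` permission, while the only directory access the commit grants (the `allow virtualizationservice staging_data_file:dir search;` line in private/virtualizationservice.te) is `search`. The comment above the rule says the staged files must not change before apexd processes them, so I would pin the narrower intent with a companion rule right after this one, something like `neverallow virtualizationservice staging_data_file:dir ~{ search };`. A comment would help too, such as `# virtualizationservice only traverses the staging dir to read staged APEXes for a VM; it must never modify it.` The explanatory comment starts above the hunk and the next neverallow is cut off after its first lines, so whether that rule needs a matching review cannot be judged from here.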
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 3b23449..0b02745 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -13,6 +13,8 @@
# Allow calling into the system server so that it can check permissions.
binder_call(virtualizationservice, system_server)
allow virtualizationservice permission_service:service_manager find;
+# Allow virtualizationservice to access "package_native" service for staged apex info.
+allow virtualizationservice package_native_service:service_manager find;
# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
add_service(virtualizationservice, virtualization_service)
@@ -51,6 +53,7 @@
allow virtualizationservice apex_info_file:file r_file_perms;
allow virtualizationservice apex_data_file:dir search;
allow virtualizationservice staging_data_file:file r_file_perms;
+allow virtualizationservice staging_data_file:dir search;
# Let virtualizationservice to accept vsock connection from the guest VMs
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };