Add policy for apexd.
apexd is a new daemon for managing APEX packages installed
on the device. It hosts a single binder service, "apexservice".
Bug: 112455435
Test: builds, binder service can be registered,
apexes can be accessed, verified and mounted
Change-Id: I634ad100f10b2edcd9a9c0df0d33896fa5d4ed97
diff --git a/private/apexd.te b/private/apexd.te
new file mode 100644
index 0000000..dcec248
--- /dev/null
+++ b/private/apexd.te
@@ -0,0 +1,42 @@
+typeattribute apexd coredomain;
+
+init_daemon_domain(apexd)
+
+# Read /system/etc/security/apex_debug_key
+allow apexd apex_key_file:dir search;
+allow apexd apex_key_file:file r_file_perms;
+
+# Allow reading and writing of APEX files in the APEX data dir
+allow apexd apex_data_file:dir rw_dir_perms;
+allow apexd apex_data_file:file rw_file_perms;
+
+# allow apexd to create loop devices with /dev/loop-control
+allow apexd loop_control_device:chr_file rw_file_perms;
+# allow apexd to access loop devices
+allow apexd loop_device:blk_file rw_file_perms;
+# allow apexd to access /dev/block
+allow apexd block_device:dir r_dir_perms;
+
+# allow apexd to access /dev/block/dm-* (device-mapper entries)
+allow apexd dm_device:chr_file rw_file_perms;
+allow apexd dm_device:blk_file rw_file_perms;
+
+# sys_admin is required to access the device-mapper and mount
+allow apexd self:global_capability_class_set sys_admin;
+
+# allow apexd to create a mount point in /apex
+allow apexd apex_mnt_dir:dir create_dir_perms;
+# allow apexd to mount in /apex
+allow apexd apex_mnt_dir:filesystem { mount unmount };
+allow apexd apex_mnt_dir:dir mounton;
+# Unmount and mount filesystems
+allow apexd labeledfs:filesystem { mount unmount };
+
+# Spawning a libbinder thread results in a dac_override deny,
+# /dev/cpuset/tasks is owned by system.
+#
+# See b/35323867#comment3
+dontaudit apexd self:global_capability_class_set { dac_override dac_read_search };
+
+neverallow { domain -apexd -init } apex_data_file:dir no_w_dir_perms;
+neverallow { domain -apexd -init } apex_data_file:file no_rw_file_perms;
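Review bot: The two closing neverallow rules cover only apex_data_file, while the same file grants apexd sys_admin, read-write access to the loop and device-mapper nodes, and mount rights on apex_mnt_dir, with no assertion that other domains stay out of the mount point. Consider adding `neverallow { domain -apexd -init } apex_mnt_dir:filesystem { mount unmount };` and `neverallow { domain -apexd -init } apex_mnt_dir:dir mounton;` so a later allow elsewhere cannot quietly widen who controls what is mounted under /apex. The exempted set may need adjusting for whichever domain creates /apex at boot. Separately, the first comment names `/system/etc/security/apex_debug_key`, but the file_contexts hunk in this change labels `/system/etc/security/apex(/.*)?` as apex_key_file, so it would be more accurate as `# Read keys under /system/etc/security/apex/`.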
diff --git a/private/atrace.te b/private/atrace.te
index 2a7ccd0..37e9702 100644
--- a/private/atrace.te
+++ b/private/atrace.te
@@ -31,6 +31,7 @@
allow atrace {
service_manager_type
+ -apex_service
-incident_service
-netd_service
-stats_service
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 7e3fdbc..f985d95 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -9,6 +9,13 @@
adb_service
adbd_exec
app_binding_service
+ apex_data_file
+ apex_mnt_dir
+ apex_key_file
+ apex_service
+ apexd
+ apexd_exec
+ apexd_tmpfs
atrace
binder_calls_stats_service
biometric_service
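Review bot: The seven new entries are inserted after `app_binding_service`, but the surrounding list is alphabetical, so the `apex*` names belong before it, and `apex_key_file` should precede `apex_mnt_dir`. The same ordering is repeated in the 27.0 and 28.0 ignore lists. Keeping these lists sorted makes it easier to spot a type that was ignored by mistake when the compat mappings are audited.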
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 7d5017d..df3f95a 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -8,6 +8,13 @@
activity_task_service
adb_service
app_binding_service
+ apex_data_file
+ apex_mnt_dir
+ apex_key_file
+ apex_service
+ apexd
+ apexd_exec
+ apexd_tmpfs
atrace
binder_calls_stats_service
biometric_service
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 63cfcb8..c1b126b 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -8,6 +8,13 @@
activity_task_service
adb_service
app_binding_service
+ apex_data_file
+ apex_mnt_dir
+ apex_key_file
+ apex_service
+ apexd
+ apexd_exec
+ apexd_tmpfs
biometric_service
;; TODO(b/116344577): remove after the issue is resolved
buffer_hub_service
diff --git a/private/crash_dump.te b/private/crash_dump.te
index 831ff04..fe25bad 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -2,6 +2,7 @@
allow crash_dump {
domain
+ -apexd
-bpfloader
-crash_dump
-init
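Review bot: The added `-apexd` takes apexd out of the set of domains this crash_dump allow applies to, but nothing records why, and the same unexplained exclusion is added to the llkd allow in private/llkd.te. A short comment above the list, for example `# apexd is excluded: it holds sys_admin and device-mapper access`, would mark the exclusion as deliberate, assuming that is the reason. The allow block continues past the end of this hunk, so the permissions involved are not visible here. If crash_dump.te also carries a neverallow naming the excluded domains, apexd should probably be listed there too, so the exclusion is enforced at build time rather than only omitted from the allow.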
diff --git a/private/file_contexts b/private/file_contexts
index 991f75b..2e78b80 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -30,6 +30,7 @@
/postinstall u:object_r:postinstall_mnt_dir:s0
/proc u:object_r:rootfs:s0
/sys u:object_r:sysfs:s0
+/apex u:object_r:apex_mnt_dir:s0
# Symlinks
/bin u:object_r:rootfs:s0
@@ -287,6 +288,7 @@
/system/etc/ld\.config.* u:object_r:system_linker_config_file:s0
/system/etc/seccomp_policy(/.*)? u:object_r:system_seccomp_policy_file:s0
/system/etc/security/cacerts(/.*)? u:object_r:system_security_cacerts_file:s0
+/system/etc/security/apex(/.*)? u:object_r:apex_key_file:s0
/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
@@ -305,6 +307,7 @@
/system/bin/bpfloader u:object_r:bpfloader_exec:s0
/system/bin/wait_for_keymaster u:object_r:wait_for_keymaster_exec:s0
/system/bin/watchdogd u:object_r:watchdogd_exec:s0
+/system/bin/apexd u:object_r:apexd_exec:s0
#############################
# Vendor files
@@ -387,6 +390,7 @@
/data/ota_package(/.*)? u:object_r:ota_package_file:s0
/data/adb(/.*)? u:object_r:adb_data_file:s0
/data/anr(/.*)? u:object_r:anr_data_file:s0
+/data/apex(/.*)? u:object_r:apex_data_file:s0
/data/app(/.*)? u:object_r:apk_data_file:s0
/data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/data/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0
diff --git a/private/llkd.te b/private/llkd.te
index 3f84eb6..385f930 100644
--- a/private/llkd.te
+++ b/private/llkd.te
@@ -22,6 +22,7 @@
userdebug_or_eng(`
allow llkd {
domain
+ -apexd
-kernel
-keystore
-init
diff --git a/private/service_contexts b/private/service_contexts
index e04227b..b68ab8e 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -8,6 +8,7 @@
android.security.keystore u:object_r:keystore_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
app_binding u:object_r:app_binding_service:s0
+apexservice u:object_r:apex_service:s0
appops u:object_r:appops_service:s0
appwidget u:object_r:appwidget_service:s0
assetatlas u:object_r:assetatlas_service:s0
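Review bot: Nothing visible in this change asserts which domains may look up `apexservice`. The `-apex_service` subtractions in atrace.te and system_app.te only remove it from two broad `service_manager_type` allow sets, so any other domain with a similar blanket rule would still be able to find it. Because the service fronts a daemon with sys_admin and mount rights, a build-time assertion would be a useful backstop, for example `neverallow { domain -init -apexd <EXPECTED_CLIENTS> } apex_service:service_manager find;` with the placeholder replaced by the intended callers. The declaration of apex_service and any find rules are outside this view, so such a rule may already exist elsewhere.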
diff --git a/private/system_app.te b/private/system_app.te
index 4ed1982..245496f 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -70,6 +70,7 @@
# TODO: scope this down? Too broad?
allow system_app {
service_manager_type
+ -apex_service
-dumpstate_service
-installd_service
-netd_service