Add policy for apexd.
apexd is a new daemon for managing APEX packages installed
on the device. It hosts a single binder service, "apexservice".
Bug: 112455435
Test: builds, binder service can be registered,
apexes can be accessed, verified and mounted
Change-Id: I634ad100f10b2edcd9a9c0df0d33896fa5d4ed97
diff --git a/private/file_contexts b/private/file_contexts
index 991f75b..2e78b80 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -30,6 +30,7 @@
/postinstall u:object_r:postinstall_mnt_dir:s0
/proc u:object_r:rootfs:s0
/sys u:object_r:sysfs:s0
+/apex u:object_r:apex_mnt_dir:s0
# Symlinks
/bin u:object_r:rootfs:s0
@@ -287,6 +288,7 @@
/system/etc/ld\.config.* u:object_r:system_linker_config_file:s0
/system/etc/seccomp_policy(/.*)? u:object_r:system_seccomp_policy_file:s0
/system/etc/security/cacerts(/.*)? u:object_r:system_security_cacerts_file:s0
+/system/etc/security/apex(/.*)? u:object_r:apex_key_file:s0
/system/etc/selinux/mapping/[0-9]+\.[0-9]+\.cil u:object_r:sepolicy_file:s0
/system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
/system/etc/selinux/plat_property_contexts u:object_r:property_contexts_file:s0
@@ -305,6 +307,7 @@
/system/bin/bpfloader u:object_r:bpfloader_exec:s0
/system/bin/wait_for_keymaster u:object_r:wait_for_keymaster_exec:s0
/system/bin/watchdogd u:object_r:watchdogd_exec:s0
+/system/bin/apexd u:object_r:apexd_exec:s0
#############################
# Vendor files
@@ -387,6 +390,7 @@
/data/ota_package(/.*)? u:object_r:ota_package_file:s0
/data/adb(/.*)? u:object_r:adb_data_file:s0
/data/anr(/.*)? u:object_r:anr_data_file:s0
+/data/apex(/.*)? u:object_r:apex_data_file:s0
/data/app(/.*)? u:object_r:apk_data_file:s0
/data/app/[^/]+/oat(/.*)? u:object_r:dalvikcache_data_file:s0
/data/app/vmdl[^/]+\.tmp(/.*)? u:object_r:apk_tmp_file:s0