Allow apexd to rename files in /data/apex/decompressed
This is needed to rename the .ota.apex file to .decompressed.apex.
Bug: 369042459
Test: atest ApexCompressionTests
Change-Id: I82ef87cd1e08018677f40baacb0e6d7a621ad75c
(cherry picked from commit a4fddc0bae38c598cc20ffecca46354b328a25ae)
diff --git a/private/apexd.te b/private/apexd.te
index e7ad3b9..c87c5ef 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -95,6 +95,8 @@
allow apexd staging_data_file:file { r_file_perms link };
# # Allow relabeling file created in /data/apex/decompressed
allow apexd staging_data_file:file relabelto;
+# Allow renaming files in /data/apex/decompressed (from .ota.apex to .decompressed.apex)
+allow apexd staging_data_file:file rename;
# allow apexd to read files from /vendor/apex
r_dir_file(apexd, vendor_apex_file)
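Review bot: The new `allow apexd staging_data_file:file rename;` is not scoped to /data/apex/decompressed the way its comment suggests; `staging_data_file` is a type, so apexd gains rename on every file carrying that label wherever it lives (worth checking file_contexts for the other paths it labels, e.g. the app staging directory). If that is acceptable, the comment should say what is actually granted rather than name one directory, e.g. `# Allow renaming staging_data_file (used for .ota.apex -> .decompressed.apex in /data/apex/decompressed)`. Note also that rename only succeeds together with `remove_name`/`add_name` on the parent directory, which is presumably covered by an existing dir rule outside this hunk. For readability the three file-class rules could be folded into one: `allow apexd staging_data_file:file { r_file_perms link rename relabelto };`.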
diff --git a/private/domain.te b/private/domain.te
index 4cf9138..3f02206 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -1769,10 +1769,14 @@
-crosvm
} staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
-# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
-# except for `link` and `unlink`.
-neverallow { domain -init -system_server } staging_data_file:file
- { append create relabelfrom rename setattr write no_x_file_perms };
+# apexd needs the link/unlink/rename permissions
+neverallow { domain -init -system_server -installd -apexd } staging_data_file:file {
+ no_w_file_perms no_x_file_perms
+};
+neverallow apexd staging_data_file:file {
+ append create relabelfrom setattr write # no_w_file_perms -link -unlink -rename
+ no_x_file_perms
+};
neverallow {
domain
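Review bot: The rewritten neverallow (second added line) exempts `installd` as well as `apexd` from the write/execute restrictions on `staging_data_file:file`, whereas the removed rule exempted only `init` and `system_server`; the commit message only motivates apexd's rename, so this widening of what installd may later be granted looks unintended (the `-installd` on the dir rule above is a separate, pre-existing exemption). If installd needs no file write permissions, keep the set as `neverallow { domain -init -system_server -apexd } staging_data_file:file {`. The dedicated apexd rule below it correctly keeps every `no_w_file_perms` member except link/unlink/rename; a short comment on it would help future readers, e.g. `# apexd may only link/unlink/rename staging_data_file; all other write perms stay neverallowed`. The `neverallow {` block at the end of the hunk continues outside it.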