Introduce vendor_apex_metadata_file

A new label for the ./apex_manifest.pb and ./ entries in vendor apexes. Read
access to it is granted to the few system components that need to read "apex"
in general. For example, linkerconfig needs to read apex_manifest.pb from
all apexes, including vendor apexes.

Previously, these entries were labelled as system_file even for vendor
apexes.

Bug: 285075529
Test: m && launch_cvd
Test: atest VendorApexHostTestsCases
Change-Id: Icc234bf604e3cafe6da81d21db744abfaa524dcf
diff --git a/private/apexd.te b/private/apexd.te
index b74d4ee..f158ef6 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -102,8 +102,8 @@
 allow apexd staging_data_file:file relabelto;
 
 # allow apexd to read files from /vendor/apex
-allow apexd vendor_apex_file:dir r_dir_perms;
-allow apexd vendor_apex_file:file r_file_perms;
+r_dir_file(apexd, vendor_apex_file)
+r_dir_file(apexd, vendor_apex_metadata_file)
 
 # Unmount and mount filesystems
 allow apexd labeledfs:filesystem { mount unmount };
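Review bot: Replacing the two explicit rules with `r_dir_file(apexd, vendor_apex_file)` is not a pure restatement if r_dir_file expands, as the te_macros definition I know does, to `{ file lnk_file } r_file_perms` — apexd would then also gain lnk_file read on /vendor/apex, which the removed lines did not grant and the commit message does not mention. If that widening is intended, the comment above the rules should say so, e.g. `# allow apexd to read files (and symlinks) from /vendor/apex and the metadata inside vendor apexes`; otherwise keep the original two rules and add only the `r_dir_file(apexd, vendor_apex_metadata_file)` line.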
diff --git a/private/compat/33.0/33.0.cil b/private/compat/33.0/33.0.cil
index 8fa3985..204048e 100644
--- a/private/compat/33.0/33.0.cil
+++ b/private/compat/33.0/33.0.cil
@@ -2544,7 +2544,10 @@
 (typeattributeset vendor_apex_file_33_0 (vendor_apex_file))
 (typeattributeset vendor_app_file_33_0 (vendor_app_file))
 (typeattributeset vendor_cgroup_desc_file_33_0 (vendor_cgroup_desc_file))
-(typeattributeset vendor_configs_file_33_0 (vendor_configs_file))
+(typeattributeset vendor_configs_file_33_0
+  ( vendor_configs_file
+    vendor_apex_metadata_file
+))
 (typeattributeset vendor_data_file_33_0 (vendor_data_file vendor_userdir_file))
 (typeattributeset vendor_default_prop_33_0 (vendor_default_prop))
 (typeattributeset vendor_file_33_0 (vendor_file))
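Review bot: The mapping places vendor_apex_metadata_file under vendor_configs_file_33_0, while the commit message states these entries were previously labelled system_file; if the point of the compat mapping is to keep 33.0 vendor policy working against the type these paths actually carried in 33.0, the target attribute should match what those domains were granted, and the discrepancy deserves a one-line comment in the cil either way. Only the 33.0 mapping is updated here; if older compat mapping files still exist in the tree, the new public type presumably has to be added there (or to the matching ignore list) as well, which I cannot confirm from this page.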
diff --git a/private/derive_classpath.te b/private/derive_classpath.te
index 2299ba0..4f15d5a 100644
--- a/private/derive_classpath.te
+++ b/private/derive_classpath.te
@@ -6,6 +6,7 @@
 
 # Read /apex
 allow derive_classpath apex_mnt_dir:dir r_dir_perms;
+allow derive_classpath vendor_apex_metadata_file:dir r_dir_perms;
 
 # Create /data/system/environ/classpath file
 allow derive_classpath environ_system_data_file:dir rw_dir_perms;
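Review bot: The new rule grants only dir permissions on vendor_apex_metadata_file, which reads as intentional — derive_classpath only needs to traverse the apex root `./` that now carries this label, not to read apex_manifest.pb — but nothing in the file says so, and the same dir-only pattern recurs in the derive_sdk.te, shell.te and zygote.te hunks. A comment such as `# The root dir of a mounted vendor apex is labelled vendor_apex_metadata_file; only traversal is needed here` would keep a later maintainer from "fixing" it to r_dir_file. The same comment applies at the derive_sdk and shell hunks.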
diff --git a/private/derive_sdk.te b/private/derive_sdk.te
index f46c614..c47f0a5 100644
--- a/private/derive_sdk.te
+++ b/private/derive_sdk.te
@@ -6,6 +6,7 @@
 
 # Read /apex
 allow derive_sdk apex_mnt_dir:dir r_dir_perms;
+allow derive_sdk vendor_apex_metadata_file:dir r_dir_perms;
 
 # Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
 set_prop(derive_sdk, module_sdkextensions_prop)
diff --git a/private/domain.te b/private/domain.te
index f98a285..692c962 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -609,6 +609,7 @@
     -same_process_hal_file
     -vendor_app_file
     -vendor_apex_file
+    -vendor_apex_metadata_file
     -vendor_configs_file
     -vendor_service_contexts_file
     -vendor_framework_file
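Review bot: Adding `-vendor_apex_metadata_file` to this exclusion list removes the new type from whatever neverallow the list belongs to; the statement's head is outside the hunk, so I cannot confirm from the page which restriction is relaxed, but if it is the coredomain-versus-vendor_file_type neverallow then the carve-out applies to every coredomain, not only the domains given explicit allow rules in this change. That is consistent with the neighbouring entries, but since the type also labels the apex root directory of every vendor apex, a sentence in the commit message naming the relaxed neverallow would make the intent reviewable.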
diff --git a/private/linkerconfig.te b/private/linkerconfig.te
index 7e78c19..bd46ca4 100644
--- a/private/linkerconfig.te
+++ b/private/linkerconfig.te
@@ -19,6 +19,9 @@
 # Allow linkerconfig to read apex-info-list.xml
 allow linkerconfig apex_info_file:file r_file_perms;
 
+# Allow linkerconfig to read apex_manifest.pb file from vendor apex
+r_dir_file(linkerconfig, vendor_apex_metadata_file)
+
 # Allow linkerconfig to be called in the otapreopt_chroot
 allow linkerconfig otapreopt_chroot:fd use;
 allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms;
diff --git a/private/shell.te b/private/shell.te
index 85d09f9..181963c 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -136,6 +136,7 @@
 allow shell apex_info_file:file r_file_perms;
 allow shell vendor_apex_file:file r_file_perms;
 allow shell vendor_apex_file:dir r_dir_perms;
+allow shell vendor_apex_metadata_file:dir r_dir_perms;
 
 # Allow shell to read updated APEXes under /data/apex
 allow shell apex_data_file:dir search;
diff --git a/private/zygote.te b/private/zygote.te
index d61a431..be94a52 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -258,6 +258,7 @@
 # preinstalled path of APEXes that contain runtime resource overlays for the 'android' package.
 allow zygote vendor_apex_file:dir { getattr search };
 allow zygote vendor_apex_file:file { getattr };
+allow zygote vendor_apex_metadata_file:dir { search };
 
 # Allow zygote to query for compression/features.
 r_dir_file(zygote, sysfs_fs_f2fs)
diff --git a/public/file.te b/public/file.te
index 7aad936..f7fafcb 100644
--- a/public/file.te
+++ b/public/file.te
@@ -381,6 +381,8 @@
 type staging_data_file, file_type, data_file_type, core_data_file_type;
 # /vendor/apex
 type vendor_apex_file, vendor_file_type, file_type;
+# apex_manifest.pb in vendor apex
+type vendor_apex_metadata_file, vendor_file_type, file_type;
 # /data/system/shutdown-checkpoints
 type shutdown_checkpoints_system_data_file, file_type, data_file_type, core_data_file_type;
 
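Review bot: The comment `# apex_manifest.pb in vendor apex` understates the label: per the commit message the type also covers the apex root `./`, which is why several domains in this change receive dir-only permissions on it. Suggest `# ./ and ./apex_manifest.pb inside a mounted vendor apex`. Nothing in this diff assigns the label to those paths (no file_contexts change is included), so presumably the vendor apex file_contexts or the apex tooling does it — a pointer to that in the commit message would help.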
diff --git a/public/te_macros b/public/te_macros
index 63805de..c4ebc63 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -1047,6 +1047,7 @@
 define(`use_apex_info', `
   allow $1 apex_mnt_dir:dir r_dir_perms;
   allow $1 apex_info_file:file r_file_perms;
+  r_dir_file($1, vendor_apex_metadata_file)
 ')
 
 ####################################
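Review bot: `r_dir_file($1, vendor_apex_metadata_file)` inside use_apex_info grants read of vendor apex metadata to every domain that invokes the macro, which is broader than the "few system components" the commit message describes; the set of callers is not visible here, so this may be fine, but the macro's header comment (outside the hunk) should be updated to say the macro now also grants read access to vendor_apex_metadata_file so callers take that on knowingly. Because te_macros is public, vendor policy may also use this macro, so the widening is not necessarily limited to coredomain.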