Microdroid: Allow apexd again to access block device information
This patch is the Microdroid equivalent of
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1850655
Bug: 202520796
Tests: Treehugger
Change-Id: I3428934115a62f64390738b144fbb801fc595561
Signed-off-by: Bart Van Assche <bvanassche@google.com>
diff --git a/microdroid/system/private/apexd.te b/microdroid/system/private/apexd.te
index bf67e4c..5ec418c 100644
--- a/microdroid/system/private/apexd.te
+++ b/microdroid/system/private/apexd.te
@@ -16,8 +16,9 @@
BLKFLSBUF
LOOP_CONFIGURE
};
-# allow apexd to access /dev/block
-allow apexd block_device:dir r_dir_perms;
+# Allow apexd to access /dev/block
+allow apexd dev_type:dir r_dir_perms;
+allow apexd dev_type:blk_file getattr;
#allow apexd to access virtual disks
allow apexd vd_device:blk_file r_file_perms;
@@ -56,6 +57,9 @@
# /sys directory tree traversal
allow apexd sysfs_type:dir search;
+# Access to /sys/class/block
+allow apexd sysfs_type:dir r_dir_perms;
+allow apexd sysfs_type:file r_file_perms;
# Configure read-ahead of dm-verity and loop devices
# for dm-X
allow apexd sysfs_dm:dir r_dir_perms;