Allow service managers access to apex data.
VintfObject will monitor the /apex directory for VINTF data.
Add permissions for service managers to read this data.
Bug: 239055387
Test: m && boot
Change-Id: I179e008dadfcb323cde58a8a460bcfa2825a7b4f
diff --git a/microdroid/system/private/servicemanager.te b/microdroid/system/private/servicemanager.te
index 91a8ad2..a9d025c 100644
--- a/microdroid/system/private/servicemanager.te
+++ b/microdroid/system/private/servicemanager.te
@@ -28,3 +28,6 @@
# servicemanager is using bootstrap bionic
use_bootstrap_libs(servicemanager)
+
+# servicemanager is using apex_info via libvintf
+use_apex_info(servicemanager)
diff --git a/microdroid/system/public/te_macros b/microdroid/system/public/te_macros
index 6db0d70..ec7969b 100644
--- a/microdroid/system/public/te_macros
+++ b/microdroid/system/public/te_macros
@@ -995,3 +995,11 @@
allow $1 system_bootstrap_lib_file:dir r_dir_perms;
allow $1 system_bootstrap_lib_file:file { execute read open getattr map };
')
+
+######################################
+# use_apex_info(domain)
+# Allow access to apex information
+define(`use_apex_info', `
+ allow $1 apex_mnt_dir:dir r_dir_perms;
+ allow $1 apex_info_file:file r_file_perms;
+')
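Review bot: The header comment on the new `use_apex_info` macro (`# Allow access to apex information`) understates what is granted: `r_dir_perms` on `apex_mnt_dir` lets the domain list and search the APEX mount directory, and `r_file_perms` on `apex_info_file` lets it read the APEX info file, while neither permission set allows writes. Suggest `# Allow read-only access to the apex mount directory and the apex info file (read by libvintf)` so a later reader does not assume the macro also covers the contents of the mounted APEXes, which carry other labels. The same macro is defined identically in public/te_macros later in this change; keep the two comments in step. The preceding `use_bootstrap_libs` definition starts outside the hunk.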
diff --git a/private/binderservicedomain.te b/private/binderservicedomain.te
index 7275954..fa9dd7d 100644
--- a/private/binderservicedomain.te
+++ b/private/binderservicedomain.te
@@ -22,3 +22,5 @@
allow binderservicedomain keystore:keystore2_key { delete get_info rebind use };
use_keystore(binderservicedomain)
+# binderservicedomain is using apex_info via libvintf
+use_apex_info(binderservicedomain)
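Review bot: `use_apex_info(binderservicedomain)` grants the new read access to every domain carrying the `binderservicedomain` attribute, which is considerably wider than the "service managers" the commit message describes; if only specific services need it, per-domain grants as done for servicemanager, hwservicemanager and keystore in the other hunks keep the policy minimal. If keystore or hwservicemanager already carry that attribute, their separate `use_apex_info(...)` lines in private/keystore.te and private/hwservicemanager.te become redundant, which is worth confirming. If the attribute-wide grant is intended, the comment above it should say why the whole attribute needs it rather than naming only libvintf, e.g. `# every binderservicedomain loads libvintf, which reads apex_info_file` — only if that is actually the case.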
diff --git a/private/hwservicemanager.te b/private/hwservicemanager.te
index 5982ecf..ecc8a40 100644
--- a/private/hwservicemanager.te
+++ b/private/hwservicemanager.te
@@ -10,3 +10,6 @@
# hwservicemanager is using bootstrap bionic
use_bootstrap_libs(hwservicemanager)
+
+# hwservicemanager is using apex_info via libvintf
+use_apex_info(hwservicemanager)
diff --git a/private/keystore.te b/private/keystore.te
index 8e681b1..3b4cc37 100644
--- a/private/keystore.te
+++ b/private/keystore.te
@@ -37,3 +37,6 @@
# system property, an exception is added for init as well.
set_prop(keystore, keystore_crash_prop)
neverallow { domain -keystore -init } keystore_crash_prop:property_service set;
+
+# keystore is using apex_info via libvintf
+use_apex_info(keystore)
diff --git a/private/servicemanager.te b/private/servicemanager.te
index 95a9496..5a69a43 100644
--- a/private/servicemanager.te
+++ b/private/servicemanager.te
@@ -9,3 +9,6 @@
# servicemanager is using bootstrap bionic
use_bootstrap_libs(servicemanager)
+
+# servicemanager is using apex_info via libvintf
+use_apex_info(servicemanager)
diff --git a/public/te_macros b/public/te_macros
index 551f4f3..8a8b473 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -1036,3 +1036,11 @@
allow $1 system_bootstrap_lib_file:dir r_dir_perms;
allow $1 system_bootstrap_lib_file:file { execute read open getattr map };
')
+
+######################################
+# use_apex_info(domain)
+# Allow access to apex information
+define(`use_apex_info', `
+ allow $1 apex_mnt_dir:dir r_dir_perms;
+ allow $1 apex_info_file:file r_file_perms;
+')