Refactor apex data file types.
We ended up with 4 labels for specific APEX files that were all
identical; I've replaced them with a single one
(apex_system_server_data_file).
Additionally I created an attribute to be applied to a "standard" APEX
module data file type that establishes the basics (it can be managed
by vold_prepare_subdirs and apexd), to make it easier to add new such
types - which I'm about to do.
Fix: 189415223
Test: Presubmits
Change-Id: I4406f6680aa8aa0e38afddb2f3ba75f8bfbb8c3c
diff --git a/private/system_server.te b/private/system_server.te
index 5d685c3..0744bec 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1293,14 +1293,9 @@
# Allow the system server to manage relevant apex module data files.
allow system_server apex_module_data_file:dir { getattr search };
-allow system_server apex_appsearch_data_file:dir create_dir_perms;
-allow system_server apex_appsearch_data_file:file create_file_perms;
-allow system_server apex_permission_data_file:dir create_dir_perms;
-allow system_server apex_permission_data_file:file create_file_perms;
-allow system_server apex_scheduling_data_file:dir create_dir_perms;
-allow system_server apex_scheduling_data_file:file create_file_perms;
-allow system_server apex_wifi_data_file:dir create_dir_perms;
-allow system_server apex_wifi_data_file:file create_file_perms;
+# These are modules where the code runs in system_server, so we need full access.
+allow system_server apex_system_server_data_file:dir create_dir_perms;
+allow system_server apex_system_server_data_file:file create_file_perms;
# Allow PasswordSlotManager rw access to /metadata/password_slots, so GSIs and the host image can
# communicate which slots are available for use.