Sepolicy: Give apexd permission for mounton

To not propagate any changes by APEX hooks, apexd remounts / private. Bug: 119260955 Bug: 119261380 Test: atest apexservice_test Change-Id: I19aebc9c1562d8c4e4fedf36eb79826291b6ee61
2019-02-08 13:12:18 -08:00 · 2019-02-08 13:12:18 -08:00 · 742ac5561c
commit 742ac5561c
parent db90b91ea0
1 changed files with 4 additions and 0 deletions
--- a/private/apexd.te
+++ b/private/apexd.te
@ -81,6 +81,10 @@ allow apexd kmsg_device:chr_file w_file_perms;
 # Allow self-execute for the fork mount helper.
 allow apexd apexd_exec:file execute_no_trans;

+# Unshare and make / private so that hooks cannot influence the
+# running system.
+allow apexd rootfs:dir mounton;
+
 # Allow to execute shell for pre- and postinstall scripts. A transition
 # rule is required, thus restricted to execute and not execute_no_trans.
 allow apexd shell_exec:file { r_file_perms execute };