From e475c8f1b556646a9c64ab5f0cf99dc503c4fc48 Mon Sep 17 00:00:00 2001
From: Bart Van Assche
Date: Thu, 14 Oct 2021 15:36:05 -0700
Subject: [PATCH] Microdroid: Allow apexd again to access block device information

This patch is the Microdroid equivalent of https://android-review.googlesource.com/c/platform/system/sepolicy/+/1850655

Bug: 202520796
Tests: Treehugger
Change-Id: I3428934115a62f64390738b144fbb801fc595561
Signed-off-by: Bart Van Assche
---
 microdroid/system/private/apexd.te | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/microdroid/system/private/apexd.te b/microdroid/system/private/apexd.te
index bf67e4cca..5ec418cbe 100644
--- a/microdroid/system/private/apexd.te
+++ b/microdroid/system/private/apexd.te
@@ -16,8 +16,9 @@ allowxperm apexd loop_device:blk_file ioctl {
 BLKFLSBUF
 LOOP_CONFIGURE
 };
-# allow apexd to access /dev/block
-allow apexd block_device:dir r_dir_perms;
+# Allow apexd to access /dev/block
+allow apexd dev_type:dir r_dir_perms;
+allow apexd dev_type:blk_file getattr;
 
 #allow apexd to access virtual disks
 allow apexd vd_device:blk_file r_file_perms;
@@ -56,6 +57,9 @@ allow apexd labeledfs:filesystem { mount unmount };
 
 # /sys directory tree traversal
 allow apexd sysfs_type:dir search;
+# Access to /sys/class/block
+allow apexd sysfs_type:dir r_dir_perms;
+allow apexd sysfs_type:file r_file_perms;
 # Configure read-ahead of dm-verity and loop devices
 # for dm-X
 allow apexd sysfs_dm:dir r_dir_perms;
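Review bot: The two added rules in the first hunk use the `dev_type` attribute, so apexd gains directory read on every device-labelled directory and `getattr` on every block device node, while the comment above them still names only `/dev/block`. `getattr` alone does not permit opening or reading a device, so what is exposed is metadata, but the comment should state the real scope, e.g. `# Allow apexd to list device directories and stat any block device (dev_type is an attribute covering all device types)`. If apexd only needs to stat a known set of block device types, naming those types instead of the attribute would keep the grant closer to least privilege; whether that is feasible cannot be judged from this hunk alone.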
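Review bot: In the second hunk, `allow apexd sysfs_type:file r_file_perms;` lets apexd read every file whose type carries the `sysfs_type` attribute, which is far wider than the `/sys/class/block` named in the comment. Presumably the attribute is used because the block entries resolve into differently labelled parts of `/sys/devices`; if so, the comment should say that, e.g. `# /sys/class/block entries resolve into /sys/devices, whose labels vary, hence sysfs_type`. The new `sysfs_type:dir r_dir_perms` rule also makes the context line `allow apexd sysfs_type:dir search;` just above it redundant, since `r_dir_perms` already contains `search`, so one of the two can go. A blank line before `# Configure read-ahead of dm-verity and loop devices` would keep the two rule groups visually separate.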