Merge "Define sepolicy for compos and dex2oat"

microdroid/system/private/compos.te

@@ -4,11 +4,11 @@ type compos_exec, exec_type, file_type, system_file_type;
 
 allow compos self:vsock_socket { create_socket_perms_no_ioctl listen accept };
 
-# Talk to binder services (for keystore)
+# Allow using keystore and authfs_service binder services
 binder_use(compos);
-
-# Allow payloads to use keystore
 use_keystore(compos);
+allow compos authfs_binder_service:service_manager find;
+binder_call(compos, authfs_service);
 
 # Allow payloads to use and manage their keys
 allow compos vm_payload_key:keystore2_key {
@@ -18,3 +18,11 @@ allow compos vm_payload_key:keystore2_key {
     rebind
     use
 };
+
+# Although the compos should not really read/write the FD on authfs_fuse, this
+# is apparently required for the binder driver to pass the FDs to compos from
+# authfs_service.
+allow compos authfs_fuse:file { read write };
+
+# Allow domain transition into dex2oat.
+domain_auto_trans(compos, dex2oat_exec, dex2oat)

microdroid/system/private/dex2oat.te

@@ -3,3 +3,22 @@ type dex2oat, domain, coredomain;
 type dex2oat_exec, system_file_type, exec_type, file_type;
 
 allow dex2oat tmpfs:file { read getattr map };
+
+# Allow dex2oat to use FDs from authfs_service via compos.
+allow dex2oat authfs_service:fd use;
+allow dex2oat compos:fd use;
+
+# Allow dex2oat to read/write FDs on authfs_fuse filesystem.
+allow dex2oat authfs_fuse:file rw_file_perms;
+
+# Minijail uses pipe for the parent process to signal the child (as a fallback
+# mechanism, since Android does not support minijail's preload).
+# TODO(196109647): We can probably remove this once the minijail preload is
+# supported on Android.
+allow dex2oat compos:fifo_file read;
+
+# Allow acquiring advisory lock on /system/framework/<arch>/*
+allow dex2oat system_file:file lock;
+
+# Allow dex2oat to read /apex/apex-info-list.xml
+allow dex2oat apex_info_file:file r_file_perms;