Use /proc/device-tree for reading AVF DT

Although /proc/device-tree is symlink to /sys/firmware/devicetree/base,
/proc/device-tree is the stable API but the absolute path may be
changed in the future.

Bug: 322465386
Test: atest CustomPvmfwHostTestCases
Change-Id: I81cbe8a4dddbac97e4fb94e6684d2a91127f3378

microdroid/system/private/genfs_contexts

@@ -7,6 +7,9 @@ genfscon proc /bootconfig u:object_r:proc_bootconfig:s0
 genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
 genfscon proc /cmdline u:object_r:proc_cmdline:s0
 genfscon proc /config.gz u:object_r:config_gz:s0
+genfscon proc /device-tree/avf u:object_r:proc_dt_avf:s0
+genfscon proc /device-tree/chosen/avf,new-instance u:object_r:proc_dt_avf:s0
+genfscon proc /device-tree/chosen/avf,strict-boot u:object_r:proc_dt_avf:s0
 genfscon proc /diskstats u:object_r:proc_diskstats:s0
 genfscon proc /filesystems u:object_r:proc_filesystems:s0
 genfscon proc /interrupts u:object_r:proc_interrupts:s0

microdroid/system/private/init_debug_policy.te

@@ -27,6 +27,5 @@ get_prop(init_debug_policy, bootloader_prop)
 set_prop(init_debug_policy, init_debug_policy_prop)
 
 # Allow init_debug_policy to read AVF debug policy
-allow init_debug_policy sysfs_dt_avf:dir search;
-allow init_debug_policy sysfs_dt_avf:file r_file_perms;
-
+r_dir_file(init_debug_policy, proc_dt_avf)
+r_dir_file(init_debug_policy, sysfs_dt_avf)

microdroid/system/private/microdroid_manager.te

@@ -18,10 +18,8 @@ allow microdroid_manager vd_device:blk_file rw_file_perms;
 allow microdroid_manager dm_device:blk_file r_file_perms;
 
 # microdroid_manager can query AVF flags in the device tree
-allow microdroid_manager sysfs_dt_avf:file r_file_perms;
-
-# Allow microdroid_manager to read AVF debug policy
-allow microdroid_manager sysfs_dt_avf:dir search;
+r_dir_file(microdroid_manager, proc_dt_avf)
+r_dir_file(microdroid_manager, sysfs_dt_avf)
 
 # Read config from the open-dice driver.
 allow microdroid_manager open_dice_device:chr_file rw_file_perms;

microdroid/system/public/file.te

@@ -84,6 +84,7 @@ type proc_cpuinfo, fs_type, proc_type;
 type proc_dirty, fs_type, proc_type;
 type proc_diskstats, fs_type, proc_type;
 type proc_drop_caches, fs_type, proc_type;
+type proc_dt_avf, fs_type, proc_type;
 type proc_extra_free_kbytes, fs_type, proc_type;
 type proc_filesystems, fs_type, proc_type;
 type proc_hostname, fs_type, proc_type;

private/file.te

@@ -136,8 +136,9 @@ type art_exec_exec, system_file_type, exec_type, file_type;
 # in to satisfy MLS constraints for trusted domains.
 type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;
 
-# /sys/firmware/devicetree/base/avf
+# /proc/device-tree/avf and /sys/firmware/devicetree/base/avf
 type sysfs_dt_avf, fs_type, sysfs_type;
+type proc_dt_avf, fs_type, proc_type;
 
 # Type for /system/fonts/font_fallback.xm
 type system_font_fallback_file, system_file_type, file_type;

private/genfs_contexts

@@ -8,6 +8,7 @@ genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
 genfscon proc /cmdline u:object_r:proc_cmdline:s0
 genfscon proc /config.gz u:object_r:config_gz:s0
 genfscon proc /cpu/alignment u:object_r:proc_cpu_alignment:s0
+genfscon proc /device-tree/avf u:object_r:proc_dt_avf:s0
 genfscon proc /diskstats u:object_r:proc_diskstats:s0
 genfscon proc /filesystems u:object_r:proc_filesystems:s0
 genfscon proc /interrupts u:object_r:proc_interrupts:s0

private/virtualizationmanager.te

@@ -83,9 +83,9 @@ unix_socket_connect(virtualizationmanager, tombstoned_crash, tombstoned)
 allow virtualizationmanager tombstone_data_file:file { append getattr };
 allow virtualizationmanager tombstoned:fd use;
 
-# Allow virtualizationmanager to read AVF debug policy
-allow virtualizationmanager sysfs_dt_avf:dir search;
-allow virtualizationmanager sysfs_dt_avf:file r_file_perms;
+# Allow virtualizationmanager to read file system DT for VM reference DT and AVF debug policy
+r_dir_file(virtualizationmanager, proc_dt_avf)
+r_dir_file(virtualizationmanager, sysfs_dt_avf)
 
 # virtualizationmanager to be client of secretkeeper HAL. It ferries SecretManagement messages
 # from pVM to HAL.