Merge changes from topic "derive-microdroid-vendor-dice-node" into main

* changes: Allow ueventd to relabel /dev/open-dice0 Add /microdroid_resources to file_contexts
2024-03-14 11:20:06 +00:00 · 2024-03-14 11:20:06 +00:00 · 2300dc5e64
commit 2300dc5e64
parent 43c2a181d0 73282e4d1b
2 changed files with 5 additions and 1 deletions
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@ -15,6 +15,7 @@
 # Empty directories
 /lost\+found        u:object_r:rootfs:s0
 /debug_ramdisk      u:object_r:tmpfs:s0
+/microdroid_resources u:object_r:tmpfs:s0
 /mnt                u:object_r:tmpfs:s0
 /proc               u:object_r:rootfs:s0
 /second_stage_resources u:object_r:tmpfs:s0
--- a/microdroid/system/private/ueventd.te
+++ b/microdroid/system/private/ueventd.te
@ -15,7 +15,10 @@ allow ueventd sysfs_type:file w_file_perms;
 r_dir_file(ueventd, sysfs_type)
 allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
 allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
-allow ueventd tmpfs:chr_file rw_file_perms;
+# the open-dice0 device is now created in first_stage_init, ueventd needs these permissions
+# so that it can relabel it to open_dice_device, so that microdroid_manager can access it.
+allow ueventd tmpfs:chr_file { relabelfrom rw_file_perms setattr };
+allow ueventd open_dice_device:chr_file relabelto;
 allow ueventd dev_type:dir create_dir_perms;
 allow ueventd dev_type:lnk_file { create unlink };
 allow ueventd dev_type:chr_file { getattr create setattr unlink };