Merge "Add a label for payload accessible devices" into main am: 99ccd0de80

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2812754

Change-Id: Ic5011e08b70c92ef2f458972941620f318d62af5
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

microdroid/system/private/microdroid_payload.te

@@ -57,6 +57,9 @@ unix_socket_connect(microdroid_payload, vm_payload_service, microdroid_manager)
 allow microdroid_payload encryptedstore_file:dir create_dir_perms;
 allow microdroid_payload encryptedstore_file:file create_file_perms;
 
+# Payload can access devices labeled as payload accessible.
+allow microdroid_payload payload_accessible_device:chr_file rw_file_perms;
+
 # Never allow microdroid_payload to connect to vsock
 neverallow microdroid_payload self:vsock_socket connect;
 

microdroid/system/public/device.te

@@ -12,6 +12,7 @@ type loop_device, dev_type;
 type null_device, dev_type;
 type open_dice_device, dev_type;
 type owntty_device, dev_type;
+type payload_accessible_device, dev_type;
 type properties_device, dev_type;
 type properties_serial, dev_type;
 type property_info, dev_type;