Merge changes from topic "microdroid_selinux_denial_fix"

* changes: Add listen/accept permission to MM's vsock Grant kmsg_debug permission to kexec
2022-11-18 12:04:34 +00:00 · 2022-11-18 12:04:34 +00:00 · 29fb4ae40b
commit 29fb4ae40b
parent b1c2e19a71 5df428bea8
2 changed files with 6 additions and 0 deletions
--- a/microdroid/system/private/kexec.te
+++ b/microdroid/system/private/kexec.te
@ -10,3 +10,6 @@ allow kexec microdroid_manager:fd use;

 # allow kexec to have SYS_BOOT
 allow kexec self:capability sys_boot;
+
+# allow kexec to write kmsg_debug
+allow kexec kmsg_debug_device:chr_file w_file_perms;
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@ -48,6 +48,9 @@ allow microdroid_manager kmsg_device:chr_file w_file_perms;
 # Let microdroid_manager to create a vsock connection back to the host VM
 allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };

+# Let microdroid_manager listen/accept from the host for stdio proxy
+allow microdroid_manager self:vsock_socket { listen accept };
+
 # microdroid_manager is using bootstrap bionic
 use_bootstrap_libs(microdroid_manager)