Merge "microdroid: Run apk mount utils from MM"

microdroid/system/private/apkdmverity.te

@@ -3,9 +3,6 @@
 type apkdmverity, domain, coredomain;
 type apkdmverity_exec, exec_type, file_type, system_file_type;
 
-# allow domain transition from init
-init_daemon_domain(apkdmverity)
-
 # apkdmverity is using bootstrap bionic
 allow apkdmverity system_bootstrap_lib_file:dir r_dir_perms;
 allow apkdmverity system_bootstrap_lib_file:file { execute read open getattr map };
@@ -34,3 +31,13 @@ allowxperm apkdmverity loop_device:blk_file ioctl {
   LOOP_SET_FD
   LOOP_SET_DIRECT_IO
 };
+
+# allow apkdmverity to log to the kernel
+allow apkdmverity kmsg_device:chr_file w_file_perms;
+
+# apkdmverity is forked from microdroid_manager
+# TODO(inseob): remove this
+allow apkdmverity microdroid_manager:fd use;
+
+# Only microdroid_manager can run apkdmverity
+neverallow { domain -microdroid_manager } apkdmverity:process { transition dyntransition };

microdroid/system/private/microdroid_manager.te

@@ -18,6 +18,10 @@ allow microdroid_manager dm_device:blk_file r_file_perms;
 domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app)
 domain_auto_trans(microdroid_manager, compos_exec, compos)
 
+# Allow microdroid_manager to start apk verity binaries
+domain_auto_trans(microdroid_manager, apkdmverity_exec, apkdmverity)
+domain_auto_trans(microdroid_manager, zipfuse_exec, zipfuse)
+
 # Let microdroid_manager kernel-log.
 allow microdroid_manager kmsg_device:chr_file w_file_perms;
 

microdroid/system/private/microdroid_payload.te

@@ -27,8 +27,8 @@ allow microdroid_payload microdroid_manager:vsock_socket { read write };
 # Write to /dev/kmsg.
 allow microdroid_payload kmsg_device:chr_file rw_file_perms;
 
-# Only microdroid_payload can be run by microdroid_manager
-neverallow microdroid_manager { domain -crash_dump -microdroid_payload }:process transition;
+# Only microdroid_payload and apk verity binaries can be run by microdroid_manager
+neverallow microdroid_manager { domain -crash_dump -microdroid_payload -apkdmverity -zipfuse }:process transition;
 
 # Allow microdroid_payload to open binder servers via vsock.
 allow microdroid_payload self:vsock_socket { create_socket_perms listen accept };

microdroid/system/private/zipfuse.te

@@ -6,9 +6,6 @@
 type zipfuse, domain, coredomain;
 type zipfuse_exec, exec_type, file_type, system_file_type;
 
-# allow domain transition from init
-init_daemon_domain(zipfuse)
-
 # zipfuse is using bootstrap bionic
 allow zipfuse system_bootstrap_lib_file:dir r_dir_perms;
 allow zipfuse system_bootstrap_lib_file:file { execute read open getattr map };
@@ -36,3 +33,13 @@ allow zipfuse zipfusefs:filesystem { mount relabelfrom relabelto };
 # allow mounting with context=u:object_r:system_file:s0 so that files provided
 # by zipfuse are treated the same as the other files in /system or /apex
 allow system_file zipfusefs:filesystem associate;
+
+# allow zipfuse to log to the kernel
+allow zipfuse kmsg_device:chr_file w_file_perms;
+
+# zipfuse is forked from microdroid_manager
+# TODO(inseob): remove this
+allow zipfuse microdroid_manager:fd use;
+
+# Only microdroid_manager can run zipfuse
+neverallow { domain -microdroid_manager } zipfuse:process { transition dyntransition };