Allow the microdroid app to use vm payload service

Bug: 243512047 Test: atest MicrodroidTestApp Change-Id: I651781a7cf87b3fa31828a1b46d33dc7f381614c
2022-10-05 13:47:32 +00:00 · 2022-10-05 13:47:32 +00:00 · 34c9f94938
commit 34c9f94938
parent 33e03e09b4
4 changed files with 9 additions and 0 deletions
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@ -51,6 +51,9 @@ binder_call(microdroid_manager, dice_service)
 allow microdroid_manager { dice_node_service dice_maintenance_service }:service_manager find;
 allow microdroid_manager dice_service:diced { derive demote_self };

+# microdroid_manager can add virtual_machine_payload_service
+add_service(microdroid_manager, vm_payload_binder_service)
+
 # microdroid_manager create /apex/vm-payload-metadata for apexd
 # TODO(b/199371341) create a new label for the file so that only microdroid_manager can create it.
 allow microdroid_manager apex_mnt_dir:dir w_dir_perms;
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@ -47,3 +47,7 @@ allow microdroid_payload authfs_data_file:dir search;
 # Read and write files authfs-proxied files.
 allow microdroid_payload authfs_fuse:dir rw_dir_perms;
 allow microdroid_payload authfs_fuse:file create_file_perms;
+
+# Allow use of virtual_machine_payload_service.
+allow microdroid_payload vm_payload_binder_service:service_manager find;
+binder_call(microdroid_payload, microdroid_manager)
--- a/microdroid/system/private/service_contexts
+++ b/microdroid/system/private/service_contexts
@ -1,6 +1,7 @@
 adb                                       u:object_r:adb_service:s0
 android.security.dice.IDiceMaintenance    u:object_r:dice_maintenance_service:s0
 android.security.dice.IDiceNode           u:object_r:dice_node_service:s0
+virtual_machine_payload_service           u:object_r:vm_payload_binder_service:s0
 apexservice                               u:object_r:apex_service:s0
 authfs_service                            u:object_r:authfs_binder_service:s0
 manager                                   u:object_r:service_manager_service:s0
--- a/microdroid/system/public/type.te
+++ b/microdroid/system/public/type.te
@ -6,6 +6,7 @@ type default_android_service, service_manager_type;
 type dice_maintenance_service,  service_manager_type;
 type dice_node_service,         service_manager_type;
 type hal_dice_service, service_manager_type;
+type vm_payload_binder_service, service_manager_type;
 type service_manager_service, service_manager_type;
 type system_linker;
 type vm_payload_key;