From 74caef3591b61bace706d7a61b10ed593611c570 Mon Sep 17 00:00:00 2001
From: Inseob Kim
Date: Wed, 9 Feb 2022 23:28:20 +0900
Subject: [PATCH] Add microdroid sepolicy test support

MicrodroidHostTestCases will pull the VM's sepolicy and check it against system/sepolicy/microdroid's neverallow rules, using sepolicy-analyze tool.

Bug: 218461215
Test: atest MicrodroidHostTestCases
Change-Id: I62a69053996b71d69dd2bf6b7eabc8b701095477
---
 microdroid/Android.bp | 8 ++++++++
 microdroid/system/private/adbd.te | 5 +++++
 2 files changed, 13 insertions(+)

diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index 2e8766c10..060020715 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -280,3 +280,11 @@ prebuilt_etc {
 relative_install_path: "selinux",
 installable: false,
 }
+
+// For CTS
+se_policy_conf {
+ name: "microdroid_general_sepolicy.conf",
+ srcs: system_policy_files,
+ exclude_build_test: true,
+ installable: false,
+}
diff --git a/microdroid/system/private/adbd.te b/microdroid/system/private/adbd.te
index 1212840eb..116c74d61 100644
--- a/microdroid/system/private/adbd.te
+++ b/microdroid/system/private/adbd.te
@@ -48,6 +48,11 @@ set_prop(adbd, shell_prop)
 # Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
 set_prop(adbd, adbd_prop)
 
+# Allow pulling the SELinux policy for CTS purposes
+allow adbd selinuxfs:dir r_dir_perms;
+allow adbd selinuxfs:file r_file_perms;
+allow adbd kernel:security read_policy;
+
 # adbd tries to run mdnsd, but mdnsd doesn't exist. Just dontaudit ctl permissions.
 # TODO(b/200902288): patch adb and remove this rule
 dontaudit adbd { ctl_default_prop ctl_start_prop }:property_service set;
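Review bot: The `// For CTS` comment on the new `se_policy_conf` module names the consumer but says nothing about `exclude_build_test: true`, which is the one security-relevant setting in the hunk: it presumably disables the build-time neverallow check for this conf, and that is only acceptable because, per the commit message, the same neverallow rules are re-verified at test time by sepolicy-analyze. A later maintainer copying this module as a template could drop the test and silently lose neverallow coverage, so the reason should be recorded next to the flag. Suggest replacing the comment with `// Consumed by MicrodroidHostTestCases (CTS): the VM's loaded policy is checked against these neverallow rules with sepolicy-analyze. Build-time neverallow checking is skipped here because this conf is never installed; do not reuse this pattern for an installable policy.` `installable: false` already keeps the artifact off the image, which is worth stating for the same reason.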
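Review bot: The three new `allow` rules are unconditional, so any adb session on the VM — not only the CTS harness — can read the compiled policy via `/sys/fs/selinux/policy` (the read gated by `kernel:security read_policy`) and everything else exposed under selinuxfs; that is presumably intended, since CTS runs on user builds, but the comment should say so explicitly rather than leave a later reviewer wondering why the block is not wrapped in `userdebug_or_eng()`. Suggest `# Allow pulling the loaded SELinux policy (/sys/fs/selinux/policy) for CTS purposes. Deliberately not gated on userdebug/eng: CTS runs on user builds.` in place of the added comment. If microdroid's `domain.te` already grants `selinuxfs` dir/file read to all domains as the platform policy does, the first two rules are redundant and can be dropped, leaving only the `read_policy` grant — worth confirming, since the hunk shows no neighbouring grant. `r_file_perms` also carries `ioctl`/`map` that an `adb pull` does not need; `{ open read getattr }` would be the least-privilege form if the macro is not being kept for consistency with the platform rule.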