Remove microdroid specific rules and files
These are moved to packages/modules/Virtualization. Bug: 189165759 Test: boot device and microdroid Test: atest MicrodroidHostTestCases Change-Id: I050add7fef56ced4787117f338e7b5d1fda1c193
This commit is contained in:
Inseob Kim
parent
cf6a7e9821
commit
5d269aaa55
8 changed files with 0 additions and 176 deletions
60
Android.bp
60
Android.bp
|
|
@ -927,63 +927,3 @@ se_policy_conf {
|
|||
cts: true,
|
||||
exclude_build_test: true,
|
||||
}
|
||||
|
||||
//////////////////////////////////
|
||||
// modules for microdroid
|
||||
//////////////////////////////////
|
||||
|
||||
// microdroid's system sepolicy is almost identical to host's system sepolicy, except that
|
||||
// microdroid doesn't have system_ext and product. So microdroid's plat_pub_versioned.cil is
|
||||
// generated with plat_pub_policy.cil (exported system), not pub_policy.cil (exported system +
|
||||
// system_ext + product). Other two files, plat_sepolicy.cil and plat_mapping_file, are copied from
|
||||
// host's files.
|
||||
se_versioned_policy {
|
||||
name: "microdroid_plat_pub_versioned.cil",
|
||||
stem: "plat_pub_versioned.cil",
|
||||
base: ":plat_pub_policy.cil",
|
||||
target_policy: ":plat_pub_policy.cil",
|
||||
version: "current",
|
||||
dependent_cils: [
|
||||
":plat_sepolicy.cil",
|
||||
":plat_mapping_file",
|
||||
],
|
||||
installable: false,
|
||||
}
|
||||
|
||||
// microdroid's vendor sepolicy is a minimalized sepolicy needed for microdroid to boot. It just
|
||||
// contains system/sepolicy/public and system/sepolicy/vendor.
|
||||
se_policy_conf {
|
||||
name: "microdroid_vendor_sepolicy.conf",
|
||||
srcs: [":se_build_files{.plat_vendor}"],
|
||||
installable: false,
|
||||
}
|
||||
|
||||
se_policy_cil {
|
||||
name: "microdroid_vendor_sepolicy.cil.raw",
|
||||
src: ":microdroid_vendor_sepolicy.conf",
|
||||
filter_out: [":reqd_policy_mask.cil"],
|
||||
secilc_check: false, // will be done in se_versioned_policy module
|
||||
installable: false,
|
||||
}
|
||||
|
||||
se_versioned_policy {
|
||||
name: "microdroid_vendor_sepolicy.cil",
|
||||
stem: "vendor_sepolicy.cil",
|
||||
base: ":plat_pub_policy.cil",
|
||||
target_policy: ":microdroid_vendor_sepolicy.cil.raw",
|
||||
version: "current", // microdroid is bundled to system
|
||||
dependent_cils: [
|
||||
":plat_sepolicy.cil",
|
||||
":microdroid_plat_pub_versioned.cil",
|
||||
":plat_mapping_file",
|
||||
],
|
||||
filter_out: [":microdroid_plat_pub_versioned.cil"],
|
||||
installable: false,
|
||||
}
|
||||
|
||||
sepolicy_vers {
|
||||
name: "microdroid_plat_sepolicy_vers.txt",
|
||||
version: "platform",
|
||||
stem: "plat_sepolicy_vers.txt",
|
||||
installable: false,
|
||||
}
|
||||
|
|
|
|||
|
|
@ -216,7 +216,6 @@ neverallow {
|
|||
-appdomain # for oemfs
|
||||
-bootanim # for oemfs
|
||||
-recovery # for /tmp/update_binary in tmpfs
|
||||
userdebug_or_eng(`-microdroid_launcher -microdroid_manager') # for executing shared libs on /mnt/apk in Microdroid
|
||||
} { fs_type -rootfs }:file execute;
|
||||
|
||||
#
|
||||
|
|
@ -368,7 +367,6 @@ neverallow {
|
|||
-update_engine
|
||||
-vold
|
||||
-zygote
|
||||
-zipfuse
|
||||
} { fs_type
|
||||
-sdcard_type
|
||||
}:filesystem { mount remount relabelfrom relabelto };
|
||||
|
|
|
|||
|
|
@ -3,8 +3,3 @@ typeattribute fsck coredomain;
|
|||
init_daemon_domain(fsck)
|
||||
|
||||
allow fsck metadata_block_device:blk_file rw_file_perms;
|
||||
|
||||
# TODO(b/189165759): move this to microdroid specific sepolicy
|
||||
userdebug_or_eng(`
|
||||
allow fsck vd_device:blk_file rw_file_perms;
|
||||
')
|
||||
|
|
|
|||
|
|
@ -1,31 +0,0 @@
|
|||
# microdroid_launcher is a binary that loads a shared library from an apk and
|
||||
# executes it by calling an entry point in the library. This can be considered
|
||||
# as the native counterpart of app_process for Java.
|
||||
|
||||
type microdroid_launcher, domain, coredomain;
|
||||
type microdroid_launcher_exec, exec_type, file_type, system_file_type;
|
||||
|
||||
# allow executing files on the zipfuse fs
|
||||
# TODO(b/188400186) uncomment the below when the zipfuse is mounted with
|
||||
# fscontext=u:object_r:zipfusefs:s0
|
||||
# allow microdroid_launcher zipfusefs:dir r_dir_perms;
|
||||
# allow microdroid_launcher zipfusefs:file rx_file_perms;
|
||||
# TODO(b/188400186) remove the below two rules
|
||||
userdebug_or_eng(`
|
||||
allow microdroid_launcher fuse:dir r_dir_perms;
|
||||
allow microdroid_launcher fuse:file rx_file_perms;
|
||||
')
|
||||
|
||||
# Allow to communicate use, read and write over the adb connection.
|
||||
allow microdroid_launcher adbd:fd use;
|
||||
allow microdroid_launcher adbd:unix_stream_socket { read write };
|
||||
|
||||
# Allow to use FDs inherited from the shell. This includes the FD opened for
|
||||
# the microdroid_launcher executable itself and the FD for adb connection.
|
||||
# TODO(b/186396070) remove this when this is executed from microdroid_manager
|
||||
userdebug_or_eng(`
|
||||
allow microdroid_launcher shell:fd use;
|
||||
')
|
||||
|
||||
# Allow to use terminal
|
||||
allow microdroid_launcher devpts:chr_file rw_file_perms;
|
||||
|
|
@ -1,30 +0,0 @@
|
|||
# TODO(b/189165759) for moving this to packages/modules/Virtualization
|
||||
# microdroid_manager is a daemon running in the microdroid.
|
||||
|
||||
type microdroid_manager, domain, coredomain;
|
||||
type microdroid_manager_exec, exec_type, file_type, system_file_type;
|
||||
|
||||
# allow domain transition from init
|
||||
init_daemon_domain(microdroid_manager)
|
||||
|
||||
# microdroid_manager accesses /dev/block/by-name/signature which points to
|
||||
# a /dev/vd* block device file.
|
||||
allow microdroid_manager block_device:dir r_dir_perms;
|
||||
allow microdroid_manager block_device:lnk_file r_file_perms;
|
||||
allow microdroid_manager vd_device:blk_file r_file_perms;
|
||||
|
||||
# microdroid_manager start payload task via microdroid_launcher
|
||||
domain_auto_trans(microdroid_manager, microdroid_launcher_exec, microdroid_launcher);
|
||||
|
||||
# Let microdroid_manager exec other files (e.g. payload command) in the same domain.
|
||||
# TODO(b/189706019) we need to a domain for the app process.
|
||||
allow microdroid_manager system_file:file execute_no_trans;
|
||||
# Until then, allow microdroid_manager to execute the shell or other system executables.
|
||||
allow microdroid_manager {shell_exec toolbox_exec}:file rx_file_perms;
|
||||
|
||||
# Let microdroid_manager read a config file from /mnt/apk (fusefs)
|
||||
# TODO(b/188400186) remove the below two rules
|
||||
userdebug_or_eng(`
|
||||
allow microdroid_manager fuse:dir r_dir_perms;
|
||||
allow microdroid_manager fuse:file rx_file_perms;
|
||||
')
|
||||
|
|
@ -191,11 +191,6 @@ get_prop(shell, verity_status_prop)
|
|||
# Allow shell to read Virtual A/B related properties
|
||||
get_prop(shell, virtual_ab_prop)
|
||||
|
||||
# Allow shell to launch microdroid_launcher in its own domain
|
||||
# TODO(b/186396070) remove this when microdroid_manager can do this
|
||||
domain_auto_trans(shell, microdroid_launcher_exec, microdroid_launcher)
|
||||
domain_auto_trans(shell, microdroid_manager_exec, microdroid_manager)
|
||||
|
||||
# Never allow others to set or get the perf.drop_caches property.
|
||||
neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
|
||||
neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;
|
||||
|
|
|
|||
|
|
@ -1,34 +0,0 @@
|
|||
# zipfuse is a FUSE daemon running in the microdroid. It mounts
|
||||
# /dev/block/by-name/microdroid-apk whose content is from an apk file on
|
||||
# /mnt/apk so that the entries in the apk file are seen as regular files. See
|
||||
# packages/modules/Virtualization/zipfuse.
|
||||
|
||||
type zipfuse, domain, coredomain;
|
||||
type zipfuse_exec, exec_type, file_type, system_file_type;
|
||||
|
||||
# allow domain transition from init
|
||||
init_daemon_domain(zipfuse)
|
||||
|
||||
# allow basic rules to implement FUSE
|
||||
allow zipfuse fuse_device:chr_file rw_file_perms;
|
||||
allow zipfuse self:global_capability_class_set sys_admin;
|
||||
|
||||
# allow access to /dev/vd* block device files and also access to the symlinks
|
||||
# /dev/block/by-name/*
|
||||
allow zipfuse block_device:dir r_dir_perms;
|
||||
allow zipfuse block_device:lnk_file r_file_perms;
|
||||
allow zipfuse vd_device:blk_file r_file_perms;
|
||||
|
||||
# allow mounting on /mnt/apk
|
||||
allow zipfuse tmpfs:dir mounton;
|
||||
|
||||
# TODO(b/188400186) uncomment the following when this filesystem is mounted with
|
||||
# fscontext=u:object_r:zipfusefs:s0
|
||||
# type zipfusefs, fs_type, contextmount_type;
|
||||
# allow zipfuse fuse:filesystem relabelfrom;
|
||||
# allow zipfuse zipfusefs:filesystem { mount relabelfrom relabelto };
|
||||
|
||||
# TODO(b/188400186) remove this when this filesystem is mounted with correct fcontext
|
||||
userdebug_or_eng(`
|
||||
allow zipfuse fuse:filesystem mount;
|
||||
')
|
||||
|
|
@ -12,15 +12,6 @@ allowxperm e2fs { userdata_block_device metadata_block_device dm_device }:blk_fi
|
|||
BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
|
||||
};
|
||||
|
||||
# Allow e2fs to format /dev/block/vd*
|
||||
# TODO(b/189165759) move this rule to packages/modules/Virtualization
|
||||
userdebug_or_eng(`
|
||||
allow e2fs vd_device:blk_file rw_file_perms;
|
||||
allowxperm e2fs vd_device:blk_file ioctl {
|
||||
BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
|
||||
};
|
||||
')
|
||||
|
||||
allow e2fs {
|
||||
proc_filesystems
|
||||
proc_mounts
|
||||
|
|
|
|||
Loading…
Reference in a new issue