Remove microdroid specific rules and files
These are moved to packages/modules/Virtualization. Bug: 189165759 Test: boot device and microdroid Test: atest MicrodroidHostTestCases Change-Id: I050add7fef56ced4787117f338e7b5d1fda1c193
parent
cf6a7e9821
commit
5d269aaa55
8 changed files with 0 additions and 176 deletions
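--- a/Android.bp
+++ b/Android.bp
@@ -927,63 +927,3 @@ se_policy_conf {
 cts: true,
 exclude_build_test: true,
 }
-
-//////////////////////////////////
-// modules for microdroid
-//////////////////////////////////
-
-// microdroid's system sepolicy is almost identical to host's system sepolicy, except that
-// microdroid doesn't have system_ext and product. So microdroid's plat_pub_versioned.cil is
-// generated with plat_pub_policy.cil (exported system), not pub_policy.cil (exported system +
-// system_ext + product). Other two files, plat_sepolicy.cil and plat_mapping_file, are copied from
-// host's files.
-se_versioned_policy {
-name: "microdroid_plat_pub_versioned.cil",
-stem: "plat_pub_versioned.cil",
-base: ":plat_pub_policy.cil",
-target_policy: ":plat_pub_policy.cil",
-version: "current",
-dependent_cils: [
-":plat_sepolicy.cil",
-":plat_mapping_file",
-],
-installable: false,
-}
-
-// microdroid's vendor sepolicy is a minimalized sepolicy needed for microdroid to boot. It just
-// contains system/sepolicy/public and system/sepolicy/vendor.
-se_policy_conf {
-name: "microdroid_vendor_sepolicy.conf",
-srcs: [":se_build_files{.plat_vendor}"],
-installable: false,
-}
-
-se_policy_cil {
-name: "microdroid_vendor_sepolicy.cil.raw",
-src: ":microdroid_vendor_sepolicy.conf",
-filter_out: [":reqd_policy_mask.cil"],
-secilc_check: false, // will be done in se_versioned_policy module
-installable: false,
-}
-
-se_versioned_policy {
-name: "microdroid_vendor_sepolicy.cil",
-stem: "vendor_sepolicy.cil",
-base: ":plat_pub_policy.cil",
-target_policy: ":microdroid_vendor_sepolicy.cil.raw",
-version: "current", // microdroid is bundled to system
-dependent_cils: [
-":plat_sepolicy.cil",
-":microdroid_plat_pub_versioned.cil",
-":plat_mapping_file",
-],
-filter_out: [":microdroid_plat_pub_versioned.cil"],
-installable: false,
-}
-
-sepolicy_vers {
-name: "microdroid_plat_sepolicy_vers.txt",
-version: "platform",
-stem: "plat_sepolicy_vers.txt",
-installable: false,
-}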
@ -216,7 +216,6 @@ neverallow {
|
||||||
-appdomain # for oemfs
|
-appdomain # for oemfs
|
||||||
-bootanim # for oemfs
|
-bootanim # for oemfs
|
||||||
-recovery # for /tmp/update_binary in tmpfs
|
-recovery # for /tmp/update_binary in tmpfs
|
||||||
userdebug_or_eng(`-microdroid_launcher -microdroid_manager') # for executing shared libs on /mnt/apk in Microdroid
|
|
||||||
} { fs_type -rootfs }:file execute;
|
} { fs_type -rootfs }:file execute;
|
||||||
|
|
||||||
#
|
#
|
||||||
|
@ -368,7 +367,6 @@ neverallow {
|
||||||
-update_engine
|
-update_engine
|
||||||
-vold
|
-vold
|
||||||
-zygote
|
-zygote
|
||||||
-zipfuse
|
|
||||||
} { fs_type
|
} { fs_type
|
||||||
-sdcard_type
|
-sdcard_type
|
||||||
}:filesystem { mount remount relabelfrom relabelto };
|
}:filesystem { mount remount relabelfrom relabelto };
|
||||||
|
|
|
@ -3,8 +3,3 @@ typeattribute fsck coredomain;
|
||||||
init_daemon_domain(fsck)
|
init_daemon_domain(fsck)
|
||||||
|
|
||||||
allow fsck metadata_block_device:blk_file rw_file_perms;
|
allow fsck metadata_block_device:blk_file rw_file_perms;
|
||||||
|
|
||||||
# TODO(b/189165759): move this to microdroid specific sepolicy
|
|
||||||
userdebug_or_eng(`
|
|
||||||
allow fsck vd_device:blk_file rw_file_perms;
|
|
||||||
')
|
|
||||||
|
|
|
@ -1,31 +0,0 @@
|
||||||
# microdroid_launcher is a binary that loads a shared library from an apk and
|
|
||||||
# executes it by calling an entry point in the library. This can be considered
|
|
||||||
# as the native counterpart of app_process for Java.
|
|
||||||
|
|
||||||
type microdroid_launcher, domain, coredomain;
|
|
||||||
type microdroid_launcher_exec, exec_type, file_type, system_file_type;
|
|
||||||
|
|
||||||
# allow executing files on the zipfuse fs
|
|
||||||
# TODO(b/188400186) uncomment the below when the zipfuse is mounted with
|
|
||||||
# fscontext=u:object_r:zipfusefs:s0
|
|
||||||
# allow microdroid_launcher zipfusefs:dir r_dir_perms;
|
|
||||||
# allow microdroid_launcher zipfusefs:file rx_file_perms;
|
|
||||||
# TODO(b/188400186) remove the below two rules
|
|
||||||
userdebug_or_eng(`
|
|
||||||
allow microdroid_launcher fuse:dir r_dir_perms;
|
|
||||||
allow microdroid_launcher fuse:file rx_file_perms;
|
|
||||||
')
|
|
||||||
|
|
||||||
# Allow to communicate use, read and write over the adb connection.
|
|
||||||
allow microdroid_launcher adbd:fd use;
|
|
||||||
allow microdroid_launcher adbd:unix_stream_socket { read write };
|
|
||||||
|
|
||||||
# Allow to use FDs inherited from the shell. This includes the FD opened for
|
|
||||||
# the microdroid_launcher executable itself and the FD for adb connection.
|
|
||||||
# TODO(b/186396070) remove this when this is executed from microdroid_manager
|
|
||||||
userdebug_or_eng(`
|
|
||||||
allow microdroid_launcher shell:fd use;
|
|
||||||
')
|
|
||||||
|
|
||||||
# Allow to use terminal
|
|
||||||
allow microdroid_launcher devpts:chr_file rw_file_perms;
|
|
|
@ -1,30 +0,0 @@
|
||||||
# TODO(b/189165759) for moving this to packages/modules/Virtualization
|
|
||||||
# microdroid_manager is a daemon running in the microdroid.
|
|
||||||
|
|
||||||
type microdroid_manager, domain, coredomain;
|
|
||||||
type microdroid_manager_exec, exec_type, file_type, system_file_type;
|
|
||||||
|
|
||||||
# allow domain transition from init
|
|
||||||
init_daemon_domain(microdroid_manager)
|
|
||||||
|
|
||||||
# microdroid_manager accesses /dev/block/by-name/signature which points to
|
|
||||||
# a /dev/vd* block device file.
|
|
||||||
allow microdroid_manager block_device:dir r_dir_perms;
|
|
||||||
allow microdroid_manager block_device:lnk_file r_file_perms;
|
|
||||||
allow microdroid_manager vd_device:blk_file r_file_perms;
|
|
||||||
|
|
||||||
# microdroid_manager start payload task via microdroid_launcher
|
|
||||||
domain_auto_trans(microdroid_manager, microdroid_launcher_exec, microdroid_launcher);
|
|
||||||
|
|
||||||
# Let microdroid_manager exec other files (e.g. payload command) in the same domain.
|
|
||||||
# TODO(b/189706019) we need to a domain for the app process.
|
|
||||||
allow microdroid_manager system_file:file execute_no_trans;
|
|
||||||
# Until then, allow microdroid_manager to execute the shell or other system executables.
|
|
||||||
allow microdroid_manager {shell_exec toolbox_exec}:file rx_file_perms;
|
|
||||||
|
|
||||||
# Let microdroid_manager read a config file from /mnt/apk (fusefs)
|
|
||||||
# TODO(b/188400186) remove the below two rules
|
|
||||||
userdebug_or_eng(`
|
|
||||||
allow microdroid_manager fuse:dir r_dir_perms;
|
|
||||||
allow microdroid_manager fuse:file rx_file_perms;
|
|
||||||
')
|
|
|
@ -191,11 +191,6 @@ get_prop(shell, verity_status_prop)
|
||||||
# Allow shell to read Virtual A/B related properties
|
# Allow shell to read Virtual A/B related properties
|
||||||
get_prop(shell, virtual_ab_prop)
|
get_prop(shell, virtual_ab_prop)
|
||||||
|
|
||||||
# Allow shell to launch microdroid_launcher in its own domain
|
|
||||||
# TODO(b/186396070) remove this when microdroid_manager can do this
|
|
||||||
domain_auto_trans(shell, microdroid_launcher_exec, microdroid_launcher)
|
|
||||||
domain_auto_trans(shell, microdroid_manager_exec, microdroid_manager)
|
|
||||||
|
|
||||||
# Never allow others to set or get the perf.drop_caches property.
|
# Never allow others to set or get the perf.drop_caches property.
|
||||||
neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
|
neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
|
||||||
neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;
|
neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;
|
||||||
|
|
|
@ -1,34 +0,0 @@
|
||||||
# zipfuse is a FUSE daemon running in the microdroid. It mounts
|
|
||||||
# /dev/block/by-name/microdroid-apk whose content is from an apk file on
|
|
||||||
# /mnt/apk so that the entries in the apk file are seen as regular files. See
|
|
||||||
# packages/modules/Virtualization/zipfuse.
|
|
||||||
|
|
||||||
type zipfuse, domain, coredomain;
|
|
||||||
type zipfuse_exec, exec_type, file_type, system_file_type;
|
|
||||||
|
|
||||||
# allow domain transition from init
|
|
||||||
init_daemon_domain(zipfuse)
|
|
||||||
|
|
||||||
# allow basic rules to implement FUSE
|
|
||||||
allow zipfuse fuse_device:chr_file rw_file_perms;
|
|
||||||
allow zipfuse self:global_capability_class_set sys_admin;
|
|
||||||
|
|
||||||
# allow access to /dev/vd* block device files and also access to the symlinks
|
|
||||||
# /dev/block/by-name/*
|
|
||||||
allow zipfuse block_device:dir r_dir_perms;
|
|
||||||
allow zipfuse block_device:lnk_file r_file_perms;
|
|
||||||
allow zipfuse vd_device:blk_file r_file_perms;
|
|
||||||
|
|
||||||
# allow mounting on /mnt/apk
|
|
||||||
allow zipfuse tmpfs:dir mounton;
|
|
||||||
|
|
||||||
# TODO(b/188400186) uncomment the following when this filesystem is mounted with
|
|
||||||
# fscontext=u:object_r:zipfusefs:s0
|
|
||||||
# type zipfusefs, fs_type, contextmount_type;
|
|
||||||
# allow zipfuse fuse:filesystem relabelfrom;
|
|
||||||
# allow zipfuse zipfusefs:filesystem { mount relabelfrom relabelto };
|
|
||||||
|
|
||||||
# TODO(b/188400186) remove this when this filesystem is mounted with correct fcontext
|
|
||||||
userdebug_or_eng(`
|
|
||||||
allow zipfuse fuse:filesystem mount;
|
|
||||||
')
|
|
|
@ -12,15 +12,6 @@ allowxperm e2fs { userdata_block_device metadata_block_device dm_device }:blk_fi
|
||||||
BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
|
BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
|
||||||
};
|
};
|
||||||
|
|
||||||
# Allow e2fs to format /dev/block/vd*
|
|
||||||
# TODO(b/189165759) move this rule to packages/modules/Virtualization
|
|
||||||
userdebug_or_eng(`
|
|
||||||
allow e2fs vd_device:blk_file rw_file_perms;
|
|
||||||
allowxperm e2fs vd_device:blk_file ioctl {
|
|
||||||
BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
|
|
||||||
};
|
|
||||||
')
|
|
||||||
|
|
||||||
allow e2fs {
|
allow e2fs {
|
||||||
proc_filesystems
|
proc_filesystems
|
||||||
proc_mounts
|
proc_mounts
|
||||||
|
|