Remove microdroid specific rules and files

These are moved to packages/modules/Virtualization.

Bug: 189165759
Test: boot device and microdroid
Test: atest MicrodroidHostTestCases
Change-Id: I050add7fef56ced4787117f338e7b5d1fda1c193
Inseob Kim 2021-06-04 23:15:44 +09:00
parent cf6a7e9821
commit 5d269aaa55
8 changed files with 0 additions and 176 deletions


@ -927,63 +927,3 @@ se_policy_conf {
cts: true, cts: true,
exclude_build_test: true, exclude_build_test: true,
} }
//////////////////////////////////
// modules for microdroid
//////////////////////////////////
// microdroid's system sepolicy is almost identical to host's system sepolicy, except that
// microdroid doesn't have system_ext and product. So microdroid's plat_pub_versioned.cil is
// generated with plat_pub_policy.cil (exported system), not pub_policy.cil (exported system +
// system_ext + product). Other two files, plat_sepolicy.cil and plat_mapping_file, are copied from
// host's files.
se_versioned_policy {
name: "microdroid_plat_pub_versioned.cil",
stem: "plat_pub_versioned.cil",
base: ":plat_pub_policy.cil",
target_policy: ":plat_pub_policy.cil",
version: "current",
dependent_cils: [
":plat_sepolicy.cil",
":plat_mapping_file",
],
installable: false,
}
// microdroid's vendor sepolicy is a minimalized sepolicy needed for microdroid to boot. It just
// contains system/sepolicy/public and system/sepolicy/vendor.
se_policy_conf {
name: "microdroid_vendor_sepolicy.conf",
srcs: [":se_build_files{.plat_vendor}"],
installable: false,
}
se_policy_cil {
name: "microdroid_vendor_sepolicy.cil.raw",
src: ":microdroid_vendor_sepolicy.conf",
filter_out: [":reqd_policy_mask.cil"],
secilc_check: false, // will be done in se_versioned_policy module
installable: false,
}
se_versioned_policy {
name: "microdroid_vendor_sepolicy.cil",
stem: "vendor_sepolicy.cil",
base: ":plat_pub_policy.cil",
target_policy: ":microdroid_vendor_sepolicy.cil.raw",
version: "current", // microdroid is bundled to system
dependent_cils: [
":plat_sepolicy.cil",
":microdroid_plat_pub_versioned.cil",
":plat_mapping_file",
],
filter_out: [":microdroid_plat_pub_versioned.cil"],
installable: false,
}
sepolicy_vers {
name: "microdroid_plat_sepolicy_vers.txt",
version: "platform",
stem: "plat_sepolicy_vers.txt",
installable: false,
}


@ -216,7 +216,6 @@ neverallow {
-appdomain # for oemfs -appdomain # for oemfs
-bootanim # for oemfs -bootanim # for oemfs
-recovery # for /tmp/update_binary in tmpfs -recovery # for /tmp/update_binary in tmpfs
userdebug_or_eng(`-microdroid_launcher -microdroid_manager') # for executing shared libs on /mnt/apk in Microdroid
} { fs_type -rootfs }:file execute; } { fs_type -rootfs }:file execute;
# #
@ -368,7 +367,6 @@ neverallow {
-update_engine -update_engine
-vold -vold
-zygote -zygote
-zipfuse
} { fs_type } { fs_type
-sdcard_type -sdcard_type
}:filesystem { mount remount relabelfrom relabelto }; }:filesystem { mount remount relabelfrom relabelto };


@ -3,8 +3,3 @@ typeattribute fsck coredomain;
init_daemon_domain(fsck) init_daemon_domain(fsck)
allow fsck metadata_block_device:blk_file rw_file_perms; allow fsck metadata_block_device:blk_file rw_file_perms;
# TODO(b/189165759): move this to microdroid specific sepolicy
userdebug_or_eng(`
allow fsck vd_device:blk_file rw_file_perms;
')


@ -1,31 +0,0 @@
# microdroid_launcher is a binary that loads a shared library from an apk and
# executes it by calling an entry point in the library. This can be considered
# as the native counterpart of app_process for Java.
type microdroid_launcher, domain, coredomain;
type microdroid_launcher_exec, exec_type, file_type, system_file_type;
# allow executing files on the zipfuse fs
# TODO(b/188400186) uncomment the below when the zipfuse is mounted with
# fscontext=u:object_r:zipfusefs:s0
# allow microdroid_launcher zipfusefs:dir r_dir_perms;
# allow microdroid_launcher zipfusefs:file rx_file_perms;
# TODO(b/188400186) remove the below two rules
userdebug_or_eng(`
allow microdroid_launcher fuse:dir r_dir_perms;
allow microdroid_launcher fuse:file rx_file_perms;
')
# Allow to communicate use, read and write over the adb connection.
allow microdroid_launcher adbd:fd use;
allow microdroid_launcher adbd:unix_stream_socket { read write };
# Allow to use FDs inherited from the shell. This includes the FD opened for
# the microdroid_launcher executable itself and the FD for adb connection.
# TODO(b/186396070) remove this when this is executed from microdroid_manager
userdebug_or_eng(`
allow microdroid_launcher shell:fd use;
')
# Allow to use terminal
allow microdroid_launcher devpts:chr_file rw_file_perms;


@ -1,30 +0,0 @@
# TODO(b/189165759) for moving this to packages/modules/Virtualization
# microdroid_manager is a daemon running in the microdroid.
type microdroid_manager, domain, coredomain;
type microdroid_manager_exec, exec_type, file_type, system_file_type;
# allow domain transition from init
init_daemon_domain(microdroid_manager)
# microdroid_manager accesses /dev/block/by-name/signature which points to
# a /dev/vd* block device file.
allow microdroid_manager block_device:dir r_dir_perms;
allow microdroid_manager block_device:lnk_file r_file_perms;
allow microdroid_manager vd_device:blk_file r_file_perms;
# microdroid_manager start payload task via microdroid_launcher
domain_auto_trans(microdroid_manager, microdroid_launcher_exec, microdroid_launcher);
# Let microdroid_manager exec other files (e.g. payload command) in the same domain.
# TODO(b/189706019) we need to a domain for the app process.
allow microdroid_manager system_file:file execute_no_trans;
# Until then, allow microdroid_manager to execute the shell or other system executables.
allow microdroid_manager {shell_exec toolbox_exec}:file rx_file_perms;
# Let microdroid_manager read a config file from /mnt/apk (fusefs)
# TODO(b/188400186) remove the below two rules
userdebug_or_eng(`
allow microdroid_manager fuse:dir r_dir_perms;
allow microdroid_manager fuse:file rx_file_perms;
')


@ -191,11 +191,6 @@ get_prop(shell, verity_status_prop)
# Allow shell to read Virtual A/B related properties # Allow shell to read Virtual A/B related properties
get_prop(shell, virtual_ab_prop) get_prop(shell, virtual_ab_prop)
# Allow shell to launch microdroid_launcher in its own domain
# TODO(b/186396070) remove this when microdroid_manager can do this
domain_auto_trans(shell, microdroid_launcher_exec, microdroid_launcher)
domain_auto_trans(shell, microdroid_manager_exec, microdroid_manager)
# Never allow others to set or get the perf.drop_caches property. # Never allow others to set or get the perf.drop_caches property.
neverallow { domain -shell -init } perf_drop_caches_prop:property_service set; neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read; neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;


@ -1,34 +0,0 @@
# zipfuse is a FUSE daemon running in the microdroid. It mounts
# /dev/block/by-name/microdroid-apk whose content is from an apk file on
# /mnt/apk so that the entries in the apk file are seen as regular files. See
# packages/modules/Virtualization/zipfuse.
type zipfuse, domain, coredomain;
type zipfuse_exec, exec_type, file_type, system_file_type;
# allow domain transition from init
init_daemon_domain(zipfuse)
# allow basic rules to implement FUSE
allow zipfuse fuse_device:chr_file rw_file_perms;
allow zipfuse self:global_capability_class_set sys_admin;
# allow access to /dev/vd* block device files and also access to the symlinks
# /dev/block/by-name/*
allow zipfuse block_device:dir r_dir_perms;
allow zipfuse block_device:lnk_file r_file_perms;
allow zipfuse vd_device:blk_file r_file_perms;
# allow mounting on /mnt/apk
allow zipfuse tmpfs:dir mounton;
# TODO(b/188400186) uncomment the following when this filesystem is mounted with
# fscontext=u:object_r:zipfusefs:s0
# type zipfusefs, fs_type, contextmount_type;
# allow zipfuse fuse:filesystem relabelfrom;
# allow zipfuse zipfusefs:filesystem { mount relabelfrom relabelto };
# TODO(b/188400186) remove this when this filesystem is mounted with correct fcontext
userdebug_or_eng(`
allow zipfuse fuse:filesystem mount;
')


@ -12,15 +12,6 @@ allowxperm e2fs { userdata_block_device metadata_block_device dm_device }:blk_fi
BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
}; };
# Allow e2fs to format /dev/block/vd*
# TODO(b/189165759) move this rule to packages/modules/Virtualization
userdebug_or_eng(`
allow e2fs vd_device:blk_file rw_file_perms;
allowxperm e2fs vd_device:blk_file ioctl {
BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
};
')
allow e2fs { allow e2fs {
proc_filesystems proc_filesystems
proc_mounts proc_mounts