tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Allow microdroid_manager to create a /apex/* file

Browse source 
Microdroid_manager needs to pass APEX pubkeys to APEXd. Since the data
is too big for a system property, it creates a file
/apex/vm-payload-metadata so that APEXd reads/uses it.

Bug: 199371341
Test: MicrodroidHostTestCases
Change-Id: Iaf2b4fc08b36610032d9c339f787e5e34994448b
This commit is contained in:
Jooyung Han 2021-09-10 17:21:47 +09:00
parent f19cd64a0e
commit 6e60287a1f
1 changed files with 5 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
microdroid/system/private/microdroid_manager.te
View file

@ -37,6 +37,11 @@ allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
allow microdroid_manager system_bootstrap_lib_file:dir r_dir_perms; allow microdroid_manager system_bootstrap_lib_file:dir r_dir_perms;
allow microdroid_manager system_bootstrap_lib_file:file { execute read open getattr map }; allow microdroid_manager system_bootstrap_lib_file:file { execute read open getattr map };
# microdroid_manager create /apex/vm-payload-metadata for apexd
# TODO(b/199371341) create a new label for the file so that only microdroid_manager can create it.
allow microdroid_manager apex_mnt_dir:dir w_dir_perms;
allow microdroid_manager apex_mnt_dir:file create_file_perms;
# Allow microdroid_manager to ioctl /dev/vsock. # Allow microdroid_manager to ioctl /dev/vsock.
# TODO(b/191845268): remove the below rules # TODO(b/191845268): remove the below rules
allow microdroid_manager device:chr_file r_file_perms; allow microdroid_manager device:chr_file r_file_perms;