Add microdroid sepolicy test support

MicrodroidHostTestCases will pull the VM's sepolicy and check it against system/sepolicy/microdroid's neverallow rules, using sepolicy-analyze tool. Bug: 218461215 Test: atest MicrodroidHostTestCases Change-Id: I62a69053996b71d69dd2bf6b7eabc8b701095477
2022-02-09 23:28:20 +09:00 · 2022-02-09 23:28:20 +09:00 · 74caef3591
commit 74caef3591
parent 6c5fa54a8b
2 changed files with 13 additions and 0 deletions
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@ -280,3 +280,11 @@ prebuilt_etc {
    relative_install_path: "selinux",
    installable: false,
 }
+
+// For CTS
+se_policy_conf {
+    name: "microdroid_general_sepolicy.conf",
+    srcs: system_policy_files,
+    exclude_build_test: true,
+    installable: false,
+}
--- a/microdroid/system/private/adbd.te
+++ b/microdroid/system/private/adbd.te
@ -48,6 +48,11 @@ set_prop(adbd, shell_prop)
 # Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
 set_prop(adbd, adbd_prop)

+# Allow pulling the SELinux policy for CTS purposes
+allow adbd selinuxfs:dir r_dir_perms;
+allow adbd selinuxfs:file r_file_perms;
+allow adbd kernel:security read_policy;
+
 # adbd tries to run mdnsd, but mdnsd doesn't exist. Just dontaudit ctl permissions.
 # TODO(b/200902288): patch adb and remove this rule
 dontaudit adbd { ctl_default_prop ctl_start_prop }:property_service set;