From 85091cd806d7cc3f1d48077145d58ca7c0d9e8b9 Mon Sep 17 00:00:00 2001
From: Inseob Kim
Date: Tue, 22 Mar 2022 21:50:09 +0900
Subject: [PATCH] Allow init to relabelto console_device

Init will try restorecon /dev/console, together with /dev, at the second stage boot.

Bug: 193118220
Test: atest MicrodroidHostTestCases
Change-Id: Ie9796368b54bb0773eabf5ff6feb2b4aa41d0bfa
---
 microdroid/system/private/init.te | 5 +++--
 microdroid/system/private/ueventd.te | 3 ---
 public/init.te | 5 +++--
 3 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index ff75f75b5..708d537ba 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -45,8 +45,9 @@ allow init device:file relabelfrom;
 allow init runtime_event_log_tags_file:file { open write setattr relabelto create };
 # /dev/socket
 allow init { device socket_device dm_user_device }:dir relabelto;
-# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
-allow init { null_device ptmx_device random_device } : chr_file relabelto;
+# Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random
+# and /dev/urandom
+allow init { console_device null_device ptmx_device random_device } : chr_file relabelto;
 # /dev/device-mapper, /dev/block(/.*)?
 allow init tmpfs:{ chr_file blk_file } relabelfrom;
 allow init tmpfs:blk_file getattr;
diff --git a/microdroid/system/private/ueventd.te b/microdroid/system/private/ueventd.te
index c7d9fd61c..a855509d6 100644
--- a/microdroid/system/private/ueventd.te
+++ b/microdroid/system/private/ueventd.te
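Review bot: In the microdroid/system/private/init.te hunk, the comment above `allow init { console_device null_device ptmx_device random_device } : chr_file relabelto;` lists paths, but the rule is a type-level grant: with the context line `allow init tmpfs:{ chr_file blk_file } relabelfrom;` it lets init put the console_device label on any tmpfs-labelled character node, and which node actually receives it is decided by file_contexts, which this patch does not show. Recording that in the comment would help an auditor, for example `# Labels are applied by restorecon of /dev in second-stage init, per file_contexts (b/193118220).` The ueventd.te hunk drops the dontaudit filed under the same bug, so presumably the denial came from /dev/console keeping its tmpfs label; a boot log with no remaining ueventd avc denial would confirm that. The identical comment and rule are added in public/init.te.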
@@ -49,8 +49,5 @@ allow ueventd kernel:key search;
 # ueventd is using bootstrap bionic
 use_bootstrap_libs(ueventd)
-# TODO(b/193118220): find out why this happens.
-dontaudit ueventd tmpfs:chr_file { relabelfrom setattr };
-
 # ueventd sets ro.cold_boot_done to signal to init that cold boot has completed.
 set_prop(ueventd, cold_boot_done_prop)
diff --git a/public/init.te b/public/init.te
index d1f7d90ad..51390387f 100644
--- a/public/init.te
+++ b/public/init.te
@@ -36,8 +36,9 @@ allow init runtime_event_log_tags_file:file { open write setattr relabelto creat
 allow init { device socket_device dm_user_device }:dir relabelto;
 # allow init to establish connection and communicate with lmkd
 unix_socket_connect(init, lmkd, lmkd)
-# Relabel /dev nodes created in first stage init, /dev/null, /dev/ptmx, /dev/random, /dev/urandom
-allow init { null_device ptmx_device random_device } : chr_file relabelto;
+# Relabel /dev nodes created in first stage init: /dev/console, /dev/null, /dev/ptmx, /dev/random
+# and /dev/urandom
+allow init { console_device null_device ptmx_device random_device } : chr_file relabelto;
 # /dev/device-mapper, /dev/block(/.*)?
 allow init tmpfs:{ chr_file blk_file } relabelfrom;
 allow init tmpfs:blk_file getattr;
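Review bot: The public/init.te hunk adds console_device to init's relabelto set in what appears to be the policy shared by all targets, while the commit's Test: line names only MicrodroidHostTestCases. It would help to state whether a regular device or emulator boot was checked for new avc denials, and that the build-time neverallow checks still pass with the wider set. If the platform init also relabels /dev/console during its restorecon of /dev, this is the right place for the rule, and saying so in the commit message would make the intended scope explicit.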