Merge "Introduce vendor_microdroid_file for microdroid vendor image" into main am: e95f3f5bd3

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2831710 Change-Id: If1708562153d678a7d5a816977a44a0faea368a2 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-11-17 02:42:39 +00:00 · 2023-11-17 02:42:39 +00:00 · a43ef400f7
commit a43ef400f7
parent 6696149be8 e95f3f5bd3
8 changed files with 16 additions and 1 deletions
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@ -538,6 +538,8 @@
 /vendor/framework/test                                            vendor_framework_file
 /system/vendor/framework                                          vendor_framework_file
 /system/vendor/framework/test                                     vendor_framework_file
+/vendor/etc/avf/microdroid                                        vendor_microdroid_file
+/vendor/etc/avf/microdroid/test                                   vendor_microdroid_file

 /vendor/apex                                                      vendor_apex_file
 /vendor/apex/test                                                 vendor_apex_file
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@ -27,4 +27,5 @@
    binderfs_logs_stats
    drm_forcel3_prop
    proc_percpu_pagelist_high_fraction
+    vendor_microdroid_file
  ))
--- a/private/crosvm.te
+++ b/private/crosvm.te
@ -27,7 +27,7 @@ allow crosvm virtualizationmanager:fifo_file write;

 # Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
 # (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
-# /data/local/tmp), and instance.img (app_data_file).
+# /data/local/tmp), instance.img (app_data_file), and microdroid vendor image (vendor_microdroid_file).
 # Allow crosvm to read the instance image of the service VM saved in apex_virt_data_file.
 # Note that the open permission is not given as the files are passed as file descriptors.
 allow crosvm {
@ -39,6 +39,7 @@ allow crosvm {
  apex_compos_data_file
  apex_virt_data_file
  shell_data_file
+  vendor_microdroid_file
 }:file { getattr read ioctl lock };

 # Allow searching the directory where the composite disk images are.
@ -126,6 +127,7 @@ full_treble_only(`
    # These types are not required for crosvm, but the access is granted to globally in domain.te
    # thus should be exempted here.
    -vendor_configs_file
+    -vendor_microdroid_file
    -vndk_sp_file
    -vendor_task_profiles_file
  }:file *;
--- a/private/domain.te
+++ b/private/domain.te
@ -610,6 +610,7 @@ full_treble_only(`
    -vendor_apex_file
    -vendor_apex_metadata_file
    -vendor_configs_file
+    -vendor_microdroid_file
    -vendor_service_contexts_file
    -vendor_framework_file
    -vendor_idc_file
--- a/private/file_contexts
+++ b/private/file_contexts
@ -412,6 +412,7 @@
 /(vendor|system/vendor)/etc(/.*)?              u:object_r:vendor_configs_file:s0
 /(vendor|system/vendor)/etc/cgroups\.json      u:object_r:vendor_cgroup_desc_file:s0
 /(vendor|system/vendor)/etc/task_profiles\.json    u:object_r:vendor_task_profiles_file:s0
+/(vendor|system/vendor)/etc/avf/microdroid(/.*)?   u:object_r:vendor_microdroid_file:s0

 /(vendor|system/vendor)/lib(64)?/egl(/.*)?     u:object_r:same_process_hal_file:s0

--- a/private/shell.te
+++ b/private/shell.te
@ -132,6 +132,9 @@ allow shell remount_exec:file rx_file_perms;
 allow shell self:perf_event { open read write kernel };
 neverallow shell self:perf_event ~{ open read write kernel };

+# Allow shell to read microdroid vendor image
+r_dir_file(shell, vendor_microdroid_file)
+
 # Allow shell to read /apex/apex-info-list.xml and the vendor apexes
 allow shell apex_info_file:file r_file_perms;
 allow shell vendor_apex_file:file r_file_perms;
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@ -94,6 +94,9 @@ userdebug_or_eng(`
  allow virtualizationmanager shell_data_file:file open;
 ')

+# Allow virtualizationmanager to read microdroid related files in vendor partition
+r_dir_file(virtualizationmanager, vendor_microdroid_file)
+
 # Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
 r_dir_file(virtualizationmanager, crosvm);

--- a/public/file.te
+++ b/public/file.te
@ -255,6 +255,8 @@ type vendor_public_lib_file, vendor_file_type, file_type;
 # Type for all vendor public libraries for system. These libs should only be exposed to
 # system. ABI stability of these libs is vendor's responsibility.
 type vendor_public_framework_file, vendor_file_type, file_type;
+# Type for all microdroid related files in the vendor partition.
+type vendor_microdroid_file, vendor_file_type, file_type;

 # Input configuration
 type vendor_keylayout_file, vendor_file_type, file_type;