Add sepolicy rules for microdroid_resources_file

Bug: 287593065 Test: run microdroid with vendor VM Test: builds Change-Id: I8c8fe90a0ed14d6af430206fe947a0f4ce4f68e5
2024-03-12 23:02:37 +00:00 · 2024-03-12 23:02:37 +00:00 · f1d47f78d2
commit f1d47f78d2
parent dfc018f886
4 changed files with 23 additions and 1 deletions
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@ -20,6 +20,8 @@ type e2fs_exec, system_file_type, exec_type, file_type;
 type encryptedstore_file, file_type;
 type encryptedstore_fs, fs_type, contextmount_type;

+type microdroid_resources_file, file_type;
+
 # Filesystem entry for for PRNG seeder socket.
 type prng_seeder_socket, file_type, coredomain_socket;

--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@ -15,7 +15,7 @@
 # Empty directories
 /lost\+found        u:object_r:rootfs:s0
 /debug_ramdisk      u:object_r:tmpfs:s0
-/microdroid_resources u:object_r:tmpfs:s0
+/microdroid_resources(/.*)? u:object_r:microdroid_resources_file:s0
 /mnt                u:object_r:tmpfs:s0
 /proc               u:object_r:rootfs:s0
 /second_stage_resources u:object_r:tmpfs:s0
--- a/microdroid/system/private/kernel.te
+++ b/microdroid/system/private/kernel.te
@ -81,3 +81,10 @@ allow kernel apexd:fd use;

 #-----------------------------------------
 allow kernel apkdmverity:fd use;
+
+# We run restorecon_recursive /microdroid_resources during setup_selinux stage which runs in the
+# kernel domain. This is to avoid granting init weird capabilities like
+# `allow init tmpfs:file relabelfrom;`
+allow kernel microdroid_resources_file:dir { read open search relabelto};
+allow kernel microdroid_resources_file:file relabelto;
+allow kernel tmpfs:file { getattr relabelfrom };
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@ -24,6 +24,19 @@ r_dir_file(microdroid_manager, sysfs_dt_avf)
 # Read config from the open-dice driver.
 allow microdroid_manager open_dice_device:chr_file rw_file_perms;

+# In case Microdroid VM is started with microdroid vendor partition, the first_stage_init
+# will derive a microdroid vendor dice node, and write a resulting dice chain into file
+# with dice_chain_file type, microdroid_manager will need to read it to derive the next chain.
+allow microdroid_manager microdroid_resources_file:file { rw_file_perms unlink };
+# In case dice chain is stored in dice_chain_file microdroid_manager will delete it after deriving
+# the next dice chain.
+allow microdroid_manager microdroid_resources_file:dir { remove_name search write };
+
+# Microdroid manager unmounts /microdroid_resources before starting the payload.
+# This is a defence-in-depth measure to ensure that payload can't read the dice chain stored
+# on /microdroid_resources/dice_chain.raw
+allow microdroid_manager tmpfs:filesystem unmount;
+
 # Block crash dumps to ensure the DICE secrets are not leaked.
 typeattribute microdroid_manager no_crash_dump_domain;