Merge "microdroid: Add support for extra apk files" am: 04a2389d59
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1903974 Change-Id: I6e6327743cc378123eef7d2d7aec3313f5282bcd
This commit is contained in:
commit
f8fd79c0d3
6 changed files with 23 additions and 0 deletions
|
@ -4,6 +4,7 @@ allow cgroup_v2 tmpfs:filesystem associate;
|
|||
allow cgroup_rc_file tmpfs:filesystem associate;
|
||||
allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
|
||||
allow dev_type tmpfs:filesystem associate;
|
||||
allow extra_apk_file zipfusefs:filesystem associate;
|
||||
allow file_type labeledfs:filesystem associate;
|
||||
allow file_type tmpfs:filesystem associate;
|
||||
allow file_type rootfs:filesystem associate;
|
||||
|
|
|
@ -171,3 +171,7 @@
|
|||
# microdroid doesn't use anr, but tombstoned tries to read this.
|
||||
# So marking /data/anr as tombstone_data_file
|
||||
/data/anr(/.*)? u:object_r:tombstone_data_file:s0
|
||||
|
||||
#############################
|
||||
# Directory for extra apks
|
||||
/mnt/extra-apk u:object_r:extra_apk_file:s0
|
||||
|
|
|
@ -77,4 +77,11 @@ set_prop(microdroid_manager, powerctl_prop)
|
|||
# that is different from what is recorded in the instance.img file.
|
||||
allow microdroid_manager proc_bootconfig:file r_file_perms;
|
||||
|
||||
# Allow microdroid_manager to handle extra_apks
|
||||
allow microdroid_manager extra_apk_file:dir create_dir_perms;
|
||||
|
||||
# Domains other than microdroid can't write extra_apks
|
||||
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:file no_w_file_perms;
|
||||
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:dir no_w_dir_perms;
|
||||
|
||||
neverallow microdroid_manager { file_type fs_type }:file execute_no_trans;
|
||||
|
|
|
@ -39,3 +39,6 @@ allow microdroid_payload vsock_device:chr_file r_file_perms;
|
|||
allowxperm microdroid_payload vsock_device:chr_file ioctl {
|
||||
IOCTL_VM_SOCKETS_GET_LOCAL_CID
|
||||
};
|
||||
|
||||
# Payload can read extra apks
|
||||
r_dir_file(microdroid_payload, extra_apk_file)
|
||||
|
|
|
@ -37,9 +37,16 @@ allow system_file zipfusefs:filesystem associate;
|
|||
# allow zipfuse to log to the kernel
|
||||
allow zipfuse kmsg_device:chr_file w_file_perms;
|
||||
|
||||
# allow zipfuse to handle extra apks
|
||||
r_dir_file(zipfuse, extra_apk_file)
|
||||
allow zipfuse extra_apk_file:dir mounton;
|
||||
|
||||
# zipfuse is forked from microdroid_manager
|
||||
# TODO(inseob): remove this
|
||||
allow zipfuse microdroid_manager:fd use;
|
||||
|
||||
# Only microdroid_manager can run zipfuse
|
||||
neverallow { domain -microdroid_manager } zipfuse:process { transition dyntransition };
|
||||
|
||||
# only zipfuse can mount on extra_apk_file
|
||||
neverallow { domain -zipfuse } extra_apk_file:dir mounton;
|
||||
|
|
|
@ -10,6 +10,7 @@ type authfs_data_file, file_type, data_file_type, core_data_file_type;
|
|||
type cgroup_desc_api_file, file_type, system_file_type;
|
||||
type cgroup_desc_file, file_type, system_file_type;
|
||||
type cgroup_rc_file, file_type;
|
||||
type extra_apk_file, file_type;
|
||||
type file_contexts_file, file_type, system_file_type;
|
||||
type hwservice_contexts_file, file_type, system_file_type;
|
||||
type keystore2_key_contexts_file, file_type, system_file_type;
|
||||
|
|
Loading…
Reference in a new issue