Merge "microdroid: Add support for extra apk files" am: 04a2389d59

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1903974

Change-Id: I6e6327743cc378123eef7d2d7aec3313f5282bcd
Treehugger Robot 2021-12-08 09:21:34 +00:00 committed by Automerger Merge Worker
commit f8fd79c0d3
6 changed files with 23 additions and 0 deletions


@ -4,6 +4,7 @@ allow cgroup_v2 tmpfs:filesystem associate;
allow cgroup_rc_file tmpfs:filesystem associate;
allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
allow dev_type tmpfs:filesystem associate;
allow extra_apk_file zipfusefs:filesystem associate;
allow file_type labeledfs:filesystem associate;
allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate;


@ -171,3 +171,7 @@
# microdroid doesn't use anr, but tombstoned tries to read this.
# So marking /data/anr as tombstone_data_file
/data/anr(/.*)? u:object_r:tombstone_data_file:s0
#############################
# Directory for extra apks
/mnt/extra-apk u:object_r:extra_apk_file:s0
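Review bot: The new file_contexts entry on the last line of the hunk matches only `/mnt/extra-apk` itself, whereas the `/data/anr(/.*)?` entry two lines above covers its whole subtree. Subdirectories that microdroid_manager creates underneath (it is granted `dir create_dir_perms` on extra_apk_file in the microdroid_manager.te hunk) will inherit the parent label at creation time, but a later restorecon of `/mnt` would label them by whatever matches the parent path rather than by this entry. If the per-APK directories are meant to keep the extra_apk_file label regardless, `/mnt/extra-apk(/.*)? u:object_r:extra_apk_file:s0` makes that explicit; if only the mount point is intentionally labeled here, a one-line comment saying so would pre-empt the question.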


@ -77,4 +77,11 @@ set_prop(microdroid_manager, powerctl_prop)
# that is different from what is recorded in the instance.img file.
allow microdroid_manager proc_bootconfig:file r_file_perms;
# Allow microdroid_manager to handle extra_apks
allow microdroid_manager extra_apk_file:dir create_dir_perms;
# Domains other than microdroid can't write extra_apks
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:file no_w_file_perms;
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:dir no_w_dir_perms;
neverallow microdroid_manager { file_type fs_type }:file execute_no_trans;
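Review bot: The comment `# Domains other than microdroid can't write extra_apks` above the neverallow pair does not match the rule it describes, which exempts microdroid_manager, init and vendor_init rather than a `microdroid` domain. The exemption list is also broader than the allow rule just above it, which grants microdroid_manager only `dir create_dir_perms` and no file write at all, so the neverallow is the only place documenting that init/vendor_init are expected to touch this label. I would reword it to `# Only microdroid_manager (plus init/vendor_init) may modify extra_apk_file; APK contents appear via the zipfuse mount, not by writing here` and confirm whether vendor_init actually needs the exemption in microdroid — if no rule grants it, dropping it from the list tightens the invariant at no cost. The rendered hunk shows 8 of the 11 new lines, so blank lines appear to have been lost in rendering.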


@ -39,3 +39,6 @@ allow microdroid_payload vsock_device:chr_file r_file_perms;
allowxperm microdroid_payload vsock_device:chr_file ioctl {
IOCTL_VM_SOCKETS_GET_LOCAL_CID
};
# Payload can read extra apks
r_dir_file(microdroid_payload, extra_apk_file)
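Review bot: `r_dir_file(microdroid_payload, extra_apk_file)` on the last line gives the payload read, open, getattr and (with current macros) map on extra APK files but not `execute`, so native code inside an extra APK could be mapped for reading yet not executed directly from that label, and the hunk does not say whether that is the intended hardening or an omission. If it is deliberate, a comment such as `# Payload can read extra apks (no execute: code is not run straight from the extra_apk_file label)` records the invariant; if the payload is expected to dlopen libraries out of these APKs, an explicit `execute` grant and a matching decision on the neverallow side are needed. No write permission is granted here, which is consistent with the neverallow in microdroid_manager.te.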


@ -37,9 +37,16 @@ allow system_file zipfusefs:filesystem associate;
# allow zipfuse to log to the kernel
allow zipfuse kmsg_device:chr_file w_file_perms;
# allow zipfuse to handle extra apks
r_dir_file(zipfuse, extra_apk_file)
allow zipfuse extra_apk_file:dir mounton;
# zipfuse is forked from microdroid_manager
# TODO(inseob): remove this
allow zipfuse microdroid_manager:fd use;
# Only microdroid_manager can run zipfuse
neverallow { domain -microdroid_manager } zipfuse:process { transition dyntransition };
# only zipfuse can mount on extra_apk_file
neverallow { domain -zipfuse } extra_apk_file:dir mounton;
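Review bot: The `allow zipfuse microdroid_manager:fd use;` line carries a bare `TODO(inseob): remove this` with no condition for when it can go; since the comment above it says zipfuse is forked from microdroid_manager, the grant presumably exists only to cover descriptors inherited across that fork. Spelling that out tells the next maintainer when the TODO is satisfied: `# TODO(inseob): remove once zipfuse no longer inherits fds from microdroid_manager`. The two neverallows at the end of the hunk pin who may enter the zipfuse domain and who may mount on extra_apk_file, which is the right shape; if `unmount` on zipfusefs is not already constrained elsewhere in this file, a third neverallow in the same style would complete the set, but that is outside this hunk.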


@ -10,6 +10,7 @@ type authfs_data_file, file_type, data_file_type, core_data_file_type;
type cgroup_desc_api_file, file_type, system_file_type;
type cgroup_desc_file, file_type, system_file_type;
type cgroup_rc_file, file_type;
type extra_apk_file, file_type;
type file_contexts_file, file_type, system_file_type;
type hwservice_contexts_file, file_type, system_file_type;
type keystore2_key_contexts_file, file_type, system_file_type;