The denial is correct, but is causing test failures. However it
appears to be harmless and VMs are operating just fine.
Suppress it until the correct policy is ready.
Bug: 306516077
Test: atest MicrodroidHostTests
Change-Id: I5d8545add4927c2521c3d4e9dc2b5bedb91c0f45
This is in host sepolicy, looked like we pruned it because we didn't
need it - but now we do.
Bug: 297019386
Test: Run VM with encrypted storage, no denials
Change-Id: I6cd5f6bf98e9089ef7c3945c29242daea527592f
Allow Microdroid Manager to setuid/setgid when spawning Microdroid
Launcher.
Allow encryptedstore binary to chmod the root directory.
Also added some neverallow rules, because I was surprised that I
didn't trigger one.
Bug: 296393106
Test: atest MicrodroidTests
Change-Id: I1f224d59548162d0b36c2c9f32710db2c2da5869
While searching the policy I came across some ancient TODOs, which can
now be done.
Bug: 186396070
Test: atest MicrodroidTests MicrodroidHostTests
Test: Manually run vm_shell start-microdroid
Change-Id: I21b9f992394b637399cc074dca8339e3167cf5af
The first serial device of the VM can be made bi-directional. When it is
used as an output device, it's via /dev/kmsg. microdroid_payload already
has a write access to it. When it is used as an input device, it's via
/dev/console. Grant microdroid_payload read access to the device.
Bug: 263360203
Test: atest MicrodroidTestApp:com.android.microdroid.test.MicrodroidTests#testConsoleInputSupported
Change-Id: Ief039d06ffbddee1e254d662a6c1f321a607d5f5
The main motivation is to reduce log spams.
Bug: 268333203
Test: atest MicrodroidTests MicrodroidHostTestCases
Change-Id: Idffdcd7d543590d8c580b2282098d3abd8214f86
These were unnecessarily lax. Some additional places
additionally exclude only the generic proc type, but
we don't care about those places.
Bug: 281877578
Test: boot
Change-Id: I9ebf410c12a41888ab1f5ecc21c95c34fc36c0d0
ueventd needs access to device-mapper to fix a race condition in symlink
creation. When device-mapper uevents are received, we historically read
the uuid and name from sysfs. However it turns out sysfs may not be
fully populated at that time. It is more reliable to read this
information directly from device-mapper.
Bug: 270183812
Test: libdm_test, treehugger
Change-Id: I36b9b460a0fa76a37950d3672bd21b1c885a5069
Commit 22fb5c7d24 migrated from property
types to attributes in some Microdroid rules, but omitted to
associated the attribute with the relevant types. So we fix that.
Bug: 274530433
Bug: 275469579
Bug: 276895565
Test: Will schedule a test run
Change-Id: I11194be9d1e352fa456c24a3b5784c18ccc03a69
This change gives a new type (dalvik_dynamic_config_prop) to some ART
properties such as dalvik.vm.dex2oat-cpu-set and adds a new rule to
allow system server to set them.
Bug: 274530433
Test: Locally added some code to set those properties and saw it being
successfull.
Change-Id: Ie28602e9039b7647656594ce5c184d29778fa089
We still had policy for devices which do not currently exist in
Microdroid. Remove the unused types and all references to them in the
policy, since they have no effect and just bloat the policy.
While I'm here, delete all the bug_map entries. We don't use the
bug_map in Microdroid, and this is just an outdated snapshot from host
policy.
Bug: 274752167
Test: atest MicrodroidTests
Test: composd-cmd test-compile
Change-Id: I3ab90f8e3517c41eff0052a0c8f6610fa35ccdcb
Note: this is a somewhat minimal set of rules required to be able to
capture traces on Microdroid. After the trace is captured I still see a
bunch of SELinux denials. We might need to add more allow rules in the
follow up changes.
Bug: 249050813
Test: boot Microdroid VM, capture traces with record_android_traces
Change-Id: I62098fb79a8db65706a5bb28c8acce7ff3821f15
Change1# Add property export_tombstones.enabled - This is set by
microdroid_manager to indicate that tombstones in Microdroid be exported
out to host. This read by crash_dump (specifically tombstone_handler).
Change2# allow crash_dump to create/connect/write on vsock.
Change3# Deleting rules/domain related to tombstoned &
tombstone_transmit in Microdroid.
Test: atest MicrodroidHostTests#testTombstonesAreGeneratedUponUserspaceCrash
Test: Look for selinux denials in log
Bug: 243494912
Change-Id: Ibd607eb11202d492bcb0c4ba40a6888683420fb9
I noticed a bunch of denials in the logs like this:
avc: denied { read } for pid=187 comm="dex2oat64"
name="u:object_r:device_config_runtime_native_boot_prop:s0"
dev="tmpfs" ino=76 scontext=u:r:dex2oat:s0
tcontext=u:object_r:device_config_runtime_native_boot_prop:s0
tclass=file permissive=0
But we actually want to be able to access these properties.
Bug: 264496291
Test: atest android.compos.test.ComposTestCase#testOdrefreshSpeed
Change-Id: I6ce8ee74a1024a9ddd6ef91e73111d68da878899
This type doesn't exist in Microdroid.
Bug: 266871002
Test: m SANITIZE_TARGET=address com.android.virt
Change-Id: I2ca6db9669eafc4037bbf87bdcff60935893d93f
Microdroid Manager needs these permissions to sync the encryptedstore
filesystem.
Test: Builds
Test: Check selinux denials in logs
Change-Id: Iee020ae653f5d42af086ca91068e3df52c992305
