platform_system_sepolicy/microdroid/system/private/microdroid_manager.te

# microdroid_manager is a daemon running in the microdroid.

type microdroid_manager, domain, coredomain;
type microdroid_manager_exec, exec_type, file_type, system_file_type;

# allow domain transition from init
init_daemon_domain(microdroid_manager)

# microdroid_manager accesses a virtual disk block device to read VM payload
allow microdroid_manager block_device:dir r_dir_perms;
allow microdroid_manager block_device:lnk_file r_file_perms;
allow microdroid_manager vd_device:blk_file r_file_perms;
# microdroid_manager verifies DM-verity mounted APK payload
allow microdroid_manager dm_device:blk_file r_file_perms;

# Allow microdroid_manager to start payload tasks
domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app)
domain_auto_trans(microdroid_manager, compos_exec, compos)

# Let microdroid_manager kernel-log.
allow microdroid_manager kmsg_device:chr_file w_file_perms;

# Let microdroid_manager initialize the derived VM secrets.
set_prop(microdroid_manager, vmsecret_keymint_prop);

# Let microdroid_manager read a config file from /mnt/apk (fusefs)
# TODO(b/188400186) remove the below rule
userdebug_or_eng(`
  r_dir_file(microdroid_manager, fuse)
')

# Let microdroid_manager to create a vsock connection back to the host VM
allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };

# microdroid_manager is using bootstrap bionic
allow microdroid_manager system_bootstrap_lib_file:dir r_dir_perms;
allow microdroid_manager system_bootstrap_lib_file:file { execute read open getattr map };

neverallow microdroid_manager { file_type fs_type }:file execute_no_trans;