| # microdroid_payload is an attribute for microdroid payload processes. |
| # Domains should have microdroid_payload to be run from microdroid_manager. |
| |
| # Allow to communicate use, read and write over the adb connection. |
| allow microdroid_payload adbd:fd use; |
| allow microdroid_payload adbd:unix_stream_socket { read write }; |
| |
| # microdroid_launcher is launched by microdroid_manager with fork/execvp. |
| allow microdroid_payload microdroid_manager:fd use; |
| |
| # Allow to use FDs inherited from the shell. This includes the FD opened for |
| # the microdroid_launcher executable itself and the FD for adb connection. |
| # TODO(b/186396070) remove this when this is executed from microdroid_manager |
| userdebug_or_eng(` |
| allow microdroid_payload shell:fd use; |
| ') |
| |
| # Allow to use terminal |
| allow microdroid_payload devpts:chr_file rw_file_perms; |
| |
| # Allow to set debug prop |
| set_prop(microdroid_payload, debug_prop) |
| |
| # Allow microdroid_payload to use vsock inherited from microdroid_manager |
| allow microdroid_payload microdroid_manager:vsock_socket { read write }; |
| |
| # Write to /dev/kmsg. |
| allow microdroid_payload kmsg_device:chr_file rw_file_perms; |
| |
| # Allow microdroid_payload to host binder servers via vsock. Listening |
| # for connections from the host is permitted, but connecting out to |
| # the host is not. Inbound connections are mediated by |
| # virtualiationservice which ensures a process can only connect to a |
| # VM that it owns. |
| allow microdroid_payload self:vsock_socket { |
| create listen accept read getattr write setattr lock append bind |
| getopt setopt shutdown map |
| }; |
| neverallow microdroid_payload self:vsock_socket connect; |
| |
| # Payload can read extra apks |
| r_dir_file(microdroid_payload, extra_apk_file) |
| |
| # Payload can read /proc/meminfo. |
| allow microdroid_payload proc_meminfo:file r_file_perms; |
| |
| # Allow use of authfs. |
| binder_use(microdroid_payload); |
| allow microdroid_payload authfs_binder_service:service_manager find; |
| binder_call(microdroid_payload, authfs_service); |
| |
| # Allow payload to communicate with authfs_service |
| unix_socket_connect(microdroid_payload, authfs_service, authfs_service) |
| |
| # Allow locating the authfs mount directory. |
| allow microdroid_payload authfs_data_file:dir search; |
| |
| # Read and write files authfs-proxied files. |
| allow microdroid_payload authfs_fuse:dir rw_dir_perms; |
| allow microdroid_payload authfs_fuse:file create_file_perms; |
| |
| # Allow payload to communicate with microdroid manager |
| unix_socket_connect(microdroid_payload, vm_payload_service, microdroid_manager) |