Gitiles
Code Review Sign In
LeafOS / LeafOS-Project / android_system_sepolicy / c7596c4e619ea8f77a1ec818df453dbbda22709e / . / microdroid / system / private / microdroid_manager.te
blob: 3510e2fcdcc03d030c4fcb4177e4cbbf47ea4674 [file] [log] [blame]
# microdroid_manager is a daemon running in the microdroid.
type microdroid_manager, domain, coredomain;
type microdroid_manager_exec, exec_type, file_type, system_file_type;
# allow domain transition from init
init_daemon_domain(microdroid_manager)
# microdroid_manager accesses a virtual disk block device to read VM payload
# It needs write access as it updates the instance image
allow microdroid_manager block_device:dir r_dir_perms;
allow microdroid_manager block_device:lnk_file r_file_perms;
allow microdroid_manager vd_device:blk_file rw_file_perms;
# microdroid_manager verifies DM-verity mounted APK payload
allow microdroid_manager dm_device:blk_file r_file_perms;
# Allow microdroid_manager to do blkflsbuf on instance disk image. The ioctl
# requires sys_admin cap as well.
allowxperm microdroid_manager vd_device:blk_file ioctl BLKFLSBUF;
allow microdroid_manager self:global_capability_class_set sys_admin;
# Allow microdroid_manager to start payload tasks
domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app)
domain_auto_trans(microdroid_manager, compos_exec, compos)
# Allow microdroid_manager to start apk verity binaries
domain_auto_trans(microdroid_manager, apkdmverity_exec, apkdmverity)
domain_auto_trans(microdroid_manager, zipfuse_exec, zipfuse)
# Let microdroid_manager kernel-log.
allow microdroid_manager kmsg_device:chr_file w_file_perms;
# Let microdroid_manager read a config file from /mnt/apk (fusefs)
# TODO(b/188400186) remove the below rule
userdebug_or_eng(`
r_dir_file(microdroid_manager, fuse)
')
# Let microdroid_manager to create a vsock connection back to the host VM
allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
# microdroid_manager is using bootstrap bionic
use_bootstrap_libs(microdroid_manager)
# microdroid_manager can talk to diced over binder
binder_use(microdroid_manager)
binder_call(microdroid_manager, diced)
allow microdroid_manager { dice_node_service dice_maintenance_service }:service_manager find;
allow microdroid_manager diced:diced { derive demote_self };
# microdroid_manager create /apex/vm-payload-metadata for apexd
# TODO(b/199371341) create a new label for the file so that only microdroid_manager can create it.
allow microdroid_manager apex_mnt_dir:dir w_dir_perms;
allow microdroid_manager apex_mnt_dir:file create_file_perms;
# Allow microdroid_manager to start the services apexd-vm, apkdmverity and zipfuse
set_prop(microdroid_manager, ctl_apexd_vm_prop)
set_prop(microdroid_manager, ctl_apkdmverity_prop)
set_prop(microdroid_manager, ctl_seriallogging_prop)
set_prop(microdroid_manager, ctl_zipfuse_prop)
# Allow microdroid_manager to wait for linkerconfig to be ready
get_prop(microdroid_manager, apex_config_prop)
# Allow microdroid_manager to pass the roothash to apkdmverity
set_prop(microdroid_manager, microdroid_manager_roothash_prop)
# Allow microdroid_manager to shutdown the device when verification fails
set_prop(microdroid_manager, powerctl_prop)
# Allow microdroid_manager to read bootconfig so that it can reject a bootconfig
# that is different from what is recorded in the instance.img file.
allow microdroid_manager proc_bootconfig:file r_file_perms;
# Allow microdroid_manager to handle extra_apks
allow microdroid_manager extra_apk_file:dir create_dir_perms;
# Domains other than microdroid can't write extra_apks
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:file no_w_file_perms;
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:dir no_w_dir_perms;
neverallow microdroid_manager { file_type fs_type }:file execute_no_trans;