Rename microdroid_launcher domain to microdroid_app
As the payload is in a shared library, the microdroid_launcher domain is
used as-is when running the microdroid app. This changes the domain name to
microdroid_app, because microdroid_launcher does nothing but launch
the microdroid app.
Bug: 189706019
Test: atest MicrodroidHostTestCases
Change-Id: Id30b4a85cc1b9023a93546d33b6071863e9268ee
diff --git a/microdroid/sepolicy/system/private/domain.te b/microdroid/sepolicy/system/private/domain.te
index 4a59f73..e979f3e 100644
--- a/microdroid/sepolicy/system/private/domain.te
+++ b/microdroid/sepolicy/system/private/domain.te
@@ -216,7 +216,7 @@
-appdomain # for oemfs
-bootanim # for oemfs
-recovery # for /tmp/update_binary in tmpfs
- -microdroid_launcher -microdroid_manager # for executing shared libs on /mnt/apk in Microdroid
+ -microdroid_app -microdroid_manager # for executing shared libs on /mnt/apk in Microdroid
} { fs_type -rootfs }:file execute;
#
diff --git a/microdroid/sepolicy/system/private/file_contexts b/microdroid/sepolicy/system/private/file_contexts
index 7e6048e..4318bb0 100644
--- a/microdroid/sepolicy/system/private/file_contexts
+++ b/microdroid/sepolicy/system/private/file_contexts
@@ -114,7 +114,7 @@
/system/bin/toolbox -- u:object_r:toolbox_exec:s0
/system/bin/toybox -- u:object_r:toolbox_exec:s0
/system/bin/zipfuse u:object_r:zipfuse_exec:s0
-/system/bin/microdroid_launcher u:object_r:microdroid_launcher_exec:s0
+/system/bin/microdroid_launcher u:object_r:microdroid_app_exec:s0
/system/bin/microdroid_manager u:object_r:microdroid_manager_exec:s0
/system/bin/apkdmverity u:object_r:apkdmverity_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
diff --git a/microdroid/sepolicy/system/private/microdroid_app.te b/microdroid/sepolicy/system/private/microdroid_app.te
new file mode 100644
index 0000000..eff9120
--- /dev/null
+++ b/microdroid/sepolicy/system/private/microdroid_app.te
@@ -0,0 +1,45 @@
+# microdroid_app is a domain for microdroid_launcher, which is a binary that
+# loads a shared library from an apk and executes it by calling an entry point
+# in the library. This can be considered as the native counterpart of
+# app_process for Java.
+#
+# Both microdroid_launcher and payload from the shared library run in the
+# context of microdroid_app.
+
+type microdroid_app, domain, coredomain;
+type microdroid_app_exec, exec_type, file_type, system_file_type;
+
+# Allow to communicate use, read and write over the adb connection.
+allow microdroid_app adbd:fd use;
+allow microdroid_app adbd:unix_stream_socket { read write };
+
+# microdroid_launcher is launched by microdroid_manager with fork/execvp.
+allow microdroid_app microdroid_manager:fd use;
+
+# Allow to use FDs inherited from the shell. This includes the FD opened for
+# the microdroid_launcher executable itself and the FD for adb connection.
+# TODO(b/186396070) remove this when this is executed from microdroid_manager
+userdebug_or_eng(`
+ allow microdroid_app shell:fd use;
+')
+
+# Allow to use terminal
+allow microdroid_app devpts:chr_file rw_file_perms;
+
+# Allow to set debug prop
+set_prop(microdroid_app, debug_prop)
+
+# Talk to binder services (for keystore)
+binder_use(microdroid_app);
+
+# Allow payloads to use keystore
+use_keystore(microdroid_app);
+
+# Allow payloads to use and manage their keys
+allow microdroid_app vm_payload_key:keystore2_key {
+ delete
+ get_info
+ manage_blob
+ rebind
+ use
+};
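Review bot: `set_prop(microdroid_app, debug_prop)` is granted unconditionally, although the new header comment says the payload loaded from the apk runs in this same domain, so payload code gets the property write on every build type. If it is only needed for debugging, it could go inside the same `userdebug_or_eng(...)` guard already used for `allow microdroid_app shell:fd use;`; whether user builds need it cannot be told from this hunk. The two adbd rules are in the same position and deserve the same check. Separately, the comment `# Allow to communicate use, read and write over the adb connection.` would read better as `# Allow use of the inherited adbd FD and read/write on the adb socket.`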
diff --git a/microdroid/sepolicy/system/private/microdroid_launcher.te b/microdroid/sepolicy/system/private/microdroid_launcher.te
deleted file mode 100644
index 6bcd4f1..0000000
--- a/microdroid/sepolicy/system/private/microdroid_launcher.te
+++ /dev/null
@@ -1,41 +0,0 @@
-# microdroid_launcher is a binary that loads a shared library from an apk and
-# executes it by calling an entry point in the library. This can be considered
-# as the native counterpart of app_process for Java.
-
-type microdroid_launcher, domain, coredomain;
-type microdroid_launcher_exec, exec_type, file_type, system_file_type;
-
-# Allow to communicate use, read and write over the adb connection.
-allow microdroid_launcher adbd:fd use;
-allow microdroid_launcher adbd:unix_stream_socket { read write };
-
-# microdroid_launcher is launched by microdroid_manager with fork/execvp.
-allow microdroid_launcher microdroid_manager:fd use;
-
-# Allow to use FDs inherited from the shell. This includes the FD opened for
-# the microdroid_launcher executable itself and the FD for adb connection.
-# TODO(b/186396070) remove this when this is executed from microdroid_manager
-userdebug_or_eng(`
- allow microdroid_launcher shell:fd use;
-')
-
-# Allow to use terminal
-allow microdroid_launcher devpts:chr_file rw_file_perms;
-
-# Allow to set debug prop
-set_prop(microdroid_launcher, debug_prop)
-
-# Talk to binder services (for keystore)
-binder_use(microdroid_launcher);
-
-# Allow payloads to use keystore
-use_keystore(microdroid_launcher);
-
-# Allow payloads to use and manage their keys
-allow microdroid_launcher vm_payload_key:keystore2_key {
- delete
- get_info
- manage_blob
- rebind
- use
-};
diff --git a/microdroid/sepolicy/system/private/microdroid_manager.te b/microdroid/sepolicy/system/private/microdroid_manager.te
index deb969c..fba3e71 100644
--- a/microdroid/sepolicy/system/private/microdroid_manager.te
+++ b/microdroid/sepolicy/system/private/microdroid_manager.te
@@ -13,7 +13,7 @@
allow microdroid_manager vd_device:blk_file r_file_perms;
# microdroid_manager start payload task via microdroid_launcher
-domain_auto_trans(microdroid_manager, microdroid_launcher_exec, microdroid_launcher);
+domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app);
# Let microdroid_manager exec other files (e.g. payload command) in the same domain.
# TODO(b/189706019) we need to a domain for the app process.
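Review bot: The context comment `# TODO(b/189706019) we need to a domain for the app process.` carries the same bug number as this commit, which introduces `microdroid_app`, so it looks stale or incomplete after the change. The rule it describes lies outside this hunk; if it still lets microdroid_manager exec the payload command in its own domain, that code keeps microdroid_manager's permissions rather than the narrower `microdroid_app` set. In that case the TODO should state what remains, e.g. `# TODO(b/189706019) run the payload command in microdroid_app instead of microdroid_manager.` The comment above the transition could also name the target domain: `# microdroid_manager starts the payload task via microdroid_launcher, which runs as microdroid_app`.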
diff --git a/microdroid/sepolicy/system/private/shell.te b/microdroid/sepolicy/system/private/shell.te
index 7c786c9..03490b0 100644
--- a/microdroid/sepolicy/system/private/shell.te
+++ b/microdroid/sepolicy/system/private/shell.te
@@ -193,7 +193,7 @@
# Allow shell to launch microdroid_launcher in its own domain
# TODO(b/186396070) remove this when microdroid_manager can do this
-domain_auto_trans(shell, microdroid_launcher_exec, microdroid_launcher)
+domain_auto_trans(shell, microdroid_app_exec, microdroid_app)
domain_auto_trans(shell, microdroid_manager_exec, microdroid_manager)
# Never allow others to set or get the perf.drop_caches property.