Leave minimal sepolicy for microdroid
Steps taken:
1) Collect the remaining types in the contexts files.
2) Keep those types and remove all other types.
3) Set attributes, according to system/etc/selinux/plat_sepolicy.cil.
4) Repeat booting and adding missing types, rules, and attributes.
5) Organize types and allow rules.
Bug: 191131624
Test: atest MicrodroidHostTestCases
Change-Id: I1302701f67e61795474c667e8e6094d67912eea0
diff --git a/microdroid/sepolicy/system/private/mls b/microdroid/sepolicy/system/private/mls
index 955c27b..303df81 100644
--- a/microdroid/sepolicy/system/private/mls
+++ b/microdroid/sepolicy/system/private/mls
@@ -48,52 +48,25 @@
(l2 eq h2 and (l1 eq l2 or t1 == mlstrustedsubject));
#
-# Userfaultfd constraints
-#
-# To enforce that anonymous inodes are self contained in the application's process.
-mlsconstrain anon_inode { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute open execmod }
- (l1 eq l2);
-
-#
-# Constraints for app data files only.
-#
-
-# Only constrain open, not read/write, so already open fds can be used.
-# Also constrain other forms of manipulation, e.g. chmod/chown, unlink, rename, etc.
-# Subject must dominate object unless the subject is trusted.
-mlsconstrain dir { open search getattr setattr rename add_name remove_name reparent rmdir }
- (t2 != app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject);
-mlsconstrain { file sock_file } { open setattr unlink link rename }
- ( (t2 != app_data_file_type and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
-
-# For symlinks in app data files, require equivalence in order to manipulate or follow (read).
-mlsconstrain { lnk_file } { open setattr unlink link rename read }
- ( (t2 != app_data_file_type or t2 == privapp_data_file) or l1 eq l2 or t1 == mlstrustedsubject);
-# But for priv_app_data_file, continue to use dominance for symlinks because dynamite relies on this.
-# TODO: Migrate to equivalence when it's no longer needed.
-mlsconstrain { lnk_file } { open setattr unlink link rename read }
- ( (t2 != privapp_data_file and t2 != appdomain_tmpfs) or l1 dom l2 or t1 == mlstrustedsubject);
-
-#
# Constraints for file types other than app data files.
#
# Read operations: Subject must dominate object unless the subject
# or the object is trusted.
mlsconstrain dir { read getattr search }
- (t2 == app_data_file_type or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
- or (t1 == mlsvendorcompat and (t2 == system_data_file or t2 == user_profile_root_file) ) );
+ (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject
+ or (t1 == mlsvendorcompat and t2 == system_data_file) );
mlsconstrain { file lnk_file sock_file chr_file blk_file } { read getattr execute }
- (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (l1 dom l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Write operations: Subject must be equivalent to the object unless the
# subject or the object is trusted.
mlsconstrain dir { write setattr rename add_name remove_name reparent rmdir }
- (t2 == app_data_file_type or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
mlsconstrain { file lnk_file sock_file chr_file blk_file } { write setattr append unlink link rename }
- (t2 == app_data_file_type or t2 == appdomain_tmpfs or l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
+ (l1 eq l2 or t1 == mlstrustedsubject or t2 == mlstrustedobject);
# Special case for FIFOs.
# These can be unnamed pipes, in which case they will be labeled with the