Leave minimal sepolicy for microdroid Steps taken: 1) Grab remaining types in contexts files. 2) Leave such types and remove all other types. 3) Set attributes, according to system/etc/selinux/plat_sepolicy.cil. 4) Repeat booting and adding missing types, rules, and attributes. 5) Organize types and allow rules. Bug: 191131624 Test: atest MicrodroidHostTestCases Change-Id: I1302701f67e61795474c667e8e6094d67912eea0

commit: 4eb5660c52a5966374c9d810550e3ae0069bd50f [log] [tgz]
author: Inseob Kim <inseob@google.com> Fri Jul 09 15:51:12 2021 +0900
committer: Inseob Kim <inseob@google.com> Tue Jul 13 14:06:58 2021 +0900
tree: 11a87447d96b7949e5da2a64cd76aa1271f897b1
parent: 32ea89af9e9846a9865d85389bed271423b173a7 [diff] [blame]
diff --git a/microdroid/sepolicy/system/private/net.te b/microdroid/sepolicy/system/private/net.te
new file mode 100644
index 0000000..1b2fd41
--- /dev/null
+++ b/microdroid/sepolicy/system/private/net.te

@@ -0,0 +1,16 @@
+## Network types
+type node, node_type;
+type netif, netif_type;
+type port, port_type;
+
+###
+### Domain with network access
+###
+
+allow netdomain self:tcp_socket create_stream_socket_perms;
+allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;
+
+allow netdomain port_type:tcp_socket name_connect;
+allow netdomain node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
+allow netdomain port_type:udp_socket name_bind;
+allow netdomain port_type:tcp_socket name_bind;
commit	4eb5660c52a5966374c9d810550e3ae0069bd50f	[log] [tgz]
author	Inseob Kim <inseob@google.com>	Fri Jul 09 15:51:12 2021 +0900
committer	Inseob Kim <inseob@google.com>	Tue Jul 13 14:06:58 2021 +0900
tree	11a87447d96b7949e5da2a64cd76aa1271f897b1
parent	32ea89af9e9846a9865d85389bed271423b173a7 [diff] [blame]