commit 4eb5660c52a5966374c9d810550e3ae0069bd50f
author Inseob Kim <inseob@google.com> Fri Jul 09 15:51:12 2021 +0900
committer Inseob Kim <inseob@google.com> Tue Jul 13 14:06:58 2021 +0900
tree 11a87447d96b7949e5da2a64cd76aa1271f897b1
parent 32ea89af9e9846a9865d85389bed271423b173a7

Leave minimal sepolicy for microdroid

Steps taken:

1) Grab remaining types in contexts files.
2) Leave such types and remove all other types.
3) Set attributes, according to system/etc/selinux/plat_sepolicy.cil.
4) Repeat booting and adding missing types, rules, and attributes.
5) Organize types and allow rules.

Bug: 191131624
Test: atest MicrodroidHostTestCases
Change-Id: I1302701f67e61795474c667e8e6094d67912eea0

microdroid/sepolicy/system/private/tombstoned.te

diff --git a/microdroid/sepolicy/system/private/tombstoned.te b/microdroid/sepolicy/system/private/tombstoned.te
index b6dfd1e..2567a23 100644
--- a/microdroid/sepolicy/system/private/tombstoned.te
+++ b/microdroid/sepolicy/system/private/tombstoned.te
@@ -2,12 +2,11 @@
 
 init_daemon_domain(tombstoned)
 
-get_prop(tombstoned, tombstone_config_prop)
+# Write to arbitrary pipes given to us.
+allow tombstoned domain:fd use;
+allow tombstoned domain:fifo_file write;
 
-neverallow {
-    domain
-    -init
-    -vendor_init
-    -dumpstate
-    -tombstoned
-} tombstone_config_prop:file no_rw_file_perms;
+allow tombstoned domain:dir r_dir_perms;
+allow tombstoned domain:file r_file_perms;
+allow tombstoned tombstone_data_file:dir rw_dir_perms;
+allow tombstoned tombstone_data_file:file { create_file_perms link };