Leave minimal sepolicy for microdroid

Steps taken:

1) Grab remaining types in contexts files.
2) Leave such types and remove all other types.
3) Set attributes, according to system/etc/selinux/plat_sepolicy.cil.
4) Repeat booting and adding missing types, rules, and attributes.
5) Organize types and allow rules.

Bug: 191131624
Test: atest MicrodroidHostTestCases
Change-Id: I1302701f67e61795474c667e8e6094d67912eea0
diff --git a/microdroid/sepolicy/system/public/device.te b/microdroid/sepolicy/system/public/device.te
index 686f955..8d286a6 100644
--- a/microdroid/sepolicy/system/public/device.te
+++ b/microdroid/sepolicy/system/public/device.te
@@ -1,123 +1,39 @@
-# Device types
-type device, dev_type, fs_type;
 type ashmem_device, dev_type, mlstrustedobject;
 type ashmem_libcutils_device, dev_type, mlstrustedobject;
-type audio_device, dev_type;
 type binder_device, dev_type, mlstrustedobject;
-type hwbinder_device, dev_type, mlstrustedobject;
-type vndbinder_device, dev_type;
 type block_device, dev_type;
-type camera_device, dev_type;
+type console_device, dev_type;
+type device, dev_type, fs_type;
 type dm_device, dev_type;
 type dm_user_device, dev_type;
-type keychord_device, dev_type;
+type dmabuf_heap_device, dev_type, mlstrustedobject, dmabuf_heap_device_type;
+type dmabuf_system_heap_device, dev_type, mlstrustedobject, dmabuf_heap_device_type;
+type dmabuf_system_secure_heap_device, dev_type, mlstrustedobject, dmabuf_heap_device_type;
+type fuse_device, dev_type, mlstrustedobject;
+type hw_random_device, dev_type;
+type hwbinder_device, dev_type, mlstrustedobject;
+type kmsg_debug_device, dev_type;
+type kmsg_device, dev_type, mlstrustedobject;
+type kvm_device, dev_type;
 type loop_control_device, dev_type;
 type loop_device, dev_type;
-type pmsg_device, dev_type, mlstrustedobject;
-type radio_device, dev_type;
-type ram_device, dev_type;
-type rtc_device, dev_type;
-type vd_device, dev_type;
-type vold_device, dev_type;
-type console_device, dev_type;
-type fscklogs, dev_type;
-# GPU (used by most UI apps)
-type gpu_device, dev_type, mlstrustedobject;
-type graphics_device, dev_type;
-type hw_random_device, dev_type;
-type input_device, dev_type;
-type port_device, dev_type;
-type lowpan_device, dev_type;
-type mtp_device, dev_type, mlstrustedobject;
-type nfc_device, dev_type;
-type ptmx_device, dev_type, mlstrustedobject;
-type kmsg_device, dev_type, mlstrustedobject;
-type kmsg_debug_device, dev_type;
 type null_device, dev_type, mlstrustedobject;
-type random_device, dev_type, mlstrustedobject;
-type secure_element_device, dev_type;
-type sensors_device, dev_type;
-type serial_device, dev_type;
-type socket_device, dev_type;
 type owntty_device, dev_type, mlstrustedobject;
-type tty_device, dev_type;
-type video_device, dev_type;
-type zero_device, dev_type, mlstrustedobject;
-type fuse_device, dev_type, mlstrustedobject;
-type iio_device, dev_type;
-type ion_device, dev_type, mlstrustedobject;
-type dmabuf_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
-type dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
-type dmabuf_system_secure_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
-type qtaguid_device, dev_type;
-type watchdog_device, dev_type;
-type uhid_device, dev_type, mlstrustedobject;
-type uio_device, dev_type;
-type tun_device, dev_type, mlstrustedobject;
-type usbaccessory_device, dev_type, mlstrustedobject;
-type usb_device, dev_type, mlstrustedobject;
-type usb_serial_device, dev_type;
-type gnss_device, dev_type;
+type ppp_device, dev_type;
 type properties_device, dev_type;
 type properties_serial, dev_type;
 type property_info, dev_type;
-
-# All devices have a uart for the hci
-# attach service. The uart dev node
-# varies per device. This type
-# is used in per device policy
-type hci_attach_dev, dev_type;
-
-# All devices have a rpmsg device for
-# achieving remoteproc and rpmsg modules
-type rpmsg_device, dev_type;
-
-# Partition layout block device
-type root_block_device, dev_type;
-
-# factory reset protection block device
-type frp_block_device, dev_type;
-
-# System block device mounted on /system.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type system_block_device, dev_type;
-
-# Recovery block device.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type recovery_block_device, dev_type;
-
-# boot block device.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type boot_block_device, dev_type;
-
-# Userdata block device mounted on /data.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type userdata_block_device, dev_type;
-
-# Cache block device mounted on /cache.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type cache_block_device, dev_type;
-
-# Block device for any swap partition.
-type swap_block_device, dev_type;
-
-# Metadata block device used for encryption metadata.
-# Assign this type to the partition specified by the encryptable=
-# mount option in your fstab file in the entry for userdata.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type metadata_block_device, dev_type;
-
-# The 'misc' partition used by recovery and A/B.
-# Documented at https://source.android.com/devices/bootloader/partitions-images
-type misc_block_device, dev_type;
-
-# 'super' partition to be used for logical partitioning.
-type super_block_device, super_block_device_type, dev_type;
-
-# sdcard devices; normally vold uses the vold_block_device label and creates a
-# separate device node. gsid, however, accesses the original devide node
-# created through uevents, so we use a separate label.
-type sdcard_block_device, dev_type;
-
-# Userdata device file for filesystem tunables
+type ptmx_device, dev_type, mlstrustedobject;
+type ram_device, dev_type;
+type random_device, dev_type, mlstrustedobject;
+type rtc_device, dev_type;
+type serial_device, dev_type;
+type socket_device, dev_type;
+type tty_device, dev_type;
+type tun_device, dev_type, mlstrustedobject;
+type uhid_device, dev_type, mlstrustedobject;
+type uio_device, dev_type;
 type userdata_sysdev, dev_type;
+type vd_device, dev_type;
+type vndbinder_device, dev_type;
+type zero_device, dev_type, mlstrustedobject;
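Review bot: The rewritten list carries no comments at all, so nothing in the new file explains why a minimal microdroid policy still declares `tun_device`, `uhid_device`, `uio_device` and `fuse_device`, or why `ppp_device` and `kvm_device` (which have no removed counterpart in this hunk) are added. The commit message says types were kept because a contexts file still references them, and that rationale belongs in the file, for example `# Types listed here are still referenced by a *_contexts file; remove the contexts entry before dropping a type.` as a header. A declaration alone grants no access, but `tun_device`, `uhid_device` and `fuse_device` keep `mlstrustedobject`, which normally exempts the object from MLS constraints, so each of those deserves a one-line justification or a follow-up to prune the contexts entry if microdroid never creates the node. The original `# Userdata device file for filesystem tunables` comment above `userdata_sysdev` was dropped although the type stays; I would restore it.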