Leave minimal sepolicy for microdroid

Steps taken:

1) Grab remaining types in contexts files.
2) Leave such types and remove all other types.
3) Set attributes, according to system/etc/selinux/plat_sepolicy.cil.
4) Repeat booting and adding missing types, rules, and attributes.
5) Organize types and allow rules.

Bug: 191131624
Test: atest MicrodroidHostTestCases
Change-Id: I1302701f67e61795474c667e8e6094d67912eea0
diff --git a/microdroid/sepolicy/system/public/servicemanager.te b/microdroid/sepolicy/system/public/servicemanager.te
index 63fc227..41a1096 100644
--- a/microdroid/sepolicy/system/public/servicemanager.te
+++ b/microdroid/sepolicy/system/public/servicemanager.te
@@ -1,32 +1,2 @@
-# servicemanager - the Binder context manager
-type servicemanager, domain, mlstrustedsubject;
-type servicemanager_exec, system_file_type, exec_type, file_type;
-
-# Note that we do not use the binder_* macros here.
-# servicemanager is unique in that it only provides
-# name service (aka context manager) for Binder.
-# As such, it only ever receives and transfers other references
-# created by other domains.  It never passes its own references
-# or initiates a Binder IPC.
-allow servicemanager self:binder set_context_mgr;
-allow servicemanager {
-  domain
-  -init
-  -vendor_init
-  -hwservicemanager
-  -vndservicemanager
-}:binder transfer;
-
-allow servicemanager service_contexts_file:file r_file_perms;
-
-allow servicemanager vendor_service_contexts_file:file r_file_perms;
-
-# nonplat_service_contexts only accessible on non full-treble devices
-not_full_treble(`allow servicemanager nonplat_service_contexts_file:file r_file_perms;')
-
-add_service(servicemanager, service_manager_service)
-allow servicemanager dumpstate:fd use;
-allow servicemanager dumpstate:fifo_file write;
-
-# Check SELinux permissions.
-selinux_check_access(servicemanager)
+type servicemanager, domain;
+type servicemanager_exec, file_type, exec_type, system_file_type;
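Review bot: The two declarations left at the end of this hunk have no comment, so the file no longer says what servicemanager is or why it avoids the `binder_*` macros. I would keep the header `# servicemanager - the Binder context manager` and add a pointer to wherever the allow rules now live; that location is not visible in this hunk. The new `type servicemanager, domain;` also drops `mlstrustedsubject`, which the commit message does not mention. That removes an MLS exemption, so the change tightens policy, but it should be confirmed that no microdroid client runs at a different MLS level, and a one-line comment should say the omission is deliberate. If `set_context_mgr` and `binder transfer` were re-created elsewhere, check that the transfer rule still excludes `init` (and any of the other excluded domains that still exist in microdroid) and has not widened to all of `domain`.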