Add microdroid specific sepolicy
Microdroid will have a separate sepolicy, apart from the core policy.
This is the first step; For now it's a simple copy of system/sepolicy.
For the future work, it will be stripped.
Bug: 189165759
Test: boot microdroid and see selinux enforced
Change-Id: I2fee39f7231560b49c93bd5e8d0feeffada40938
diff --git a/microdroid/sepolicy/system/private/linkerconfig.te b/microdroid/sepolicy/system/private/linkerconfig.te
new file mode 100644
index 0000000..2688102
--- /dev/null
+++ b/microdroid/sepolicy/system/private/linkerconfig.te
@@ -0,0 +1,27 @@
+type linkerconfig, domain, coredomain;
+type linkerconfig_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(linkerconfig)
+
+## Read and write linkerconfig subdirectory.
+allow linkerconfig linkerconfig_file:dir create_dir_perms;
+allow linkerconfig linkerconfig_file:file create_file_perms;
+
+# Allow linkerconfig to log to the kernel.
+allow linkerconfig kmsg_device:chr_file w_file_perms;
+
+# Allow linkerconfig to be invoked with logwrapper from init.
+allow linkerconfig devpts:chr_file { read write };
+
+# Allow linkerconfig to scan for apex modules
+allow linkerconfig apex_mnt_dir:dir r_dir_perms;
+
+# Allow linkerconfig to read apex-info-list.xml
+allow linkerconfig apex_info_file:file r_file_perms;
+
+# Allow linkerconfig to be called in the otapreopt_chroot
+allow linkerconfig otapreopt_chroot:fd use;
+allow linkerconfig postinstall_apex_mnt_dir:dir r_dir_perms;
+allow linkerconfig postinstall_apex_mnt_dir:file r_file_perms;
+
+neverallow { domain -init -linkerconfig -otapreopt_chroot } linkerconfig_exec:file no_x_file_perms;