Add microdroid specific sepolicy

Microdroid will have a separate sepolicy, apart from the core policy.
This is the first step; for now it's a simple copy of system/sepolicy.
It will be stripped down in future work.

Bug: 189165759
Test: boot microdroid and see selinux enforced
Change-Id: I2fee39f7231560b49c93bd5e8d0feeffada40938
diff --git a/microdroid/sepolicy/system/private/logpersist.te b/microdroid/sepolicy/system/private/logpersist.te
new file mode 100644
index 0000000..ab2c9c6
--- /dev/null
+++ b/microdroid/sepolicy/system/private/logpersist.te
@@ -0,0 +1,30 @@
+typeattribute logpersist coredomain;
+
+# android debug log storage in logpersist domains (eng and userdebug only)
+userdebug_or_eng(`
+
+  r_dir_file(logpersist, cgroup)
+  r_dir_file(logpersist, cgroup_v2)
+
+  allow logpersist misc_logd_file:file create_file_perms;
+  allow logpersist misc_logd_file:dir rw_dir_perms;
+
+  allow logpersist self:global_capability_class_set sys_nice;
+  allow logpersist pstorefs:dir search;
+  allow logpersist pstorefs:file r_file_perms;
+
+  control_logd(logpersist)
+  unix_socket_connect(logpersist, logdr, logd)
+  read_runtime_log_tags(logpersist)
+
+')
+
+# logpersist is allowed to write to /data/misc/log for userdebug and eng builds
+neverallow logpersist {
+  file_type
+  userdebug_or_eng(`-misc_logd_file -coredump_file')
+  with_native_coverage(`-method_trace_data_file')
+}:file { create write append };
+neverallow { domain -init -dumpstate -incidentd userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_rw_file_perms;
+neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_w_file_perms;
+neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
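Review bot: The comment above the first `neverallow` mentions only /data/misc/log, but the rule also exempts `coredump_file` on userdebug/eng and `method_trace_data_file` under native coverage, and on user builds it leaves logpersist with no `file_type` it may create, write or append to. I would reword it to `# logpersist may create/write/append only to misc_logd_file and coredump_file (userdebug/eng) and method_trace_data_file (native coverage); to no file_type on user builds`. The three `misc_logd_file` neverallows at the end of the hunk carry no comment; a line such as `# only init (plus logd/logpersist on userdebug/eng) may modify misc_logd_file; dumpstate and incidentd are exempt from the no_rw_file_perms rule only` would make the split between them explicit. Because the file is described as a copy of system/sepolicy, the `-dumpstate -incidentd` exemptions are presumably inherited; whether microdroid ships those domains is not visible here, and if it does not, dropping them when the policy is stripped keeps the neverallow as tight as the VM permits.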