commit ff43be2ca9dcc80711fc14e0bfb847951f677243
author Inseob Kim <inseob@google.com> Mon Jun 07 16:56:56 2021 +0900
committer Inseob Kim <inseob@google.com> Mon Jun 07 18:44:35 2021 +0900
tree bf5e839c17d58df2298c811dbf18624f24b48133
parent b50e0fabe77f1f16a9d1fd79cd351bef3834c77c

Add microdroid specific sepolicy

Microdroid will have a separate sepolicy, apart from the core policy.
This is the first step; For now it's a simple copy of system/sepolicy.
For the future work, it will be stripped.

Bug: 189165759
Test: boot microdroid and see selinux enforced
Change-Id: I2fee39f7231560b49c93bd5e8d0feeffada40938

microdroid/sepolicy/system/private/snapuserd.te

diff --git a/microdroid/sepolicy/system/private/snapuserd.te b/microdroid/sepolicy/system/private/snapuserd.te
new file mode 100644
index 0000000..d96b31e
--- /dev/null
+++ b/microdroid/sepolicy/system/private/snapuserd.te
@@ -0,0 +1,26 @@
+# snapuserd - Daemon for servicing dm-user requests for Virtual A/B snapshots.
+type snapuserd, domain;
+type snapuserd_exec, exec_type, file_type, system_file_type;
+
+typeattribute snapuserd coredomain;
+
+init_daemon_domain(snapuserd)
+
+allow snapuserd kmsg_device:chr_file rw_file_perms;
+
+# Reading and writing to /dev/block/dm-* (device-mapper) nodes.
+allow snapuserd block_device:dir r_dir_perms;
+allow snapuserd dm_device:chr_file rw_file_perms;
+allow snapuserd dm_device:blk_file rw_file_perms;
+
+# Reading and writing to dm-user control nodes.
+allow snapuserd dm_user_device:dir r_dir_perms;
+allow snapuserd dm_user_device:chr_file rw_file_perms;
+
+# Reading and writing to /dev/socket/snapuserd.
+allow snapuserd snapuserd_socket:unix_stream_socket { accept listen getattr read write };
+
+# This arises due to first-stage init opening /dev/null without F_CLOEXEC
+# (see SetStdioToDevNull in init). When we fork() and execveat() snapuserd
+# again, the descriptor leaks into the new process.
+allow snapuserd kernel:fd use;