Add microdroid specific sepolicy
Microdroid will have a separate sepolicy, apart from the core policy.
This is the first step; For now it's a simple copy of system/sepolicy.
For the future work, it will be stripped.
Bug: 189165759
Test: boot microdroid and see selinux enforced
Change-Id: I2fee39f7231560b49c93bd5e8d0feeffada40938
diff --git a/microdroid/sepolicy/system/private/zipfuse.te b/microdroid/sepolicy/system/private/zipfuse.te
new file mode 100644
index 0000000..9d5faad
--- /dev/null
+++ b/microdroid/sepolicy/system/private/zipfuse.te
@@ -0,0 +1,34 @@
+# zipfuse is a FUSE daemon running in the microdroid. It mounts
+# /dev/block/by-name/microdroid-apk whose content is from an apk file on
+# /mnt/apk so that the entries in the apk file are seen as regular files. See
+# packages/modules/Virtualization/zipfuse.
+
+type zipfuse, domain, coredomain;
+type zipfuse_exec, exec_type, file_type, system_file_type;
+
+# allow domain transition from init
+init_daemon_domain(zipfuse)
+
+# allow basic rules to implement FUSE
+allow zipfuse fuse_device:chr_file rw_file_perms;
+allow zipfuse self:global_capability_class_set sys_admin;
+
+# allow access to /dev/vd* block device files and also access to the symlinks
+# /dev/block/by-name/*
+allow zipfuse block_device:dir r_dir_perms;
+allow zipfuse block_device:lnk_file r_file_perms;
+allow zipfuse vd_device:blk_file r_file_perms;
+
+# allow mounting on /mnt/apk
+allow zipfuse tmpfs:dir mounton;
+
+# TODO(b/188400186) uncomment the following when this filesystem is mounted with
+# fscontext=u:object_r:zipfusefs:s0
+# type zipfusefs, fs_type, contextmount_type;
+# allow zipfuse fuse:filesystem relabelfrom;
+# allow zipfuse zipfusefs:filesystem { mount relabelfrom relabelto };
+
+# TODO(b/188400186) remove this when this filesystem is mounted with correct fcontext
+userdebug_or_eng(`
+ allow zipfuse fuse:filesystem mount;
+')