Add microdroid specific sepolicy

Microdroid will have a separate sepolicy, apart from the core policy.
This is the first step: for now it is a simple copy of system/sepolicy.
It will be stripped down in future work.

Bug: 189165759
Test: boot microdroid and see selinux enforced
Change-Id: I2fee39f7231560b49c93bd5e8d0feeffada40938
diff --git a/microdroid/sepolicy/system/public/device.te b/microdroid/sepolicy/system/public/device.te
new file mode 100644
index 0000000..686f955
--- /dev/null
+++ b/microdroid/sepolicy/system/public/device.te
@@ -0,0 +1,123 @@
+# Device types
+type device, dev_type, fs_type;
+type ashmem_device, dev_type, mlstrustedobject;
+type ashmem_libcutils_device, dev_type, mlstrustedobject;
+type audio_device, dev_type;
+type binder_device, dev_type, mlstrustedobject;
+type hwbinder_device, dev_type, mlstrustedobject;
+type vndbinder_device, dev_type;
+type block_device, dev_type;
+type camera_device, dev_type;
+type dm_device, dev_type;
+type dm_user_device, dev_type;
+type keychord_device, dev_type;
+type loop_control_device, dev_type;
+type loop_device, dev_type;
+type pmsg_device, dev_type, mlstrustedobject;
+type radio_device, dev_type;
+type ram_device, dev_type;
+type rtc_device, dev_type;
+type vd_device, dev_type;
+type vold_device, dev_type;
+type console_device, dev_type;
+type fscklogs, dev_type;
+# GPU (used by most UI apps)
+type gpu_device, dev_type, mlstrustedobject;
+type graphics_device, dev_type;
+type hw_random_device, dev_type;
+type input_device, dev_type;
+type port_device, dev_type;
+type lowpan_device, dev_type;
+type mtp_device, dev_type, mlstrustedobject;
+type nfc_device, dev_type;
+type ptmx_device, dev_type, mlstrustedobject;
+type kmsg_device, dev_type, mlstrustedobject;
+type kmsg_debug_device, dev_type;
+type null_device, dev_type, mlstrustedobject;
+type random_device, dev_type, mlstrustedobject;
+type secure_element_device, dev_type;
+type sensors_device, dev_type;
+type serial_device, dev_type;
+type socket_device, dev_type;
+type owntty_device, dev_type, mlstrustedobject;
+type tty_device, dev_type;
+type video_device, dev_type;
+type zero_device, dev_type, mlstrustedobject;
+type fuse_device, dev_type, mlstrustedobject;
+type iio_device, dev_type;
+type ion_device, dev_type, mlstrustedobject;
+type dmabuf_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
+type dmabuf_system_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
+type dmabuf_system_secure_heap_device, dmabuf_heap_device_type, dev_type, mlstrustedobject;
+type qtaguid_device, dev_type;
+type watchdog_device, dev_type;
+type uhid_device, dev_type, mlstrustedobject;
+type uio_device, dev_type;
+type tun_device, dev_type, mlstrustedobject;
+type usbaccessory_device, dev_type, mlstrustedobject;
+type usb_device, dev_type, mlstrustedobject;
+type usb_serial_device, dev_type;
+type gnss_device, dev_type;
+type properties_device, dev_type;
+type properties_serial, dev_type;
+type property_info, dev_type;
+
+# All devices have a uart for the hci
+# attach service. The uart dev node
+# varies per device. This type
+# is used in per device policy
+type hci_attach_dev, dev_type;
+
+# All devices have a rpmsg device for
+# achieving remoteproc and rpmsg modules
+type rpmsg_device, dev_type;
+
+# Partition layout block device
+type root_block_device, dev_type;
+
+# factory reset protection block device
+type frp_block_device, dev_type;
+
+# System block device mounted on /system.
+# Documented at https://source.android.com/devices/bootloader/partitions-images
+type system_block_device, dev_type;
+
+# Recovery block device.
+# Documented at https://source.android.com/devices/bootloader/partitions-images
+type recovery_block_device, dev_type;
+
+# boot block device.
+# Documented at https://source.android.com/devices/bootloader/partitions-images
+type boot_block_device, dev_type;
+
+# Userdata block device mounted on /data.
+# Documented at https://source.android.com/devices/bootloader/partitions-images
+type userdata_block_device, dev_type;
+
+# Cache block device mounted on /cache.
+# Documented at https://source.android.com/devices/bootloader/partitions-images
+type cache_block_device, dev_type;
+
+# Block device for any swap partition.
+type swap_block_device, dev_type;
+
+# Metadata block device used for encryption metadata.
+# Assign this type to the partition specified by the encryptable=
+# mount option in your fstab file in the entry for userdata.
+# Documented at https://source.android.com/devices/bootloader/partitions-images
+type metadata_block_device, dev_type;
+
+# The 'misc' partition used by recovery and A/B.
+# Documented at https://source.android.com/devices/bootloader/partitions-images
+type misc_block_device, dev_type;
+
+# 'super' partition to be used for logical partitioning.
+type super_block_device, super_block_device_type, dev_type;
+
+# sdcard devices; normally vold uses the vold_block_device label and creates a
+# separate device node. gsid, however, accesses the original devide node
+# created through uevents, so we use a separate label.
+type sdcard_block_device, dev_type;
+
+# Userdata device file for filesystem tunables
+type userdata_sysdev, dev_type;
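Review bot: Nothing in the new device.te marks it as a temporary verbatim copy, and it declares device types that a minimal VM presumably never exposes, for example `camera_device`, `nfc_device`, `radio_device` and `gpu_device` near the top of the hunk. The declarations grant nothing by themselves, but every label that stays can still be referenced by copied allow rules, and many of them carry `mlstrustedobject`, which exempts the object from MLS restrictions. The stripping pass should therefore start from the devices microdroid actually needs rather than from whatever breaks when removed. I would add a header comment above `# Device types`, such as `# Copied from system/sepolicy; types not used by microdroid are to be removed (b/189165759).`, so the follow-up is visible in the file itself. Separately, the comment on `sdcard_block_device` has the typo "devide node", inherited from the copy.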