commit ff43be2ca9dcc80711fc14e0bfb847951f677243
author Inseob Kim <inseob@google.com> Mon Jun 07 16:56:56 2021 +0900
committer Inseob Kim <inseob@google.com> Mon Jun 07 18:44:35 2021 +0900
tree bf5e839c17d58df2298c811dbf18624f24b48133
parent b50e0fabe77f1f16a9d1fd79cd351bef3834c77c

Add microdroid specific sepolicy

Microdroid will have a separate sepolicy, apart from the core policy.
This is the first step; For now it's a simple copy of system/sepolicy.
For the future work, it will be stripped.

Bug: 189165759
Test: boot microdroid and see selinux enforced
Change-Id: I2fee39f7231560b49c93bd5e8d0feeffada40938

microdroid/sepolicy/system/public/fastbootd.te

diff --git a/microdroid/sepolicy/system/public/fastbootd.te b/microdroid/sepolicy/system/public/fastbootd.te
new file mode 100644
index 0000000..e167a5e
--- /dev/null
+++ b/microdroid/sepolicy/system/public/fastbootd.te
@@ -0,0 +1,118 @@
+# fastbootd (used in recovery init.rc for /sbin/fastbootd)
+
+# Declare the domain unconditionally so we can always reference it
+# in neverallow rules.
+type fastbootd, domain;
+
+# But the allow rules are only included in the recovery policy.
+# Otherwise fastbootd is only allowed the domain rules.
+recovery_only(`
+  # fastbootd can only use HALs in passthrough mode
+  passthrough_hal_client_domain(fastbootd, hal_bootctl)
+
+  # Access /dev/usb-ffs/fastbootd/ep0
+  allow fastbootd functionfs:dir search;
+  allow fastbootd functionfs:file rw_file_perms;
+
+  allowxperm fastbootd functionfs:file ioctl { FUNCTIONFS_ENDPOINT_DESC };
+  # Log to serial
+  allow fastbootd kmsg_device:chr_file { open getattr write };
+
+  # battery info
+  allow fastbootd sysfs_batteryinfo:file r_file_perms;
+
+  allow fastbootd device:dir r_dir_perms;
+
+  # For dev/block/by-name dir
+  allow fastbootd block_device:dir r_dir_perms;
+
+  # Needed for DM_DEV_CREATE ioctl call
+  allow fastbootd self:capability sys_admin;
+
+  unix_socket_connect(fastbootd, recovery, recovery)
+
+  # Required for flashing
+  allow fastbootd dm_device:chr_file rw_file_perms;
+  allow fastbootd dm_device:blk_file rw_file_perms;
+
+  allow fastbootd cache_block_device:blk_file rw_file_perms;
+  allow fastbootd super_block_device_type:blk_file rw_file_perms;
+  allow fastbootd {
+    boot_block_device
+    metadata_block_device
+    system_block_device
+    userdata_block_device
+  }:blk_file { w_file_perms getattr ioctl };
+
+  # For disabling/wiping GSI, and for modifying/deleting files created via
+  # libfiemap.
+  allow fastbootd metadata_block_device:blk_file r_file_perms;
+  allow fastbootd {rootfs tmpfs}:dir mounton;
+  allow fastbootd metadata_file:dir { search getattr mounton };
+  allow fastbootd gsi_metadata_file_type:dir rw_dir_perms;
+  allow fastbootd gsi_metadata_file_type:file create_file_perms;
+
+  allowxperm fastbootd super_block_device_type:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
+
+  allowxperm fastbootd {
+    metadata_block_device
+    userdata_block_device
+    dm_device
+    cache_block_device
+  }:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
+
+  allow fastbootd misc_block_device:blk_file rw_file_perms;
+
+  allow fastbootd proc_cmdline:file r_file_perms;
+  allow fastbootd rootfs:dir r_dir_perms;
+
+  # Needed to read fstab node from device tree.
+  allow fastbootd sysfs_dt_firmware_android:file r_file_perms;
+  allow fastbootd sysfs_dt_firmware_android:dir r_dir_perms;
+
+  # Needed because libdm reads sysfs to validate when a dm path is ready.
+  r_dir_file(fastbootd, sysfs_dm)
+
+  # Needed for realpath() call to resolve symlinks.
+  allow fastbootd block_device:dir getattr;
+  userdebug_or_eng(`
+    # Refined manipulation of /mnt/scratch, without these perms resorts
+    # to deleting scratch partition when partition(s) are flashed.
+    allow fastbootd self:process setfscreate;
+    allow fastbootd cache_file:dir search;
+    allow fastbootd proc_filesystems:file { getattr open read };
+    allow fastbootd self:capability sys_rawio;
+    dontaudit fastbootd kernel:system module_request;
+    allowxperm fastbootd dev_type:blk_file ioctl BLKROSET;
+    allow fastbootd overlayfs_file:dir { create_dir_perms mounton };
+    allow fastbootd {
+      system_file_type
+      unlabeled
+      vendor_file_type
+    }:dir { remove_name rmdir search write };
+    allow fastbootd {
+      overlayfs_file
+      system_file_type
+      unlabeled
+      vendor_file_type
+    }:{ file lnk_file } unlink;
+    allow fastbootd tmpfs:dir rw_dir_perms;
+    # Fetch vendor_boot partition
+    allow fastbootd boot_block_device:blk_file r_file_perms;
+  ')
+
+  # Allow using libfiemap/gsid directly (no binder in recovery).
+  allow fastbootd gsi_metadata_file_type:dir search;
+  allow fastbootd ota_metadata_file:dir rw_dir_perms;
+  allow fastbootd ota_metadata_file:file create_file_perms;
+')
+
+###
+### neverallow rules
+###
+
+# Write permission is required to wipe userdata
+# until recovery supports vold.
+neverallow fastbootd {
+   data_file_type
+}:file { no_x_file_perms };