Add microdroid specific sepolicy
Microdroid will have a separate sepolicy, apart from the core policy.
This is the first step; For now it's a simple copy of system/sepolicy.
For the future work, it will be stripped.
Bug: 189165759
Test: boot microdroid and see selinux enforced
Change-Id: I2fee39f7231560b49c93bd5e8d0feeffada40938
diff --git a/microdroid/sepolicy/system/public/radio.te b/microdroid/sepolicy/system/public/radio.te
new file mode 100644
index 0000000..e03b706
--- /dev/null
+++ b/microdroid/sepolicy/system/public/radio.te
@@ -0,0 +1,36 @@
+# phone subsystem
+type radio, domain, mlstrustedsubject;
+
+net_domain(radio)
+bluetooth_domain(radio)
+binder_service(radio)
+
+# Talks to hal_telephony_server via the rild socket only for devices without full treble
+not_full_treble(`unix_socket_connect(radio, rild, hal_telephony_server)')
+
+# Data file accesses.
+allow radio radio_data_file:dir create_dir_perms;
+allow radio radio_data_file:notdevfile_class_set create_file_perms;
+allow radio radio_core_data_file:dir r_dir_perms;
+allow radio radio_core_data_file:file r_file_perms;
+
+allow radio net_data_file:dir search;
+allow radio net_data_file:file r_file_perms;
+
+add_service(radio, radio_service)
+allow radio audioserver_service:service_manager find;
+allow radio cameraserver_service:service_manager find;
+allow radio drmserver_service:service_manager find;
+allow radio mediaserver_service:service_manager find;
+allow radio nfc_service:service_manager find;
+allow radio app_api_service:service_manager find;
+allow radio system_api_service:service_manager find;
+allow radio timedetector_service:service_manager find;
+allow radio timezonedetector_service:service_manager find;
+
+# Perform HwBinder IPC.
+hwbinder_use(radio)
+hal_client_domain(radio, hal_telephony)
+
+# Used by TelephonyManager
+allow radio proc_cmdline:file r_file_perms;