Add microdroid specific sepolicy
Microdroid will have a separate sepolicy, apart from the core policy.
This is the first step; for now it is a simple copy of system/sepolicy.
For the future work, it will be stripped.
Bug: 189165759
Test: boot microdroid and see selinux enforced
Change-Id: I2fee39f7231560b49c93bd5e8d0feeffada40938
diff --git a/microdroid/sepolicy/vendor/vndservicemanager.te b/microdroid/sepolicy/vendor/vndservicemanager.te
new file mode 100644
index 0000000..497e027
--- /dev/null
+++ b/microdroid/sepolicy/vendor/vndservicemanager.te
@@ -0,0 +1,22 @@
+# vndservicemanager - the Binder context manager for vendor processes
+type vndservicemanager_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(vndservicemanager);
+
+allow vndservicemanager self:binder set_context_mgr;
+
+# transfer binder objects to other processes (TODO b/35870313 limit this to vendor-only)
+allow vndservicemanager { domain -coredomain -init -vendor_init }:binder transfer;
+
+allow vndservicemanager vndbinder_device:chr_file rw_file_perms;
+
+# Read vndservice_contexts
+allow vndservicemanager vndservice_contexts_file:file r_file_perms;
+
+add_service(vndservicemanager, service_manager_vndservice)
+
+# Start lazy services
+set_prop(vndservicemanager, ctl_interface_start_prop)
+
+# Check SELinux permissions.
+selinux_check_access(vndservicemanager)
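Review bot: The rule `allow vndservicemanager { domain -coredomain -init -vendor_init }:binder transfer;` carries over the open TODO (b/35870313) and grants binder transfer to every non-core domain, which this new file inherits without noting that it was copied rather than designed for microdroid. Because the commit message says the policy will be stripped later, the file should record its provenance so that broad rules like this one are revisited during that work instead of being kept by default. A header comment such as `# Copied verbatim from system/sepolicy; to be trimmed for microdroid (b/189165759)` above the first line would make that explicit. The same note applies to every other .te file added by this change as a verbatim copy.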