Merge changes from topic "diced" * changes: Allow microdroid_manager to talk to diced Make servicemanager and diced bootstrap processes

commit: 0120813598113eba690bc6fefc0efa705f13622f [log] [tgz]
author: Jiyong Park <jiyong@google.com> Mon Jan 24 10:24:03 2022 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Mon Jan 24 10:24:03 2022 +0000
tree: 09c74087da155e57a3b6caf8d7169e0b044e9ca4
parent: cbc95ea5e2db60d3a5efd89aeffc47189d2b36a2 [diff]
parent: f252d81ec9fd509e63ab0ce06cbf046650120d1c [diff]
diff --git a/microdroid/system/private/diced.te b/microdroid/system/private/diced.te
index 4c3a890..5cf06bd 100644
--- a/microdroid/system/private/diced.te
+++ b/microdroid/system/private/diced.te

@@ -15,3 +15,7 @@
 
 # diced can check SELinux permissions.
 selinux_check_access(diced)
+
+# diced is using bootstrap bionic
+allow diced system_bootstrap_lib_file:dir r_dir_perms;
+allow diced system_bootstrap_lib_file:file { execute read open getattr map };

diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index b6fb2ba..c1f69b0 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts

@@ -106,8 +106,8 @@
 /system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
 /system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
 /system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
-/system/bin/diced		u:object_r:diced_exec:s0
-/system/bin/servicemanager	u:object_r:servicemanager_exec:s0
+/system/bin/diced.microdroid		u:object_r:diced_exec:s0
+/system/bin/servicemanager.microdroid	u:object_r:servicemanager_exec:s0
 /system/bin/hwservicemanager	u:object_r:hwservicemanager_exec:s0
 /system/bin/init		u:object_r:init_exec:s0
 /system/bin/keystore2	u:object_r:keystore_exec:s0

diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 736a135..442b091 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te

@@ -41,6 +41,12 @@
 allow microdroid_manager system_bootstrap_lib_file:dir r_dir_perms;
 allow microdroid_manager system_bootstrap_lib_file:file { execute read open getattr map };
 
+# microdroid_manager can talk to diced over binder
+binder_use(microdroid_manager)
+binder_call(microdroid_manager, diced)
+allow microdroid_manager { dice_node_service dice_maintenance_service }:service_manager find;
+allow microdroid_manager diced:diced { derive demote_self };
+
 # microdroid_manager create /apex/vm-payload-metadata for apexd
 # TODO(b/199371341) create a new label for the file so that only microdroid_manager can create it.
 allow microdroid_manager apex_mnt_dir:dir w_dir_perms;

diff --git a/microdroid/system/private/servicemanager.te b/microdroid/system/private/servicemanager.te
index 5dad3c1..8e0f13c 100644
--- a/microdroid/system/private/servicemanager.te
+++ b/microdroid/system/private/servicemanager.te

@@ -25,3 +25,7 @@
 add_service(servicemanager, service_manager_service)
 
 set_prop(servicemanager, ctl_interface_start_prop)
+
+# servicemanager is using bootstrap bionic
+allow servicemanager system_bootstrap_lib_file:dir r_dir_perms;
+allow servicemanager system_bootstrap_lib_file:file { execute read open getattr map };
commit	0120813598113eba690bc6fefc0efa705f13622f	[log] [tgz]
author	Jiyong Park <jiyong@google.com>	Mon Jan 24 10:24:03 2022 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Mon Jan 24 10:24:03 2022 +0000
tree	09c74087da155e57a3b6caf8d7169e0b044e9ca4
parent	cbc95ea5e2db60d3a5efd89aeffc47189d2b36a2 [diff]
parent	f252d81ec9fd509e63ab0ce06cbf046650120d1c [diff]