Merge "Initial sepolicy for composd"
diff --git a/apex/com.android.compos-file_contexts b/apex/com.android.compos-file_contexts
index ecec6b5..0502084 100644
--- a/apex/com.android.compos-file_contexts
+++ b/apex/com.android.compos-file_contexts
@@ -1,3 +1,4 @@
(/.*)? u:object_r:system_file:s0
/bin/compsvc u:object_r:compos_exec:s0
/bin/compos_verify_key u:object_r:compos_verify_key_exec:s0
+/bin/composd u:object_r:composd_exec:s0
diff --git a/private/compos.te b/private/compos.te
index f4cdc17..ffbb33e 100644
--- a/private/compos.te
+++ b/private/compos.te
@@ -1,3 +1 @@
-# TODO(b/193504816): move this to compos APEX
-type compos, domain, coredomain;
type compos_exec, exec_type, file_type, system_file_type;
diff --git a/private/composd.te b/private/composd.te
new file mode 100644
index 0000000..725e79e
--- /dev/null
+++ b/private/composd.te
@@ -0,0 +1,15 @@
+type composd, domain, coredomain;
+type composd_exec, system_file_type, exec_type, file_type;
+
+# Host a dynamic AIDL service
+init_daemon_domain(composd)
+binder_use(composd)
+add_service(composd, compos_service)
+
+# Start a VM
+virtualizationservice_use(composd)
+
+# Access our APEX data files
+allow composd apex_module_data_file:dir search;
+allow composd apex_compos_data_file:dir create_dir_perms;
+allow composd apex_compos_data_file:file create_file_perms;
diff --git a/private/service.te b/private/service.te
index 7f692f3..2ab6335 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,4 +1,5 @@
type attention_service, system_server_service, service_manager_type;
+type compos_service, service_manager_type;
type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
type incidentcompanion_service, system_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index df03915..7901db9 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -48,6 +48,8 @@
android.security.metrics u:object_r:keystore_metrics_service:s0
android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
+android.system.composd u:object_r:compos_service:s0
+android.system.virtualizationservice u:object_r:virtualization_service:s0
app_binding u:object_r:app_binding_service:s0
app_hibernation u:object_r:app_hibernation_service:s0
app_integrity u:object_r:app_integrity_service:s0
@@ -78,7 +80,6 @@
carrier_config u:object_r:radio_service:s0
clipboard u:object_r:clipboard_service:s0
com.android.net.IProxyService u:object_r:IProxyService_service:s0
-android.system.virtualizationservice u:object_r:virtualization_service:s0
companiondevice u:object_r:companion_device_service:s0
platform_compat u:object_r:platform_compat_service:s0
platform_compat_native u:object_r:platform_compat_service:s0