Merge "Initial sepolicy for composd"
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index f1d3140..e78d4dc 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -37,6 +37,11 @@
allow microdroid_manager system_bootstrap_lib_file:dir r_dir_perms;
allow microdroid_manager system_bootstrap_lib_file:file { execute read open getattr map };
+# microdroid_manager create /apex/vm-payload-metadata for apexd
+# TODO(b/199371341) create a new label for the file so that only microdroid_manager can create it.
+allow microdroid_manager apex_mnt_dir:dir w_dir_perms;
+allow microdroid_manager apex_mnt_dir:file create_file_perms;
+
# Allow microdroid_manager to ioctl /dev/vsock.
# TODO(b/191845268): remove the below rules
allow microdroid_manager device:chr_file r_file_perms;
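Review bot: The two added `apex_mnt_dir` rules grant more than the comment describes. `w_dir_perms` includes `remove_name`, and `create_file_perms` includes `unlink`, `rename` and `setattr`, so until the TODO's dedicated label lands microdroid_manager can delete or replace any entry labelled `apex_mnt_dir`, not only create the metadata file. If creation is all that is needed, narrower sets would do, for example `allow microdroid_manager apex_mnt_dir:dir { search write add_name };` and `allow microdroid_manager apex_mnt_dir:file { create open write getattr };` (confirm against the calls microdroid_manager actually makes). The comment would also read better as `# microdroid_manager creates /apex/vm-payload-metadata for apexd`.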
diff --git a/microdroid/system/private/zipfuse.te b/microdroid/system/private/zipfuse.te
index fb7527b..351e89e 100644
--- a/microdroid/system/private/zipfuse.te
+++ b/microdroid/system/private/zipfuse.te
@@ -9,6 +9,10 @@
# allow domain transition from init
init_daemon_domain(zipfuse)
+# zipfuse is using bootstrap bionic
+allow zipfuse system_bootstrap_lib_file:dir r_dir_perms;
+allow zipfuse system_bootstrap_lib_file:file { execute read open getattr map };
+
# allow basic rules to implement FUSE
allow zipfuse fuse_device:chr_file rw_file_perms;
allow zipfuse self:global_capability_class_set sys_admin;
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
index bdc3b28..cc3519e 100644
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@@ -34,6 +34,6 @@
type uhid_device, dev_type, mlstrustedobject;
type uio_device, dev_type;
type userdata_sysdev, dev_type;
-type vd_device, dev_type;
+type vd_device, dev_type, bdev_type;
type vndbinder_device, dev_type;
type zero_device, dev_type, mlstrustedobject;
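Review bot: The `bdev_type` attribute added to `vd_device` has no comment, and its effect is wider than the one-line change suggests: every allow rule and every neverallow written against `bdev_type` now applies to this type as well. A short comment above the declaration would record the intent, for example `# vd_device is a block device; bdev_type makes block-device-wide rules apply to it`. Which domains gain access through the attribute is not visible in this hunk, so it is worth listing them (for instance with a policy search on `bdev_type`) before relying on the change.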
diff --git a/prebuilts/api/30.0/private/system_app.te b/prebuilts/api/30.0/private/system_app.te
index 0b77bb3..06dac78 100644
--- a/prebuilts/api/30.0/private/system_app.te
+++ b/prebuilts/api/30.0/private/system_app.te
@@ -72,12 +72,6 @@
# Settings need to access app name and icon from asec
allow system_app asec_apk_file:file r_file_perms;
-# Allow system_app (adb data loader) to write data to /data/incremental
-allow system_app apk_data_file:file write;
-
-# Allow system app (adb data loader) to read logs
-allow system_app incremental_control_file:file r_file_perms;
-
# Allow system apps (like Settings) to interact with statsd
binder_call(system_app, statsd)
diff --git a/private/adbd.te b/private/adbd.te
index c19630f..c5c5cc2 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -169,6 +169,9 @@
# Allow pulling config.gz for CTS purposes
allow adbd config_gz:file r_file_perms;
+# For CTS listening ports test.
+allow adbd proc_net_tcp_udp:file r_file_perms;
+
allow adbd gpu_service:service_manager find;
allow adbd surfaceflinger_service:service_manager find;
allow adbd bootchart_data_file:dir search;
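Review bot: The comment `# For CTS listening ports test.` does not say why adbd itself, rather than the test's own domain, needs to read files labelled `proc_net_tcp_udp`. The rule is unconditional, so it applies on every build and not only while the test runs. These files list sockets belonging to every UID on the device, which is presumably why they carry a dedicated label. Once the actual reader is confirmed, the comment should name it and the reason, along the lines of `# adbd reads /proc/net/{tcp,udp} for the CTS listening-ports test; read-only`. If the reader turns out to be a different domain, the grant belongs there instead.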
diff --git a/private/system_server.te b/private/system_server.te
index 13d620d..622fd41 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -399,7 +399,7 @@
r_dir_file(system_server, sysfs_android_usb)
allow system_server sysfs_android_usb:file w_file_perms;
-allow system_server sysfs_extcon:dir r_dir_perms;
+r_dir_file(system_server, sysfs_extcon)
r_dir_file(system_server, sysfs_ipv4)
allow system_server sysfs_ipv4:file w_file_perms;
diff --git a/public/crash_dump.te b/public/crash_dump.te
index 472e1dc..45269c3 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -43,6 +43,9 @@
# Read all /vendor
r_dir_file(crash_dump, { vendor_file same_process_hal_file })
+# Read all /data/local/tests
+r_dir_file(crash_dump, shell_test_data_file)
+
# Talk to tombstoned
unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
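Review bot: The read access added here is paired with a `-crash_dump` exemption in the `shell_test_data_file:file *` neverallow in public/domain.te, but the exemption is left unbounded. heapprofd, the other exempted domain, is immediately constrained by `neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms };`, and crash_dump gets no equivalent line. The earlier `no_w_file_perms` neverallow still covers crash_dump for writes, but nothing visible stops a later rule from granting it execute on files under /data/local/tests. Adding `neverallow crash_dump shell_test_data_file:file { no_w_file_perms no_x_file_perms };` next to the heapprofd line in domain.te would keep the exemption read-only and match the existing pattern.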
diff --git a/public/domain.te b/public/domain.te
index 3643d8c..19562b1 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -474,7 +474,7 @@
neverallow { domain -shell -init -adbd } shell_test_data_file:file_class_set no_w_file_perms;
neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms;
-neverallow { domain -shell -init -adbd -heapprofd } shell_test_data_file:file *;
+neverallow { domain -shell -init -adbd -heapprofd -crash_dump } shell_test_data_file:file *;
neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms };
neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *;