Merge changes from topic "microdroid_selinux_denial_test"
* changes:
Suppress power_supply access inside microdroid
Add servicemanager's service to microdroid policy
Temporarily dontaudit ueventd->tmpfs access
diff --git a/microdroid/system/private/service_contexts b/microdroid/system/private/service_contexts
index 5857a0f..24cc446 100644
--- a/microdroid/system/private/service_contexts
+++ b/microdroid/system/private/service_contexts
@@ -15,4 +15,5 @@
android.security.metrics u:object_r:keystore_metrics_service:s0
android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
apexservice u:object_r:apex_service:s0
+manager u:object_r:service_manager_service:s0
* u:object_r:default_android_service:s0
diff --git a/microdroid/system/private/servicemanager.te b/microdroid/system/private/servicemanager.te
index 8ff964f..d014af5 100644
--- a/microdroid/system/private/servicemanager.te
+++ b/microdroid/system/private/servicemanager.te
@@ -21,3 +21,5 @@
allow servicemanager service_contexts_file:file r_file_perms;
allow servicemanager vendor_service_contexts_file:file r_file_perms;
+
+add_service(servicemanager, service_manager_service)
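Review bot: The added `add_service(servicemanager, service_manager_service)` line has no comment, and the policy alone does not explain why servicemanager needs to add a service with itself. A one-line comment such as `# servicemanager registers itself under the name "manager" (see service_contexts).` would tie the rule to the `manager` entry this change adds to service_contexts. The rest of servicemanager.te lies outside the hunk, so any existing explanation further up is not visible here.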
diff --git a/microdroid/system/private/shell.te b/microdroid/system/private/shell.te
index fc51ad8..3bb879d 100644
--- a/microdroid/system/private/shell.te
+++ b/microdroid/system/private/shell.te
@@ -29,3 +29,7 @@
# filesystem test for insucre blk_file's is done
# via hostside test
allow shell dev_type:blk_file getattr;
+
+# Test tool automatically tries to access /sys/class/power_supply.
+# Suppressing it as we don't need power_supply in microdroid.
+dontaudit shell sysfs:dir r_dir_perms;
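Review bot: The `dontaudit shell sysfs:dir r_dir_perms;` rule is wider than its comment says: it silences directory read denials for every directory carrying the generic `sysfs` label, not only /sys/class/power_supply. Any other unexpected sysfs directory access from the shell domain then also disappears from the audit log, which is the signal a denial test is meant to surface. If the microdroid policy can give power_supply its own label, scope the rule to that type. Otherwise state the real scope in the comment, e.g. `# NOTE: this covers all dirs labeled sysfs, not just power_supply; narrow it once a dedicated label exists.`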
diff --git a/microdroid/system/private/ueventd.te b/microdroid/system/private/ueventd.te
index eb06672..4ff417b 100644
--- a/microdroid/system/private/ueventd.te
+++ b/microdroid/system/private/ueventd.te
@@ -50,3 +50,5 @@
allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
+# TODO(b/193118220): find out why this happens.
+dontaudit ueventd tmpfs:chr_file { relabelfrom setattr };
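Review bot: Suppressing `relabelfrom` and `setattr` on `tmpfs:chr_file` before the cause is known removes the only log evidence for b/193118220. The access stays denied, but a recurrence, or presumably a regression in how device nodes get labelled, will no longer appear in the audit log. The TODO should state that the rule is temporary and must be removed, for example `# TODO(b/193118220): find out why this happens, then remove this dontaudit.` A blank line before the comment would also match the layout of the other .te hunks in this change.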
diff --git a/microdroid/system/public/type.te b/microdroid/system/public/type.te
index c31509c..bd27d59 100644
--- a/microdroid/system/public/type.te
+++ b/microdroid/system/public/type.te
@@ -19,5 +19,6 @@
type keystore_service, service_manager_type;
type legacykeystore_service, service_manager_type;
type remoteprovisioning_service, service_manager_type;
+type service_manager_service, service_manager_type;
type system_linker;
type vm_payload_key;