Add microdroid_payload attribute

The microdroid_payload attribute is for processes meant to be run by
microdroid_manager as a payload. Other than to microdroid_payload domains and
crash_dump, transitions from microdroid_manager will not be permitted.

Bug: 191263171
Test: atest MicrodroidHostTestCases
Test: atest ComposHostTestCases
Change-Id: I959a8ad8ed83c8de254d7af61fd30bcbffe6b070
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index ecb5dad..a126a02 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -1,15 +1,23 @@
 # TODO(b/193504816): move this to compos APEX
-type compos, domain, coredomain;
+type compos, domain, coredomain, microdroid_payload;
 type compos_exec, exec_type, file_type, system_file_type;
 
 type compos_key_cmd, domain, coredomain;
 type compos_key_cmd_exec, exec_type, file_type, system_file_type;
 
-binder_use(compos)
-use_keystore(compos)
-
 allow compos self:vsock_socket { create_socket_perms_no_ioctl listen accept };
 
-allow compos microdroid_manager:fd use;
+# Talk to binder services (for keystore)
+binder_use(compos);
 
-allow compos kmsg_device:chr_file w_file_perms;
+# Allow payloads to use keystore
+use_keystore(compos);
+
+# Allow payloads to use and manage their keys
+allow compos vm_payload_key:keystore2_key {
+    delete
+    get_info
+    manage_blob
+    rebind
+    use
+};
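Review bot: Moving compos onto the microdroid_payload attribute widens its permissions beyond the two rules removed here: the `w_file_perms` on kmsg_device at the removed line becomes `rw_file_perms` through the attribute, and compos additionally picks up adbd fd/socket use, devpts access, `set_prop(..., debug_prop)` and the userdebug `shell:fd use` rule from the new microdroid_payload.te, none of which the commit message mentions. The `allow compos vm_payload_key:keystore2_key { ... }` block is also a new grant rather than a move (the hunk spans the whole original file), so it deserves a sentence in the description or a separate change. If the extra attribute rules are intended for compos, a comment such as `# compos inherits adb/devpts/kmsg/debug_prop access via microdroid_payload` next to the type line would make that explicit; otherwise keep the narrower per-domain rules and use the attribute only for the neverallow.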
diff --git a/microdroid/system/private/microdroid_app.te b/microdroid/system/private/microdroid_app.te
index 820ec68..d3ec74b 100644
--- a/microdroid/system/private/microdroid_app.te
+++ b/microdroid/system/private/microdroid_app.te
@@ -6,29 +6,9 @@
 # Both microdroid_launcher and payload from the shared library run in the
 # context of microdroid_app.
 
-type microdroid_app, domain, coredomain;
+type microdroid_app, domain, coredomain, microdroid_payload;
 type microdroid_app_exec, exec_type, file_type, system_file_type;
 
-# Allow to communicate use, read and write over the adb connection.
-allow microdroid_app adbd:fd use;
-allow microdroid_app adbd:unix_stream_socket { read write };
-
-# microdroid_launcher is launched by microdroid_manager with fork/execvp.
-allow microdroid_app microdroid_manager:fd use;
-
-# Allow to use FDs inherited from the shell. This includes the FD opened for
-# the microdroid_launcher executable itself and the FD for adb connection.
-# TODO(b/186396070) remove this when this is executed from microdroid_manager
-userdebug_or_eng(`
-  allow microdroid_app shell:fd use;
-')
-
-# Allow to use terminal
-allow microdroid_app devpts:chr_file rw_file_perms;
-
-# Allow to set debug prop
-set_prop(microdroid_app, debug_prop)
-
 # Talk to binder services (for keystore)
 binder_use(microdroid_app);
 
@@ -44,8 +24,3 @@
     use
 };
 
-# Allow microdroid_app to use vsock inherited from microdroid_manager
-allow microdroid_app microdroid_manager:vsock_socket { read write };
-
-# Write to /dev/kmsg.
-allow microdroid_app kmsg_device:chr_file rw_file_perms;
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
new file mode 100644
index 0000000..87edb31
--- /dev/null
+++ b/microdroid/system/private/microdroid_payload.te
@@ -0,0 +1,31 @@
+# microdroid_payload is an attribute for microdroid payload processes.
+# Domains should have microdroid_payload to be run from microdroid_manager.
+
+# Allow to communicate use, read and write over the adb connection.
+allow microdroid_payload adbd:fd use;
+allow microdroid_payload adbd:unix_stream_socket { read write };
+
+# microdroid_launcher is launched by microdroid_manager with fork/execvp.
+allow microdroid_payload microdroid_manager:fd use;
+
+# Allow to use FDs inherited from the shell. This includes the FD opened for
+# the microdroid_launcher executable itself and the FD for adb connection.
+# TODO(b/186396070) remove this when this is executed from microdroid_manager
+userdebug_or_eng(`
+  allow microdroid_payload shell:fd use;
+')
+
+# Allow to use terminal
+allow microdroid_payload devpts:chr_file rw_file_perms;
+
+# Allow to set debug prop
+set_prop(microdroid_payload, debug_prop)
+
+# Allow microdroid_payload to use vsock inherited from microdroid_manager
+allow microdroid_payload microdroid_manager:vsock_socket { read write };
+
+# Write to /dev/kmsg.
+allow microdroid_payload kmsg_device:chr_file rw_file_perms;
+
+# Only microdroid_payload can be run by microdroid_manager
+neverallow microdroid_manager { domain -crash_dump -microdroid_payload }:process transition;
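Review bot: The neverallow on the last line constrains only `process transition`; unless dyntransition out of microdroid_manager is already denied elsewhere in this policy (not visible in this change), the rule is incomplete and `neverallow microdroid_manager { domain -crash_dump -microdroid_payload }:process { transition dyntransition };` would state the intended restriction fully. Separately, the comments copied from microdroid_app.te still describe microdroid_launcher specifically (`# microdroid_launcher is launched by microdroid_manager with fork/execvp.` and the TODO(b/186396070) block) although the rules now apply to every payload domain; rewording to `# Payloads are launched by microdroid_manager with fork/execvp.` would match the attribute's scope. The `allow microdroid_payload shell:fd use` inside userdebug_or_eng likewise now applies to every payload domain, which is worth a comment noting it is attribute-wide rather than launcher-only.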
diff --git a/microdroid/system/public/attributes b/microdroid/system/public/attributes
index c82c0c8..cf516dd 100644
--- a/microdroid/system/public/attributes
+++ b/microdroid/system/public/attributes
@@ -393,3 +393,6 @@
 attribute gsi_metadata_file_type;
 
 attribute fusefs_type;
+
+# All types run from microdroid_manager as a payload
+attribute microdroid_payload;