Add microdroid_payload attribute
The microdroid_payload attribute is for processes meant to be run by
microdroid_manager as a payload. Other than to microdroid_payload and
crash_dump, domain transitions from microdroid_manager will not be permitted.
Bug: 191263171
Test: atest MicrodroidHostTestCases
Test: atest ComposHostTestCases
Change-Id: I959a8ad8ed83c8de254d7af61fd30bcbffe6b070
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index ecb5dad..a126a02 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -1,15 +1,23 @@
# TODO(b/193504816): move this to compos APEX
-type compos, domain, coredomain;
+type compos, domain, coredomain, microdroid_payload;
type compos_exec, exec_type, file_type, system_file_type;
type compos_key_cmd, domain, coredomain;
type compos_key_cmd_exec, exec_type, file_type, system_file_type;
-binder_use(compos)
-use_keystore(compos)
-
allow compos self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-allow compos microdroid_manager:fd use;
+# Talk to binder services (for keystore)
+binder_use(compos);
-allow compos kmsg_device:chr_file w_file_perms;
+# Allow payloads to use keystore
+use_keystore(compos);
+
+# Allow payloads to use and manage their keys
+allow compos vm_payload_key:keystore2_key {
+ delete
+ get_info
+ manage_blob
+ rebind
+ use
+};