Use /proc/device-tree for reading AVF DT

Although /proc/device-tree is a symlink to /sys/firmware/devicetree/base,
/proc/device-tree is the stable API, whereas the absolute sysfs path may
change in the future.

Bug: 322465386
Test: atest CustomPvmfwHostTestCases
Change-Id: I81cbe8a4dddbac97e4fb94e6684d2a91127f3378
diff --git a/microdroid/system/private/genfs_contexts b/microdroid/system/private/genfs_contexts
index f55711e..13ce685 100644
--- a/microdroid/system/private/genfs_contexts
+++ b/microdroid/system/private/genfs_contexts
@@ -7,6 +7,9 @@
 genfscon proc /buddyinfo u:object_r:proc_buddyinfo:s0
 genfscon proc /cmdline u:object_r:proc_cmdline:s0
 genfscon proc /config.gz u:object_r:config_gz:s0
+genfscon proc /device-tree/avf u:object_r:proc_dt_avf:s0
+genfscon proc /device-tree/chosen/avf,new-instance u:object_r:proc_dt_avf:s0
+genfscon proc /device-tree/chosen/avf,strict-boot u:object_r:proc_dt_avf:s0
 genfscon proc /diskstats u:object_r:proc_diskstats:s0
 genfscon proc /filesystems u:object_r:proc_filesystems:s0
 genfscon proc /interrupts u:object_r:proc_interrupts:s0
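Review bot: The three added `genfscon proc /device-tree/...` entries only label anything if the kernel exposes real procfs inodes under `/device-tree`. The commit message says `/proc/device-tree` is a symlink to `/sys/firmware/devicetree/base`, in which case path resolution presumably lands in sysfs and the nodes keep their `sysfs_dt_avf` label. It is worth confirming on a target kernel (for example with `ls -Zd /proc/device-tree/avf`) that `proc_dt_avf` is ever assigned. If it is not, the new type and its allow rules are dead policy, the sysfs labels remain the real access-control boundary, and a comment above these entries should say so. The same question applies to the single entry added in private/genfs_contexts.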
diff --git a/microdroid/system/private/init_debug_policy.te b/microdroid/system/private/init_debug_policy.te
index a9c5f4a..384f5d5 100644
--- a/microdroid/system/private/init_debug_policy.te
+++ b/microdroid/system/private/init_debug_policy.te
@@ -27,6 +27,5 @@
 set_prop(init_debug_policy, init_debug_policy_prop)
 
 # Allow init_debug_policy to read AVF debug policy
-allow init_debug_policy sysfs_dt_avf:dir search;
-allow init_debug_policy sysfs_dt_avf:file r_file_perms;
-
+r_dir_file(init_debug_policy, proc_dt_avf)
+r_dir_file(init_debug_policy, sysfs_dt_avf)
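Review bot: Replacing the explicit rules with `r_dir_file(init_debug_policy, sysfs_dt_avf)` widens access to the existing sysfs type. The removed lines granted only `dir search` and `file r_file_perms`, whereas the macro grants `r_dir_perms` on directories and `r_file_perms` on both files and symlinks. The commit message describes only a path change, so the added directory-listing and lnk_file access looks incidental. If enumeration is not needed, keep the narrow form and add the matching pair for the new type: `allow init_debug_policy proc_dt_avf:dir search;` and `allow init_debug_policy proc_dt_avf:file r_file_perms;`. If listing is needed, the comment above should say why. The same widening occurs in the microdroid_manager.te and virtualizationmanager.te hunks.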
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index b84474a..d1a5c6f 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -18,10 +18,8 @@
 allow microdroid_manager dm_device:blk_file r_file_perms;
 
 # microdroid_manager can query AVF flags in the device tree
-allow microdroid_manager sysfs_dt_avf:file r_file_perms;
-
-# Allow microdroid_manager to read AVF debug policy
-allow microdroid_manager sysfs_dt_avf:dir search;
+r_dir_file(microdroid_manager, proc_dt_avf)
+r_dir_file(microdroid_manager, sysfs_dt_avf)
 
 # Read config from the open-dice driver.
 allow microdroid_manager open_dice_device:chr_file rw_file_perms;
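Review bot: The surviving comment above the two `r_dir_file` lines mentions only AVF flags, but the removed `# Allow microdroid_manager to read AVF debug policy` comment documented a second reason this domain reads the same type. That rationale is now lost for anyone auditing why the access exists. Suggest rewording the remaining comment to `# microdroid_manager reads AVF flags and the AVF debug policy from the device tree`.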
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index 57852c2..201a07e 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -84,6 +84,7 @@
 type proc_dirty, fs_type, proc_type;
 type proc_diskstats, fs_type, proc_type;
 type proc_drop_caches, fs_type, proc_type;
+type proc_dt_avf, fs_type, proc_type;
 type proc_extra_free_kbytes, fs_type, proc_type;
 type proc_filesystems, fs_type, proc_type;
 type proc_hostname, fs_type, proc_type;
diff --git a/private/file.te b/private/file.te
index b652ccb..450fe2c 100644
--- a/private/file.te
+++ b/private/file.te
@@ -136,8 +136,9 @@
 # in to satisfy MLS constraints for trusted domains.
 type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;
 
-# /sys/firmware/devicetree/base/avf
+# /proc/device-tree/avf and /sys/firmware/devicetree/base/avf
 type sysfs_dt_avf, fs_type, sysfs_type;
+type proc_dt_avf, fs_type, proc_type;
 
 # Type for /system/fonts/font_fallback.xm
 type system_font_fallback_file, system_file_type, file_type;
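Review bot: The combined comment lists the /proc path first while the declarations below it put `sysfs_dt_avf` first, so a reader can pair the wrong path with the wrong type. One comment per type is clearer: `# /sys/firmware/devicetree/base/avf` directly above `type sysfs_dt_avf` and `# /proc/device-tree/avf` directly above `type proc_dt_avf`.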
diff --git a/private/genfs_contexts b/private/genfs_contexts
index b5f07ec..6a1caf3 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -8,6 +8,7 @@
 genfscon proc /cmdline u:object_r:proc_cmdline:s0
 genfscon proc /config.gz u:object_r:config_gz:s0
 genfscon proc /cpu/alignment u:object_r:proc_cpu_alignment:s0
+genfscon proc /device-tree/avf u:object_r:proc_dt_avf:s0
 genfscon proc /diskstats u:object_r:proc_diskstats:s0
 genfscon proc /filesystems u:object_r:proc_filesystems:s0
 genfscon proc /interrupts u:object_r:proc_interrupts:s0
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index d0fe571..3aaff5b 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -83,9 +83,9 @@
 allow virtualizationmanager tombstone_data_file:file { append getattr };
 allow virtualizationmanager tombstoned:fd use;
 
-# Allow virtualizationmanager to read AVF debug policy
-allow virtualizationmanager sysfs_dt_avf:dir search;
-allow virtualizationmanager sysfs_dt_avf:file r_file_perms;
+# Allow virtualizationmanager to read file system DT for VM reference DT and AVF debug policy
+r_dir_file(virtualizationmanager, proc_dt_avf)
+r_dir_file(virtualizationmanager, sysfs_dt_avf)
 
 # virtualizationmanager to be client of secretkeeper HAL. It ferries SecretManagement messages
 # from pVM to HAL.