Merge "Adjust policy for hypervisor system properties"
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index 0628a5b..d1dcff0 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -277,14 +277,6 @@
installable: false,
}
-prebuilt_etc {
- name: "microdroid_service_contexts",
- filename: "plat_service_contexts",
- src: "system/private/service_contexts",
- relative_install_path: "selinux",
- installable: false,
-}
-
// For CTS
se_policy_conf {
name: "microdroid_general_sepolicy.conf",
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index 0da1a6f..04a9859 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -46,17 +46,6 @@
allow domain null_device:chr_file rw_file_perms;
allow domain zero_device:chr_file rw_file_perms;
-# /dev/binder can be accessed by ... everyone! :)
-allow domain binder_device:chr_file rw_file_perms;
-
-# Restrict binder ioctls to an allowlist. Additional ioctl commands may be
-# added to individual domains, but this sets safe defaults for all processes.
-allowxperm domain binder_device:chr_file ioctl { unpriv_binder_ioctls };
-
-# /dev/binderfs needs to be accessed by everyone too!
-allow domain binderfs:dir { getattr search };
-allow domain binderfs_logs_proc:dir search;
-
allow domain ptmx_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
allow domain proc_random:dir r_dir_perms;
@@ -398,13 +387,6 @@
{ create relabelfrom relabelto append link rename };
neverallow domain { contextmount_type -authfs_fuse }:dir_file_class_set { write unlink };
-# Do not allow service_manager add for default service labels.
-# Instead domains should use a more specific type such as
-# system_app_service rather than the generic type.
-# New service_types are defined in {,hw,vnd}service.te and new mappings
-# from service name to service_type are defined in {,hw,vnd}service_contexts.
-neverallow * default_android_service:service_manager *;
-
neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
neverallow { domain -init } build_prop:property_service set;
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 60becf8..ae9b095 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -34,7 +34,6 @@
/dev(/.*)? u:object_r:device:s0
/dev/ashmem u:object_r:ashmem_device:s0
/dev/ashmem(.*)? u:object_r:ashmem_libcutils_device:s0
-/dev/binder u:object_r:binder_device:s0
/dev/block(/.*)? u:object_r:block_device:s0
/dev/block/dm-[0-9]+ u:object_r:dm_device:s0
/dev/block/loop[0-9]* u:object_r:loop_device:s0
@@ -55,7 +54,6 @@
/dev/hvc1 u:object_r:serial_device:s0
/dev/hvc2 u:object_r:log_device:s0
/dev/hw_random u:object_r:hw_random_device:s0
-/dev/hwbinder u:object_r:hwbinder_device:s0
/dev/loop-control u:object_r:loop_control_device:s0
/dev/ppp u:object_r:ppp_device:s0
/dev/ptmx u:object_r:ptmx_device:s0
@@ -86,7 +84,6 @@
/dev/uio[0-9]* u:object_r:uio_device:s0
/dev/urandom u:object_r:random_device:s0
/dev/vhost-vsock u:object_r:kvm_device:s0
-/dev/vndbinder u:object_r:vndbinder_device:s0
/dev/vsock u:object_r:vsock_device:s0
/dev/zero u:object_r:zero_device:s0
/dev/__properties__ u:object_r:properties_device:s0
diff --git a/microdroid/system/private/genfs_contexts b/microdroid/system/private/genfs_contexts
index 254dbe8..40decfe 100644
--- a/microdroid/system/private/genfs_contexts
+++ b/microdroid/system/private/genfs_contexts
@@ -357,15 +357,8 @@
genfscon securityfs / u:object_r:securityfs:s0
-genfscon binder /binder u:object_r:binder_device:s0
-genfscon binder /hwbinder u:object_r:hwbinder_device:s0
-genfscon binder /vndbinder u:object_r:vndbinder_device:s0
-genfscon binder /binder_logs u:object_r:binderfs_logs:s0
-genfscon binder /binder_logs/proc u:object_r:binderfs_logs_proc:s0
-
genfscon inotifyfs / u:object_r:inotify:s0
genfscon vfat / u:object_r:vfat:s0
-genfscon binder / u:object_r:binderfs:s0
genfscon exfat / u:object_r:exfat:s0
genfscon debugfs / u:object_r:debugfs:s0
genfscon fuse / u:object_r:fuse:s0
diff --git a/microdroid/system/private/init.te b/microdroid/system/private/init.te
index 19b7256..283775e 100644
--- a/microdroid/system/private/init.te
+++ b/microdroid/system/private/init.te
@@ -230,11 +230,9 @@
allow init { fs_type -contextmount_type -fusefs_type -rootfs }:dir { open read setattr search };
allow init {
- binder_device
console_device
devpts
dm_device
- hwbinder_device
kmsg_device
null_device
owntty_device
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index e1db47b..8765f75 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -51,6 +51,9 @@
# Let microdroid_manager to create a vsock connection back to the host VM
allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
+# Allow microdroid_manager to read the CID of the VM.
+allow microdroid_manager vsock_device:chr_file { ioctl open read };
+
# microdroid_manager is using bootstrap bionic
use_bootstrap_libs(microdroid_manager)
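Review bot: The added `allow microdroid_manager vsock_device:chr_file { ioctl open read };` grants every ioctl on the vsock device, while the comment above it says only the VM's CID needs to be read; unlike the binder rule this same change removes from domain.te, nothing narrows the set with `allowxperm`. Consider pairing the rule with `allowxperm microdroid_manager vsock_device:chr_file ioctl { <IOCTL_VM_SOCKETS_GET_LOCAL_CID number> };`, using the ioctl value for IOCTL_VM_SOCKETS_GET_LOCAL_CID from the kernel's linux/vm_sockets.h (confirm it against the header this tree builds with, and add an ioctl_defines entry if the project keeps one). That keeps the grant to the single operation the comment documents and makes any later widening visible in review.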
diff --git a/microdroid/system/private/service_contexts b/microdroid/system/private/service_contexts
deleted file mode 100644
index 837a28f..0000000
--- a/microdroid/system/private/service_contexts
+++ /dev/null
@@ -1,3 +0,0 @@
-adb u:object_r:adb_service:s0
-manager u:object_r:service_manager_service:s0
-* u:object_r:default_android_service:s0
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
index 27efdc4..8c6f777 100644
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@@ -1,6 +1,5 @@
type ashmem_device, dev_type;
type ashmem_libcutils_device, dev_type;
-type binder_device, dev_type;
type block_device, dev_type;
type console_device, dev_type;
type device, dev_type, fs_type;
@@ -11,7 +10,6 @@
type dmabuf_system_secure_heap_device, dev_type, dmabuf_heap_device_type;
type fuse_device, dev_type;
type hw_random_device, dev_type;
-type hwbinder_device, dev_type;
type kmsg_debug_device, dev_type;
type kmsg_device, dev_type;
type kvm_device, dev_type;
@@ -37,6 +35,5 @@
type uio_device, dev_type;
type userdata_sysdev, dev_type;
type vd_device, dev_type;
-type vndbinder_device, dev_type;
type vsock_device, dev_type;
type zero_device, dev_type;
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index 46ead43..5616160 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -47,9 +47,6 @@
type vm_payload_service_socket, file_type, coredomain_socket;
# file system types
-type binderfs, fs_type;
-type binderfs_logs, fs_type;
-type binderfs_logs_proc, fs_type;
type binfmt_miscfs, fs_type;
type cgroup, fs_type;
type cgroup_v2, fs_type;
diff --git a/microdroid/system/public/type.te b/microdroid/system/public/type.te
index 5b411b6..efc1aa3 100644
--- a/microdroid/system/public/type.te
+++ b/microdroid/system/public/type.te
@@ -1,6 +1,3 @@
# Miscellaneous types
-type adb_service, service_manager_type;
-type default_android_service, service_manager_type;
-type service_manager_service, service_manager_type;
type system_linker;
type vm_payload_key;