Selinux permissions for tombstone_transmit inside VM r.android.com/2060021 made it possible for tombstone_transmit to remove the tombstone file from guest after reading it. This is the required Selinux policy for that. Bug: 232403725 Test: atest MicrodroidHostTestCases & check vm logs for avc: denials Change-Id: Ic071c0bd5ecb85f4ceae84e435afdec155fbba0b

commit: 2df14574fa0e2179d4e1a604abf8cd4abb5704a6 [log] [tgz]
author: Shikha Panwar <shikhapanwar@google.com> Thu May 12 16:17:58 2022 +0000
committer: Shikha Panwar <shikhapanwar@google.com> Tue May 17 11:10:42 2022 +0000
tree: 334a644832c346636564506deb56deb89c17af57
parent: 800e948e616bd898721bb9a14bf41442a7e7ecf6 [diff]
diff --git a/microdroid/system/private/tombstone_transmit.te b/microdroid/system/private/tombstone_transmit.te
index 588ebff..1887654 100644
--- a/microdroid/system/private/tombstone_transmit.te
+++ b/microdroid/system/private/tombstone_transmit.te

@@ -3,6 +3,8 @@
 
 init_daemon_domain(tombstone_transmit)
 
-r_dir_file(tombstone_transmit, tombstone_data_file)
+# permission required to read the file & remove it from directory
+allow tombstone_transmit tombstone_data_file:dir { r_dir_perms write remove_name };
+allow tombstone_transmit tombstone_data_file:file { r_file_perms unlink };
 
 allow tombstone_transmit self:{ vsock_socket } create_socket_perms_no_ioctl;
commit	2df14574fa0e2179d4e1a604abf8cd4abb5704a6	[log] [tgz]
author	Shikha Panwar <shikhapanwar@google.com>	Thu May 12 16:17:58 2022 +0000
committer	Shikha Panwar <shikhapanwar@google.com>	Tue May 17 11:10:42 2022 +0000
tree	334a644832c346636564506deb56deb89c17af57
parent	800e948e616bd898721bb9a14bf41442a7e7ecf6 [diff]