microdroid: Run apk mount utils from MM
For now, the command for apkdmverity and zipfuse is hard-coded in the
init script file. To support passing extra APKs, microdroid_manager
needs to parse the vm config, and then manually run apkdmverity and
zipfuse with appropriate parameters.
Bug: 205224817
Test: atest MicrodroidHostTestCases ComposHostTestCases
Change-Id: I482b548b2a414f3b5136cea199d551cc88402caf
diff --git a/microdroid/system/private/zipfuse.te b/microdroid/system/private/zipfuse.te
index 351e89e..04cdadf 100644
--- a/microdroid/system/private/zipfuse.te
+++ b/microdroid/system/private/zipfuse.te
@@ -6,9 +6,6 @@
type zipfuse, domain, coredomain;
type zipfuse_exec, exec_type, file_type, system_file_type;
-# allow domain transition from init
-init_daemon_domain(zipfuse)
-
# zipfuse is using bootstrap bionic
allow zipfuse system_bootstrap_lib_file:dir r_dir_perms;
allow zipfuse system_bootstrap_lib_file:file { execute read open getattr map };
@@ -36,3 +33,13 @@
# allow mounting with context=u:object_r:system_file:s0 so that files provided
# by zipfuse are treated the same as the other files in /system or /apex
allow system_file zipfusefs:filesystem associate;
+
+# allow zipfuse to log to the kernel
+allow zipfuse kmsg_device:chr_file w_file_perms;
+
+# zipfuse is forked from microdroid_manager
+# TODO(inseob): remove this
+allow zipfuse microdroid_manager:fd use;
+
+# Only microdroid_manager can run zipfuse
+neverallow { domain -microdroid_manager } zipfuse:process { transition dyntransition };