Add vsock permissions to microdroid_payload

microdroid_payload needs to open a vsock server, so this change grants
permissions for that. This change also temporarily grants permissions to
get local CID, which should be removed once the RPC binder API supports
getting CID.

Bug: 195381416
Test: atest MicrodroidHostTestCases
Change-Id: I57a603e74d7552e13a83fa4934621e09e13015fd
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 87edb31..6079ed1 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -29,3 +29,13 @@
 
 # Only microdroid_payload can be run by microdroid_manager
 neverallow microdroid_manager { domain -crash_dump -microdroid_payload }:process transition;
+
+# Allow microdroid_payload to open binder servers via vsock.
+allow microdroid_payload self:vsock_socket { create_socket_perms listen accept };
+
+# Allow microdroid_payload to ioctl /dev/vsock.
+# TODO(b/199259751): remove the below rules
+allow microdroid_payload device:chr_file r_file_perms;
+allowxperm microdroid_payload device:chr_file ioctl {
+    IOCTL_VM_SOCKETS_GET_LOCAL_CID
+};
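Review bot: the `allow microdroid_payload device:chr_file r_file_perms;` rule in this hunk is broader than the comment "Allow microdroid_payload to ioctl /dev/vsock" states, because `device` is the generic label for every device node under /dev that has not been given a more specific type, so the payload gains read and ioctl on all of those, not just /dev/vsock. The `allowxperm` line does narrow the ioctl side to `IOCTL_VM_SOCKETS_GET_LOCAL_CID`, but the `open`/`read` part of `r_file_perms` is still granted across the whole `device` type. Since the commit message already marks this as temporary and the TODO(b/199259751) says the rules should be removed once the RPC binder API can return the CID, consider giving /dev/vsock its own type in file_contexts and scoping both rules to it, so that the interim grant is minimal and the removal is a clean revert of exactly these lines. Separately, the comment "Allow microdroid_payload to open binder servers via vsock." could name the concrete permissions it justifies (`listen` and `accept` on `vsock_socket`) so a later reader can see why `create_socket_perms` alone was not enough.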