Merge "Introduce vmlauncher_app domain" into main
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index 62ca9b7..e250c35 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -20,6 +20,8 @@
 type encryptedstore_file, file_type;
 type encryptedstore_fs, fs_type, contextmount_type;
 
+type microdroid_resources_file, file_type;
+
 # Filesystem entry for for PRNG seeder socket.
 type prng_seeder_socket, file_type, coredomain_socket;
 
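Review bot: The new `microdroid_resources_file` type on line 10 has no comment, while the neighbouring type declarations in this file are annotated (e.g. the PRNG seeder socket entry just below). Suggest `# Files on the /microdroid_resources tmpfs, e.g. the dice chain written by first_stage_init.`; the wording is inferred from the microdroid_manager.te hunk in this same diff, so confirm it matches what is actually stored there.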
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 03e9cba..6414f76 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -15,7 +15,7 @@
 # Empty directories
 /lost\+found        u:object_r:rootfs:s0
 /debug_ramdisk      u:object_r:tmpfs:s0
-/microdroid_resources u:object_r:tmpfs:s0
+/microdroid_resources(/.*)? u:object_r:microdroid_resources_file:s0
 /mnt                u:object_r:tmpfs:s0
 /proc               u:object_r:rootfs:s0
 /second_stage_resources u:object_r:tmpfs:s0
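Review bot: The relabelled entry on line 24 now matches `/microdroid_resources` and everything beneath it, yet it still sits under the `# Empty directories` heading on line 20, which no longer describes it once first_stage_init writes the dice chain there (per the microdroid_manager.te hunk). Either move the entry out of that group or add `# Not empty at runtime: first_stage_init writes the dice chain here; relabelled by restorecon_recursive (see kernel.te).` above it. Note also that the mount itself stays `tmpfs`, so the directory only carries this label after restorecon runs; anything that depends on the label before the setup_selinux stage will see `tmpfs` — worth stating in the comment if that ordering matters.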
diff --git a/microdroid/system/private/kernel.te b/microdroid/system/private/kernel.te
index 1d03c4a..0b650d3 100644
--- a/microdroid/system/private/kernel.te
+++ b/microdroid/system/private/kernel.te
@@ -81,3 +81,10 @@
 
 #-----------------------------------------
 allow kernel apkdmverity:fd use;
+
+# We run restorecon_recursive /microdroid_resources during setup_selinux stage which runs in the
+# kernel domain. This is to avoid granting init weird capabilities like
+# `allow init tmpfs:file relabelfrom;`
+allow kernel microdroid_resources_file:dir { read open search relabelto};
+allow kernel microdroid_resources_file:file relabelto;
+allow kernel tmpfs:file { getattr relabelfrom };
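Review bot: `allow kernel tmpfs:file { getattr relabelfrom };` on line 42 is not scoped to /microdroid_resources — it lets the kernel domain relabel any tmpfs-backed file it can reach, which is wider than the comment on lines 37–39 implies; if that width is intended, say so in the comment, otherwise consider whether the files could be created with the final label instead of being relabelled. The directory rule on line 40 grants only `relabelto` on the new type, but relabelling the `/microdroid_resources` directory itself (initially `tmpfs:dir`) would also need `tmpfs:dir { getattr relabelfrom }`, unless the kernel domain already has that elsewhere — confirm against a boot log with restorecon_recursive. Style nit: `{ read open search relabelto}` is missing the space before `}`; `{ read open search relabelto }` matches the other rules in the file.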
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index d1a5c6f..75c89be 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -24,6 +24,19 @@
 # Read config from the open-dice driver.
 allow microdroid_manager open_dice_device:chr_file rw_file_perms;
 
+# In case Microdroid VM is started with microdroid vendor partition, the first_stage_init
+# will derive a microdroid vendor dice node, and write a resulting dice chain into file
+# with dice_chain_file type, microdroid_manager will need to read it to derive the next chain.
+allow microdroid_manager microdroid_resources_file:file { rw_file_perms unlink };
+# In case dice chain is stored in dice_chain_file microdroid_manager will delete it after deriving
+# the next dice chain.
+allow microdroid_manager microdroid_resources_file:dir { remove_name search write };
+
+# Microdroid manager unmounts /microdroid_resources before starting the payload.
+# This is a defence-in-depth measure to ensure that payload can't read the dice chain stored
+# on /microdroid_resources/dice_chain.raw
+allow microdroid_manager tmpfs:filesystem unmount;
+
 # Block crash dumps to ensure the DICE secrets are not leaked.
 typeattribute microdroid_manager no_crash_dump_domain;
 
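Review bot: The comments on lines 51–56 refer to a `dice_chain_file` type, but the rules on lines 54 and 57 grant access to `microdroid_resources_file`; either the comment should name the type actually used, e.g. `# ... write the resulting dice chain into /microdroid_resources (microdroid_resources_file); ...`, or the rules were meant to target a narrower type — please reconcile. Separately, `allow microdroid_manager tmpfs:filesystem unmount;` on line 62 cannot be path-scoped and permits unmounting any tmpfs filesystem, so the defence-in-depth comment on lines 59–61 should state that width rather than implying it is limited to /microdroid_resources. The stated need on lines 51–56 is read then unlink, yet line 54 grants `rw_file_perms`; if microdroid_manager does not write there, `r_file_perms` plus `unlink` would be least privilege — confirm whether write is actually exercised.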
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 9b194b8..8884a7a 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -75,7 +75,7 @@
 # An unspecified isSdkSandboxAudit defaults to false.
 #
 # Precedence: entries are compared using the following rules, in the order shown
-# (see external/selinux/libselinux/src/android/android_platform.c,
+# (see external/selinux/libselinux/src/android/android_seapp.c,
 # seapp_context_cmp()).
 #       (1) isSystemServer=true before isSystemServer=false.
 #       (2) Specified isEphemeralApp= before unspecified isEphemeralApp=
diff --git a/private/system_server.te b/private/system_server.te
index 80ee886..f6ae092 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -333,6 +333,7 @@
 hal_client_domain(system_server, hal_rebootescrow)
 hal_client_domain(system_server, hal_remotelyprovisionedcomponent_avf)
 hal_client_domain(system_server, hal_sensors)
+hal_client_domain(system_server, hal_secretkeeper)
 hal_client_domain(system_server, hal_tetheroffload)
 hal_client_domain(system_server, hal_thermal)
 hal_client_domain(system_server, hal_threadnetwork)
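Review bot: `hal_client_domain(system_server, hal_secretkeeper)` on line 88 gives system_server a new client relationship to a secret-handling HAL without any rationale, and this merge is titled for the vmlauncher_app domain, so it is not obvious from the diff which feature needs it. The surrounding lines are uncommented too, so this follows file style, but given the sensitivity a one-line comment such as `# Secretkeeper client: <feature> — TODO confirm which system_server component uses it` would help future audits; hedge the feature name until it is confirmed.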