Allow ueventd to relabel /dev/open-dice0

Another patch in this topic moves the initialisation of /dev/open-dice0 to
first_stage_init, which runs before the sepolicy is set up. However,
microdroid_manager should still be able to access /dev/open-dice0,
hence this patch, which grants ueventd permissions to relabel the device
and fix its permissions.

Bug: 287593065
Test: vm run-microdroid --protected
Change-Id: Iacf5b0aa9b85ee9f07abac35f6b43b7ec378bff4
diff --git a/microdroid/system/private/ueventd.te b/microdroid/system/private/ueventd.te
index 4bd55cf..2f25703 100644
--- a/microdroid/system/private/ueventd.te
+++ b/microdroid/system/private/ueventd.te
@@ -15,7 +15,10 @@
 r_dir_file(ueventd, sysfs_type)
 allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
 allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
-allow ueventd tmpfs:chr_file rw_file_perms;
+# the open-dice0 device is now created in first_stage_init, ueventd needs these permissions
+# so that it can relabel it to open_dice_device, so that microdroid_manager can access it.
+allow ueventd tmpfs:chr_file { relabelfrom rw_file_perms setattr };
+allow ueventd open_dice_device:chr_file relabelto;
 allow ueventd dev_type:dir create_dir_perms;
 allow ueventd dev_type:lnk_file { create unlink };
 allow ueventd dev_type:chr_file { getattr create setattr unlink };
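Review bot: The widened rule `allow ueventd tmpfs:chr_file { relabelfrom rw_file_perms setattr };` covers every character device that still carries the tmpfs label, while the comment above it only talks about open-dice0. The relabel itself is bounded because `relabelto` is granted only for open_dice_device, but `setattr` on tmpfs:chr_file has no such bound. Please say in the comment that the source type is tmpfs because the node is created before policy is loaded, and that the grant is intentionally type-wide, or explain why it cannot be narrowed. The comment would also read better as two sentences than as one with two "so that" clauses.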