Add microdroid sepolicy test support
MicrodroidHostTestCases will pull the VM's sepolicy and check it against
system/sepolicy/microdroid's neverallow rules, using sepolicy-analyze
tool.
Bug: 218461215
Test: atest MicrodroidHostTestCases
Change-Id: I62a69053996b71d69dd2bf6b7eabc8b701095477
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index 2e8766c..0600207 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -280,3 +280,11 @@
relative_install_path: "selinux",
installable: false,
}
+
+// For CTS
+se_policy_conf {
+ name: "microdroid_general_sepolicy.conf",
+ srcs: system_policy_files,
+ exclude_build_test: true,
+ installable: false,
+}
diff --git a/microdroid/system/private/adbd.te b/microdroid/system/private/adbd.te
index 1212840..116c74d 100644
--- a/microdroid/system/private/adbd.te
+++ b/microdroid/system/private/adbd.te
@@ -48,6 +48,11 @@
# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
set_prop(adbd, adbd_prop)
+# Allow pulling the SELinux policy for CTS purposes
+allow adbd selinuxfs:dir r_dir_perms;
+allow adbd selinuxfs:file r_file_perms;
+allow adbd kernel:security read_policy;
+
# adbd tries to run mdnsd, but mdnsd doesn't exist. Just dontaudit ctl permissions.
# TODO(b/200902288): patch adb and remove this rule
dontaudit adbd { ctl_default_prop ctl_start_prop }:property_service set;