commit 7560aed40a59eb264f04e8a921c38f4021061f76
author Inseob Kim <inseob@google.com> Tue Jul 20 09:57:57 2021 +0000
committer Inseob Kim <inseob@google.com> Fri Jul 23 06:01:39 2021 +0000
tree ec7878ea5463b68b2c3f25dce49762493fbb4b87
parent f778a0bd8956a2a846575c6d5802ded9e3be378b

Add domain for compos binaries

Bug: 191263171
Test: atest MicrodroidHostTestCases
Test: atest ComposHostTestCases
Change-Id: I1fd35d0efe83d2cecaa41580e6d1d0b8f6242b3f

apex/com.android.compos-file_contexts

diff --git a/apex/com.android.compos-file_contexts b/apex/com.android.compos-file_contexts
index 83b4b58..f404a07 100644
--- a/apex/com.android.compos-file_contexts
+++ b/apex/com.android.compos-file_contexts
@@ -1 +1,5 @@
 (/.*)?                   u:object_r:system_file:s0
+/bin/compos_key_cmd      u:object_r:compos_key_cmd_exec:s0
+/bin/compos_key_main     u:object_r:compos_exec:s0
+/bin/compsvc             u:object_r:compos_exec:s0
+/bin/compsvc_worker      u:object_r:compos_exec:s0

microdroid/system/private/compos.te

diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
new file mode 100644
index 0000000..ecb5dad
--- /dev/null
+++ b/microdroid/system/private/compos.te
@@ -0,0 +1,15 @@
+# TODO(b/193504816): move this to compos APEX
+type compos, domain, coredomain;
+type compos_exec, exec_type, file_type, system_file_type;
+
+type compos_key_cmd, domain, coredomain;
+type compos_key_cmd_exec, exec_type, file_type, system_file_type;
+
+binder_use(compos)
+use_keystore(compos)
+
+allow compos self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+allow compos microdroid_manager:fd use;
+
+allow compos kmsg_device:chr_file w_file_perms;

microdroid/system/private/microdroid_manager.te

diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 074024f..fa7f12c 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -11,8 +11,9 @@
 allow microdroid_manager block_device:lnk_file r_file_perms;
 allow microdroid_manager vd_device:blk_file r_file_perms;
 
-# microdroid_manager start payload task via microdroid_launcher
-domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app);
+# Allow microdroid_manager to start payload tasks
+domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app)
+domain_auto_trans(microdroid_manager, compos_exec, compos)
 
 # Let microdroid_manager exec other files (e.g. payload command) in the same domain.
 # TODO(b/189706019) we need to a domain for the app process.

private/compos.te

diff --git a/private/compos.te b/private/compos.te
new file mode 100644
index 0000000..a86fd38
--- /dev/null
+++ b/private/compos.te
@@ -0,0 +1,6 @@
+# TODO(b/193504816): move this to compos APEX
+type compos, domain, coredomain;
+type compos_exec, exec_type, file_type, system_file_type;
+
+type compos_key_cmd, domain, coredomain;
+type compos_key_cmd_exec, exec_type, file_type, system_file_type;