encryptedstore - Create Selinux context & grant permissions
encryptedstore is Microdroid's dm-crypt-based encryption solution. It
requires access to block devices, device-mapper devices, etc.
Test: Run a VM & look for sepolicy denials.
Bug: 241541860
Change-Id: I556f56a184fc7a1ea71d67c3e591cc567dab2431
diff --git a/microdroid/system/private/encryptedstore.te b/microdroid/system/private/encryptedstore.te
new file mode 100644
index 0000000..4bbf657
--- /dev/null
+++ b/microdroid/system/private/encryptedstore.te
@@ -0,0 +1,28 @@
+# encryptedstore is a program that provides (encrypted) storage solution in a VM based on dm-crypt
+
+type encryptedstore, domain, coredomain;
+type encryptedstore_exec, exec_type, file_type, system_file_type;
+
+# encryptedstore is using bootstrap bionic
+use_bootstrap_libs(encryptedstore)
+
+# encryptedstore require access to block device directory to map dm-crypt
+r_dir_file(encryptedstore, block_device)
+
+# encryptedstore accesses /dev/vd* block device file.
+allow encryptedstore vd_device:blk_file r_file_perms;
+
+# allow encryptedstore to create dm-crypt devices
+allow encryptedstore dm_device:{chr_file blk_file} rw_file_perms;
+
+# sys_admin is required to access the device-mapper and mount
+allow encryptedstore self:global_capability_class_set sys_admin;
+
+# encryptedstore is forked from microdroid_manager
+allow encryptedstore microdroid_manager:fd use;
+
+# allow encryptedstore to log to the kernel
+allow encryptedstore kmsg_device:chr_file w_file_perms;
+
+# Only microdroid_manager can run encryptedstore
+neverallow { domain -microdroid_manager } encryptedstore:process { transition dyntransition };
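Review bot: The comment on the `sys_admin` rule says the capability is needed "to access the device-mapper and mount", but nothing in this file grants a `filesystem` `mount` or `mounton` permission, so as written the domain can only set up the dm target; either the mount is performed by another domain or a rule is still missing. If the mount is done elsewhere, the comment should describe only what this file grants, e.g. `# sys_admin is required for the device-mapper ioctls on dm_device`. Since `sys_admin` is the broadest Linux capability, naming the exact operation that needs it also lets a later reviewer judge whether it can be dropped.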
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 13f5d0e..9f46f24 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -120,6 +120,7 @@
/system/bin/apkdmverity u:object_r:apkdmverity_exec:s0
/system/bin/authfs u:object_r:authfs_exec:s0
/system/bin/authfs_service u:object_r:authfs_service_exec:s0
+/system/bin/encryptedstore u:object_r:encryptedstore_exec:s0
/system/bin/kexec_load u:object_r:kexec_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 399330f..31bdd85 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -39,6 +39,9 @@
domain_auto_trans(microdroid_manager, apkdmverity_exec, apkdmverity)
domain_auto_trans(microdroid_manager, zipfuse_exec, zipfuse)
+# Allow microdroid_manager to start encryptedstore binary
+domain_auto_trans(microdroid_manager, encryptedstore_exec, encryptedstore)
+
# Allow microdroid_manager to run kexec to load crashkernel
domain_auto_trans(microdroid_manager, kexec_exec, kexec)
@@ -126,6 +129,7 @@
-crash_dump
-microdroid_payload
-apkdmverity
+ -encryptedstore
-zipfuse
-kexec
}:process transition;