microdroid: Add support for extra apk files

extra_apk_file is a new label only for APK files passed to microdroid.
microdroid_manager will create directories under /mnt/extra-apk/, and
zipfuse will mount APK block devices to the directories.

Currently only payload can read the files.

Bug: 205224817
Test: manually edit vm config and see APK files mounted
Change-Id: Ie5afb3156f22bb18979ec70904be675e8ff285a7
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index cbbd379..18fa8bb 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -4,6 +4,7 @@
 allow cgroup_rc_file tmpfs:filesystem associate;
 allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
 allow dev_type tmpfs:filesystem associate;
+allow extra_apk_file zipfusefs:filesystem associate;
 allow file_type labeledfs:filesystem associate;
 allow file_type tmpfs:filesystem associate;
 allow file_type rootfs:filesystem associate;
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 8a5f628..933c63f 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -171,3 +171,7 @@
 # microdroid doesn't use anr, but tombstoned tries to read this.
 # So marking /data/anr as tombstone_data_file
 /data/anr(/.*)?		u:object_r:tombstone_data_file:s0
+
+#############################
+# Directory for extra apks
+/mnt/extra-apk	u:object_r:extra_apk_file:s0
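Review bot: The file_contexts entry on the last added line matches only `/mnt/extra-apk` itself, not the per-APK directories that the commit message says microdroid_manager creates below it, so those directories end up as extra_apk_file only by inheriting the parent's label and a restorecon pass would not relabel them. If that inheritance is what is intended, a comment above the entry saying so would help the next reader. Otherwise `/mnt/extra-apk(/.*)?	u:object_r:extra_apk_file:s0` would match the `/data/anr(/.*)?` entry just above in both coverage and style.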
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index b914775..36a5f53 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -77,4 +77,11 @@
 # that is different from what is recorded in the instance.img file.
 allow microdroid_manager proc_bootconfig:file r_file_perms;
 
+# Allow microdroid_manager to handle extra_apks
+allow microdroid_manager extra_apk_file:dir create_dir_perms;
+
+# Domains other than microdroid can't write extra_apks
+neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:file no_w_file_perms;
+neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:dir no_w_dir_perms;
+
 neverallow microdroid_manager { file_type fs_type }:file execute_no_trans;
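Review bot: The comment above the two added neverallow rules says domains other than microdroid can't write extra_apks, but the rules exempt microdroid_manager, init and vendor_init, so the comment understates the carve-out; `# Only microdroid_manager (plus init/vendor_init) may write under extra_apk_file` would describe what is actually enforced. The commit message does not say why init and vendor_init need write access to this tree; if they do not, narrowing the exemption to `-microdroid_manager` would match the stated intent, and if they do, a short comment on the reason would keep the exception from being widened later.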
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 7c50db7..5419f52 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -39,3 +39,6 @@
 allowxperm microdroid_payload vsock_device:chr_file ioctl {
     IOCTL_VM_SOCKETS_GET_LOCAL_CID
 };
+
+# Payload can read extra apks
+r_dir_file(microdroid_payload, extra_apk_file)
diff --git a/microdroid/system/private/zipfuse.te b/microdroid/system/private/zipfuse.te
index 04cdadf..b88c014 100644
--- a/microdroid/system/private/zipfuse.te
+++ b/microdroid/system/private/zipfuse.te
@@ -37,9 +37,16 @@
 # allow zipfuse to log to the kernel
 allow zipfuse kmsg_device:chr_file w_file_perms;
 
+# allow zipfuse to handle extra apks
+r_dir_file(zipfuse, extra_apk_file)
+allow zipfuse extra_apk_file:dir mounton;
+
 # zipfuse is forked from microdroid_manager
 # TODO(inseob): remove this
 allow zipfuse microdroid_manager:fd use;
 
 # Only microdroid_manager can run zipfuse
 neverallow { domain -microdroid_manager } zipfuse:process { transition dyntransition };
+
+# only zipfuse can mount on extra_apk_file
+neverallow { domain -zipfuse } extra_apk_file:dir mounton;
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index c750ccc..5b678ba 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -10,6 +10,7 @@
 type cgroup_desc_api_file, file_type, system_file_type;
 type cgroup_desc_file, file_type, system_file_type;
 type cgroup_rc_file, file_type;
+type extra_apk_file, file_type;
 type file_contexts_file, file_type, system_file_type;
 type hwservice_contexts_file, file_type, system_file_type;
 type keystore2_key_contexts_file, file_type, system_file_type;
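Review bot: `extra_apk_file` is declared in public/file.te, which in this layout appears to be the part of the policy visible to vendor policy, although the commit describes the label as something only microdroid_manager, zipfuse and the payload touch. If no vendor domain needs to name the type, declaring it in private policy would keep it out of that surface; if public is deliberate, the neverallows in microdroid_manager.te and zipfuse.te already bound what other domains may do with it. The type also carries only file_type, unlike its system_file_type neighbours, which looks intended since /mnt/extra-apk is not a system image path, but a comment stating that would save a future reader the same question.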