microdroid: Add support for extra apk files extra_apk_file is a new label only for APK files passed to microdroid. microdroid_manager will create directories under /mnt/extra-apk/, and zipfuse will mount APK block devices to the directories. Currently only payload can read the files. Bug: 205224817 Test: manually edit vm config and see APK files mounted Change-Id: Ie5afb3156f22bb18979ec70904be675e8ff285a7

commit: 8565b96a3aab656c00ebbffc8451529b7e3c286a [log] [tgz]
author: Inseob Kim <inseob@google.com> Mon Nov 29 14:56:46 2021 +0900
committer: Inseob Kim <inseob@google.com> Wed Dec 08 14:10:28 2021 +0900
tree: 56dc531e2ade9e0e7eed7f95f02755ec6c7bd0f8
parent: 9a93d79a92000ba8b4f27522032f9262a0d15783 [diff] [blame]
diff --git a/microdroid/system/private/zipfuse.te b/microdroid/system/private/zipfuse.te
index 04cdadf..b88c014 100644
--- a/microdroid/system/private/zipfuse.te
+++ b/microdroid/system/private/zipfuse.te

@@ -37,9 +37,16 @@
 # allow zipfuse to log to the kernel
 allow zipfuse kmsg_device:chr_file w_file_perms;
 
+# allow zipfuse to handle extra apks
+r_dir_file(zipfuse, extra_apk_file)
+allow zipfuse extra_apk_file:dir mounton;
+
 # zipfuse is forked from microdroid_manager
 # TODO(inseob): remove this
 allow zipfuse microdroid_manager:fd use;
 
 # Only microdroid_manager can run zipfuse
 neverallow { domain -microdroid_manager } zipfuse:process { transition dyntransition };
+
+# only zipfuse can mount on extra_apk_file
+neverallow { domain -zipfuse } extra_apk_file:dir mounton;
commit	8565b96a3aab656c00ebbffc8451529b7e3c286a	[log] [tgz]
author	Inseob Kim <inseob@google.com>	Mon Nov 29 14:56:46 2021 +0900
committer	Inseob Kim <inseob@google.com>	Wed Dec 08 14:10:28 2021 +0900
tree	56dc531e2ade9e0e7eed7f95f02755ec6c7bd0f8
parent	9a93d79a92000ba8b4f27522032f9262a0d15783 [diff] [blame]