Merge "microdroid_manager: allow to read dm_device"
diff --git a/microdroid/system/private/authfs.te b/microdroid/system/private/authfs.te
new file mode 100644
index 0000000..e8c340b
--- /dev/null
+++ b/microdroid/system/private/authfs.te
@@ -0,0 +1,20 @@
+# authfs is a FUSE-based filesystem to support "remote" file access normally
+# over vsock, backed by a file server backend on Android.
+
+type authfs, domain, coredomain;
+type authfs_exec, exec_type, file_type, system_file_type;
+
+allow authfs self:vsock_socket create_socket_perms_no_ioctl;
+
+# Allow basic rules to implement FUSE.
+# TODO(195554831): Move the privilege to authfs_service
+allow authfs fuse_device:chr_file rw_file_perms;
+
+# Allow mounting authfs.
+# TODO(195554831): Move the privilege to authfs_service.
+allow authfs fuse:filesystem relabelfrom;
+allow authfs authfs_fuse:filesystem { mount relabelfrom relabelto };
+allow authfs authfs_data_file:dir { mounton search };
+
+# TODO(195568812): Don't pass FD 0,1,2 unnecessarily.
+allow authfs authfs_service:fd use;
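Review bot: The `fd use` rule on the last line is broader than its TODO suggests: it lets authfs use any descriptor authfs_service holds at the transition, not only stdio 0-2, and the header comment gives no hint that authfs is entered from authfs_service or that authfs itself currently performs the mount. Suggest extending the header comment: `# authfs is spawned by authfs_service; until the TODOs below are resolved it mounts its own FUSE instance and inherits the service's file descriptors.` When the stdio TODO is closed, check whether the `fd use` rule can be removed entirely rather than left as a standing allowance. SELinux still checks the opened object's own label on every access, so this is a hygiene point rather than a new capability, but a dangling allow tends to outlive its reason.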
diff --git a/microdroid/system/private/authfs_service.te b/microdroid/system/private/authfs_service.te
new file mode 100644
index 0000000..8461f3c
--- /dev/null
+++ b/microdroid/system/private/authfs_service.te
@@ -0,0 +1,31 @@
+# authfs_service is a binder service running on microdroid. It serves the
+# client's request and manages the mount/unmount of individual authfs instances
+# (a FUSE based filesystem). The service then can pass file descriptor on authfs
+# to the client for remote file access.
+
+type authfs_service, domain, coredomain;
+type authfs_service_exec, exec_type, file_type, system_file_type;
+
+# Allow domain transition from init.
+init_daemon_domain(authfs_service)
+
+# Allow running as a binder service.
+binder_call(authfs_service, servicemanager)
+
+# Allow domain transition into authfs.
+domain_auto_trans(authfs_service, authfs_exec, authfs)
+
+# Allow creating/deleting mount directories.
+allow authfs_service authfs_data_file:dir create_dir_perms;
+
+# Allow opening a file from the FUSE mount.
+# Note: authfs_service doesn't really need to read and write the file, but the
+# check seems to happen on open anyway. It also doesn't need getattr, but it is
+# currently called internally by binder to estimate ashmem size.
+allow authfs_service authfs_fuse:dir search;
+# TODO(195752513): Remove getattr once the binder bug is fixed.
+allow authfs_service authfs_fuse:file { getattr open read write };
+
+# Allow killing the authfs process and unmount.
+allow authfs_service authfs:process sigkill;
+allow authfs_service authfs_fuse:filesystem unmount;
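Review bot: The comment above `binder_call(authfs_service, servicemanager)` says "Allow running as a binder service", but that is the only binder rule here: there is no `add_service` with a service type, no `binder_use`/`binder_service` macro, and no rule letting a client domain call authfs_service or `use` the fds the header says it hands out. If those rules live elsewhere, or microdroid's servicemanager policy differs from the platform's, a comment naming where would spare the next reader; if not, the service as declared here appears unable to register or be called. Separately, the note says authfs_service does not need to write the file yet `write` is granted on `authfs_fuse:file`; if this is because the open is O_RDWR, say so in the comment (`# write is only needed because the fd is opened O_RDWR for the client`) so the permission is not widened further later.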
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index 1989d7e..cbbd379 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -10,3 +10,5 @@
allow proc_net proc:filesystem associate;
allow sysfs_type sysfs:filesystem associate;
allow system_data_file tmpfs:filesystem associate;
+
+type authfs_fuse, fs_type, contextmount_type;
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 97e756d..ffd75a1 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -117,6 +117,8 @@
/system/bin/microdroid_launcher u:object_r:microdroid_app_exec:s0
/system/bin/microdroid_manager u:object_r:microdroid_manager_exec:s0
/system/bin/apkdmverity u:object_r:apkdmverity_exec:s0
+/system/bin/authfs u:object_r:authfs_exec:s0
+/system/bin/authfs_service u:object_r:authfs_service_exec:s0
/system/etc/cgroups\.json u:object_r:cgroup_desc_file:s0
/system/etc/task_profiles/cgroups_[0-9]+\.json u:object_r:cgroup_desc_api_file:s0
/system/etc/event-log-tags u:object_r:system_event_log_tags_file:s0
@@ -158,6 +160,7 @@
/data/local/tmp/ltp(/.*)? u:object_r:nativetest_data_file:s0
/data/local/traces(/.*)? u:object_r:trace_data_file:s0
/data/misc/keystore(/.*)? u:object_r:keystore_data_file:s0
+/data/misc/authfs(/.*)? u:object_r:authfs_data_file:s0
/data/tombstones(/.*)? u:object_r:tombstone_data_file:s0
/data/vendor(/.*)? u:object_r:vendor_data_file:s0
diff --git a/microdroid/system/private/microdroid_app.te b/microdroid/system/private/microdroid_app.te
index d3ec74b..004aa3d 100644
--- a/microdroid/system/private/microdroid_app.te
+++ b/microdroid/system/private/microdroid_app.te
@@ -24,3 +24,6 @@
use
};
+# Microdroid manager connects vsock_socket to the host and app's output is redirected to it.
+# TODO(b/195751698) This is flaky; it seems this is not always necessary.
+dontaudit microdroid_app microdroid_manager:vsock_socket getattr;
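Review bot: `dontaudit` hides the denial but does not change the outcome: microdroid_app still fails `getattr` (likely an fstat) on the inherited vsock socket, and since the comment says the app's output is redirected to that socket, libc's stdio buffering setup or any `isatty`/`fstat` in the app will silently take the error path, which may be exactly why the behaviour looks "flaky". The app already holds `use` on the fd and the socket belongs to the manager, so granting `getattr` is low-risk; consider `allow microdroid_app microdroid_manager:vsock_socket getattr;` instead, or record in the comment why the denial is known to be harmless so the suppression is not mistaken for a fix. The statement closed by `};` just above the addition starts outside this hunk.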
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index c8be9d9..61cd68d 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -32,6 +32,7 @@
ro.logd.kernel u:object_r:logd_prop:s0 exact bool
ro.boottime.adbd u:object_r:boottime_prop:s0 exact int
+ro.boottime.authfs_service u:object_r:boottime_prop:s0 exact int
ro.boottime.hwservicemanager u:object_r:boottime_prop:s0 exact int
ro.boottime.init u:object_r:boottime_prop:s0 exact int
ro.boottime.init.cold_boot_wait u:object_r:boottime_prop:s0 exact int
@@ -60,6 +61,7 @@
sys.usb.controller u:object_r:usb_control_prop:s0 exact string
+init.svc.authfs_service u:object_r:init_service_status_private_prop:s0 exact string
init.svc.hwservicemanager u:object_r:init_service_status_private_prop:s0 exact string
init.svc.keystore2 u:object_r:init_service_status_private_prop:s0 exact string
init.svc.logd u:object_r:init_service_status_private_prop:s0 exact string
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index 67d5068..c750ccc 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -6,6 +6,7 @@
type anr_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
type apex_info_file, file_type;
type apex_mnt_dir, file_type;
+type authfs_data_file, file_type, data_file_type, core_data_file_type;
type cgroup_desc_api_file, file_type, system_file_type;
type cgroup_desc_file, file_type, system_file_type;
type cgroup_rc_file, file_type;
diff --git a/prebuilts/api/31.0/private/shell.te b/prebuilts/api/31.0/private/shell.te
index 40b19fd..f5b786d 100644
--- a/prebuilts/api/31.0/private/shell.te
+++ b/prebuilts/api/31.0/private/shell.te
@@ -171,6 +171,9 @@
# Allow shell to read boot image timestamps and fingerprints.
get_prop(shell, build_bootimage_prop)
+# Allow shell to read odsign verification properties
+get_prop(shell, odsign_prop)
+
userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
# Allow to issue control commands to profcollectd binder service.
diff --git a/private/property_contexts b/private/property_contexts
index 7f97281..0761ede 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -285,6 +285,7 @@
ro.virtual_ab.enabled u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.retrofit u:object_r:virtual_ab_prop:s0 exact bool
ro.virtual_ab.compression.enabled u:object_r:virtual_ab_prop:s0 exact bool
+ro.virtual_ab.compression.xor.enabled u:object_r:virtual_ab_prop:s0 exact bool
snapuserd.ready u:object_r:snapuserd_prop:s0 exact bool
snapuserd.proxy_ready u:object_r:snapuserd_prop:s0 exact bool
diff --git a/private/shell.te b/private/shell.te
index bd4e5c0..08cf8ff 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -179,6 +179,9 @@
# Allow shell to read boot image timestamps and fingerprints.
get_prop(shell, build_bootimage_prop)
+# Allow shell to read odsign verification properties
+get_prop(shell, odsign_prop)
+
userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
# Allow shell to read the keystore key contexts files. Used by native tests to test label lookup.