Add mmd selinux policies This adds minimum selinux policies to unblock these functions which are already submitted: * The init service launchs mmd as a native daemon by mmd.rc. * mmd exposes binder API. EXCEPTION_NO_FUZZER in build/soong/service_fuzzer_bindings.go is allowed for Rust products. Bug: 375432644 Bug: 370509309 Test: confirmed mmd is launched after: adb shell aflags enable \ android.mmd.flags.mmd_enabled; adb reboot Change-Id: Ibd3e68e5aea83b3bc4a01e9dcf00be2daf2466c1

commit: 9c7d306429f3ef12ce53fdf5ee868cf75c91d8e2 [log] [tgz]
author: Hung Nguyen <hungmn@google.com> Tue Nov 05 15:50:00 2024 -0800
committer: Shintaro Kawamura <kawasin@google.com> Thu Nov 21 11:42:40 2024 +0900
tree: c06cc17f5bbf911c42a0a4d773a9bc213a44b736
parent: f75e3f6cfa2fb9a297ffdc54f7ffd0e269685c0f [diff]
diff --git a/private/file_contexts b/private/file_contexts
index 59ef299..bb8a35a 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -329,6 +329,7 @@
 /system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
 /system/bin/llkd        u:object_r:llkd_exec:s0
 /system/bin/lmkd        u:object_r:lmkd_exec:s0
+/system/bin/mmd         u:object_r:mmd_exec:s0
 /system/bin/usbd   u:object_r:usbd_exec:s0
 /system/bin/inputflinger u:object_r:inputflinger_exec:s0
 /system/bin/logd        u:object_r:logd_exec:s0

diff --git a/private/mmd.te b/private/mmd.te
new file mode 100644
index 0000000..4955d13
--- /dev/null
+++ b/private/mmd.te

@@ -0,0 +1,10 @@
+# mmd memory management daemon
+type mmd, domain;
+typeattribute mmd coredomain;
+type mmd_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(mmd)
+
+# mmd binder setup
+add_service(mmd, mmd_service)
+binder_use(mmd)

diff --git a/private/service.te b/private/service.te
index bb24fd4..c12c1a0 100644
--- a/private/service.te
+++ b/private/service.te

@@ -16,6 +16,7 @@
 type logcat_service,                 system_server_service, service_manager_type;
 type logd_service,                   service_manager_type;
 type mediatuner_service,             app_api_service, service_manager_type;
+type mmd_service,                    service_manager_type;
 type on_device_intelligence_service, app_api_service, system_server_service, service_manager_type, isolated_compute_allowed_service;
 type profcollectd_service,           service_manager_type;
 type protolog_configuration_service, app_api_service, system_api_service, system_server_service, service_manager_type;

diff --git a/private/service_contexts b/private/service_contexts
index 4fc9435..fbdc081 100644
--- a/private/service_contexts
+++ b/private/service_contexts

@@ -354,6 +354,7 @@
 meminfo                                   u:object_r:meminfo_service:s0
 memtrack.proxy                            u:object_r:memtrackproxy_service:s0
 midi                                      u:object_r:midi_service:s0
+mmd                                       u:object_r:mmd_service:s0
 mount                                     u:object_r:mount_service:s0
 music_recognition                         u:object_r:music_recognition_service:s0
 nearby                                    u:object_r:nearby_service:s0
commit	9c7d306429f3ef12ce53fdf5ee868cf75c91d8e2	[log] [tgz]
author	Hung Nguyen <hungmn@google.com>	Tue Nov 05 15:50:00 2024 -0800
committer	Shintaro Kawamura <kawasin@google.com>	Thu Nov 21 11:42:40 2024 +0900
tree	c06cc17f5bbf911c42a0a4d773a9bc213a44b736
parent	f75e3f6cfa2fb9a297ffdc54f7ffd0e269685c0f [diff]