Define sepolicy for compos and dex2oat

Bug: 194474784
Test: ComposTestCase # with debug disabled
Change-Id: I2a53df337356fc8e299837358da2a5a88c9c20d3
diff --git a/microdroid/system/private/compos.te b/microdroid/system/private/compos.te
index 9e6b2bb..05936a6 100644
--- a/microdroid/system/private/compos.te
+++ b/microdroid/system/private/compos.te
@@ -4,11 +4,11 @@
 
 allow compos self:vsock_socket { create_socket_perms_no_ioctl listen accept };
 
-# Talk to binder services (for keystore)
+# Allow using keystore and authfs_service binder services
 binder_use(compos);
-
-# Allow payloads to use keystore
 use_keystore(compos);
+allow compos authfs_binder_service:service_manager find;
+binder_call(compos, authfs_service);
 
 # Allow payloads to use and manage their keys
 allow compos vm_payload_key:keystore2_key {
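Review bot: The merged comment above `binder_use(compos);` names authfs_service but no longer gives a reason for the access. `binder_call(compos, authfs_service)` also grants compos `fd use` on that domain, and the authfs_fuse rule added later in this file depends on those passed FDs. I would record the purpose next to the two new lines, e.g. `# authfs_service passes authfs-backed FDs to compos over binder`, so the grants are audited together. The `allow compos vm_payload_key:keystore2_key` block at the end of this hunk continues outside it.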
@@ -18,3 +18,11 @@
     rebind
     use
 };
+
+# Although the compos should not really read/write the FD on authfs_fuse, this
+# is apparently required for the binder driver to pass the FDs to compos from
+# authfs_service.
+allow compos authfs_fuse:file { read write };
+
+# Allow domain transition into dex2oat.
+domain_auto_trans(compos, dex2oat_exec, dex2oat)
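Review bot: The rule `allow compos authfs_fuse:file { read write };` gives compos read and write on every file labelled authfs_fuse, while its own comment says compos should not need that and calls the requirement only "apparently" necessary. The comment should name the cause so the grant can be audited later; as far as I know the SELinux binder file-transfer check tests the receiving domain against the open mode of the passed file. Something like `# The binder FD-transfer check tests the receiver against the FD's open mode, so compos needs these even if it never does I/O on the FDs itself.` would say that. If some FDs from authfs_service are opened read-only, it is worth confirming from the denial logs whether `write` is needed at all. Separately, `domain_auto_trans(compos, dex2oat_exec, dex2oat)` lacks the trailing `;` used on the other macro calls in this file, and the dex2oat domain it transitions into is not visible in this diff.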