commit ac5044870b6a0c0597f26cfec6a6140f7b692a41
author Alan Stokes <alanstokes@google.com> Tue Dec 19 17:42:05 2023 +0000
committer Alan Stokes <alanstokes@google.com> Tue Dec 19 17:42:05 2023 +0000
tree d31bca30cbb2f4f0070c5f5043e6568b66a40aac
parent cb24b4facfaca04ffeea90673854dd07eb6add18

Tweak sysfs_dt_avf permissions

Allow r_file_perms rather than just open+read, mainly because I saw
this denial:

avc:  denied  { getattr } for  comm="binder:11247_2"
path="/sys/firmware/devicetree/base/avf/guest/common/log"
dev="sysfs" ino=16469 scontext=u:r:virtualizationmanager:s0
tcontext=u:object_r:sysfs_dt_avf:s0 tclass=file permissive=0

Also refactor slightly in microdroid_manager.te.

Test: TH
Change-Id: If2963441b3490a502c293c7a7cdd204d9db7d48a

microdroid/system/private/init_debug_policy.te

diff --git a/microdroid/system/private/init_debug_policy.te b/microdroid/system/private/init_debug_policy.te
index 33b8917..a9c5f4a 100644
--- a/microdroid/system/private/init_debug_policy.te
+++ b/microdroid/system/private/init_debug_policy.te
@@ -28,5 +28,5 @@
 
 # Allow init_debug_policy to read AVF debug policy
 allow init_debug_policy sysfs_dt_avf:dir search;
-allow init_debug_policy sysfs_dt_avf:file { open read };
+allow init_debug_policy sysfs_dt_avf:file r_file_perms;
 

microdroid/system/private/microdroid_manager.te

diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 2aed367..b84474a 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -20,6 +20,9 @@
 # microdroid_manager can query AVF flags in the device tree
 allow microdroid_manager sysfs_dt_avf:file r_file_perms;
 
+# Allow microdroid_manager to read AVF debug policy
+allow microdroid_manager sysfs_dt_avf:dir search;
+
 # Read config from the open-dice driver.
 allow microdroid_manager open_dice_device:chr_file rw_file_perms;
 
@@ -123,10 +126,6 @@
 # Allow microdroid_manager to write kmsg_debug (stdio_to_kmsg).
 allow microdroid_manager kmsg_debug_device:chr_file w_file_perms;
 
-# Allow microdroid_manager to read AVF debug policy
-allow microdroid_manager sysfs_dt_avf:dir search;
-allow microdroid_manager sysfs_dt_avf:file { open read };
-
 # Domains other than microdroid can't write extra_apks
 neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:file no_w_file_perms;
 neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:dir no_w_dir_perms;

private/virtualizationmanager.te

diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index 725ca72..bbae070 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -85,7 +85,7 @@
 
 # Allow virtualizationmanager to read AVF debug policy
 allow virtualizationmanager sysfs_dt_avf:dir search;
-allow virtualizationmanager sysfs_dt_avf:file { open read };
+allow virtualizationmanager sysfs_dt_avf:file r_file_perms;
 
 # virtualizationmanager to be client of secretkeeper HAL. It ferries SecretManagement messages
 # from pVM to HAL.