Allow microdroid_manager to run kexec /system/bin/kexec in Microdroid is now properly labeled as kexec_exec. The binary is responsible for loading the crashkernel into memory so that when a kernel panic occurs the crashkernel is executed to dump the RAM. Microdroid_manager executes the kexec binary as part of the boot process. It does this only when the kernel is booted with a memory reserved for the crashkernel, which is determined by checking if `crashkernel=` is included in the cmdline. For this, it is allowed to read /proc/cmdline. Bug: 238404545 Test: boot microdroid Change-Id: Id08ba9610e3849ba811367917df8dfcc1774b561

commit: bc0e0dce049b6f882af65f7bfdf872bea46836d6 [log] [tgz]
author: Jiyong Park <jiyong@google.com> Mon Aug 22 16:01:14 2022 +0900
committer: Jiyong Park <jiyong@google.com> Tue Aug 23 00:02:36 2022 +0900
tree: 60ba70da2c30e38add661c5e6934219fdcef75c9
parent: 3da60892419c01b6e1788bd79a008dbdd5a6b9ae [diff] [blame]
diff --git a/microdroid/system/private/kexec.te b/microdroid/system/private/kexec.te
new file mode 100644
index 0000000..c0ab735
--- /dev/null
+++ b/microdroid/system/private/kexec.te

@@ -0,0 +1,12 @@
+# kexec loads a crashdump kernel into memory using the kexec_file_load syscall.
+type kexec, domain, coredomain;
+type kexec_exec, exec_type, file_type, system_file_type;
+
+# allow kexec to write into /dev/kmsg for logging
+allow kexec kmsg_device:chr_file w_file_perms;
+
+# kexec is launched by microdroid_manager with fork/execvp.
+allow kexec microdroid_manager:fd use;
+
+# allow kexec to have SYS_BOOT
+allow kexec self:capability sys_boot;
commit	bc0e0dce049b6f882af65f7bfdf872bea46836d6	[log] [tgz]
author	Jiyong Park <jiyong@google.com>	Mon Aug 22 16:01:14 2022 +0900
committer	Jiyong Park <jiyong@google.com>	Tue Aug 23 00:02:36 2022 +0900
tree	60ba70da2c30e38add661c5e6934219fdcef75c9
parent	3da60892419c01b6e1788bd79a008dbdd5a6b9ae [diff] [blame]