Policy for using Apex sepolicy
Bug: 199914227
Test: aosp/1910032
Change-Id: I0726facbf0c28c486ef6501718a6013a040e4b0e
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index 18fa8bb..d15f9ba 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -13,3 +13,7 @@
allow system_data_file tmpfs:filesystem associate;
type authfs_fuse, fs_type, contextmount_type;
+
+# /dev/selinux/test - used to verify that apex sepolicy is loaded and
+# property labeled.
+type sepolicy_test_file, file_type;
diff --git a/microdroid/system/private/kernel.te b/microdroid/system/private/kernel.te
index 1d03c4a..258c8d7 100644
--- a/microdroid/system/private/kernel.te
+++ b/microdroid/system/private/kernel.te
@@ -81,3 +81,19 @@
#-----------------------------------------
allow kernel apkdmverity:fd use;
+
+# Some contexts are changed before the device is flipped into enforcing mode
+# during the setup of Apex sepolicy. These denials can be suppressed since
+# the permissions should not be allowed after the device is flipped into
+# enforcing mode.
+dontaudit kernel device:dir { open read relabelto };
+dontaudit kernel tmpfs:file { getattr open read relabelfrom };
+dontaudit kernel {
+ file_contexts_file
+ hwservice_contexts_file
+ mac_perms_file
+ property_contexts_file
+ seapp_contexts_file
+ sepolicy_test_file
+ service_contexts_file
+}:file relabelto;
diff --git a/private/file.te b/private/file.te
index f3e1855..0eb2018 100644
--- a/private/file.te
+++ b/private/file.te
@@ -77,3 +77,7 @@
# /metadata/sepolicy
type sepolicy_metadata_file, file_type;
+
+# /dev/selinux/test - used to verify that apex sepolicy is loaded and
+# property labeled.
+type sepolicy_test_file, file_type;
diff --git a/private/file_contexts b/private/file_contexts
index ea5f66f..895b579 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -196,6 +196,15 @@
# Linker configuration
#
/linkerconfig(/.*)? u:object_r:linkerconfig_file:s0
+
+# Apex sepoolicy files.
+/dev/selinux/apex_file_contexts u:object_r:file_contexts_file:s0
+/dev/selinux/apex_seapp_contexts u:object_r:seapp_contexts_file:s0
+/dev/selinux/apex_service_contexts u:object_r:service_contexts_file:s0
+/dev/selinux/apex_property_contexts u:object_r:property_contexts_file:s0
+/dev/selinux/apex_hwservice_contexts u:object_r:hwservice_contexts_file:s0
+/dev/selinux/apex_mac_permissions\.xml u:object_r:mac_perms_file:s0
+
#############################
# System files
#
diff --git a/private/kernel.te b/private/kernel.te
index 5341163..6775b3b 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -31,3 +31,19 @@
allow kernel kmsg_device:chr_file write;
allow kernel gsid:fd use;
+
+# Some contexts are changed before the device is flipped into enforcing mode
+# during the setup of Apex sepolicy. These denials can be suppressed since
+# the permissions should not be allowed after the device is flipped into
+# enforcing mode.
+dontaudit kernel device:dir { open read relabelto };
+dontaudit kernel tmpfs:file { getattr open read relabelfrom };
+dontaudit kernel {
+ file_contexts_file
+ hwservice_contexts_file
+ mac_perms_file
+ property_contexts_file
+ seapp_contexts_file
+ sepolicy_test_file
+ service_contexts_file
+}:file relabelto;