microdroid: introduce logcat domain
In Microdroid, logcat is started as a daemon process (whose service name
is seriallogging) whose job is to read logs from logd and sends them to
the host side via a virtual console.
The daemon process is controlled by microdroid_manager, so the process
is given write access to ctl.start$seriallogging and also to some
sysprops originated from bootconfig so that it can know if the VM is
configured as debuggable or not.
Bug: 200914564
Test: start microdroid using the vm tool. logcat logs are shown in
stdout.
Change-Id: I79bc6486ae1f84515ad31a09e24d8368fb54bc6d
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 89fa02f..1066367 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -51,6 +51,8 @@
/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
/dev/cgroup_info(/.*)? u:object_r:cgroup_rc_file:s0
/dev/fuse u:object_r:fuse_device:s0
+/dev/hvc0 u:object_r:serial_device:s0
+/dev/hvc1 u:object_r:serial_device:s0
/dev/hw_random u:object_r:hw_random_device:s0
/dev/hwbinder u:object_r:hwbinder_device:s0
/dev/loop-control u:object_r:loop_control_device:s0
diff --git a/microdroid/system/private/logcat.te b/microdroid/system/private/logcat.te
new file mode 100644
index 0000000..be6e42a
--- /dev/null
+++ b/microdroid/system/private/logcat.te
@@ -0,0 +1,15 @@
+# logcat in Microdroid runs as a daemon process. It reads logs from logd and
+# emits the logs to the virtual serial console.
+typeattribute logcat coredomain;
+
+# logcat can be executed from init
+init_daemon_domain(logcat)
+
+# logcat can append to the virtual console devices
+allow logcat device:dir r_dir_perms;
+allow logcat serial_device:chr_file ra_file_perms;
+
+# logcat can get logs from logd
+read_logd(logcat)
+
+allow logcat self:global_capability_class_set { sys_nice };
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index caee216..0865727 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -52,6 +52,7 @@
# Allow microdroid_manager to start the services apexd-vm, apkdmverity and zipfuse
set_prop(microdroid_manager, ctl_apexd_vm_prop)
set_prop(microdroid_manager, ctl_apkdmverity_prop)
+set_prop(microdroid_manager, ctl_seriallogging_prop)
set_prop(microdroid_manager, ctl_zipfuse_prop)
# Allow microdroid_manager to wait for linkerconfig to be ready
@@ -60,4 +61,9 @@
# Allow microdroid_manager to pass the roothash to apkdmverity
set_prop(microdroid_manager, microdroid_manager_roothash_prop)
+# Allow microdroid_manager to read sysprops from bootconfigs. It will use the
+# sysprops to decide whether services required for debugging (adbd, logd, etc.)
+# need to be started or not.
+get_prop(microdroid_manager, bootloader_prop)
+
neverallow microdroid_manager { file_type fs_type }:file execute_no_trans;
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 93ba1b5..c92a595 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -23,9 +23,10 @@
ctl.stop$apexd u:object_r:ctl_apexd_prop:s0
-ctl.start$apexd-vm u:object_r:ctl_apexd_vm_prop:s0
-ctl.start$apkdmverity u:object_r:ctl_apkdmverity_prop:s0
-ctl.start$zipfuse u:object_r:ctl_zipfuse_prop:s0
+ctl.start$apexd-vm u:object_r:ctl_apexd_vm_prop:s0
+ctl.start$apkdmverity u:object_r:ctl_apkdmverity_prop:s0
+ctl.start$seriallogging u:object_r:ctl_seriallogging_prop:s0
+ctl.start$zipfuse u:object_r:ctl_zipfuse_prop:s0
ctl.console u:object_r:ctl_console_prop:s0
ctl.fuse_ u:object_r:ctl_fuse_prop:s0
@@ -90,11 +91,13 @@
init.svc.vendor.keymint-microdroid u:object_r:vendor_default_prop:s0 exact string
-ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
+ro.boot.adb.enabled u:object_r:bootloader_prop:s0 exact bool
ro.boot.avb_version u:object_r:bootloader_prop:s0 exact string
ro.boot.boot_devices u:object_r:bootloader_prop:s0 exact string
ro.boot.first_stage_console u:object_r:bootloader_prop:s0 exact string
ro.boot.force_normal_boot u:object_r:bootloader_prop:s0 exact string
+ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
+ro.boot.logd.enabled u:object_r:bootloader_prop:s0 exact bool
ro.boot.slot_suffix u:object_r:bootloader_prop:s0 exact string
ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
ro.boot.vbmeta.device_state u:object_r:bootloader_prop:s0 exact string
diff --git a/microdroid/system/public/logcat.te b/microdroid/system/public/logcat.te
index 902fd8a..cf2bb7e 100644
--- a/microdroid/system/public/logcat.te
+++ b/microdroid/system/public/logcat.te
@@ -1,2 +1,2 @@
-type logcat;
+type logcat, domain;
type logcat_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index 45b4151..f98d87f 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -17,6 +17,7 @@
type ctl_interface_start_prop, property_type;
type ctl_interface_stop_prop, property_type;
type ctl_restart_prop, property_type;
+type ctl_seriallogging_prop, property_type;
type ctl_sigstop_prop, property_type;
type ctl_start_prop, property_type;
type ctl_stop_prop, property_type;