Merge "Enable ART properties modularization"
diff --git a/OWNERS b/OWNERS
index 866b7b6..c5b61ae 100644
--- a/OWNERS
+++ b/OWNERS
@@ -9,3 +9,4 @@
 jiyong@google.com
 smoreland@google.com
 trong@google.com
+tweek@google.com
diff --git a/private/adbd.te b/private/adbd.te
index 3fc77a2..52070cb 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -84,6 +84,10 @@
 allow adbd anr_data_file:dir r_dir_perms;
 allow adbd anr_data_file:file r_file_perms;
 
+# adb pull /vendor/framework/*
+allow adbd vendor_framework_file:dir r_dir_perms;
+allow adbd vendor_framework_file:file r_file_perms;
+
 # Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
 set_prop(adbd, shell_prop)
 set_prop(adbd, powerctl_prop)
diff --git a/private/domain.te b/private/domain.te
index c1dea0a..13cf988 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -216,7 +216,7 @@
     -appdomain # for oemfs
     -bootanim # for oemfs
     -recovery # for /tmp/update_binary in tmpfs
-    userdebug_or_eng(`-microdroid_launcher') # for executing shared libs on /mnt/apk in Microdroid
+    userdebug_or_eng(`-microdroid_launcher -microdroid_manager') # for executing shared libs on /mnt/apk in Microdroid
 } { fs_type -rootfs }:file execute;
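Review bot: The trailing comment on the rewritten line still only explains the microdroid_launcher case (`# for executing shared libs on /mnt/apk in Microdroid`), while the line now also exempts microdroid_manager from this neverallow, so the reason the VM manager itself must execute files from a non-rootfs fs_type is left undocumented. Because this is a neverallow exemption rather than an allow, widening it drops a policy-wide assertion for the new domain, and the companion `rx_file_perms` on `fuse:file` in microdroid_manager.te in this same change is what it appears to be unlocking. I would spell both out: `userdebug_or_eng(`-microdroid_launcher -microdroid_manager') # debug only: microdroid_launcher executes shared libs and microdroid_manager executes payload/config files from /mnt/apk (fusefs) in Microdroid`. The neverallow statement this line belongs to begins before this hunk.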
 
 #
diff --git a/private/fsck.te b/private/fsck.te
index f8e09b6..c2eb25b 100644
--- a/private/fsck.te
+++ b/private/fsck.te
@@ -3,3 +3,8 @@
 init_daemon_domain(fsck)
 
 allow fsck metadata_block_device:blk_file rw_file_perms;
+
+# TODO(b/189165759): move this to microdroid specific sepolicy
+userdebug_or_eng(`
+    allow fsck vd_device:blk_file rw_file_perms;
+')
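Review bot: `allow fsck vd_device:blk_file rw_file_perms;` grants read and write on every block device labelled vd_device, not just the filesystem fsck is meant to check; microdroid_manager.te in this same change shows the signature partition (`/dev/block/by-name/signature` -> `/dev/vd*`) is also a vd_device and is only ever read there, so fsck gains write access to it. The rule is userdebug_or_eng-gated and carries a TODO, but the comment does not say which disk fsck is expected to run on or acknowledge the over-grant. I would add `# debug only: fsck checks a virtio disk in Microdroid; all virtio disks share vd_device, so this also reaches the signature partition` and, when the rule moves to Microdroid policy, consider a dedicated type for the disk fsck actually checks.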
diff --git a/private/microdroid_manager.te b/private/microdroid_manager.te
new file mode 100644
index 0000000..b1e4d75
--- /dev/null
+++ b/private/microdroid_manager.te
@@ -0,0 +1,30 @@
+# TODO(b/189165759) for moving this to packages/modules/Virtualization
+# microdroid_manager is a daemon running in the microdroid.
+
+type microdroid_manager, domain, coredomain;
+type microdroid_manager_exec, exec_type, file_type, system_file_type;
+
+# allow domain transition from init
+init_daemon_domain(microdroid_manager)
+
+# microdroid_manager accesses /dev/block/by-name/signature which points to
+# a /dev/vd* block device file.
+allow microdroid_manager block_device:dir r_dir_perms;
+allow microdroid_manager block_device:lnk_file r_file_perms;
+allow microdroid_manager vd_device:blk_file r_file_perms;
+
+# microdroid_manager start payload task via microdroid_launcher
+domain_auto_trans(microdroid_manager, microdroid_launcher_exec, microdroid_launcher);
+
+# Let microdroid_manager exec other files (e.g. payload command) in the same domain.
+# TODO(b/189706019) we need to a domain for the app process.
+allow microdroid_manager system_file:file execute_no_trans;
+# Until then, allow microdroid_manager to execute the shell or other system executables.
+allow microdroid_manager {shell_exec toolbox_exec}:file rx_file_perms;
+
+# Let microdroid_manager read a config file from /mnt/apk (fusefs)
+# TODO(b/188400186) remove the below two rules
+userdebug_or_eng(`
+  allow microdroid_manager fuse:dir r_dir_perms;
+  allow microdroid_manager fuse:file rx_file_perms;
+')
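Review bot: The comment `# Let microdroid_manager read a config file from /mnt/apk (fusefs)` describes a read, but the rule under it grants `rx_file_perms` on `fuse:file`, i.e. execute of content on a FUSE mount as well. If execute is intended (the domain.te carve-out in this same change exempts microdroid_manager from the non-rootfs execute neverallow, which suggests it is), the comment should say so, e.g. `# Let microdroid_manager read its config and execute payload files from /mnt/apk (fusefs); debug builds only`; otherwise narrow the grant to `allow microdroid_manager fuse:file r_file_perms;`. Separately, `allow microdroid_manager system_file:file execute_no_trans;` lets any system binary run with this domain's vd_device/block_device access, so the b/189706019 TODO above it is load-bearing for the security of the payload path and is worth stating as such in that comment.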
diff --git a/private/shell.te b/private/shell.te
index 231a63f..7c786c9 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -194,6 +194,7 @@
 # Allow shell to launch microdroid_launcher in its own domain
 # TODO(b/186396070) remove this when microdroid_manager can do this
 domain_auto_trans(shell, microdroid_launcher_exec, microdroid_launcher)
+domain_auto_trans(shell, microdroid_manager_exec, microdroid_manager)
 
 # Never allow others to set or get the perf.drop_caches property.
 neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
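Review bot: The new `domain_auto_trans(shell, microdroid_manager_exec, microdroid_manager)` sits under a comment and TODO that only describe the microdroid_launcher transition and its removal "when microdroid_manager can do this", so the two lines now read as if the second were covered by the same TODO, which it cannot be. The shell-to-microdroid_manager transition also has no bug reference and is not userdebug_or_eng-gated, unlike the fuse rules added for this domain in microdroid_manager.te, even though microdroid_manager is otherwise started by init via init_daemon_domain. I would give it its own rationale, e.g. `# Allow shell to start microdroid_manager in its own domain for testing; init is the production launcher. TODO: gate with userdebug_or_eng or remove`.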
diff --git a/public/uncrypt.te b/public/uncrypt.te
index 0f549c9..3b04671 100644
--- a/public/uncrypt.te
+++ b/public/uncrypt.te
@@ -32,8 +32,12 @@
 
 r_dir_file(uncrypt, rootfs)
 
-# uncrypt reads /proc/cmdline
-allow uncrypt proc_cmdline:file r_file_perms;
+# Access to bootconfig is needed when calling ReadDefaultFstab.
+allow uncrypt {
+  proc_bootconfig
+  proc_cmdline
+
+}:file r_file_perms;
 
 # Read files in /sys
 r_dir_file(uncrypt, sysfs_dt_firmware_android)
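Review bot: The blank line inside the `allow uncrypt { … }:file r_file_perms;` set is a stray formatting slip, and dropping the old `# uncrypt reads /proc/cmdline` comment leaves the block explaining only proc_bootconfig. I would collapse it to `# uncrypt reads /proc/cmdline and /proc/bootconfig (needed by ReadDefaultFstab).` followed by `allow uncrypt { proc_bootconfig proc_cmdline }:file r_file_perms;`.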