Merge "snapuserd: Add selinux policy"
diff --git a/microdroid/system/private/keystore.te b/microdroid/system/private/keystore.te
index ac3ada1..be211a3 100644
--- a/microdroid/system/private/keystore.te
+++ b/microdroid/system/private/keystore.te
@@ -13,3 +13,6 @@
# microdroid doesn't use keymaster HAL
dontaudit keystore hal_keymaster_hwservice:hwservice_manager find;
+
+# microdroid isn't related to F2FS, but sqlite3 tries to query F2FS features.
+dontauditxperm keystore keystore_data_file:file ioctl F2FS_IOC_GET_FEATURES;
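Review bot: The comment above the new `dontauditxperm` rule in keystore.te does not say that the ioctl stays denied and only the audit record is suppressed, nor why hiding that denial is safe. Dontaudit rules remove entries from the log that policy debugging and detection rely on, so the reasoning belongs next to the rule. Something like `# The ioctl stays denied; sqlite3 only probes for F2FS features here, so the denial is expected noise.` would do, provided the probe really is harmless when it fails. The rule itself is scoped to a single ioctl on `keystore_data_file`, which is the right granularity.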
diff --git a/private/shell.te b/private/shell.te
index dc820bd..bd4e5c0 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -187,6 +187,11 @@
# Allow shell to access the keystore2_key namespace shell_key. Mainly used for native tests.
allow shell shell_key:keystore2_key { delete rebind use get_info update };
+# Allow shell to open and execute memfd files for minijail unit tests.
+userdebug_or_eng(`
+ allow shell appdomain_tmpfs:file { open execute_no_trans };
+')
+
# Allow shell to write db.log.detailed, db.log.slow_query_threshold*
set_prop(shell, sqlite_log_prop)
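Review bot: The new `allow shell appdomain_tmpfs:file { open execute_no_trans };` rule in private/shell.te grants execute on a label that appears to be shared by tmpfs/memfd files of every app domain, not only the files shell creates for the minijail tests. The `userdebug_or_eng` guard keeps it off user builds, but the comment mentions neither that nor the scope of the type. I would expand it to something like `# userdebug/eng only: lets shell exec memfd files labeled appdomain_tmpfs (label shared with app domains); needed by minijail unit tests.` If the tests can run with a narrower label, that would avoid widening what shell can execute in its own domain.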