commit cf5d5051ff1a5320603d3ed782d678353b340be5
author Shikha Panwar <shikhapanwar@google.com> Fri Feb 03 18:43:02 2023 +0000
committer Shikha Panwar <shikhapanwar@google.com> Thu Mar 09 16:01:35 2023 +0000
tree 71fd6964dbd9cc77eaee09b3325ad9be5028ecad
parent 11feefd839eb4a10743d97511b8d357a561b1c27

Microdroid sepolicy changes to handle crash export

Change1# Add property export_tombstones.enabled - This is set by
microdroid_manager to indicate that tombstones in Microdroid be exported
out to host. This read by crash_dump (specifically tombstone_handler).

Change2# allow crash_dump to create/connect/write on vsock.

Change3# Deleting rules/domain related to tombstoned &
tombstone_transmit in Microdroid.

Test: atest MicrodroidHostTests#testTombstonesAreGeneratedUponUserspaceCrash
Test: Look for selinux denials in log
Bug: 243494912
Change-Id: Ibd607eb11202d492bcb0c4ba40a6888683420fb9

microdroid/system/private/property.te

diff --git a/microdroid/system/private/property.te b/microdroid/system/private/property.te
index 1bbe2a9..638b246 100644
--- a/microdroid/system/private/property.te
+++ b/microdroid/system/private/property.te
@@ -1,6 +1,3 @@
-system_internal_prop(ctl_tombstoned_prop)
-system_restricted_prop(tombstone_transmit_status_prop)
-
 system_restricted_prop(boot_status_prop)
 
 # Declare ART properties for CompOS
@@ -52,4 +49,11 @@
     domain
     -init
     -microdroid_manager
-} {microdroid_config_prop microdroid_lifecycle_prop}:file no_rw_file_perms;
+} {microdroid_lifecycle_prop}:file no_rw_file_perms;
+
+neverallow {
+    domain
+    -init
+    -microdroid_manager
+    -crash_dump
+} {microdroid_config_prop}:file no_rw_file_perms;