Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / d376e2041f3f1da174d4b710c59935d3a1f41e0a^! / . / private
commitd376e2041f3f1da174d4b710c59935d3a1f41e0a[log] [tgz]
authorAlan Stokes <alanstokes@google.com>Thu Sep 09 17:08:15 2021 +0100
committerAlan Stokes <alanstokes@google.com>Mon Sep 13 10:33:53 2021 +0100
tree498248591850c4cd6b63fee0243a7ad25b05e306
parent2f7600920d42a6cc5cb88fbe1b5c457a970587c6 [diff]
Initial sepolicy for composd

Add what we need to allow composd to run and expose an AIDL service.

Also delete the policy for compsvc; we never access it in the host
now, and the real policy is in microdroid. Retain the compos_exec
type, since it is referenced in the APEX sepolicy.

Bug: 186126194
Test: adb shell cmd -w android.system.composd; no denials.
Change-Id: I5f06b2b01852cdebd2d67009b363ec08b17ce33a

diff --git a/private/compos.te b/private/compos.te
index f4cdc17..ffbb33e 100644
--- a/private/compos.te
+++ b/private/compos.te

@@ -1,3 +1 @@
-# TODO(b/193504816): move this to compos APEX
-type compos, domain, coredomain;
 type compos_exec, exec_type, file_type, system_file_type;

diff --git a/private/composd.te b/private/composd.te
new file mode 100644
index 0000000..725e79e
--- /dev/null
+++ b/private/composd.te

@@ -0,0 +1,15 @@
+type composd, domain, coredomain;
+type composd_exec, system_file_type, exec_type, file_type;
+
+# Host a dynamic AIDL service
+init_daemon_domain(composd)
+binder_use(composd)
+add_service(composd, compos_service)
+
+# Start a VM
+virtualizationservice_use(composd)
+
+# Access our APEX data files
+allow composd apex_module_data_file:dir search;
+allow composd apex_compos_data_file:dir create_dir_perms;
+allow composd apex_compos_data_file:file create_file_perms;

diff --git a/private/service.te b/private/service.te
index 7f692f3..2ab6335 100644
--- a/private/service.te
+++ b/private/service.te

@@ -1,4 +1,5 @@
 type attention_service,             system_server_service, service_manager_type;
+type compos_service,                service_manager_type;
 type dynamic_system_service,        system_api_service, system_server_service, service_manager_type;
 type gsi_service,                   service_manager_type;
 type incidentcompanion_service,     system_api_service, system_server_service, service_manager_type;

diff --git a/private/service_contexts b/private/service_contexts
index df03915..7901db9 100644
--- a/private/service_contexts
+++ b/private/service_contexts

@@ -48,6 +48,8 @@
 android.security.metrics                  u:object_r:keystore_metrics_service:s0
 android.security.remoteprovisioning       u:object_r:remoteprovisioning_service:s0
 android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0
+android.system.composd                    u:object_r:compos_service:s0
+android.system.virtualizationservice      u:object_r:virtualization_service:s0
 app_binding                               u:object_r:app_binding_service:s0
 app_hibernation                           u:object_r:app_hibernation_service:s0
 app_integrity                             u:object_r:app_integrity_service:s0
@@ -78,7 +80,6 @@
 carrier_config                            u:object_r:radio_service:s0
 clipboard                                 u:object_r:clipboard_service:s0
 com.android.net.IProxyService             u:object_r:IProxyService_service:s0
-android.system.virtualizationservice      u:object_r:virtualization_service:s0
 companiondevice                           u:object_r:companion_device_service:s0
 platform_compat                           u:object_r:platform_compat_service:s0
 platform_compat_native                    u:object_r:platform_compat_service:s0