Initial sepolicy for composd

Add what we need to allow composd to run and expose an AIDL service.

Also delete the policy for compsvc; we never access it in the host
now, and the real policy is in microdroid. Retain the compos_exec
type, since it is referenced in the APEX sepolicy.

Bug: 186126194
Test: adb shell cmd -w android.system.composd; no denials.
Change-Id: I5f06b2b01852cdebd2d67009b363ec08b17ce33a
diff --git a/private/composd.te b/private/composd.te
new file mode 100644
index 0000000..725e79e
--- /dev/null
+++ b/private/composd.te
@@ -0,0 +1,15 @@
+type composd, domain, coredomain;
+type composd_exec, system_file_type, exec_type, file_type;
+
+# Host a dynamic AIDL service
+init_daemon_domain(composd)
+binder_use(composd)
+add_service(composd, compos_service)
+
+# Start a VM
+virtualizationservice_use(composd)
+
+# Access our APEX data files
+allow composd apex_module_data_file:dir search;
+allow composd apex_compos_data_file:dir create_dir_perms;
+allow composd apex_compos_data_file:file create_file_perms;
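Review bot: The last two allow rules grant create_dir_perms and create_file_perms on apex_compos_data_file, which covers create, rename, unlink and setattr as well as read and write, but the comment above them only says "Access our APEX data files". Please either extend that comment to say what composd creates and removes under its APEX data directory, or narrow the rules to the permissions the daemon actually uses. The Test: line exercises only the service lookup, so a clean run there does not show which of these file permissions are needed. Separately, add_service(composd, compos_service) and the composd_exec type both rely on definitions that are not in this file: the compos_service type with its service_contexts entry, and a file_contexts label for the composd binary. Worth confirming both are part of the same change, since without the file_contexts entry the init_daemon_domain(composd) transition will not trigger.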