microdroid: allow init_debug_policy.sh to handle AVF debug policy
Test: Boot microdroid with no issue
Bug: 2437372
Change-Id: I485228864cce58922e7e3b3eed4b9bd1c5cce306
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index 4251a9e..5482b01 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -208,6 +208,7 @@
get_prop(domain, arm64_memtag_prop)
get_prop(domain, bootloader_prop)
get_prop(domain, build_prop)
+get_prop(domain, debuggable_prop)
get_prop(domain, debug_prop)
get_prop(domain, fingerprint_prop)
get_prop(domain, init_service_status_prop)
@@ -391,6 +392,7 @@
neverallow { domain -init -vendor_init } vendor_default_prop:property_service set;
neverallow { domain -init } build_prop:property_service set;
+neverallow { domain -init -init_debug_policy } debuggable_prop:property_service set;
# Never allow anyone to connect or write to
# the tombstoned intercept socket.
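Review bot: The added neverallow protects `debuggable_prop`, but `init_debug_policy_prop`, which this commit introduces for `init_debug_policy.adbd.enabled` in the property_contexts hunk, gets no equivalent rule. A later allow rule could therefore let another domain set the adbd switch without tripping a compile-time check. Consider adding `neverallow { domain -init -init_debug_policy } init_debug_policy_prop:property_service set;` directly below the new line. The neverallow block continues outside this hunk.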
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 8d9ad85..63221ce 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -106,6 +106,7 @@
/system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
/system/bin/bootstrap/linkerconfig u:object_r:linkerconfig_exec:s0
/system/bin/init u:object_r:init_exec:s0
+/system/bin/init_debug_policy u:object_r:init_debug_policy_exec:s0
/system/bin/logcat -- u:object_r:logcat_exec:s0
/system/bin/logd u:object_r:logd_exec:s0
/system/bin/sh -- u:object_r:shell_exec:s0
diff --git a/microdroid/system/private/genfs_contexts b/microdroid/system/private/genfs_contexts
index ce28471..f55711e 100644
--- a/microdroid/system/private/genfs_contexts
+++ b/microdroid/system/private/genfs_contexts
@@ -137,6 +137,7 @@
genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
genfscon sysfs /devices/virtual/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /firmware/devicetree/base/avf u:object_r:sysfs_dt_avf:s0
genfscon sysfs /firmware/devicetree/base/chosen/avf,new-instance u:object_r:sysfs_dt_avf:s0
genfscon sysfs /firmware/devicetree/base/chosen/avf,strict-boot u:object_r:sysfs_dt_avf:s0
genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
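Review bot: Labelling the whole `/firmware/devicetree/base/avf` node as `sysfs_dt_avf` reuses the type that already covers `chosen/avf,new-instance` and `chosen/avf,strict-boot`. Because genfscon entries match by path prefix, any domain that already has read access to `sysfs_dt_avf` would also gain access to everything under the new node, including the debug policy. If only init_debug_policy is meant to read the debug policy, a dedicated type (for example `sysfs_dt_avf_debug_policy`, name is a suggestion) would keep the two grants separate. Otherwise a comment above the line such as `# AVF debug policy, read by init_debug_policy` would record the intent.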
diff --git a/microdroid/system/private/init_debug_policy.te b/microdroid/system/private/init_debug_policy.te
new file mode 100644
index 0000000..33b8917
--- /dev/null
+++ b/microdroid/system/private/init_debug_policy.te
@@ -0,0 +1,32 @@
+# init_debug_policy is its own domain.
+type init_debug_policy, domain, coredomain;
+type init_debug_policy_exec, system_file_type, exec_type, file_type;
+
+# Transition from init -> init_debug_policy_exec
+init_daemon_domain(init_debug_policy);
+
+# init_debug_policy is using bootstrap bionic
+use_bootstrap_libs(init_debug_policy)
+
+# Allow init_debug_policy to write /dev/kmsg (specified by stdio_to_kmsg)
+allow init_debug_policy kmsg_debug_device:chr_file w_file_perms;
+
+# Allow init_debug_policy to use xxd and set/getprop
+allow init_debug_policy toolbox_exec:file rx_file_perms;
+
+# Allow init_debug_policy to set ro.debuggable to enable/disable adb root
+set_prop(init_debug_policy, debuggable_prop)
+
+# Allow init_debug_policy to set ro.log.file_logger.path to enable/disable console log
+set_prop(init_debug_policy, log_prop)
+
+# Allow init_debug_policy to get ro.boot.microdroid.debuggable and ro.boot.adb.enabled
+get_prop(init_debug_policy, bootloader_prop)
+
+# Allow init_debug_policy to set init_debug_policy.adbd.enabled
+set_prop(init_debug_policy, init_debug_policy_prop)
+
+# Allow init_debug_policy to read AVF debug policy
+allow init_debug_policy sysfs_dt_avf:dir search;
+allow init_debug_policy sysfs_dt_avf:file { open read };
+
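Review bot: `set_prop(init_debug_policy, log_prop)` grants write access to every property labelled `log_prop`, while the comment above it names only `ro.log.file_logger.path`; a dedicated property type for that one key would keep the grant as narrow as the comment states. `get_prop(init_debug_policy, bootloader_prop)` looks redundant, since domain.te already carries `get_prop(domain, bootloader_prop)`. `init_daemon_domain(init_debug_policy);` also has a trailing semicolon that the other macro calls in this file do not. The commit title refers to `init_debug_policy.sh`; if the service really is a shell script, this file grants nothing on `shell_exec`, so it is worth checking the boot log for denials from this domain rather than relying on a successful boot alone.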
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 235ab14..bb43d58 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -108,10 +108,11 @@
ro.build.version.sdk u:object_r:build_prop:s0 exact int
ro.build.version.security_patch u:object_r:build_prop:s0 exact string
ro.build.version.known_codenames u:object_r:build_prop:s0 exact string
-ro.debuggable u:object_r:build_prop:s0 exact bool
ro.product.cpu.abilist u:object_r:build_prop:s0 exact string
ro.adb.secure u:object_r:build_prop:s0 exact bool
+ro.debuggable u:object_r:debuggable_prop:s0 exact bool
+
ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
apex_config.done u:object_r:apex_config_prop:s0 exact bool
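Review bot: Moving `ro.debuggable` to `debuggable_prop` makes it writable by init_debug_policy, but `ro.` properties can be set only once. The write therefore succeeds only if nothing, such as a build.prop default, has set the property earlier in boot. A comment above the entry such as `# Set at boot by init_debug_policy; must not be defined in build.prop` would record that ordering requirement. Whether the image's build.prop still defines the property is not visible in this diff.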
@@ -125,6 +126,8 @@
microdroid_manager.config_done u:object_r:microdroid_lifecycle_prop:s0 exact bool
microdroid_manager.init_done u:object_r:microdroid_lifecycle_prop:s0 exact bool
+init_debug_policy.adbd.enabled u:object_r:init_debug_policy_prop:s0 exact bool
+
dev.mnt.blk.root u:object_r:dev_mnt_prop:s0 exact string
dev.mnt.blk.vendor u:object_r:dev_mnt_prop:s0 exact string
dev.mnt.dev.root u:object_r:dev_mnt_prop:s0 exact string
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index a2c3b77..158d741 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -6,6 +6,7 @@
type bootloader_prop, property_type;
type boottime_prop, property_type;
type build_prop, property_type;
+type debuggable_prop, property_type;
type cold_boot_done_prop, property_type;
type ctl_adbd_prop, property_type;
type ctl_apexd_prop, property_type;
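Review bot: `type debuggable_prop, property_type;` is inserted between `build_prop` and `cold_boot_done_prop`, which breaks the alphabetical order the surrounding declarations follow; placing it after the `ctl_*` types would keep the list sorted. The same applies to `init_debug_policy_prop` in the next hunk, which sorts before `init_service_status_private_prop` rather than after `init_svc_debug_prop`. The declaration list continues outside both hunks.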
@@ -35,6 +36,7 @@
type init_service_status_private_prop, property_type;
type init_service_status_prop, property_type;
type init_svc_debug_prop, property_type;
+type init_debug_policy_prop, property_type;
type libc_debug_prop, property_type;
type log_prop, property_type;
type log_tag_prop, property_type;