Merge "crosvm: socket getopt"
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index d5b61dc..dbd45f3 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -93,6 +93,11 @@
# or not; if set, it executes kexec to load the crashkernel into memory.
allow microdroid_manager proc_cmdline:file r_file_perms;
+# microdroid_manager needs to read /proc/stat and /proc_meminfo to collect CPU & memory usage
+# for creating atoms used in AVF telemetry metrics
+allow microdroid_manager proc_meminfo:file r_file_perms;
+allow microdroid_manager proc_stat:file r_file_perms;
+
# Allow microdroid_manager to read/write failure serial device
allow microdroid_manager serial_device:chr_file w_file_perms;
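Review bot: The new comment on the rule names the wrong path — it says "/proc_meminfo" where the rule (and the `proc_meminfo` type) refers to `/proc/meminfo`; suggested wording: `# microdroid_manager needs to read /proc/stat and /proc/meminfo to collect CPU & memory usage` followed by the existing second line. The two rules themselves are appropriately narrow (`r_file_perms` only, no write or ioctl) and both types are read-only data sources, so no change to the rules is being proposed. If the telemetry is collected on a timer rather than once, it may be worth saying so in the comment so a future reader does not try to tighten this to a one-shot read.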
diff --git a/prebuilts/api/33.0/private/kernel.te b/prebuilts/api/33.0/private/kernel.te
index 6775b3b..03ba79f 100644
--- a/prebuilts/api/33.0/private/kernel.te
+++ b/prebuilts/api/33.0/private/kernel.te
@@ -32,6 +32,19 @@
allow kernel kmsg_device:chr_file write;
allow kernel gsid:fd use;
+dontaudit kernel metadata_file:dir search;
+dontaudit kernel ota_metadata_file:dir rw_dir_perms;
+dontaudit kernel sysfs:dir r_dir_perms;
+dontaudit kernel sysfs:file { open read write };
+dontaudit kernel sysfs:chr_file { open read write };
+dontaudit kernel dm_device:chr_file ioctl;
+dontaudit kernel self:capability { sys_admin setgid mknod };
+
+dontaudit kernel dm_user_device:dir { write add_name };
+dontaudit kernel dm_user_device:chr_file { create setattr };
+dontaudit kernel tmpfs:lnk_file read;
+dontaudit kernel tmpfs:blk_file { open read };
+
# Some contexts are changed before the device is flipped into enforcing mode
# during the setup of Apex sepolicy. These denials can be suppressed since
# the permissions should not be allowed after the device is flipped into
diff --git a/private/kernel.te b/private/kernel.te
index 6775b3b..03ba79f 100644
--- a/private/kernel.te
+++ b/private/kernel.te
@@ -32,6 +32,19 @@
allow kernel kmsg_device:chr_file write;
allow kernel gsid:fd use;
+dontaudit kernel metadata_file:dir search;
+dontaudit kernel ota_metadata_file:dir rw_dir_perms;
+dontaudit kernel sysfs:dir r_dir_perms;
+dontaudit kernel sysfs:file { open read write };
+dontaudit kernel sysfs:chr_file { open read write };
+dontaudit kernel dm_device:chr_file ioctl;
+dontaudit kernel self:capability { sys_admin setgid mknod };
+
+dontaudit kernel dm_user_device:dir { write add_name };
+dontaudit kernel dm_user_device:chr_file { create setattr };
+dontaudit kernel tmpfs:lnk_file read;
+dontaudit kernel tmpfs:blk_file { open read };
+
# Some contexts are changed before the device is flipped into enforcing mode
# during the setup of Apex sepolicy. These denials can be suppressed since
# the permissions should not be allowed after the device is flipped into
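Review bot: The new `dontaudit` block (L46–L57) has no comment explaining which boot-time code path triggers these denials or why suppressing them is correct, while the block that immediately follows it documents exactly that for its own suppressions; the same uncommented block is mirrored in prebuilts/api/33.0/private/kernel.te (L23–L34). This matters because several of the suppressed accesses are sensitive — `self:capability { sys_admin setgid mknod }`, `ota_metadata_file:dir rw_dir_perms`, `dm_device:chr_file ioctl` — and a `dontaudit` on them will hide genuine policy violations from the audit log, so a reader needs to know the expected source (the `dm_user_device` and `ota_metadata_file` types suggest a dm-user / OTA-metadata path during early boot, but that is inferred, not stated). Suggested comment above L46: `# <placeholder: name the early-boot code path> hits these denials while running in the kernel domain; they are benign because <placeholder: reason>, so they are suppressed rather than allowed. Re-check this list whenever that path changes.` The merge title ("crosvm: socket getopt") does not describe these hunks, so the commit message is unlikely to supply the rationale either; a neverallow or an `allow` for the genuinely required subset would be preferable if any of these accesses is actually needed rather than merely noisy.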