Merge "bpfloader: allowing reading proc_bpf:file" into main
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 046f20f..03e9cba 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -15,6 +15,7 @@
 # Empty directories
 /lost\+found        u:object_r:rootfs:s0
 /debug_ramdisk      u:object_r:tmpfs:s0
+/microdroid_resources u:object_r:tmpfs:s0
 /mnt                u:object_r:tmpfs:s0
 /proc               u:object_r:rootfs:s0
 /second_stage_resources u:object_r:tmpfs:s0
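Review bot: The merge title names bpfloader and proc_bpf:file, but none of the three hunks in this diff touches bpfloader or proc_bpf; the visible changes are a microdroid file_contexts entry, ueventd relabel permissions and an apexd statsd grant, so this appears to be a merge carrying several unrelated changes. The commit record should say which changes it rolls up so a reader of the policy history can map each hunk to its motivation. On this hunk itself, the new `/microdroid_resources` entry sits under the `# Empty directories` heading and is labeled `tmpfs` like its neighbours, which is consistent with the surrounding mount points if it is also a mount target; a short trailing comment naming what gets mounted there would avoid the reader having to infer it.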
diff --git a/microdroid/system/private/ueventd.te b/microdroid/system/private/ueventd.te
index 4bd55cf..2f25703 100644
--- a/microdroid/system/private/ueventd.te
+++ b/microdroid/system/private/ueventd.te
@@ -15,7 +15,10 @@
 r_dir_file(ueventd, sysfs_type)
 allow ueventd sysfs_type:{ file lnk_file } { relabelfrom relabelto setattr };
 allow ueventd sysfs_type:dir { relabelfrom relabelto setattr };
-allow ueventd tmpfs:chr_file rw_file_perms;
+# the open-dice0 device is now created in first_stage_init, ueventd needs these permissions
+# so that it can relabel it to open_dice_device, so that microdroid_manager can access it.
+allow ueventd tmpfs:chr_file { relabelfrom rw_file_perms setattr };
+allow ueventd open_dice_device:chr_file relabelto;
 allow ueventd dev_type:dir create_dir_perms;
 allow ueventd dev_type:lnk_file { create unlink };
 allow ueventd dev_type:chr_file { getattr create setattr unlink };
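Review bot: The `relabelfrom` and `setattr` added on `tmpfs:chr_file` apply to every character device node on tmpfs, not only open-dice0 as the comment suggests, while the `relabelto` on the next line is correctly pinned to `open_dice_device`; the comment should state that asymmetry so the breadth of the source-side grant is a recorded decision rather than an accident. I would reword the two comment lines to `# open-dice0 is created in first_stage_init on tmpfs; ueventd relabels it to open_dice_device` and `# (relabelfrom/setattr on any tmpfs chr_file, relabelto only to open_dice_device) for microdroid_manager.` If this policy keeps `neverallow` assertions elsewhere, one stating that ueventd may `relabelto` tmpfs-origin chr_files only as `open_dice_device` would make that intent enforceable rather than descriptive; I cannot see from this hunk whether such assertions exist.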
diff --git a/private/apexd.te b/private/apexd.te
index b62e6e6..eeacf65 100644
--- a/private/apexd.te
+++ b/private/apexd.te
@@ -204,3 +204,6 @@
 
 # Allow set apex ready property
 set_prop(apexd, apex_ready_prop)
+
+# Allow apexd to write to statsd.
+unix_socket_send(apexd, statsdw, statsd)
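Review bot: The comment `# Allow apexd to write to statsd.` undersells what the macro grants; as I read `unix_socket_send`, it allows `write` on the `statsdw` sock_file and `sendto` on `statsd`'s unix dgram socket, i.e. a one-way logging path, and the comment should say so because "write to statsd" could be read as a general IPC channel. I would use `# Allow apexd to send stats log events to statsd over the statsdw dgram socket (sock_file write + sendto only).` If the grant exists for a specific metric or atom emitted by apexd, naming it here would let a future reviewer judge whether the permission is still needed.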