Enable odrefresh to work with composd.

composd spawns odrefresh in its usual domain. odrefresh then spawns
fd_server in a different domain, and makes binder calls back to
composd to perform individual compilation steps.

fd_server is fairly generic, and part of the virt APEX, but this
instance is specific to composd (e.g. it has access to ART files), so
I named the domain compos_fd_server.

Bug: 186126194
Test: Run composd_cmd, artifacts generated
Change-Id: I5a431dd00b5b396a67021c618fc6edcfb25aa21b
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index ad8d55c..cc712ff 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -1,3 +1,4 @@
 (/.*)?                     u:object_r:system_file:s0
 /bin/crosvm                u:object_r:crosvm_exec:s0
+/bin/fd_server             u:object_r:fd_server_exec:s0
 /bin/virtualizationservice u:object_r:virtualizationservice_exec:s0
diff --git a/private/compos_fd_server.te b/private/compos_fd_server.te
new file mode 100644
index 0000000..16a57e2
--- /dev/null
+++ b/private/compos_fd_server.te
@@ -0,0 +1,16 @@
+# Make ART inputs and outputs available to the CompOS VM
+type compos_fd_server, domain, coredomain;
+
+# Allow access to open fds inherited from odrefresh - read inputs, generate outputs
+allow compos_fd_server odrefresh:fd use;
+allow compos_fd_server apex_art_data_file:file { getattr read };
+allow compos_fd_server apex_art_staging_data_file:file { getattr read write };
+# TODO(b/196109647) - remove this when no longer needed by minijail
+allow compos_fd_server odrefresh:fifo_file read;
+
+# Create a listening vsock for the VM to connect back to
+allow compos_fd_server self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+# Only odrefresh can enter the domain via exec
+neverallow { domain -odrefresh } compos_fd_server:process transition;
+neverallow * compos_fd_server:process dyntransition;
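Review bot: The two neverallow rules that close the new file restrict which domain may transition into compos_fd_server, but nothing pins which file may serve as its entrypoint. Adding `neverallow compos_fd_server { file_type fs_type -fd_server_exec }:file entrypoint;` would fail the build if a later rule let another binary run in this domain, which can write to apex_art_staging_data_file. The file rules grant `getattr read` and `write` without `open`, so the domain can only use descriptors it inherits from odrefresh. A comment such as `# No open permission: files are reachable only through inherited fds` would stop a later change from adding `open` as a presumed fix.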
diff --git a/private/file.te b/private/file.te
index 124309c..7e0bdd2 100644
--- a/private/file.te
+++ b/private/file.te
@@ -68,3 +68,6 @@
 
 # /dev/kvm
 type kvm_device, dev_type;
+
+# /apex/com.android.virt/bin/fd_server
+type fd_server_exec, system_file_type, exec_type, file_type;
diff --git a/private/odrefresh.te b/private/odrefresh.te
index 811b7cf..c6ab7bb 100644
--- a/private/odrefresh.te
+++ b/private/odrefresh.te
@@ -49,9 +49,20 @@
 # odrefesh.
 allow odrefresh composd:fd use;
 
-# Run system binaries, e.g. pvm_exec, in the same domain
+# Run binaries from the CompOS APEX in the same domain
 allow odrefresh system_file:file execute_no_trans;
 
+# Make binder calls back to composd
+binder_use(odrefresh)
+allow odrefresh compos_service:service_manager find;
+binder_call(odrefresh, composd)
+
+# Run fd_server in its own domain
+domain_auto_trans(odrefresh, fd_server_exec, compos_fd_server)
+
+# And kill it via SIGTERM
+allow odrefresh compos_fd_server:process signal;
+
 # Do not audit unused resources from parent processes (adb, shell, su).
 # These appear to be unnecessary for odrefresh.
 dontaudit odrefresh { adbd shell }:fd use;
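Review bot: The reworded comment above `allow odrefresh system_file:file execute_no_trans;` describes a narrower grant than the rule gives. The rule covers every file labelled system_file, not only binaries from the CompOS APEX, so a reader auditing what odrefresh may execute in its own domain would be misled. I would word it as `# Run system_file-labelled binaries (e.g. pvm_exec from the CompOS APEX) in the same domain`. If the intent really is to limit execution to the CompOS APEX, those binaries would need their own exec type, as fd_server gets in this change. How the CompOS APEX files are labelled is not visible in this diff, so that part needs confirming.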