Add sepolicy rules for microdroid_resources_file
Bug: 287593065
Test: run microdroid with vendor VM
Test: builds
Change-Id: I8c8fe90a0ed14d6af430206fe947a0f4ce4f68e5
diff --git a/microdroid/system/private/file.te b/microdroid/system/private/file.te
index 62ca9b7..e250c35 100644
--- a/microdroid/system/private/file.te
+++ b/microdroid/system/private/file.te
@@ -20,6 +20,8 @@
type encryptedstore_file, file_type;
type encryptedstore_fs, fs_type, contextmount_type;
+type microdroid_resources_file, file_type;
+
# Filesystem entry for for PRNG seeder socket.
type prng_seeder_socket, file_type, coredomain_socket;
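Review bot: The new `microdroid_resources_file` type at the added line is declared without a comment, while the neighbouring declarations in this file carry one (see the `prng_seeder_socket` line). Since the type's purpose is only explained in the kernel.te and microdroid_manager.te hunks of this same change, a reader of file.te alone cannot tell what it labels; suggest `# Files under /microdroid_resources, relabeled from tmpfs at setup_selinux (e.g. the vendor DICE chain).` above the declaration.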
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 03e9cba..6414f76 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -15,7 +15,7 @@
# Empty directories
/lost\+found u:object_r:rootfs:s0
/debug_ramdisk u:object_r:tmpfs:s0
-/microdroid_resources u:object_r:tmpfs:s0
+/microdroid_resources(/.*)? u:object_r:microdroid_resources_file:s0
/mnt u:object_r:tmpfs:s0
/proc u:object_r:rootfs:s0
/second_stage_resources u:object_r:tmpfs:s0
diff --git a/microdroid/system/private/kernel.te b/microdroid/system/private/kernel.te
index 1d03c4a..0b650d3 100644
--- a/microdroid/system/private/kernel.te
+++ b/microdroid/system/private/kernel.te
@@ -81,3 +81,10 @@
#-----------------------------------------
allow kernel apkdmverity:fd use;
+
+# We run restorecon_recursive /microdroid_resources during setup_selinux stage which runs in the
+# kernel domain. This is to avoid granting init weird capabilities like
+# `allow init tmpfs:file relabelfrom;`
+allow kernel microdroid_resources_file:dir { read open search relabelto};
+allow kernel microdroid_resources_file:file relabelto;
+allow kernel tmpfs:file { getattr relabelfrom };
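Review bot: The last added line grants the kernel domain `relabelfrom` on every `tmpfs`-labeled file in the VM, not only those under /microdroid_resources, because the rule is keyed on the `tmpfs` type rather than on a path; the comment above it should state that this is accepted, or the restorecon target should be given a dedicated initial label so the grant can be narrowed. The directory rule on the line before is also asymmetric with it: the file_contexts hunk shows /microdroid_resources itself was previously labeled `tmpfs`, so a restorecon_recursive rooted there would presumably need `tmpfs:dir { getattr relabelfrom }` as well unless that is already granted elsewhere in kernel.te outside this hunk. As a point of style, the dir rule's permission set is missing the space before the closing brace that the sibling rule uses: `allow kernel microdroid_resources_file:dir { read open search relabelto };`.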
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index d1a5c6f..75c89be 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -24,6 +24,19 @@
# Read config from the open-dice driver.
allow microdroid_manager open_dice_device:chr_file rw_file_perms;
+# In case Microdroid VM is started with microdroid vendor partition, the first_stage_init
+# will derive a microdroid vendor dice node, and write a resulting dice chain into file
+# with dice_chain_file type, microdroid_manager will need to read it to derive the next chain.
+allow microdroid_manager microdroid_resources_file:file { rw_file_perms unlink };
+# In case dice chain is stored in dice_chain_file microdroid_manager will delete it after deriving
+# the next dice chain.
+allow microdroid_manager microdroid_resources_file:dir { remove_name search write };
+
+# Microdroid manager unmounts /microdroid_resources before starting the payload.
+# This is a defence-in-depth measure to ensure that payload can't read the dice chain stored
+# on /microdroid_resources/dice_chain.raw
+allow microdroid_manager tmpfs:filesystem unmount;
+
# Block crash dumps to ensure the DICE secrets are not leaked.
typeattribute microdroid_manager no_crash_dump_domain;
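Review bot: The comment above the first added `allow` rule says the dice chain is written "into file with dice_chain_file type", but the rule it documents grants access on `microdroid_resources_file`, and no `dice_chain_file` type appears anywhere in this change; the comment should name the type the rule actually uses. The same rule grants `rw_file_perms` although the comment only describes reading the chain and then deleting it, so if microdroid_manager never writes that file the grant can be narrowed to `allow microdroid_manager microdroid_resources_file:file { r_file_perms unlink };`. The later `allow microdroid_manager tmpfs:filesystem unmount;` likewise covers every tmpfs mount in the VM rather than just /microdroid_resources; since the comment calls the unmount a defence-in-depth measure, it would be worth noting there that the primary control is the absence of any rule granting the payload domain access to `microdroid_resources_file`, so the rule stays meaningful if the unmount ever fails.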