Add sepolicy rules for microdroid_resources_file Bug: 287593065 Test: run microdroid with vendor VM Test: builds Change-Id: I8c8fe90a0ed14d6af430206fe947a0f4ce4f68e5

commit: f1d47f78d24e46b70f5fdd08741e504e3a3c251a [log] [tgz]
author: Nikita Ioffe <ioffe@google.com> Tue Mar 12 23:02:37 2024 +0000
committer: Nikita Ioffe <ioffe@google.com> Thu Apr 04 13:05:34 2024 +0000
tree: 67efae564bf48a0f0fb5988473a8ee95e94437ff
parent: dfc018f8861e8b2b3a93e2784b289e16c6f0870b [diff] [blame]
diff --git a/microdroid/system/private/kernel.te b/microdroid/system/private/kernel.te
index 1d03c4a..0b650d3 100644
--- a/microdroid/system/private/kernel.te
+++ b/microdroid/system/private/kernel.te

@@ -81,3 +81,10 @@
 
 #-----------------------------------------
 allow kernel apkdmverity:fd use;
+
+# We run restorecon_recursive /microdroid_resources during setup_selinux stage which runs in the
+# kernel domain. This is to avoid granting init weird capabilities like
+# `allow init tmpfs:file relabelfrom;`
+allow kernel microdroid_resources_file:dir { read open search relabelto};
+allow kernel microdroid_resources_file:file relabelto;
+allow kernel tmpfs:file { getattr relabelfrom };
commit	f1d47f78d24e46b70f5fdd08741e504e3a3c251a	[log] [tgz]
author	Nikita Ioffe <ioffe@google.com>	Tue Mar 12 23:02:37 2024 +0000
committer	Nikita Ioffe <ioffe@google.com>	Thu Apr 04 13:05:34 2024 +0000
tree	67efae564bf48a0f0fb5988473a8ee95e94437ff
parent	dfc018f8861e8b2b3a93e2784b289e16c6f0870b [diff] [blame]