commit f252d81ec9fd509e63ab0ce06cbf046650120d1c
author Jiyong Park <jiyong@google.com> Fri Jan 21 13:40:53 2022 +0900
committer Andrew Scull <ascull@google.com> Fri Jan 21 18:19:03 2022 +0000
tree d3a1363dfa8b048f936d03f8a2987d4136a5dd0d
parent 92382fe69fe1fe8e07f5e9fed1d58c4dcb4ba973

Allow microdroid_manager to talk to diced

microdroid_manager needs to give the measurements to diced and get
per-VM secret from it for encrypting/decrypting the instance disk.

Bug: 214231981
Test: run microdroid
Change-Id: Ia4cab3f40263619e554466433cbb065e70ae0f07

microdroid/system/private/microdroid_manager.te

diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 736a135..442b091 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -41,6 +41,12 @@
 allow microdroid_manager system_bootstrap_lib_file:dir r_dir_perms;
 allow microdroid_manager system_bootstrap_lib_file:file { execute read open getattr map };
 
+# microdroid_manager can talk to diced over binder
+binder_use(microdroid_manager)
+binder_call(microdroid_manager, diced)
+allow microdroid_manager { dice_node_service dice_maintenance_service }:service_manager find;
+allow microdroid_manager diced:diced { derive demote_self };
+
 # microdroid_manager create /apex/vm-payload-metadata for apexd
 # TODO(b/199371341) create a new label for the file so that only microdroid_manager can create it.
 allow microdroid_manager apex_mnt_dir:dir w_dir_perms;