Merge "Allow snapuserd to inotify watch /dev/socket."
diff --git a/microdroid/system/private/service_contexts b/microdroid/system/private/service_contexts
index 5857a0f..24cc446 100644
--- a/microdroid/system/private/service_contexts
+++ b/microdroid/system/private/service_contexts
@@ -15,4 +15,5 @@
 android.security.metrics                  u:object_r:keystore_metrics_service:s0
 android.security.remoteprovisioning       u:object_r:remoteprovisioning_service:s0
 apexservice                               u:object_r:apex_service:s0
+manager                                   u:object_r:service_manager_service:s0
 *                                         u:object_r:default_android_service:s0
diff --git a/microdroid/system/private/servicemanager.te b/microdroid/system/private/servicemanager.te
index 8ff964f..d014af5 100644
--- a/microdroid/system/private/servicemanager.te
+++ b/microdroid/system/private/servicemanager.te
@@ -21,3 +21,5 @@
 allow servicemanager service_contexts_file:file r_file_perms;
 
 allow servicemanager vendor_service_contexts_file:file r_file_perms;
+
+add_service(servicemanager, service_manager_service)
diff --git a/microdroid/system/private/shell.te b/microdroid/system/private/shell.te
index fc51ad8..3bb879d 100644
--- a/microdroid/system/private/shell.te
+++ b/microdroid/system/private/shell.te
@@ -29,3 +29,7 @@
 # filesystem test for insucre blk_file's is done
 # via hostside test
 allow shell dev_type:blk_file getattr;
+
+# Test tool automatically tries to access /sys/class/power_supply.
+# Suppressing it as we don't need power_supply in microdroid.
+dontaudit shell sysfs:dir r_dir_perms;
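Review bot: The new `dontaudit shell sysfs:dir r_dir_perms;` is keyed on the generic sysfs type, so it silences every directory-read denial the shell domain hits anywhere under /sys, not only the /sys/class/power_supply probe the comment describes, and that will mask unrelated denials while the rest of the microdroid policy is still being tightened. If this tree labels the battery directory with its own type (AOSP uses sysfs_batteryinfo for it), scope the rule to that type instead; if it does not, at least trim the permission set to what the tool actually attempts and record that in the comment, e.g. `# Test tool probes /sys/class/power_supply, which microdroid does not provide; suppress only that lookup.`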
diff --git a/microdroid/system/private/ueventd.te b/microdroid/system/private/ueventd.te
index eb06672..4ff417b 100644
--- a/microdroid/system/private/ueventd.te
+++ b/microdroid/system/private/ueventd.te
@@ -50,3 +50,5 @@
 allow ueventd system_bootstrap_lib_file:dir r_dir_perms;
 allow ueventd system_bootstrap_lib_file:file { execute read open getattr map };
 
+# TODO(b/193118220): find out why this happens.
+dontaudit ueventd tmpfs:chr_file { relabelfrom setattr };
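Review bot: The new dontaudit hides `relabelfrom setattr` on tmpfs:chr_file, which in a ueventd context appears to be a device node under /dev that still carries the generic tmpfs label when ueventd tries to relabel it; suppressing the denial leaves that node mislabelled with no trace in the audit log, which is the opposite of what a tracked bug wants. Since the TODO says the cause is unknown, the comment should at least say what is being hidden and that the node keeps its wrong label until the bug is fixed, e.g. `# TODO(b/193118220): ueventd fails to relabel a chr_file still labelled tmpfs under /dev; the node keeps the generic label until the root cause is found.`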
diff --git a/microdroid/system/public/type.te b/microdroid/system/public/type.te
index c31509c..bd27d59 100644
--- a/microdroid/system/public/type.te
+++ b/microdroid/system/public/type.te
@@ -19,5 +19,6 @@
 type keystore_service, service_manager_type;
 type legacykeystore_service, service_manager_type;
 type remoteprovisioning_service, service_manager_type;
+type service_manager_service, service_manager_type;
 type system_linker;
 type vm_payload_key;
diff --git a/private/snapuserd.te b/private/snapuserd.te
index ade77dd..f24986c 100644
--- a/private/snapuserd.te
+++ b/private/snapuserd.te
@@ -8,6 +8,18 @@
 
 allow snapuserd kmsg_device:chr_file rw_file_perms;
 
+# Allow snapuserd to reach block devices in /dev/block.
+allow snapuserd block_device:dir search;
+
+# Read /sys/block to find all the DM directories like (/sys/block/dm-X).
+allow snapuserd sysfs:dir { open read };
+
+# Read /sys/block/dm-X/dm/name (which is a symlink to
+# /sys/devices/virtual/block/dm-X/dm/name) to identify the mapping between
+# dm-X and dynamic partitions.
+allow snapuserd sysfs_dm:dir { open read search };
+allow snapuserd sysfs_dm:file r_file_perms;
+
 # Reading and writing to /dev/block/dm-* (device-mapper) nodes.
 allow snapuserd block_device:dir r_dir_perms;
 allow snapuserd dm_device:chr_file rw_file_perms;
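Review bot: The added `allow snapuserd block_device:dir search;` at the top of the hunk duplicates the pre-existing `allow snapuserd block_device:dir r_dir_perms;` a few lines below, because r_dir_perms already includes search in the global macros (assuming this tree's definition matches AOSP), so the new line and its comment should be dropped or folded into the existing rule. For consistency with `sysfs_dm:file r_file_perms` on the next line, `sysfs_dm:dir { open read search }` could be written as `allow snapuserd sysfs_dm:dir r_dir_perms;`, which adds only getattr and ioctl and matches how the rest of the file spells directory reads. The merge title talks about inotify on /dev/socket, but nothing in this hunk grants that, so the commit message and the visible change do not line up.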