microdroid/system/private/compos.te

# TODO(b/193504816): move this to compos APEX
type compos, domain, coredomain, microdroid_payload;
type compos_exec, exec_type, file_type, system_file_type;

allow compos self:vsock_socket { create_socket_perms_no_ioctl listen accept };

# Allow using keystore and authfs_service binder services
binder_use(compos);
use_keystore(compos);
allow compos authfs_binder_service:service_manager find;
binder_call(compos, authfs_service);

# Allow payloads to use and manage their keys
allow compos vm_payload_key:keystore2_key {
    delete
    get_info
    manage_blob
    rebind
    use
};

# Although the compos should not really read/write the FD on authfs_fuse, this
# is apparently required for the binder driver to pass the FDs to compos from
# authfs_service.
allow compos authfs_fuse:file { read write };

# Allow getattr (in fact, getxattr) as a workaround to retrieve fs-verity
# metadata. See b/196635431.
allow compos authfs_fuse:file getattr;

# Allow creating the odrefresh output directory in authfs.
allow compos authfs_fuse:dir create_dir_perms;

# Allow locating the authfs mount directory.
allow compos authfs_data_file:dir { search };

# Allow domain transition into odrefresh and dex2oat.
# TODO(b/209008712): Remove dex2oat once the migration is done.
domain_auto_trans(compos, odrefresh_exec, odrefresh)
domain_auto_trans(compos, dex2oat_exec, dex2oat)