Blame - microdroid/system/private/compos.te - android_system_sepolicy

blob: 41dd91abd0ce1842f290cc247fe5e866b887b662 [file] [log] [blame]

Inseob Kim	7560aed	2021-07-20 09:57:57 +0000	[diff] [blame]	1	# TODO(b/193504816): move this to compos APEX
Inseob Kim	1f87fbd	2021-07-26 05:56:31 +0000	[diff] [blame]	2	type compos, domain, coredomain, microdroid_payload;
Inseob Kim	7560aed	2021-07-20 09:57:57 +0000	[diff] [blame]	3	type compos_exec, exec_type, file_type, system_file_type;
				4
Alan Stokes	50d2195	2022-01-17 13:50:16 +0000	[diff] [blame^]	5	# Expose RPC Binder service over vsock
Inseob Kim	7560aed	2021-07-20 09:57:57 +0000	[diff] [blame]	6	allow compos self:vsock_socket { create_socket_perms_no_ioctl listen accept };
				7
Alan Stokes	50d2195	2022-01-17 13:50:16 +0000	[diff] [blame^]	8	# Allow using various binder services
Inseob Kim	1f87fbd	2021-07-26 05:56:31 +0000	[diff] [blame]	9	binder_use(compos);
Inseob Kim	1f87fbd	2021-07-26 05:56:31 +0000	[diff] [blame]	10	use_keystore(compos);
Alan Stokes	50d2195	2022-01-17 13:50:16 +0000	[diff] [blame^]	11	allow compos {
				12	authfs_binder_service
				13	dice_node_service
				14	}:service_manager find;
Victor Hsieh	aa987aa	2021-08-10 16:33:32 -0700	[diff] [blame]	15	binder_call(compos, authfs_service);
Alan Stokes	50d2195	2022-01-17 13:50:16 +0000	[diff] [blame^]	16	binder_call(compos, diced);
				17	allow compos diced:diced { get_attestation_chain use_sign };
Inseob Kim	1f87fbd	2021-07-26 05:56:31 +0000	[diff] [blame]	18
				19	# Allow payloads to use and manage their keys
				20	allow compos vm_payload_key:keystore2_key {
				21	delete
				22	get_info
				23	manage_blob
				24	rebind
				25	use
				26	};
Victor Hsieh	aa987aa	2021-08-10 16:33:32 -0700	[diff] [blame]	27
Alan Stokes	14f1887	2021-12-16 13:40:21 +0000	[diff] [blame]	28	# Read artifacts created by odrefresh and create signature files.
Alan Stokes	14f1887	2021-12-16 13:40:21 +0000	[diff] [blame]	29	allow compos authfs_fuse:dir rw_dir_perms;
				30	allow compos authfs_fuse:file create_file_perms;
Victor Hsieh	f97cc1f	2021-11-30 14:43:47 -0800	[diff] [blame]	31
				32	# Allow locating the authfs mount directory.
Alan Stokes	14f1887	2021-12-16 13:40:21 +0000	[diff] [blame]	33	allow compos authfs_data_file:dir search;
Victor Hsieh	f97cc1f	2021-11-30 14:43:47 -0800	[diff] [blame]	34
Alan Stokes	d313282	2022-01-05 16:05:54 +0000	[diff] [blame]	35	# Run derive_classpath in our domain
				36	allow compos derive_classpath_exec:file rx_file_perms;
				37	allow compos apex_mnt_dir:dir r_dir_perms;
				38	# Ignore harmless denials on /proc/self/fd
				39	dontaudit compos self:dir write;
				40	# See b/35323867#comment3
				41	dontaudit compos self:global_capability_class_set dac_override;
				42
Victor Hsieh	f97cc1f	2021-11-30 14:43:47 -0800	[diff] [blame]	43	# Allow domain transition into odrefresh and dex2oat.
				44	# TODO(b/209008712): Remove dex2oat once the migration is done.
				45	domain_auto_trans(compos, odrefresh_exec, odrefresh)
Victor Hsieh	aa987aa	2021-08-10 16:33:32 -0700	[diff] [blame]	46	domain_auto_trans(compos, dex2oat_exec, dex2oat)