# SELinux policy for microdroid_manager, a daemon running inside microdroid.
# TODO(b/189165759): move this file to packages/modules/Virtualization.

# microdroid_manager is the process domain (a coredomain);
# microdroid_manager_exec labels the daemon's executable as a system file.
type microdroid_manager, domain, coredomain;
type microdroid_manager_exec, exec_type, file_type, system_file_type;

# Allow the domain transition from init, so the daemon runs confined as
# microdroid_manager rather than in init's domain.
init_daemon_domain(microdroid_manager)

# microdroid_manager accesses /dev/block/by-name/signature, which is a symlink
# to a /dev/vd* block device file. All three rules are read-only.
# NOTE(review): the last rule applies to every blk_file labelled vd_device, not
# only the signature partition. If other /dev/vd* devices carry this label they
# are readable too; a dedicated label would narrow the grant. Confirm against
# file_contexts.
allow microdroid_manager block_device:dir r_dir_perms;
allow microdroid_manager block_device:lnk_file r_file_perms;
allow microdroid_manager vd_device:blk_file r_file_perms;

# microdroid_manager starts the payload task via microdroid_launcher: executing
# a file labelled microdroid_launcher_exec transitions into the
# microdroid_launcher domain.
domain_auto_trans(microdroid_manager, microdroid_launcher_exec, microdroid_launcher);

# Let microdroid_manager exec other files (e.g. the payload command) in the same domain.
# execute_no_trans means no domain transition happens, so anything started this
# way keeps every permission granted to microdroid_manager in this file.
# TODO(b/189706019): we need a separate domain for the app process.
allow microdroid_manager system_file:file execute_no_trans;
# Until then, allow microdroid_manager to execute the shell or other system executables.
# NOTE(review): rx_file_perms is defined outside this file; presumably it
# includes execute_no_trans, in which case the shell and toolbox also run
# unconfined from microdroid_manager's point of view. Confirm, and drop this
# rule together with the one above once b/189706019 is resolved.
allow microdroid_manager {shell_exec toolbox_exec}:file rx_file_perms;

# Let microdroid_manager read a config file from /mnt/apk (fusefs).
# userdebug_or_eng limits these rules to userdebug and eng builds.
# NOTE(review): the stated purpose is reading a config file, but rx_file_perms
# also grants execute on fuse-labelled files; r_file_perms would match the
# comment. Confirm whether execute is actually required.
# TODO(b/188400186): remove the two rules below.
userdebug_or_eng(`
  allow microdroid_manager fuse:dir r_dir_perms;
  allow microdroid_manager fuse:file rx_file_perms;
')