Address sepolicy denials for region e2e test
denied { dac_override } for comm="vsoc_guest_regi" capability=1 scontext=u:r:vsoc_guest_region_e2e_test:s0 tcontext=u:r:vsoc_guest_region_e2e_test:s0 tclass=capability
denied { read write } for comm="vsoc_guest_regi" name="e2e_primary" dev="tmpfs" scontext=u:r:vsoc_guest_region_e2e_test:s0 tcontext=u:object_r:device:s0 tclass=chr_file
denied { open } for comm="vsoc_guest_regi" path="/dev/e2e_primary" dev="tmpfs" scontext=u:r:vsoc_guest_region_e2e_test:s0 tcontext=u:object_r:device:s0 tclass=chr_file
denied { ioctl } for comm="vsoc_guest_regi" path="/dev/e2e_primary" dev="tmpfs" ioctlcmd=f504 scontext=u:r:vsoc_guest_region_e2e_test:s0 tcontext=u:object_r:device:s0 tclass=chr_file
denied { ioctl } for comm="vsoc_guest_regi" path="/dev/e2e_secondary" dev="tmpfs" ioctlcmd=f506 scontext=u:r:vsoc_guest_region_e2e_test:s0 tcontext=u:object_r:device:s0 tclass=chr_file
denied { read write } for comm="vsoc_guest_regi" name="e2e_managed" dev="tmpfs" scontext=u:r:vsoc_guest_region_e2e_test:s0 tcontext=u:object_r:device:s0 tclass=chr_file
Test: Device boots
Test: When device is running:
cd device/google/cuttlefish_common && \
bazel build ... && \
bazel-bin/host_region_e2e_test
All tests pass
Bug: 28053261
Change-Id: I54d706722720c7615992ffb0b84ff91519433f8a
diff --git a/shared/sepolicy/device.te b/shared/sepolicy/device.te
index cd38e2d..d00e56c 100644
--- a/shared/sepolicy/device.te
+++ b/shared/sepolicy/device.te
@@ -1,2 +1,3 @@
# Device types
+type region_e2e_test_device, dev_type;
type virtual_serial_device, dev_type;
diff --git a/shared/sepolicy/file_contexts b/shared/sepolicy/file_contexts
index 6db6407..1617847 100644
--- a/shared/sepolicy/file_contexts
+++ b/shared/sepolicy/file_contexts
@@ -1,6 +1,10 @@
##########################
# Devices
#
+/dev/e2e_managed u:object_r:region_e2e_test_device:s0
+/dev/e2e_manager u:object_r:region_e2e_test_device:s0
+/dev/e2e_primary u:object_r:region_e2e_test_device:s0
+/dev/e2e_secondary u:object_r:region_e2e_test_device:s0
/dev/framebuffer_control u:object_r:fb_ctl_file:s0
/dev/userspace_framebuffer u:object_r:userspace_fb_file:s0
/dev/vport[0-9]p[0-9]* u:object_r:virtual_serial_device:s0
diff --git a/shared/sepolicy/vsoc_guest_region_e2e_test.te b/shared/sepolicy/vsoc_guest_region_e2e_test.te
index d3e24d4..f1bb7a0 100644
--- a/shared/sepolicy/vsoc_guest_region_e2e_test.te
+++ b/shared/sepolicy/vsoc_guest_region_e2e_test.te
@@ -2,3 +2,8 @@
type vsoc_guest_region_e2e_test_exec, exec_type, file_type;
init_daemon_domain(vsoc_guest_region_e2e_test)
+
+allow vsoc_guest_region_e2e_test self:capability dac_override;
+
+# Access region test devices
+allow vsoc_guest_region_e2e_test region_e2e_test_device:chr_file rw_file_perms;