# SELinux policy for the crosvm domain: type declarations, the few accesses
# crosvm is granted here, and build-time assertions fencing off /dev/kvm.

# Process domain for crosvm; carries the domain and coredomain attributes.
type crosvm, domain, coredomain;
# Executable file type (exec_type, system_file_type).
# NOTE(review): presumably the label of the crosvm binary; the file_contexts
# entry and any domain-transition rule are not part of this listing.
type crosvm_exec, system_file_type, exec_type, file_type;
# File type for crosvm's temporary files.
# NOTE(review): presumably the type tmpfs_domain() below refers to; confirm
# against the macro definition.
type crosvm_tmpfs, file_type;

# Let crosvm create temporary files.
# tmpfs_domain is a macro defined outside this file; the rules it expands to
# are not visible here.
tmpfs_domain(crosvm)

# Let crosvm receive file descriptors from VirtualizationService.
# Only fd:use is granted. This covers the descriptor itself; access to
# whatever object the descriptor refers to is still checked against that
# object's own type and needs its own allow rule.
allow crosvm virtualizationservice:fd use;

# Let crosvm open /dev/kvm.
# rw_file_perms is a permission-set macro defined outside this file.
allow crosvm kvm_device:chr_file rw_file_perms;

# Most other domains shouldn't access /dev/kvm.
# neverallow rules grant nothing; they are assertions that fail the policy
# build if any allow rule elsewhere matches them.
# Rule 1: only crosvm, ueventd and shell may be granted getattr on kvm_device.
# Rule 2: only crosvm and ueventd may be granted anything other than getattr
#         ("~getattr" is the complement set), so shell is capped at getattr.
# Adding a domain to either exclusion list widens access to the hypervisor
# device and deserves explicit review.
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;