app_data_file is the only app_data_file_type that crosvm is allowed to read
Bug: 204852957
Test: monitor TH
Change-Id: Ie92aa25336087519661002624b486cb35740cda6
diff --git a/private/crosvm.te b/private/crosvm.te
index 5ec50b5..90addc8 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -70,3 +70,14 @@
-vendor_task_profiles_file
}:file *;
')
+
+# app_data_file (and shell_data_file for debuggable builds) is the only
+# app_data_file_type that is allowed for crosvm to read. Note that the use of
+# app_data_file is allowed only for the intance disk image. This is enforced
+# inside the virtualizationservice by checking the file context of all disk
+# image files.
+neverallow crosvm {
+ app_data_file_type
+ -app_data_file
+ userdebug_or_eng(`-shell_data_file')
+}:file read;
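Review bot: The new neverallow only forbids the `read` permission, so crosvm could still be granted `write`, `append`, `map` or `ioctl` on another app_data_file_type (e.g. a privileged app's data) without tripping this check; if the intent is that crosvm touches no app-data type other than the instance image, `}:file *;` — the form the preceding rule in this file already uses — would close that gap, unless crosvm legitimately writes other types. The comment also has a typo, `intance disk image` should read `instance disk image`. The remark that the instance-image restriction is enforced inside virtualizationservice describes an invariant that policy cannot verify, so it may be worth naming the check there (e.g. the file-context comparison) so a future reader can confirm it still exists.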