Allow virtualizationmanager to open test artifacts in shell_data_file
Bug: 275047565
Test: atest
Change-Id: Iff9bdd4434a66af0e17fb74da4f173158dd66399
diff --git a/private/domain.te b/private/domain.te
index b858d4e..a87d958 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -683,6 +683,7 @@
-dumpstate
-installd
userdebug_or_eng(`-uncrypt')
+ userdebug_or_eng(`-virtualizationmanager')
userdebug_or_eng(`-virtualizationservice')
userdebug_or_eng(`-crosvm')
} shell_data_file:file open;
@@ -729,6 +730,7 @@
-simpleperf_app_runner
-system_server # why?
userdebug_or_eng(`-uncrypt')
+ userdebug_or_eng(`-virtualizationmanager')
userdebug_or_eng(`-crosvm')
} shell_data_file:dir search;
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index 946c783..bfad8e7 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -69,10 +69,17 @@
allow virtualizationmanager tombstone_data_file:file { append getattr };
allow virtualizationmanager tombstoned:fd use;
-# Allow virtualizationservice to read AVF debug policy
+# Allow virtualizationmanager to read AVF debug policy
allow virtualizationmanager sysfs_dt_avf:dir search;
allow virtualizationmanager sysfs_dt_avf:file { open read };
+# Let virtualizationmanager open test artifacts under /data/local/tmp with file path.
+# (e.g. custom debug policy)
+userdebug_or_eng(`
+ allow virtualizationmanager shell_data_file:dir search;
+ allow virtualizationmanager shell_data_file:file open;
+')
+
# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
r_dir_file(virtualizationmanager, crosvm);
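Review bot: The new rule `allow virtualizationmanager shell_data_file:file open;` grants only `open`; unless a rule outside this hunk already allows `read` (and `getattr`) on shell_data_file:file, opening the artifact by path will succeed but the subsequent read will still be denied, so either confirm that rule exists or widen this one to `allow virtualizationmanager shell_data_file:file { getattr open read };`. The comment above it names /data/local/tmp, but shell_data_file is a label rather than a path and the rule reaches every file carrying it on the device, so I would reword it to `# Debug builds only: let virtualizationmanager open files labelled shell_data_file by path` followed by `# (test artifacts under /data/local/tmp, e.g. a custom debug policy).` so the userdebug_or_eng scope and the label-based reach are explicit to whoever next edits this block. The two neverallow exemptions added in domain.te (dir search, file open) match exactly what these two rules grant, which is the right shape. The hunk's trailing context is not visible here.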