commit 094e8e81a2f30bcf505b66223a1333cfc815b9f7
author Inseob Kim <inseob@google.com> Fri Nov 17 18:03:46 2023 +0900
committer Inseob Kim <inseob@google.com> Wed Nov 22 05:28:20 2023 +0000
tree c7a710af2969fca32e00da3580cd593eda47b929
parent 9868a0ce1145bf6b3caaad69782e4afd1ce391a2

Flag-guard vfio_handler policies

vfio_handler will be active only if device assignment feature is turned
on.

Bug: 306563735
Test: microdroid tests with and without the flag
Change-Id: I5559dfca1a29852b65481c95f37edc9977ee9d7d

private/virtualizationservice.te

diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 93cd04c..21d77b0 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -15,9 +15,11 @@
 # Let the virtualizationservice domain register the virtualization_service with ServiceManager.
 add_service(virtualizationservice, virtualization_service)
 
-# Let virtualizationservice find and communicate with vfio_handler.
-allow virtualizationservice vfio_handler_service:service_manager find;
-binder_call(virtualizationservice, vfio_handler)
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+    # Let virtualizationservice find and communicate with vfio_handler.
+    allow virtualizationservice vfio_handler_service:service_manager find;
+    binder_call(virtualizationservice, vfio_handler)
+')
 
 # Allow calling into the system server to find "permission_service".
 binder_call(virtualizationservice, system_server)
@@ -97,5 +99,7 @@
   -virtualizationservice
 }:process setrlimit;
 
-# Only virtualizationservice can communicate to vfio_handler
-neverallow { domain -virtualizationservice -servicemanager } vfio_handler:binder call;
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+    # Only virtualizationservice can communicate to vfio_handler
+    neverallow { domain -virtualizationservice -servicemanager } vfio_handler:binder call;
+')