commit 0b9625d132d1e49c2536173b1f441656bcfdba7a
author Inseob Kim <inseob@google.com> Wed Jul 31 17:42:23 2024 +0900
committer Inseob Kim <inseob@google.com> Fri Aug 09 17:24:36 2024 +0900
tree 95298b7cfb6f730fd8b7a8d4cf2a9e8522430745
parent 92c85c56f3a55095d1ce95d0167a88ca61ea4e0a

Add labels and permissions for /mnt/vm

It will be used as a storage for early boot virtmgr.

Bug: 354059281
Test: boot and check /early-vm
Change-Id: Ida44cdb3de3a42daf210cc2c4100615e6aab77e3

private/crosvm.te

diff --git a/private/crosvm.te b/private/crosvm.te
index 0c2acb9..6f07391 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -40,10 +40,14 @@
   apex_virt_data_file
   shell_data_file
   vendor_microdroid_file
+  is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
 }:file { getattr read ioctl lock };
 
 # Allow searching the directory where the composite disk images are.
-allow crosvm virtualizationservice_data_file:dir search;
+allow crosvm {
+    virtualizationservice_data_file
+    is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
+}:dir search;
 
 # When running a VM as root we get spurious capability denials.
 # Suppress them.
@@ -74,6 +78,7 @@
   privapp_data_file
   apex_compos_data_file
   apex_virt_data_file
+  is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
 }:file write;
 
 # Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
@@ -153,6 +158,7 @@
   app_data_file
   privapp_data_file
   is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
+  is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
   userdebug_or_eng(`-shell_data_file')
 }:file open;