Add labels and permissions for /mnt/vm
It will be used as storage for early boot virtmgr.
Bug: 354059281
Test: boot and check /early-vm
Change-Id: Ida44cdb3de3a42daf210cc2c4100615e6aab77e3
diff --git a/private/early_virtmgr.te b/private/early_virtmgr.te
index 4e332f6..484077c 100644
--- a/private/early_virtmgr.te
+++ b/private/early_virtmgr.te
@@ -5,4 +5,15 @@
type early_virtmgr_exec, system_file_type, exec_type, file_type;
use_bootstrap_libs(early_virtmgr)
+
+ allow early_virtmgr vm_data_file:dir create_dir_perms;
+ allow early_virtmgr vm_data_file:file create_file_perms;
+
+ ###
+ ### Neverallow rules
+ ###
+
+ # Only crosvm and early_virtmgr can access vm_data_file
+ neverallow { domain -crosvm -early_virtmgr -init } vm_data_file:dir no_w_dir_perms;
+ neverallow { domain -crosvm -early_virtmgr } vm_data_file:file no_rw_file_perms;
')
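Review bot: The comment above the two neverallow rules says only crosvm and early_virtmgr can access vm_data_file, but the directory rule also exempts `init`, and the rules only forbid directory modification (`no_w_dir_perms`) and file read/write (`no_rw_file_perms`), so the comment promises more than the policy enforces. I would reword it to state the actual guarantee, for example `# Only crosvm and early_virtmgr may read or write vm_data_file files; only they and init may modify vm_data_file dirs`. It should also give the reason for `-init`; presumably init creates the mount point, but that is not visible in this hunk. If VM storage should never be executed, it is worth deciding whether `execute` belongs in the file neverallow as well, since the current set appears not to cover it. The closing `')` shows these rules sit inside a macro block that opens outside the hunk, so the neverallows are only compiled in when that block is active.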