Merge "Add ephemeral service access to sdk sandbox" into tm-dev
diff --git a/private/crosvm.te b/private/crosvm.te
index 167ad2f..e47abd7 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -66,9 +66,12 @@
# For ACPI
allow crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
-# The console log can also be written to /data/local/tmp. This is not safe as the log then can be
-# visible to the processes which don't own the VM. Therefore, this is a debugging only feature.
-userdebug_or_eng(`allow crosvm shell_data_file:file w_file_perms;')
+# crosvm can write files in /data/local/tmp which are usually used for instance.img and logging by
+# compliance tests and demo apps. Write access to instance.img is particularily important because
+# the VM has to initialize the disk image on its first boot. Note that open access is still not
+# granted because the files are expected to be opened by the owner of the VM (apps or shell in case
+# when the vm is created by the `vm` tool) and handed over to crosvm as FD.
+allow crosvm shell_data_file:file write;
# Don't allow crosvm to have access to ordinary vendor files that are not for VMs.
full_treble_only(`
diff --git a/private/toolbox.te b/private/toolbox.te
index a2b958d..1e53d72 100644
--- a/private/toolbox.te
+++ b/private/toolbox.te
@@ -1,3 +1,7 @@
typeattribute toolbox coredomain;
init_daemon_domain(toolbox)
+
+# rm -rf in /data/misc/virtualizationservice
+allow toolbox virtualizationservice_data_file:dir { rmdir rw_dir_perms };
+allow toolbox virtualizationservice_data_file:file { getattr unlink };
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index ceee544..26077f3 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -176,9 +176,7 @@
# permission. The protection level of the permission is `signature|development`
# so that it can only be granted to either platform-key signed apps or
# test-only apps having `android:testOnly="true"` in its manifest.
-userdebug_or_eng(`
- virtualizationservice_use(untrusted_app_all)
-')
+virtualizationservice_use(untrusted_app_all)
with_native_coverage(`
# Allow writing coverage information to /data/misc/trace
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 5a8d0aa..392a750 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -82,6 +82,7 @@
/(vendor|system/vendor)/bin/hw/android\.hardware\.rebootescrow-service\.default u:object_r:hal_rebootescrow_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@[0-9]\.[0-9]-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service\.example u:object_r:hal_sensors_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service(\.multihal)? u:object_r:hal_sensors_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.dice-service\.non-secure-software u:object_r:hal_dice_default_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service u:object_r:hal_keymint_default_exec:s0