Let crosvm be able to use TAP interface created by vmnic

Bug: 340376951
Test: adb shell /apex/com.android.virt/bin/vm run-microdroid
--network-supported

Change-Id: Ic2828b8e6c82269d0180dbac9466ae2874435596
diff --git a/private/crosvm.te b/private/crosvm.te
index ac62b66..25157a0 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -128,6 +128,15 @@
 allow crosvm virtualizationmanager:fd use;
 allow crosvm virtualizationservice_data_file:file read;
 
+is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
+    # Allow crosvm to deal with file descriptors of TAP interfaces.
+    allow crosvm tun_device:chr_file rw_file_perms;
+    allowxperm crosvm tun_device:chr_file ioctl { TUNGETIFF TUNSETVNETHDRSZ };
+    allow crosvm self:udp_socket create_socket_perms;
+    allowxperm crosvm self:udp_socket ioctl SIOCGIFMTU;
+    allow crosvm vmnic:fd use;
+')
+
 # Don't allow crosvm to open files that it doesn't own.
 # This is important because a malicious application could try to start a VM with a composite disk
 # image referring by name to files which it doesn't have permission to open, trying to get crosvm to
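Review bot: `allow crosvm tun_device:chr_file rw_file_perms;` grants `open` (and `lock`/`map`/`append`) on the tun device, which looks broader than the change needs if the TAP descriptor is created by vmnic and passed in, as the commit title and `allow crosvm vmnic:fd use;` suggest. It also sits directly above the comment saying crosvm must not open files it doesn't own. The `allowxperm` line already limits ioctls to `TUNGETIFF` and `TUNSETVNETHDRSZ`, so exposure is bounded, but least privilege argues for an explicit set without `open`, e.g. `allow crosvm tun_device:chr_file { getattr read write ioctl };`, assuming crosvm never reopens the device itself (worth confirming against the crosvm TAP code path). If that holds, a `neverallow crosvm tun_device:chr_file open;` inside the same flag block would keep a later edit from silently re-adding it. A short comment stating that the fd is inherited from vmnic and never opened by crosvm would also make the intent clear to the next reader of the policy.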