Add rules for reading VM DTBO by vfio_handler
Bug: 291191362
Test: m
Merged-In: I0b38feb30382c5e6876e3e7809ddb5cf9034e4fd
Change-Id: I0b38feb30382c5e6876e3e7809ddb5cf9034e4fd
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 7558604..36d3aaa 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -6,6 +6,7 @@
(typeattributeset new_objects
( new_objects
archive_service
+ dtbo_block_device
ota_build_prop
snapuserd_log_data_file
hal_threadnetwork_service
diff --git a/private/vfio_handler.te b/private/vfio_handler.te
index 2a0bd37..3bed3c6 100644
--- a/private/vfio_handler.te
+++ b/private/vfio_handler.te
@@ -27,5 +27,9 @@
# vfio_handler can only use fd from virtualizationmanager, and can't open files itself
neverallow vfio_handler virtualizationservice_data_file:file { open create };
+# Allow vfio_handler to search /dev/block for accessing dtbo.img
+allow vfio_handler block_device:dir search;
+allow vfio_handler dtbo_block_device:blk_file r_file_perms;
+
# Only vfio_handler can add vfio_handler_service
neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;
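Review bot: The comment at the top of the hunk, `# vfio_handler can only use fd from virtualizationmanager, and can't open files itself`, is no longer accurate once the new `r_file_perms` grant on dtbo_block_device:blk_file lands, since that permission set includes `open`; narrow it to `# vfio_handler can only use fds from virtualizationmanager for VM data files; the dtbo partition below is the one file it opens itself`. Consider also whether the full `r_file_perms` macro is needed: if I recall the Android global macro correctly it grants `ioctl`, `lock` and `map` in addition to `getattr open read`, and reading the DTBO image needs only the latter three, so `allow vfio_handler dtbo_block_device:blk_file { getattr open read };` keeps the grant minimal. Note that this rule only becomes effective once the device's file_contexts labels the partition node as dtbo_block_device; the init.te hunk in this change relabels only the symlink, so on a device without that entry the open is denied rather than silently widening to block_device, which is the safe failure mode but worth stating in the commit message.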
diff --git a/public/device.te b/public/device.te
index 36299d3..4a824c9 100644
--- a/public/device.te
+++ b/public/device.te
@@ -93,6 +93,10 @@
# Documented at https://source.android.com/devices/bootloader/partitions
type boot_block_device, dev_type;
+# dtbo block device, type used for getting DTBO information for AVF.
+# Documented at https://source.android.com/docs/core/architecture/dto/partitions
+type dtbo_block_device, dev_type;
+
# Userdata block device mounted on /data.
# Documented at https://source.android.com/devices/bootloader/partitions
type userdata_block_device, dev_type;
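Review bot: The comment on the new `type dtbo_block_device, dev_type;` says what the partition holds but not who consumes it or that access is intended to be read-only, which is what a reader auditing dev_type grants wants; the neighbouring entries name the mount point or role. Suggest `# dtbo partition block device. Read-only source of DTBO information for AVF (consumed by vfio_handler).` ahead of the documentation link.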
diff --git a/public/init.te b/public/init.te
index c01dc93..e552ec2 100644
--- a/public/init.te
+++ b/public/init.te
@@ -56,6 +56,7 @@
userdata_block_device
}:{ blk_file lnk_file } relabelto;
+allow init dtbo_block_device:lnk_file relabelto;
allow init super_block_device:lnk_file relabelto;
# Create /mnt/sdcard -> /storage/self/primary symlink.