Add rules for reading VM DTBO by vfio_handler Bug: 291191362 Test: m Merged-In: I0b38feb30382c5e6876e3e7809ddb5cf9034e4fd Change-Id: I0b38feb30382c5e6876e3e7809ddb5cf9034e4fd

commit: 1b2d9de08da05fbaa5ab714d045b7bc9856e30f3 [log] [tgz]
author: Seungjae Yoo <seungjaeyoo@google.com> Mon Aug 14 09:11:38 2023 +0900
committer: Seungjae Yoo <seungjaeyoo@google.com> Fri Aug 18 01:17:23 2023 +0000
tree: ef61399cc73ff682f42ed8e42f1cc33f40d510d6
parent: c30e7cdce3a5bc459954db5d797305e4b9adae03 [diff] [blame]
diff --git a/private/vfio_handler.te b/private/vfio_handler.te
index 2a0bd37..3bed3c6 100644
--- a/private/vfio_handler.te
+++ b/private/vfio_handler.te

@@ -27,5 +27,9 @@
 # vfio_handler can only use fd from virtualizationmanager, and can't open files itself
 neverallow vfio_handler virtualizationservice_data_file:file { open create };
 
+# Allow vfio_handler to search /dev/block for accessing dtbo.img
+allow vfio_handler block_device:dir search;
+allow vfio_handler dtbo_block_device:blk_file r_file_perms;
+
 # Only vfio_handler can add vfio_handler_service
 neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;
commit	1b2d9de08da05fbaa5ab714d045b7bc9856e30f3	[log] [tgz]
author	Seungjae Yoo <seungjaeyoo@google.com>	Mon Aug 14 09:11:38 2023 +0900
committer	Seungjae Yoo <seungjaeyoo@google.com>	Fri Aug 18 01:17:23 2023 +0000
tree	ef61399cc73ff682f42ed8e42f1cc33f40d510d6
parent	c30e7cdce3a5bc459954db5d797305e4b9adae03 [diff] [blame]