commit 2141ad5877e4db638ed7822114532a40cb2dfe49
author Jaewan Kim <jaewan@google.com> Wed Jan 31 05:56:43 2024 +0000
committer Jaewan Kim <jaewan@google.com> Thu Feb 01 01:53:59 2024 +0000
tree 6400524243de8f6e3039f9d72c88cb972c5175d6
parent cf8ae3a3e4647de1c702e9a487517ac4383ee5aa

Use /proc/device-tree for reading AVF DT

Although /proc/device-tree is symlink to /sys/firmware/devicetree/base,
/proc/device-tree is the stable API but the absolute path may be
changed in the future.

Bug: 322465386
Test: atest CustomPvmfwHostTestCases
Change-Id: I81cbe8a4dddbac97e4fb94e6684d2a91127f3378

private/virtualizationmanager.te

diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index d0fe571..3aaff5b 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -83,9 +83,9 @@
 allow virtualizationmanager tombstone_data_file:file { append getattr };
 allow virtualizationmanager tombstoned:fd use;
 
-# Allow virtualizationmanager to read AVF debug policy
-allow virtualizationmanager sysfs_dt_avf:dir search;
-allow virtualizationmanager sysfs_dt_avf:file r_file_perms;
+# Allow virtualizationmanager to read file system DT for VM reference DT and AVF debug policy
+r_dir_file(virtualizationmanager, proc_dt_avf)
+r_dir_file(virtualizationmanager, sysfs_dt_avf)
 
 # virtualizationmanager to be client of secretkeeper HAL. It ferries SecretManagement messages
 # from pVM to HAL.