Add crosvm permission to run KeyMint VM

with raw crosvm binary before the early-boot VM solution is ready.

Bug: 356783951
Test: launch_cvd -extra_kernel_cmdline 'androidboot.selinux=permissive'
Change-Id: I4770c9d73c172a30cb1e94df834762b1464fcaf8
diff --git a/private/crosvm.te b/private/crosvm.te
index 0c2acb9..4345a2b 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -5,6 +5,10 @@
 # Let crosvm open VM manager devices such as /dev/kvm.
 allow crosvm vm_manager_device_type:chr_file rw_file_perms;
 
+# TODO(b/357025924): This is a temporary workaround to allow the KeyMint VM to use crosvm
+# directly. It should be removed once the KeyMint VM can be started with early_virtmgr
+is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, init_daemon_domain(crosvm))
+
 # Most other domains shouldn't access /dev/kvm.
 neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
 neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
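Review bot: The added `init_daemon_domain(crosvm)` is not scoped to the KeyMint VM. As written, any init-started service that executes `crosvm_exec` transitions into the `crosvm` domain, apparently without passing through virtualizationmanager. The TODO should record that, e.g. `# NOTE: applies to every init service that execs crosvm, not only the KeyMint VM; keep that set minimal.` The macro argument is also passed unquoted here, while the second hunk wraps its argument in m4 quotes; quoting both the same way would be consistent. The commit's Test: line boots with `androidboot.selinux=permissive`, so enforcing-mode denials would not have surfaced, and an enforcing run is worth adding before merge.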
@@ -188,4 +192,7 @@
   domain
   -crosvm
   -virtualizationmanager
+  # TODO(b/357025924): This is a temporary workaround to allow the KeyMint VM to use crosvm
+  # directly. It should be removed once the KeyMint VM can be started with early_virtmgr
+  is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-init')
 } crosvm_exec:file no_x_file_perms;
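Review bot: The `-init` exemption on this neverallow is wider than the workaround described in the comment. Once `RELEASE_AVF_ENABLE_EARLY_VM` is set, the compile-time check stops flagging any rule that grants init the `no_x_file_perms` permissions on `crosvm_exec`, not only the KeyMint VM launch path. The exemption is gated on the same flag that appears to enable the early-VM feature itself, so it would presumably ship whenever that feature is on. A dedicated workaround flag, or a removal commitment tied to b/357025924, would keep the window short. The opening line of the neverallow statement is outside the hunk.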