Allow virtualizationservice to check for PKVM extension
Bug: 210803811
Test: watch TH for all our tests
Change-Id: Iac4528fa2a0dbebeca4504469624f50832689f43
diff --git a/private/crosvm.te b/private/crosvm.te
index 90addc8..3f13525 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -7,7 +7,8 @@
# Most other domains shouldn't access /dev/kvm.
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
-neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
+neverallow { domain -crosvm -ueventd -virtualizationservice } kvm_device:chr_file ~getattr;
+neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };
# Let crosvm create temporary files.
tmpfs_domain(crosvm)
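Review bot: The exemption added for virtualizationservice on the `~getattr` neverallow is wider than an extension check needs. The new `neverallowxperm` line only bounds which ioctl commands non-crosvm domains may issue, so no assertion here stops a later allow rule from granting virtualizationservice other permissions on kvm_device, such as `map` or `append`. The matching allow/allowxperm rules are not visible in this hunk, so the exact permission set is an assumption, but a companion assertion such as `neverallow virtualizationservice kvm_device:chr_file ~{ open read write ioctl };` would pin the exception to what the probe uses. A comment above the two rules, e.g. `# virtualizationservice may open /dev/kvm only to issue KVM_CHECK_EXTENSION.`, would also record why the exception exists.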