Allow virtualizationservice to check for PKVM extension

Bug: 210803811
Test: watch TH for all our tests
Change-Id: Iac4528fa2a0dbebeca4504469624f50832689f43
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 1e00dcd..1418642 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -55,6 +55,10 @@
 # Let virtualizationservice to accept vsock connection from the guest VMs
 allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
 
+# Allow virtualization to ioctl on dev/kvm only to check if protected VM is supported or not.
+allow virtualizationservice kvm_device:chr_file { open read write };
+allowxperm virtualizationservice kvm_device:chr_file ioctl KVM_CHECK_EXTENSION;
+
 # Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
 set_prop(virtualizationservice, virtualizationservice_prop)
 neverallow {
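Review bot: The added `allow` rule for `kvm_device:chr_file` grants `{ open read write }` but not `ioctl`, so the `allowxperm` line under it has nothing to filter. Extended-permission rules only narrow which ioctl commands pass once the base `ioctl` permission is allowed, so the KVM_CHECK_EXTENSION call would presumably still be denied. The rule should read `allow virtualizationservice kvm_device:chr_file { open read write ioctl };`. The comment says the access exists only for the capability check, so please confirm that `write` is needed (it would be if the service opens the node read-write) and drop it otherwise. To keep this grant from widening later, consider pinning it with `neverallowxperm virtualizationservice kvm_device:chr_file ioctl ~KVM_CHECK_EXTENSION;`, and correct the comment to name `virtualizationservice` and `/dev/kvm`.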