commit 3335a04676d400bda57d42d4af0ef4b1d311de21
author Jeongik Cha <jeongik@google.com> Fri Jun 14 14:28:42 2024 +0900
committer Jeongik Cha <jeongik@google.com> Tue Jun 18 22:54:10 2024 +0900
tree dcac64e82e86170b76c157246785d3f8c4f631a6
parent 075b734d672da77da04063f1775b6a92d1977b80

sepolicy for custom_vm_setup

Bug: 346676738
Test: run the app
Change-Id: I3b5a36f4db53f8cbd1ef21cd4c25b47907812250

contexts/plat_file_contexts_test

diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 0bd8e07..4c8f9cb 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -774,6 +774,9 @@
 /system/system_ext/bin/canhalconfigurator                         canhalconfigurator_exec
 /system/system_ext/bin/canhalconfigurator-aidl                    canhalconfigurator_exec
 
+/system_ext/bin/custom_vm_setup                                   custom_vm_setup_exec
+/system/system_ext/bin/custom_vm_setup                            custom_vm_setup_exec
+
 /system_ext/lib                                                   system_lib_file
 /system_ext/lib/does_not_exist                                    system_lib_file
 /system_ext/lib64                                                 system_lib_file

private/custom_vm_setup.te

diff --git a/private/custom_vm_setup.te b/private/custom_vm_setup.te
new file mode 100644
index 0000000..c14f5e0
--- /dev/null
+++ b/private/custom_vm_setup.te
@@ -0,0 +1,6 @@
+type custom_vm_setup, domain, coredomain;
+type custom_vm_setup_exec, system_file_type, exec_type, file_type;
+
+is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
+  init_daemon_domain(custom_vm_setup)
+')

private/file_contexts

diff --git a/private/file_contexts b/private/file_contexts
index f0832f3..76f412a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -530,6 +530,7 @@
 /(system_ext|system/system_ext)/bin/hwservicemanager         u:object_r:hwservicemanager_exec:s0
 /(system_ext|system/system_ext)/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
 
+/(system_ext|system/system_ext)/bin/custom_vm_setup       u:object_r:custom_vm_setup_exec:s0
 
 /(system_ext|system/system_ext)/bin/canhalconfigurator(-aidl)? u:object_r:canhalconfigurator_exec:s0
 

private/shell.te

diff --git a/private/shell.te b/private/shell.te
index e421ec6..d613a94 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -468,6 +468,10 @@
 # Allow shell to start up vendor shell
 allow shell vendor_shell_exec:file rx_file_perms;
 
+is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
+  allow shell custom_vm_setup_exec:file { entrypoint r_file_perms };
+')
+
 # Everything is labeled as rootfs in recovery mode. Allow shell to
 # execute them.
 recovery_only(`