sepolicy for custom_vm_setup
Bug: 346676738
Test: run the app
Change-Id: I3b5a36f4db53f8cbd1ef21cd4c25b47907812250
diff --git a/private/custom_vm_setup.te b/private/custom_vm_setup.te
new file mode 100644
index 0000000..c14f5e0
--- /dev/null
+++ b/private/custom_vm_setup.te
@@ -0,0 +1,6 @@
+type custom_vm_setup, domain, coredomain;
+type custom_vm_setup_exec, system_file_type, exec_type, file_type;
+
+is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
+ init_daemon_domain(custom_vm_setup)
+')
diff --git a/private/file_contexts b/private/file_contexts
index f0832f3..76f412a 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -530,6 +530,7 @@
/(system_ext|system/system_ext)/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0
/(system_ext|system/system_ext)/bin/hw/android\.hidl\.allocator@1\.0-service u:object_r:hal_allocator_default_exec:s0
+/(system_ext|system/system_ext)/bin/custom_vm_setup u:object_r:custom_vm_setup_exec:s0
/(system_ext|system/system_ext)/bin/canhalconfigurator(-aidl)? u:object_r:canhalconfigurator_exec:s0
diff --git a/private/shell.te b/private/shell.te
index e421ec6..d613a94 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -468,6 +468,10 @@
# Allow shell to start up vendor shell
allow shell vendor_shell_exec:file rx_file_perms;
+is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
+ allow shell custom_vm_setup_exec:file { entrypoint r_file_perms };
+')
+
# Everything is labeled as rootfs in recovery mode. Allow shell to
# execute them.
recovery_only(`