Merge "Allow virtmgr to talk to IVmCapabilitiesService HAL" into main am: 2ee35208ed

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3527941

Change-Id: Ib648c2bc7d2064d9691242abc4521bb4063fb465
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index 6e973d6..b743d46 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -153,3 +153,7 @@
 # virtualizationmanager uses libselinux to check if VM is allowed to access requested
 # tee services.
 selinux_check_access(virtualizationmanager)
+
+# virtualizationmanager needs to talk to IVmCapabilitiesService HAL to allow specific VMs to
+# issue vendor-private smcs.
+hal_client_domain(virtualizationmanager, hal_vm_capabilities);
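Review bot: The added comment says the HAL access exists "to allow specific VMs" to issue vendor-private SMCs, but `hal_client_domain(virtualizationmanager, hal_vm_capabilities);` makes the whole virtualizationmanager domain a client of the HAL. Which VMs qualify must therefore be decided in code that is not visible in this hunk. I would extend the comment to state that boundary, e.g. `# SELinux only lets the domain reach the HAL; the per-VM decision is made by the caller.`, with the wording confirmed against the actual caller. Two style points on the same lines: "smcs" should read "SMCs", and the trailing `;` is inconsistent with `selinux_check_access(virtualizationmanager)` just above, which has none.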
diff --git a/vendor/file_contexts b/vendor/file_contexts
index dc09d79..a2ae309 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -209,3 +209,4 @@
 /(vendor|system/vendor)/lib(64)?/libutilscallstack\.so u:object_r:same_process_hal_file:s0
 /(vendor|system/vendor)/lib(64)?/libz\.so u:object_r:same_process_hal_file:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.virtualization\.capabilities\.capabilities_service-noop       u:object_r:hal_vm_capabilities_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.virtualization\.capabilities\.capabilities_service-default       u:object_r:hal_vm_capabilities_default_exec:s0
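Review bot: The new `capabilities_service-default` entry reuses `hal_vm_capabilities_default_exec`, the same label as the `-noop` binary on the line above, so the real implementation will run with whatever the shared domain already allows. The rules for that domain are outside this diff; if they were written with the no-op service in mind, it is worth confirming that they cover what the default service needs and nothing broader. A short comment above the two entries, such as `# noop and default implementations intentionally share one domain`, would make the shared label visibly deliberate.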