[service-vm] Adjust sepolicy for running service VM Bug: 278858244 Test: Runs the ServiceVmClientApp in VM Test: atest MicrodroidHostTests Change-Id: Ia59fe910edc0826aa5866468c27558e9d190b58d

commit: 40519f79dc01d1411741e045bd956d66354deff2 [log] [tgz]
author: Alice Wang <aliceywang@google.com> Thu Aug 31 11:37:30 2023 +0000
committer: Alice Wang <aliceywang@google.com> Mon Sep 04 13:01:53 2023 +0000
tree: 1fc3c7cc3252ca447314b8752e06aa96cea8c226
parent: 9289cf6fa7176080da2658957b5358b059b0bf3f [diff] [blame]
diff --git a/private/crosvm.te b/private/crosvm.te
index 2d9a688..afcaa3d 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te

@@ -27,8 +27,9 @@
 
 # Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
 # (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
-# /data/local/tmp), and instance.img (app_data_file). Note that the open permission is not given as
-# the files are passed as file descriptors.
+# /data/local/tmp), and instance.img (app_data_file).
+# Allow crosvm to read the instance image of the service VM saved in apex_virt_data_file.
+# Note that the open permission is not given as the files are passed as file descriptors.
 allow crosvm {
   virtualizationservice_data_file
   staging_data_file
@@ -36,6 +37,7 @@
   app_data_file
   privapp_data_file
   apex_compos_data_file
+  apex_virt_data_file
   shell_data_file
 }:file { getattr read ioctl lock };
 
@@ -64,6 +66,7 @@
   app_data_file
   privapp_data_file
   apex_compos_data_file
+  apex_virt_data_file
 }:file write;
 
 # Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
commit	40519f79dc01d1411741e045bd956d66354deff2	[log] [tgz]
author	Alice Wang <aliceywang@google.com>	Thu Aug 31 11:37:30 2023 +0000
committer	Alice Wang <aliceywang@google.com>	Mon Sep 04 13:01:53 2023 +0000
tree	1fc3c7cc3252ca447314b8752e06aa96cea8c226
parent	9289cf6fa7176080da2658957b5358b059b0bf3f [diff] [blame]