Allow getopt to eliminate warnings in MicrodroidBenchmarks tests

This CL allows the getopt permission on vsock_socket in sepolicy to
eliminate the "avc: denied { getopt }" warnings logged during
MicrodroidBenchmarks tests, e.g.

$ atest MicrodroidBenchmarks
W FinalizerDaemon: type=1400 audit(0.0:625): avc: denied
{ getopt } for scontext=u:r:untrusted_app:s0:c163,c256,c512,
c768 tcontext=u:r:virtualizationservice:s0 tclass=vsock_socket
permissive=0 app=com.android.microdroid.benchmark

Bug: 236123069
Test: atest MicrodroidBenchmarks
Change-Id: I2ed94ae6beab60176d9fac85a0b818089d563427
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 0d6d42c..1a1ed62 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -123,7 +123,7 @@
 # Apps can read/write an already open vsock (e.g. created by
 # virtualizationservice) but nothing more than that (e.g. creating a
 # new vsock, etc.)
-neverallow all_untrusted_apps *:vsock_socket ~{ getattr read write };
+neverallow all_untrusted_apps *:vsock_socket ~{ getattr getopt read write };
 
 # Disallow sending RTM_GETLINK messages on netlink sockets.
 neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
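Review bot: The comment above the relaxed neverallow still says apps can "read/write an already open vsock ... but nothing more than that", which no longer matches the rule now that `getopt` is in the permitted set. Because the target is `*:vsock_socket`, the ceiling is raised for every vsock target type, not only `virtualizationservice`, so the comment should say why a read-only option query is acceptable there. Suggested wording: `# Apps can read/write an already open vsock and query its attributes and options (getattr, getopt), but nothing more than that (e.g. no setopt, no creating a new vsock).` The complement still keeps `setopt`, `create`, `connect` and the other socket permissions forbidden.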
diff --git a/public/te_macros b/public/te_macros
index 78e7636..551f4f3 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -199,7 +199,7 @@
 # communicate with the VM that it created. Notice that we do not grant
 # permission to create a vsock; the client can only connect to VMs
 # that it owns.
-allow $1 virtualizationservice:vsock_socket { getattr read write };
+allow $1 virtualizationservice:vsock_socket { getattr getopt read write };
 # Allow client to inspect hypervisor capabilities
 get_prop($1, hypervisor_prop)
 # Allow client to read (but not open) the crashdump provided by virtualizationservice
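Review bot: The added `getopt` is granted to every domain that expands this macro, while the only evidence in the commit message is a denial logged from the benchmark app's FinalizerDaemon thread, apparently without breaking the test. If the option query is not functionally needed, `dontaudit $1 virtualizationservice:vsock_socket getopt;` would silence the log without widening the grant. If it is needed, a comment such as `# getopt: clients may query options on the vsock fd handed out by virtualizationservice; setopt remains denied.` would record the reason next to the rule. The macro's definition starts and ends outside this hunk, so its name and full set of callers are not visible here.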