Sepolicy rules to allow crosvm to start a gdb-server Bug: 242057159 Test: see another change in this topic Change-Id: Ie5116c8891a62096e767500b90a19fc5975c3599

commit: 40a48c104637336fb337cdcb64ce9ce46361f419 [log] [tgz]
author: Nikita Ioffe <ioffe@google.com> Tue Feb 14 23:17:55 2023 +0000
committer: Nikita Ioffe <ioffe@google.com> Wed Feb 15 16:44:50 2023 +0000
tree: f754bae5a68adb0835730a42c3258391af5c196c
parent: b9a2339bf8bb735d4e89fc5f2c11e454351a1517 [diff] [blame]
diff --git a/private/crosvm.te b/private/crosvm.te
index aae8323..df97235 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te

@@ -79,6 +79,12 @@
 # crosvm only needs write permission, so dontaudit read
 dontaudit crosvm virtualizationmanager:fifo_file read;
 
+# Required for crosvm to start gdb-server to enable debugging of guest kernel.
+allow crosvm self:tcp_socket { bind create read setopt write accept listen };
+allow crosvm port:tcp_socket name_bind;
+allow crosvm adbd:unix_stream_socket ioctl;
+allow crosvm node:tcp_socket node_bind;
+
 # Don't allow crosvm to open files that it doesn't own.
 # This is important because a malicious application could try to start a VM with a composite disk
 # image referring by name to files which it doesn't have permission to open, trying to get crosvm to
commit	40a48c104637336fb337cdcb64ce9ce46361f419	[log] [tgz]
author	Nikita Ioffe <ioffe@google.com>	Tue Feb 14 23:17:55 2023 +0000
committer	Nikita Ioffe <ioffe@google.com>	Wed Feb 15 16:44:50 2023 +0000
tree	f754bae5a68adb0835730a42c3258391af5c196c
parent	b9a2339bf8bb735d4e89fc5f2c11e454351a1517 [diff] [blame]