Add basic sepolicy for the IVmCapabilities HAL Bug: 360102915 Test: builds Test: presubmit Change-Id: I1b7f73a9e3ff1ad35c318ac56667c64775de4064

commit: 439563f9437b364222ac03d15cf7948c1e96bdc2 [log] [tgz]
author: Nikita Ioffe <ioffe@google.com> Tue Dec 10 18:33:22 2024 +0000
committer: Nikita Ioffe <ioffe@google.com> Thu Jan 09 02:02:05 2025 +0000
tree: f302fc4c6d32a19fb5723f799ea5b948cec99c58
parent: 15a8dbb7fcc5699aba3f69c6e292dc4995af8003 [diff]
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 220fbd2..b0c7a37 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts

@@ -207,3 +207,4 @@
 /(vendor|system/vendor)/lib(64)?/libutils\.so u:object_r:same_process_hal_file:s0
 /(vendor|system/vendor)/lib(64)?/libutilscallstack\.so u:object_r:same_process_hal_file:s0
 /(vendor|system/vendor)/lib(64)?/libz\.so u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.virtualization\.capabilities\.capabilities_service-noop       u:object_r:hal_vm_capabilities_default_exec:s0

diff --git a/vendor/hal_vm_capabilities_default.te b/vendor/hal_vm_capabilities_default.te
new file mode 100644
index 0000000..82aaf41
--- /dev/null
+++ b/vendor/hal_vm_capabilities_default.te

@@ -0,0 +1,10 @@
+type hal_vm_capabilities_default, domain;
+
+starting_at_board_api(202504, `
+    hal_server_domain(hal_vm_capabilities_default, hal_vm_capabilities);
+')
+
+type hal_vm_capabilities_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_vm_capabilities_default);
+
+# TODO(b/360102915): add more rules around vm_fd passed to the HAL
commit	439563f9437b364222ac03d15cf7948c1e96bdc2	[log] [tgz]
author	Nikita Ioffe <ioffe@google.com>	Tue Dec 10 18:33:22 2024 +0000
committer	Nikita Ioffe <ioffe@google.com>	Thu Jan 09 02:02:05 2025 +0000
tree	f302fc4c6d32a19fb5723f799ea5b948cec99c58
parent	15a8dbb7fcc5699aba3f69c6e292dc4995af8003 [diff]