commit 43e9dbacb487a45c862e098d03fba11be2fe31e1
author Jaewan Kim <jaewan@google.com> Wed Feb 26 13:01:23 2025 -0800
committer Jaewan Kim <jaewan@google.com> Fri Feb 28 14:29:33 2025 -0800
tree 7216ce0e4a390e70b8b2726e3f25e298eeee0ceb
parent 2ca8f7a520ddd1fc0605aeec6e5b40f646f89d15

crosvm: Remove obsoleted vmlauncher_app usage

Bug: 391731295
Change-Id: Ic8efb04cb3aa71383236ca45ad39bb771b42c92c

private/crosvm.te

diff --git a/private/crosvm.te b/private/crosvm.te
index 6051992..b782eac 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -109,8 +109,6 @@
   hal_client_domain(crosvm, hal_graphics_allocator)
 
   # To provide display service to an app to get surface.
-  # TODO(b/332677707): remove them when display service uses binder RPC.
-  allow crosvm vmlauncher_app:binder { transfer call };
   allow crosvm servicemanager:binder { call transfer };
   allow crosvm virtualization_service:service_manager find;
   allow crosvm virtualizationservice:binder { call transfer };
@@ -217,12 +215,10 @@
 }:file read;
 
 # Only virtualizationmanager can run crosvm
-# Allow vmlauncher app to launch crosvm for virtiofs
 neverallow {
   domain
   -crosvm
   -virtualizationmanager
-  -vmlauncher_app
   userdebug_or_eng(`-overlay_remounter')
 
   is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr')

private/vmlauncher_app.te

diff --git a/private/vmlauncher_app.te b/private/vmlauncher_app.te
index ef34c31..2007177 100644
--- a/private/vmlauncher_app.te
+++ b/private/vmlauncher_app.te
@@ -14,7 +14,7 @@
 allow vmlauncher_app fsck_exec:file { r_file_perms execute execute_no_trans };
 allow vmlauncher_app crosvm:fd use;
 allow vmlauncher_app crosvm_tmpfs:file { map read write };
-allow vmlauncher_app crosvm_exec:file rx_file_perms;
+allow vmlauncher_app crosvm_exec:file r_file_perms;
 
 allow vmlauncher_app privapp_data_file:sock_file { create unlink write getattr };