Merge "Allow CompOS to start a VM with its instance image."
diff --git a/private/crosvm.te b/private/crosvm.te
index 42e5181..7426ef9 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -24,6 +24,7 @@
staging_data_file
apk_data_file
app_data_file
+ apex_compos_data_file
userdebug_or_eng(`shell_data_file')
}:file { getattr read ioctl lock };
@@ -49,6 +50,7 @@
allow crosvm {
virtualizationservice_data_file
app_data_file
+ apex_compos_data_file
}:file write;
# Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
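Review bot: The added apex_compos_data_file entry at L17 widens crosvm's writable set without a comment, while the neighbouring stanza and the virtualizationservice rule both document their intent. A one-liner above L14 keeps the scope explicit: `# apex_compos_data_file: CompOS's mutable instance.img, handed to crosvm as an fd (no open permission).` Neither L14-L18 nor the read rule grants `open`, so crosvm can only use descriptors a client passes it, which is the property worth stating in the policy; if the policy does not already pin it elsewhere, `neverallow crosvm { app_data_file apex_compos_data_file }:file open;` would keep a later change from silently widening it. The `allow crosvm { ... }:file write;` block is complete within the hunk.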
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 837fc59..f92c94f 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -54,7 +54,11 @@
# directly as they must be passed over Binder by the client.
allow virtualizationservice apk_data_file:file { getattr read };
# Write access is needed for mutable partitions like instance.img
-allow virtualizationservice app_data_file:file { getattr read write };
+allow virtualizationservice {
+ app_data_file
+ apex_compos_data_file
+}:file { getattr read write };
+
# shell_data_file is used for automated tests and manual debugging.
allow virtualizationservice shell_data_file:file { getattr read write };
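Review bot: The comment at L27 now covers two labels but still reads as if only app_data_file were involved; it should say which VMs each label serves, e.g. `# Write access is needed for mutable partitions like instance.img: app-owned VMs keep it as app_data_file, CompOS keeps it under its APEX data dir (apex_compos_data_file).` As L25 notes, these files are received over Binder rather than opened here, and the new rule at L29-L32 correctly omits `open`, so the grant is only usable on descriptors the client supplies. Note that apex_compos_data_file labels CompOS's whole data directory, not just instance.img, so anything else stored under that label becomes writable through a passed fd too; presumably acceptable, but worth confirming that CompOS keeps nothing there it must treat as read-only.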