Create virtmgr domain and initial policy Start a new security domain for virtmgr - a child proces of an app that manages its virtual machines. Add permissions to auto-transition to the virtmgr domain when the client fork/execs virtmgr and to communicate over UDS and pipe. Bug: 250685929 Test: atest -p packages/modules/Virtualization:avf-presubmit Change-Id: I7624700b263f49264812e9bca6b83a003cc929be

commit: 5fcfbe49da8fa9e8f30c43869aa0ee5068ad7a5f [log] [tgz]
author: David Brazdil <dbrazdil@google.com> Thu Nov 24 11:04:49 2022 +0000
committer: David Brazdil <dbrazdil@google.com> Tue Dec 13 18:40:05 2022 +0000
tree: a993989bc6f1ea1ab461d6715c8b25cf6f083d4f
parent: aa4667290b93e17ebfd2192ef164052d613e399a [diff] [blame]
diff --git a/private/app.te b/private/app.te
index ae8b206..a7939b0 100644
--- a/private/app.te
+++ b/private/app.te

@@ -95,8 +95,9 @@
 # Exception for crash_dump to allow for app crash reporting.
 # Exception for renderscript binaries (/system/bin/bcc, /system/bin/ld.mc)
 # to allow renderscript to create privileged executable files.
+# Exception for virtmgr to allow running VMs as child processes.
 neverallow { appdomain -shell userdebug_or_eng(`-su') }
-    { domain -appdomain -crash_dump -rs }:process { transition };
+    { domain -appdomain -crash_dump -rs -virtmgr }:process { transition };
 neverallow { appdomain -shell userdebug_or_eng(`-su') }
     { domain -appdomain }:process { dyntransition };
commit	5fcfbe49da8fa9e8f30c43869aa0ee5068ad7a5f	[log] [tgz]
author	David Brazdil <dbrazdil@google.com>	Thu Nov 24 11:04:49 2022 +0000
committer	David Brazdil <dbrazdil@google.com>	Tue Dec 13 18:40:05 2022 +0000
tree	a993989bc6f1ea1ab461d6715c8b25cf6f083d4f
parent	aa4667290b93e17ebfd2192ef164052d613e399a [diff] [blame]