Relax crosvm flagged neverallow rules
Flagged neverallow rule exceptions break CtsSecurityHostTestCases
SELinuxNeverallowRulesTest#testNeverallowRules when the exception is
used by a target branch that enables the flag under a CTS branch that
does not enable the flag. Since CTS release configurations are fixed,
these neverallow exceptions should not be flagged.
Remove the flagging of exceptions guarded by
RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES to resolve an
observed test failure.
Bug: 372674177
Test: m
Flag: EXEMPT bugfix
Change-Id: Ie023b264844d7985d71fe0dd28a15d5c08bdcaee
diff --git a/private/crosvm.te b/private/crosvm.te
index ccfffa0..0aab541 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -188,7 +188,7 @@
-vendor_microdroid_file
-vndk_sp_file
-vendor_task_profiles_file
- is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `-same_process_hal_file')
+ -same_process_hal_file
}:file *;
')
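Review bot: dropping the `is_flag_enabled(...)` wrapper turns `-same_process_hal_file` into an unconditional carve-out from this crosvm `neverallow ... :file *` rule, so the exemption now also applies on builds where RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES is off. That is fine for the stated CTS goal only if the matching `allow` rule that actually grants crosvm access to `same_process_hal_file` stays flag-gated; please confirm that rule is still wrapped in `is_flag_enabled` so no-flag builds do not silently gain the access, and consider a one-line comment next to `-same_process_hal_file` noting it is unguarded on purpose (CTS release configurations are fixed, per the commit message). Note for readers that the `@@ -188,7 +188,7 @@` header counts 7 lines on both sides, so the surrounding `-vendor_microdroid_file` / `-vndk_sp_file` / `-vendor_task_profiles_file` lines are unchanged context (SELinux set negation), not removals.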
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index bc29e39..1acf734 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -131,7 +131,7 @@
-virtualizationmanager
-virtualizationservice
# TODO(b/332677707): remove them when display service uses binder RPC.
- is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `-crosvm')
+ -crosvm
}:process setrlimit;
is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
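Review bot: the commit title and description only mention crosvm, but this hunk also relaxes the `process setrlimit` neverallow in `private/virtualizationservice.te` by making `-crosvm` an unconditional exception; the message should list this file as well so the scope of the change is clear. The `TODO(b/332677707)` comment directly above now covers an exemption that no longer depends on the flag, so it is worth extending that comment to say the exception is intentionally unguarded (the CTS rationale from the commit message) and is still to be removed once the display service moves to binder RPC. As with the crosvm hunk, please confirm the `allow` rule granting `setrlimit` remains behind `is_flag_enabled` so that only the neverallow exception, not the actual permission, is broadened on builds without the flag.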