Fix virtualizationservice rules
Virtualizationservice should be able to read
* /apex/apex-info-list.xml: apex_info_file
* /data/apex/{active, uncompressed}: staging_data_file,
apex_data_file
and pass them to guest OS.
Bug: n/a
Test: atest MicrodroidHostTestCases
(see logcat for denials)
Change-Id: Ia9dab957a6f912aa193d58e2817a00d4a39b4536
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 1bf14d8..4efe355 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -42,5 +42,12 @@
# shell_data_file is used for automated tests and manual debugging.
allow virtualizationservice shell_data_file:file { getattr read write };
+# Allow virtualizationservice to access apex files in /data/apex/{active,decompressed}
+allow virtualizationservice apex_data_file:dir search;
+allow virtualizationservice staging_data_file:file r_file_perms;
+
+# Allow virtualizationservice to read apex-info-list.xml
+allow virtualizationservice apex_info_file:file r_file_perms;
+
# Let virtualizationservice to accept vsock connection from the guest VMs
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
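Review bot: The `staging_data_file:file r_file_perms` rule grants read on a label that is not confined to the two directories named in the comment above it, so the comment understates what is allowed. Presumably the APEX files under /data/apex/active keep `staging_data_file` because they originate in the staging area; if so, the comment should say that and record that no `staging_data_file:dir` permission is granted on purpose, e.g. `# APEX files under /data/apex/active keep the staging_data_file label; file reads only, no dir access to staging areas.` The comment says `decompressed` while the commit message says `uncompressed`, so one of the two needs correcting. If the service only opens and reads these files before handing them to the guest, `{ getattr open read }` would be tighter than `r_file_perms` on both new file rules; check that against the denials seen in logcat.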