Revert "crosvm: Remove obsoleted vmlauncher_app usage"
This reverts commit 43e9dbacb487a45c862e098d03fba11be2fe31e1.
Reason for revert: broke b/399981318
Change-Id: Ib1bc96a5a760d162bcf01e5cd4568c4111106882
diff --git a/private/crosvm.te b/private/crosvm.te
index b782eac..6051992 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -109,6 +109,8 @@
hal_client_domain(crosvm, hal_graphics_allocator)
# To provide display service to an app to get surface.
+ # TODO(b/332677707): remove them when display service uses binder RPC.
+ allow crosvm vmlauncher_app:binder { transfer call };
allow crosvm servicemanager:binder { call transfer };
allow crosvm virtualization_service:service_manager find;
allow crosvm virtualizationservice:binder { call transfer };
@@ -215,10 +217,12 @@
}:file read;
# Only virtualizationmanager can run crosvm
+# Allow vmlauncher app to launch crosvm for virtiofs
neverallow {
domain
-crosvm
-virtualizationmanager
+ -vmlauncher_app
userdebug_or_eng(`-overlay_remounter')
is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr')
diff --git a/private/vmlauncher_app.te b/private/vmlauncher_app.te
index 2007177..ef34c31 100644
--- a/private/vmlauncher_app.te
+++ b/private/vmlauncher_app.te
@@ -14,7 +14,7 @@
allow vmlauncher_app fsck_exec:file { r_file_perms execute execute_no_trans };
allow vmlauncher_app crosvm:fd use;
allow vmlauncher_app crosvm_tmpfs:file { map read write };
-allow vmlauncher_app crosvm_exec:file r_file_perms;
+allow vmlauncher_app crosvm_exec:file rx_file_perms;
allow vmlauncher_app privapp_data_file:sock_file { create unlink write getattr };