Set sepolicy for creating TAP interfaces in vmnic of AVF Bug: 340376951 Test: Presubmit Change-Id: I2948698a1738d441768d77da611d5e8dd3eb3c5b

commit: 80fd618c662da83da512fa63e2b0650a2d52a0eb [log] [tgz]
author: Seungjae Yoo <seungjaeyoo@google.com> Mon May 20 16:59:02 2024 +0900
committer: Seungjae Yoo <seungjaeyoo@google.com> Fri May 24 11:18:16 2024 +0900
tree: bdca50920d1ab351c6acd8ab1e710b97dae84668
parent: f60a1e0b905b5314794547ac792b347af1517985 [diff] [blame]
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index 3aaff5b..72cc0a6 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te

@@ -116,3 +116,9 @@
     # virtualizationmanager holds references to bound devices, returned from vfio_handler
     binder_call(virtualizationmanager, vfio_handler)
 ')
+
+is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
+    # Allow virtualizationmanager to deal with file descriptors of TAP interfaces.
+    allow virtualizationmanager tun_device:chr_file rw_file_perms;
+    allow virtualizationmanager vmnic:fd use;
+')
commit	80fd618c662da83da512fa63e2b0650a2d52a0eb	[log] [tgz]
author	Seungjae Yoo <seungjaeyoo@google.com>	Mon May 20 16:59:02 2024 +0900
committer	Seungjae Yoo <seungjaeyoo@google.com>	Fri May 24 11:18:16 2024 +0900
tree	bdca50920d1ab351c6acd8ab1e710b97dae84668
parent	f60a1e0b905b5314794547ac792b347af1517985 [diff] [blame]