Add comment explaining why crosvm shouldn't be allowed to open files.

Bug: 192453819
Test: No code change
Change-Id: Iebaa1db2e8eed81122e64999ef58b728e1bf95cc
diff --git a/private/crosvm.te b/private/crosvm.te
index 90addc8..b0b4ec5 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -32,6 +32,10 @@
 allow crosvm virtualizationservice_data_file:dir search;
 
 # Don't allow crosvm to open files that it doesn't own.
+# This is important because a malicious application could try to start a VM with a composite disk
+# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
+# open them on its behalf. By preventing crosvm from opening any other files we prevent this
+# potential privilege escalation. See http://b/192453819 for more discussion.
 neverallow crosvm {
   virtualizationservice_data_file
   staging_data_file
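Review bot: The new comment on line 16 says the rule prevents crosvm "from opening any other files", but the neverallow it introduces enumerates specific types (the list continues past the end of this hunk) rather than using a complement like `~{ ... }`, and the comment in the second hunk notes that `app_data_file` is deliberately allowed for the instance disk image with enforcement delegated to virtualizationservice's file-context check. A neverallow is also a policy-build assertion that no `allow` grants the permission, not a runtime denial of its own, so the text would be more accurate if it described the layered defense, e.g. `# The neverallow below asserts that no policy grants crosvm open on the listed types; the one sanctioned exception, app_data_file for the instance image, is checked by virtualizationservice (see below).` Since the instance-image path is what a malicious app would most plausibly abuse, naming that check here keeps a future policy edit that widens the allowlist from silently weakening the argument this comment makes.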
@@ -73,7 +77,7 @@
 
 # app_data_file (and shell_data_file for debuggable builds) is the only
 # app_data_file_type that is allowed for crosvm to read.  Note that the use of
-# app_data_file is allowed only for the intance disk image.  This is enforced
+# app_data_file is allowed only for the instance disk image.  This is enforced
 # inside the virtualizationservice by checking the file context of all disk
 # image files.
 neverallow crosvm {