Add permission for VFIO device binding
vfio_handler will bind platform devices to the VFIO driver and then
return a file descriptor containing the DTBO. This change adds the
permissions needed for that.
Bug: 278008182
Test: adb shell /apex/com.android.virt/bin/vm run-microdroid \
--devices /sys/bus/platform/devices/16d00000.eh --protected
Change-Id: Ie947adff00d138426d4703cbb8e7a8cd429c2272
diff --git a/private/crosvm.te b/private/crosvm.te
index 8a6bd24..3f39201 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -92,6 +92,14 @@
allow crosvm adbd:unix_stream_socket ioctl;
allow crosvm node:tcp_socket node_bind;
+# Allow crosvm to interact to VFIO device
+allow crosvm vfio_device:chr_file rw_file_perms;
+allow crosvm vfio_device:dir r_dir_perms;
+
+# Allow crosvm to access VM DTBO via a pipe created by vfio handler.
+allow crosvm vfio_handler:fd use;
+allow crosvm vfio_handler:fifo_file r_file_perms;
+
# Don't allow crosvm to open files that it doesn't own.
# This is important because a malicious application could try to start a VM with a composite disk
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to