Add permission for VFIO device binding
vfio_handler will bind platform devices to VFIO driver, and then
return a file descriptor containing DTBO. This change adds
permissions needed for that.
Bug: 278008182
Test: adb shell /apex/com.android.virt/bin/vm run-microdroid \
--devices /sys/bus/platform/devices/16d00000.eh --protected
Change-Id: Ie947adff00d138426d4703cbb8e7a8cd429c2272
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 561e778..a4588dc 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -15,6 +15,10 @@
# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
add_service(virtualizationservice, virtualization_service)
+# Let virtualizationservice find and communicate with vfio_handler.
+allow virtualizationservice vfio_handler_service:service_manager find;
+binder_call(virtualizationservice, vfio_handler)
+
# Allow calling into the system server to find "permission_service".
binder_call(virtualizationservice, system_server)
allow virtualizationservice permission_service:service_manager find;
@@ -54,6 +58,14 @@
allow virtualizationservice tombstone_data_file:file { append getattr };
allow virtualizationservice tombstoned:fd use;
+# Allow virtualizationservice to check if VFIO is supported
+allow virtualizationservice vfio_device:chr_file getattr;
+allow virtualizationservice vfio_device:dir r_dir_perms;
+
+# Allow virtualizationservice to access VM DTBO via a pipe created by vfio handler.
+allow virtualizationservice vfio_handler:fd use;
+allow virtualizationservice vfio_handler:fifo_file r_file_perms;
+
neverallow {
domain
-init
@@ -72,3 +84,6 @@
-virtualizationmanager
-virtualizationservice
}:process setrlimit;
+
+# Only virtualizationservice can communicate to vfio_handler
+neverallow { domain -virtualizationservice -servicemanager } vfio_handler:binder call;