Add sepolicy for crosvm to support virtiofs mounts

Bug: 372171883
Test: Mount /storage/emulated/0/Download inside guest VM.
Tested the following covering required permissions:

$mount -t virtiofs android /mnt/shared
$cd /mnt/shared
$touch test_file
$dd if=/dev/urandom of=test_file bs=4k count=10
$stat test_file
$mv test_file new_file
$mkdir test_dir
$stat test_dir
$mv test_dir new_dir
$cd new_dir
$dd if=/dev/urandom of=test_file-1 bs=4k count=10
$rm test_file-1
$cd /mnt/shared
$rm -rf test_dir
$umount shared
$mount -t virtiofs android /mnt/shared
$cd shared && rm -f test_file
$shutdown VM - verify unix sockets are removed

Change-Id: I7913c9effd20628c974c7e25fc91e89e36619f30
Signed-off-by: Akilesh Kailash <akailash@google.com>
diff --git a/private/crosvm.te b/private/crosvm.te
index d9faf10..f64690f 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -115,6 +115,15 @@
   # Allow crosvm to play sound.
   binder_call(crosvm, audioserver)
   allow crosvm audioserver_service:service_manager find;
+
+  # Allow crosvm to mount fuse path in guest VM through virtiofs
+  allow crosvm fuse:file create_file_perms;
+  allow crosvm fuse:dir create_dir_perms;
+  allow crosvm mnt_user_file:dir search;
+
+  # Allow crosvm to create unix socket for vhost-user-fs
+  allow crosvm virtualizationservice_data_file:dir { add_name write remove_name };
+  allow crosvm virtualizationservice_data_file:sock_file { create write unlink };
 ')
 
 # crosvm tries to use netlink sockets as part its APCI implementation, but we don't need it for AVF (b/228077254)
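Review bot: The two `fuse` rules at the top of the added block grant crosvm `create_file_perms` and `create_dir_perms` on every object labelled `fuse`, which as far as I know covers all FUSE-backed shared storage, whereas the commit message only tests sharing /storage/emulated/0/Download. SELinux cannot narrow this by path, so confinement to the intended directory has to come from whatever configures the virtiofs share, and the comment should say so, e.g. `# NOTE: the fuse type covers all FUSE-backed shared storage; which directory is shared must be restricted by the VM configuration, not by this rule`. The socket rules have a similar breadth: `virtualizationservice_data_file` presumably labels other files in that directory as well, so a dedicated type for the vhost-user-fs socket would keep `create` and `unlink` from applying to them. The enclosing macro block (closed by `')`) begins outside the hunk, so the condition that gates these rules is not visible here.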