Policy for overlay_remounter

Test: Manual
Bug: 388912628
Change-Id: I9f27647f0e8d3ece229e7a46d50d54aa1f76fd76
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index 259c402..95bdd1c 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -115,8 +115,16 @@
 r_dir_file(virtualizationmanager, vendor_microdroid_file)
 
 # Do not allow writing vendor_microdroid_file from any process.
-neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } vendor_microdroid_file:dir no_w_dir_perms;
-neverallow { domain recovery_only(`userdebug_or_eng(`-fastbootd')') } vendor_microdroid_file:file no_w_file_perms;
+neverallow {
+  domain
+  recovery_only(`userdebug_or_eng(`-fastbootd')')
+  userdebug_or_eng(`-overlay_remounter')
+} vendor_microdroid_file:dir no_w_dir_perms;
+neverallow {
+  domain
+  recovery_only(`userdebug_or_eng(`-fastbootd')')
+  userdebug_or_eng(`-overlay_remounter')
+} vendor_microdroid_file:file no_w_file_perms;
 
 # Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
 r_dir_file(virtualizationmanager, crosvm);
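Review bot: The comment above the two rewritten neverallow rules still reads "from any process", but the source set now carves out overlay_remounter on userdebug/eng builds in addition to fastbootd, and neither the comment nor the commit message says why that domain needs the exemption. I would reword the comment to state the invariant and its exceptions, e.g. `# Do not allow writing vendor_microdroid_file from any process. Exempt on userdebug/eng only: fastbootd (recovery) and overlay_remounter; user builds keep the rule for every domain.` The exemption only relaxes the compile-time check; presumably overlay_remounter gets write access from a broad allow rule defined in another file, so a short pointer to that rule would let a later reader confirm the access stays limited to debug builds. Keeping `-overlay_remounter` inside `userdebug_or_eng(...)` in both rules, as done here, is what preserves the guarantee on user builds and is worth stating explicitly in the comment.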