Allow su to access virtualization
Use our standard macro for granting all the necessary permissions
instead of copying a part of it.
Add ioctl access for all clients for Unix stream sockets & pipes; this
allows them to be used for stdin/stdout without triggering
denials. (Only unpriv_sock_ioctls can be used.)
Together this allows a root shell to use `vm run` without getting
spurious denials such as:
avc: denied { ioctl } for comm="crosvm" path="socket:[835168]"
dev="sockfs" ino=835168 ioctlcmd=0x5401 scontext=u:r:crosvm:s0
tcontext=u:r:su:s0 tclass=unix_stream_socket permissive=0
Bug: 316048644
Test: adb root, adb shell /apex/com.android.virt/bin/vm run-microdroid
Test: atest MicrodroidTests
Change-Id: Ib5186c70714e295a770896cf8b628384f410b94d
diff --git a/private/su.te b/private/su.te
index cc00e10..2e0d10a 100644
--- a/private/su.te
+++ b/private/su.te
@@ -19,8 +19,9 @@
# Put the perfetto command into its domain so it is the same on user, userdebug and eng.
domain_auto_trans(su, perfetto_exec, perfetto)
- # Put the virtmgr command into its domain.
- domain_auto_trans(su, virtualizationmanager_exec, virtualizationmanager)
+ # Allow accessing virtualization (e.g. via the vm command) - ensures virtmgr runs in its
+ # own domain.
+ virtualizationservice_use(su)
# su is also permissive to permit setenforce.
permissive su;