Allow virtualizationmanager to read AVF debug policy
virtualizationmanager may handle some AVF debug policies for unprotected VMs.
Bug: 243630590
Test: Run unprotected VM with/without ramdump
Change-Id: I2941761efe230a9925d1146f8ac55b50e984a4e9
diff --git a/private/file.te b/private/file.te
index 776c8e5..539e63e 100644
--- a/private/file.te
+++ b/private/file.te
@@ -130,3 +130,6 @@
# write permission on this to connect, and needs to be mlstrustedobject
# in to satisfy MLS constraints for trusted domains.
type prng_seeder_socket, file_type, coredomain_socket, mlstrustedobject;
+
+# /sys/firmware/devicetree/base/avf
+type sysfs_dt_avf, fs_type, sysfs_type;
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 6fa98ea..77e3954 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -145,6 +145,7 @@
genfscon sysfs /devices/virtual/net u:object_r:sysfs_net:s0
genfscon sysfs /devices/virtual/switch u:object_r:sysfs_switch:s0
genfscon sysfs /devices/virtual/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /firmware/devicetree/base/avf u:object_r:sysfs_dt_avf:s0
genfscon sysfs /firmware/devicetree/base/firmware/android u:object_r:sysfs_dt_firmware_android:s0
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
genfscon sysfs /fs/f2fs u:object_r:sysfs_fs_f2fs:s0
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index 4cd32b7..946c783 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -69,6 +69,10 @@
allow virtualizationmanager tombstone_data_file:file { append getattr };
allow virtualizationmanager tombstoned:fd use;
+# Allow virtualizationservice to read AVF debug policy
+allow virtualizationmanager sysfs_dt_avf:dir search;
+allow virtualizationmanager sysfs_dt_avf:file { open read };
+
# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
r_dir_file(virtualizationmanager, crosvm);
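Review bot: The comment above the new rules names the wrong domain: it says `# Allow virtualizationservice to read AVF debug policy` while both allow rules grant to virtualizationmanager, and the commit title also says virtualizationmanager, so the comment should read `# Allow virtualizationmanager to read AVF debug policy`. Separately, `sysfs_dt_avf:file { open read }` omits `getattr`; if the reader stats the file or reads it via a helper that calls fstat on the open descriptor (common in Rust std::fs), that access would be denied and the policy read would fail silently or fall back, so consider `allow virtualizationmanager sysfs_dt_avf:file r_file_perms;` (or at least adding `getattr`) — verify against the actual reader code. Likewise, if the code enumerates the devicetree node rather than opening known child names, `dir search` alone is not enough and `r_dir_perms` would be needed.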