commit 9acd00484bc53a756147ae42f1f5182677fb59a2
author Treehugger Robot <treehugger-gerrit@google.com> Tue Jan 25 00:26:11 2022 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Tue Jan 25 00:26:11 2022 +0000
tree 468224525a2f71257f1bd6dac97e2ab29f76b97b
parent db8d838e5abad61acb165b4bd3f8b39bb0fe0008
parent 8a881c14bfffa4f7ffc02bd4552b8ea4f7b2d2b8

Merge "Fix virtualizationservice denials"

private/virtualizationservice.te

diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index d304ae6..c4f2cd9 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -55,17 +55,22 @@
 # Run derive_classpath in our domain
 allow virtualizationservice derive_classpath_exec:file rx_file_perms;
 allow virtualizationservice apex_mnt_dir:dir r_dir_perms;
+# Ignore harmless denials on /proc/self/fd
+dontaudit virtualizationservice self:dir write;
 
 # Let virtualizationservice to accept vsock connection from the guest VMs
 allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
 
 # Allow virtualization to ioctl on dev/kvm only to check if protected VM is supported or not.
-allow virtualizationservice kvm_device:chr_file { open read write };
+allow virtualizationservice kvm_device:chr_file { open read write ioctl };
 allowxperm virtualizationservice kvm_device:chr_file ioctl KVM_CHECK_EXTENSION;
 
 # Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
 set_prop(virtualizationservice, virtualizationservice_prop)
 
+# Allow writing stats to statsd
+unix_socket_send(virtualizationservice, statsdw, statsd)
+
 neverallow {
   domain
   -init