Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 9b2fa1b94a6c55510af0db14b3b39735d45f4be7^! / . / private
commit9b2fa1b94a6c55510af0db14b3b39735d45f4be7[log] [tgz]
authorAndrew Walbran <qwandor@google.com>Thu Jul 01 15:58:26 2021 +0000
committerAndrew Walbran <qwandor@google.com>Wed Jul 07 11:11:19 2021 +0000
tree308cb3eb3b83607239f3d5bff2799c536a4c6236
parente838fe268176c0442fad388a337504c0f55facff [diff]
Allow virtualizationservice and crosvm to access shell_data_file files.

This is necessary to run tests or run VMs manually with SELinux
enforcement enabled.

Bug: 192256642
Test: atest VirtualizationTestCases
Change-Id: I03b12fefa4e79644bd2f3410cc255f923834aca4

diff --git a/private/crosvm.te b/private/crosvm.te
index f7729fd..b139286 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te

@@ -14,3 +14,10 @@
 # Most other domains shouldn't access /dev/kvm.
 neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
 neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
+
+# Let crosvm read and write files from clients of virtualizationservice, but not open them directly
+# as they must be passed via virtualizationservice.
+allow crosvm apk_data_file:file { getattr read };
+allow crosvm app_data_file:file { getattr read write };
+# shell_data_file is used for automated tests and manual debugging.
+allow crosvm shell_data_file:file { getattr read write };

diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 4c6f1f9..9b82e01 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te

@@ -23,3 +23,21 @@
 # Let virtualizationservice access its data directory.
 allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
 allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
+
+# virtualizationservice_use(client)
+define(`virtualizationservice_use', `
+# Let the client call virtualizationservice.
+binder_call($1, virtualizationservice)
+# Let the client pass file descriptors to virtualizationservice.
+allow virtualizationservice $1:fd use;
+')
+
+# Let the shell user call virtualizationservice for debugging.
+virtualizationservice_use(shell)
+
+# Let virtualizationservice read and write files from its various clients, but not open them
+# directly as they must be passed over Binder by the client.
+allow virtualizationservice apk_data_file:file { getattr read };
+allow virtualizationservice app_data_file:file { getattr read write };
+# shell_data_file is used for automated tests and manual debugging.
+allow virtualizationservice shell_data_file:file { getattr read write };