Allow virtualizationservice and crosvm to access shell_data_file files.
This is necessary to run tests or run VMs manually with SELinux
enforcement enabled.
Bug: 192256642
Test: atest VirtualizationTestCases
Change-Id: I03b12fefa4e79644bd2f3410cc255f923834aca4
diff --git a/private/crosvm.te b/private/crosvm.te
index f7729fd..b139286 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -14,3 +14,10 @@
# Most other domains shouldn't access /dev/kvm.
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
+
+# Let crosvm read and write files from clients of virtualizationservice, but not open them directly
+# as they must be passed via virtualizationservice.
+allow crosvm apk_data_file:file { getattr read };
+allow crosvm app_data_file:file { getattr read write };
+# shell_data_file is used for automated tests and manual debugging.
+allow crosvm shell_data_file:file { getattr read write };
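Review bot: The comment on the added rules says crosvm must not open these files directly, but nothing in the policy enforces that — the three allow rules simply omit `open`, and a later rule or macro expansion could reintroduce it unnoticed. A neverallow would make the stated contract machine-checked by the policy compiler: `neverallow crosvm { apk_data_file app_data_file shell_data_file }:file open;`. The shell_data_file rule also grants write, and its comment says it exists for automated tests and manual debugging; if that access is not needed on user builds, wrapping the rule in `userdebug_or_eng(...)` would keep it out of production policy, though the hunk alone does not show whether it is required there. The commit message mentions virtualizationservice as well, but only crosvm.te appears in this view; the matching change is presumably in another file.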