commit ac5044870b6a0c0597f26cfec6a6140f7b692a41
author Alan Stokes <alanstokes@google.com> Tue Dec 19 17:42:05 2023 +0000
committer Alan Stokes <alanstokes@google.com> Tue Dec 19 17:42:05 2023 +0000
tree d31bca30cbb2f4f0070c5f5043e6568b66a40aac
parent cb24b4facfaca04ffeea90673854dd07eb6add18

Tweak sysfs_dt_avf permissions

Allow r_file_perms rather than just open+read, mainly because I saw
this denial:

avc:  denied  { getattr } for  comm="binder:11247_2"
path="/sys/firmware/devicetree/base/avf/guest/common/log"
dev="sysfs" ino=16469 scontext=u:r:virtualizationmanager:s0
tcontext=u:object_r:sysfs_dt_avf:s0 tclass=file permissive=0

Also refactor slightly in microdroid_manager.te.

Test: TH
Change-Id: If2963441b3490a502c293c7a7cdd204d9db7d48a

private/virtualizationmanager.te

diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index 725ca72..bbae070 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -85,7 +85,7 @@
 
 # Allow virtualizationmanager to read AVF debug policy
 allow virtualizationmanager sysfs_dt_avf:dir search;
-allow virtualizationmanager sysfs_dt_avf:file { open read };
+allow virtualizationmanager sysfs_dt_avf:file r_file_perms;
 
 # virtualizationmanager to be client of secretkeeper HAL. It ferries SecretManagement messages
 # from pVM to HAL.