Allow virtualizationservice to create and manage socket files in its data folder
...and crosvm to access a listener socket when passed to it by file
descriptor from virtualizationservice.
Bug: 235579465
Test: Start a VM
Change-Id: I7e89cfb4fb8a1ce845eaea64a33dbaad6bff9969
diff --git a/private/crosvm.te b/private/crosvm.te
index f3fc9a8..034107f 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -38,6 +38,12 @@
# Allow searching the directory where the composite disk images are.
allow crosvm virtualizationservice_data_file:dir search;
+# Let crosvm access its control socket as created by VS.
+# read, write, getattr: listener socket polling
+# accept: listener socket accepting new connection
+# Note that the open permission is not given as the socket is passed by FD.
+allow crosvm virtualizationservice:unix_stream_socket { accept read write getattr };
+
# Don't allow crosvm to open files that it doesn't own.
# This is important because a malicious application could try to start a VM with a composite disk
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 9ae5308..6e6b459 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -29,6 +29,9 @@
allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
+# Let virtualizationservice manage crosvm control sockets.
+allow virtualizationservice virtualizationservice_data_file:sock_file create_file_perms;
+
# Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
# crosvm to the console
allow virtualizationservice adbd:fd use;