Introduce vm_manager_device_type for crosvm
Introduce hypervisor-generic type for VM managers:
vm_manager_device_type.
Bug: 274758531
Change-Id: I0937e2c717ff973eeb61543bd05a7dcc2e5dc19c
Suggested-by: Steven Moreland <smoreland@google.com>
Signed-off-by: Elliot Berman <quic_eberman@quicinc.com>
diff --git a/private/crosvm.te b/private/crosvm.te
index df97235..f1012b7 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -2,14 +2,20 @@
type crosvm_exec, system_file_type, exec_type, file_type;
type crosvm_tmpfs, file_type;
-# Let crosvm open /dev/kvm.
-allow crosvm kvm_device:chr_file rw_file_perms;
+# Let crosvm open VM manager devices such as /dev/kvm.
+allow crosvm vm_manager_device_type:chr_file rw_file_perms;
# Most other domains shouldn't access /dev/kvm.
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };
+# Most other domains shouldn't access other vm managers either.
+# These restrictions need to be slightly looser than for kvm_device to allow
+# for different implementations.
+neverallow { coredomain appdomain -crosvm -ueventd -shell } vm_manager_device_type:chr_file getattr;
+neverallow { coredomain appdomain -crosvm -ueventd } vm_manager_device_type:chr_file ~getattr;
+
# Let crosvm create temporary files.
tmpfs_domain(crosvm)