Neverallow domains other than VS from executing VM Bug: 216610937 Test: atest MicrodroidTests Change-Id: I2ecea6974cb6650f8a7aa8b706ae38e1822805cd

commit: b20cb78404c49ef0ebcade21c0457e86fd0b40d9 [log] [tgz]
author: Inseob Kim <inseob@google.com> Thu Feb 03 15:30:26 2022 +0900
committer: Inseob Kim <inseob@google.com> Mon Feb 07 09:42:21 2022 +0900
tree: 5a21c5c0ab4abe5bfb6d3d36d4985e28cf67bbff
parent: b289dc4d1de4fcb66b679699797c10fed5407066 [diff] [blame]
diff --git a/private/crosvm.te b/private/crosvm.te
index ec58875..426cb28 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te

@@ -89,3 +89,10 @@
   -app_data_file
   userdebug_or_eng(`-shell_data_file')
 }:file read;
+
+# Only virtualizationservice can run crosvm
+neverallow {
+  domain
+  -crosvm
+  -virtualizationservice
+} crosvm_exec:file no_x_file_perms;
commit	b20cb78404c49ef0ebcade21c0457e86fd0b40d9	[log] [tgz]
author	Inseob Kim <inseob@google.com>	Thu Feb 03 15:30:26 2022 +0900
committer	Inseob Kim <inseob@google.com>	Mon Feb 07 09:42:21 2022 +0900
tree	5a21c5c0ab4abe5bfb6d3d36d4985e28cf67bbff
parent	b289dc4d1de4fcb66b679699797c10fed5407066 [diff] [blame]