commit b316f8bf9518eab9780e367fb83f34c52a736537
author Treehugger Robot <android-test-infra-autosubmit@system.gserviceaccount.com> Tue Sep 05 06:29:39 2023 +0000
committer Gerrit Code Review <noreply-gerritcodereview@google.com> Tue Sep 05 06:29:39 2023 +0000
tree 56a99fe5e16d1d25cf15f5f8df1a54c96ddfdb84
parent 70dc0bb5dc8d4195b1249d60f4ce5e692ade7299
parent 36d9d39e6efb85e60d4b334615b71643b16c8652

Merge "Relax freeze_test to check only compatibility" into main

TEST_MAPPING

diff --git a/TEST_MAPPING b/TEST_MAPPING
index 9aa510b..053e36a 100644
--- a/TEST_MAPPING
+++ b/TEST_MAPPING
@@ -11,9 +11,6 @@
                 },
                 {
                     "include-filter": "android.security.cts.SELinuxHostTest#testGMSCoreDomain"
-                },
-                {
-                    "include-filter": "android.security.cts.SeamendcHostTest"
                 }
             ]
         }

private/crosvm.te

diff --git a/private/crosvm.te b/private/crosvm.te
index 2d9a688..afcaa3d 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -27,8 +27,9 @@
 
 # Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
 # (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
-# /data/local/tmp), and instance.img (app_data_file). Note that the open permission is not given as
-# the files are passed as file descriptors.
+# /data/local/tmp), and instance.img (app_data_file).
+# Allow crosvm to read the instance image of the service VM saved in apex_virt_data_file.
+# Note that the open permission is not given as the files are passed as file descriptors.
 allow crosvm {
   virtualizationservice_data_file
   staging_data_file
@@ -36,6 +37,7 @@
   app_data_file
   privapp_data_file
   apex_compos_data_file
+  apex_virt_data_file
   shell_data_file
 }:file { getattr read ioctl lock };
 
@@ -64,6 +66,7 @@
   app_data_file
   privapp_data_file
   apex_compos_data_file
+  apex_virt_data_file
 }:file write;
 
 # Allow crosvm to pipe console log to shell or app which could be the owner of a VM.

private/file.te

diff --git a/private/file.te b/private/file.te
index 64b51a2..efdf4d1 100644
--- a/private/file.te
+++ b/private/file.te
@@ -67,6 +67,9 @@
 # /data/misc/apexdata/com.android.compos
 type apex_compos_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
 
+# /data/misc/apexdata/com.android.virt
+type apex_virt_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+
 # legacy labels for various /data/misc[_ce|_de]/*/apexdata directories - retained
 # for backward compatibility b/217581286
 type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;

private/file_contexts

diff --git a/private/file_contexts b/private/file_contexts
index 9d12ab4..6ac2400 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -602,6 +602,7 @@
 /data/misc/apexdata(/.*)?       u:object_r:apex_module_data_file:s0
 /data/misc/apexdata/com\.android\.art(/.*)?           u:object_r:apex_art_data_file:s0
 /data/misc/apexdata/com\.android\.compos(/.*)?        u:object_r:apex_compos_data_file:s0
+/data/misc/apexdata/com\.android\.virt(/.*)?          u:object_r:apex_virt_data_file:s0
 /data/misc/apexdata/com\.android\.permission(/.*)?    u:object_r:apex_system_server_data_file:s0
 /data/misc/apexdata/com\.android\.scheduling(/.*)?    u:object_r:apex_system_server_data_file:s0
 /data/misc/apexdata/com\.android\.tethering(/.*)?     u:object_r:apex_system_server_data_file:s0

private/virtualizationmanager.te

diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index 68dc8bc..d6f0e19 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -5,7 +5,7 @@
 
 # Allow virtualizationmanager to communicate use, read and write over the adb connection.
 allow virtualizationmanager adbd:fd use;
-allow virtualizationmanager adbd:unix_stream_socket { read write };
+allow virtualizationmanager adbd:unix_stream_socket { getattr read write };
 
 # Allow writing VM logs to the shell console
 allow virtualizationmanager devpts:chr_file { read write getattr ioctl };
@@ -40,6 +40,7 @@
 allow virtualizationmanager {
   app_data_file
   apex_compos_data_file
+  apex_virt_data_file
   privapp_data_file
 }:file { getattr read write };
 

private/virtualizationservice.te

diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index c11fac5..2d20195 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -42,6 +42,15 @@
 allow virtualizationservice adbd:fd use;
 allow virtualizationservice adbd:unix_stream_socket { read write };
 
+# Allow to connnect to and run VirtMgr to start the service VM for remote attestation.
+virtualizationservice_use(virtualizationservice)
+
+# Allow virtualizationservice to read and write in the apex data directory
+# /data/misc/apexdata/com.android.virt
+allow virtualizationservice apex_module_data_file:dir search;
+allow virtualizationservice apex_virt_data_file:dir create_dir_perms;
+allow virtualizationservice apex_virt_data_file:file create_file_perms;
+
 # Let virtualizationservice to accept vsock connection from the guest VMs to singleton services
 # such as the guest tombstone server.
 allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };