Use regular file for VM DTBO
Bug: 287379025
Test: adb shell /apex/com.android.virt/bin/vm run-microdroid \
--protected --mem 512 --devices \
/sys/bus/platform/devices/16d00000.eh
Change-Id: Id77c25f5f22672da9281078fc17f45087d893f4d
diff --git a/private/vfio_handler.te b/private/vfio_handler.te
index 706a6ca..2a0bd37 100644
--- a/private/vfio_handler.te
+++ b/private/vfio_handler.te
@@ -20,5 +20,12 @@
allow vfio_handler sysfs:dir r_dir_perms;
allow vfio_handler sysfs:file rw_file_perms;
+# Allow vfio_handler to write to VM DTBO via a file created by virtualizationmanager.
+allow vfio_handler virtualizationmanager:fd use;
+allow vfio_handler virtualizationservice_data_file:file write;
+
+# vfio_handler can only use fd from virtualizationmanager, and can't open files itself
+neverallow vfio_handler virtualizationservice_data_file:file { open create };
+
# Only vfio_handler can add vfio_handler_service
neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;
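Review bot: The comment above the new neverallow says vfio_handler "can only use fd from virtualizationmanager", but the rule only forbids vfio_handler from opening or creating `virtualizationservice_data_file` itself; nothing in this hunk restricts which domain's fds it may use, and the `write` grant covers every file of that type, not just the DTBO. Whether the DTBO is the only `virtualizationservice_data_file` fd virtualizationmanager ever hands over cannot be seen here, so the policy's effective scope rests on that caller behaviour rather than on the type. Suggest either wording the comment to match what is enforced, e.g. `# vfio_handler must not open or create these files itself; it only writes through an fd handed to it`, or, if a dedicated label for the DTBO is feasible in this policy, narrowing the `write` grant to that label so the neverallow and the allow bound the same object. The surrounding policy file starts before this hunk, so any other fd-use grants for vfio_handler are out of view.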