Use regular file for VM DTBO
Bug: 287379025
Test: adb shell /apex/com.android.virt/bin/vm run-microdroid \
--protected --mem 512 --devices \
/sys/bus/platform/devices/16d00000.eh
Change-Id: Id77c25f5f22672da9281078fc17f45087d893f4d
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index a4588dc..14662fa 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -35,6 +35,7 @@
# directories, it needs the permission to unlink the files created by virtualizationmanager.
allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
allow virtualizationservice virtualizationservice_data_file:{ file sock_file } unlink;
+allow virtualizationservice virtualizationservice_data_file:file write;
# Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
# crosvm to the console
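Review bot: The added `allow virtualizationservice virtualizationservice_data_file:file write;` covers every file labelled virtualizationservice_data_file, not only the DTBO file, and it sits under a comment that explains only the unlink rule. No `open` or `create` is granted in the visible lines, so the write presumably goes through an fd handed over by virtualizationmanager. That intent should be recorded with a comment such as `# Write the VM DTBO through an fd passed by virtualizationmanager; open/create are deliberately not granted.` If the DTBO file can carry its own type, scoping the write to that type would keep the service from modifying other per-VM files it happens to receive an fd for.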
@@ -62,9 +63,8 @@
allow virtualizationservice vfio_device:chr_file getattr;
allow virtualizationservice vfio_device:dir r_dir_perms;
-# Allow virtualizationservice to access VM DTBO via a pipe created by vfio handler.
-allow virtualizationservice vfio_handler:fd use;
-allow virtualizationservice vfio_handler:fifo_file r_file_perms;
+# Allow virtualizationservice to access VM DTBO via a file created by virtualizationmanager.
+allow virtualizationservice virtualizationmanager:fd use;
neverallow {
domain
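Review bot: The new comment says "access", but the only file permission this commit adds for the DTBO is `write` (first hunk), whereas the removed pipe rule was read-only (`r_file_perms`). The direction of the data flow appears to have reversed without the comment saying so. I would word it as `# Allow virtualizationservice to write the VM DTBO to a file created by virtualizationmanager and passed as an fd.` I would also move the `virtualizationservice_data_file:file write` rule next to this `fd use` rule so the two halves of the grant are reviewed together. The neverallow block that follows continues outside the hunk.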