crosvm can access data_shell_file on user builds
Some of our CTS tests require crosvm to have read/write access to
files on /data/local/tmp/virt, which are labeled as data_shell_file.
Since CTS tests should pass on user builds, grant the access in user
builds as well.
Note that the open access is still disallowed in user builds.
Bug: 222013014
Test: run cts
Change-Id: I4f93ac64d72cfe63275f04f2c5ea6fb99e9b5874
diff --git a/private/crosvm.te b/private/crosvm.te
index 0fd146e..167ad2f 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -32,7 +32,7 @@
apk_data_file
app_data_file
apex_compos_data_file
- userdebug_or_eng(`shell_data_file')
+ shell_data_file
}:file { getattr read ioctl lock };
# Allow searching the directory where the composite disk images are.
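Review bot: the permission set granted on the `}:file { getattr read ioctl lock };` line is read-only, yet the commit message says the CTS tests need "read/write access" to files under /data/local/tmp/virt; either the tests only need read access (then the message should say so) or a write permission is still missing from this hunk. Also, the subject and message call the label data_shell_file while the type added here is shell_data_file; please correct the commit message so it matches the type actually granted.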
@@ -84,15 +84,14 @@
}:file *;
')
-# app_data_file (and shell_data_file for debuggable builds) is the only
-# app_data_file_type that is allowed for crosvm to read. Note that the use of
-# app_data_file is allowed only for the instance disk image. This is enforced
-# inside the virtualizationservice by checking the file context of all disk
-# image files.
+# app_data_file and shell_data_file is the only app_data_file_type that is
+# allowed for crosvm to read. Note that the use of app_data_file is allowed
+# only for the instance disk image. This is enforced inside the
+# virtualizationservice by checking the file context of all disk image files.
neverallow crosvm {
app_data_file_type
-app_data_file
- userdebug_or_eng(`-shell_data_file')
+ -shell_data_file
}:file read;
# Only virtualizationservice can run crosvm
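Review bot: the rewritten comment should spell out why unrestricted read of shell_data_file is acceptable on user builds, since the next two sentences explain that app_data_file is constrained to the instance disk image by a file-context check inside virtualizationservice, but no equivalent constraint is described for shell_data_file, which this hunk now carves out of the neverallow on all builds rather than only debuggable ones. The comment also has a grammar slip: "app_data_file and shell_data_file is the only app_data_file_type that is allowed" should read "app_data_file and shell_data_file are the only app_data_file_type types that crosvm is allowed to read".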