Merge "Allow vmlauncher_app to create ptys to communicate with shell" into main

commit: d9c73d7aaf0593794dbb2d875198e7a5e0830c0f [log] [tgz]
author: Yi-Yo Chiang <yochiang@google.com> Wed May 29 05:54:43 2024 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Wed May 29 05:54:43 2024 +0000
tree: 33103f6eb701a8927cfc15ffba22b6623c5b5164
parent: 9bd1809252384844779b05946bd394a15c5b9225 [diff]
parent: 15bdfcb1804922e2f2260a60868599ef2c4baed1 [diff]
diff --git a/private/shell.te b/private/shell.te
index dbdd132..263db8c 100644
--- a/private/shell.te
+++ b/private/shell.te

@@ -430,6 +430,12 @@
 # Allow reads (but not writes) of the MGLRU state
 allow shell sysfs_lru_gen_enabled:file r_file_perms;
 
+# Allow communicating with the VM terminal.
+userdebug_or_eng(`
+  allow shell vmlauncher_app_devpts:chr_file rw_file_perms;
+  allowxperm shell vmlauncher_app_devpts:chr_file ioctl unpriv_tty_ioctls;
+')
+
 # Allow access to ion memory allocation device.
 allow shell ion_device:chr_file rw_file_perms;
 

diff --git a/private/vmlauncher_app.te b/private/vmlauncher_app.te
index dcc4f55..f0f372b 100644
--- a/private/vmlauncher_app.te
+++ b/private/vmlauncher_app.te

@@ -16,3 +16,10 @@
   allow vmlauncher_app virtualizationservice:binder call;
   allow vmlauncher_app crosvm:binder { call transfer };
 ')
+
+userdebug_or_eng(`
+  # Create pty/pts and connect it to the guest terminal.
+  create_pty(vmlauncher_app)
+  # Allow other processes to access the pts.
+  allow vmlauncher_app vmlauncher_app_devpts:chr_file setattr;
+')
commit	d9c73d7aaf0593794dbb2d875198e7a5e0830c0f	[log] [tgz]
author	Yi-Yo Chiang <yochiang@google.com>	Wed May 29 05:54:43 2024 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Wed May 29 05:54:43 2024 +0000
tree	33103f6eb701a8927cfc15ffba22b6623c5b5164
parent	9bd1809252384844779b05946bd394a15c5b9225 [diff]
parent	15bdfcb1804922e2f2260a60868599ef2c4baed1 [diff]