Sepolicy setting for crosvm virtiofs mounts

With this change, crosvm won't be accessing priv_app internal storage
from crosvm domain. crosvm will be run from app domain.

Bug: 378451265
Test: Launch terminal app - verify virtiofs mount points

Change-Id: Id7801a79651a80b5482ad52694047fa0ea32ebd4
Signed-off-by: Akilesh Kailash <akailash@google.com>
diff --git a/private/vmlauncher_app.te b/private/vmlauncher_app.te
index 8597fcd..ef34c31 100644
--- a/private/vmlauncher_app.te
+++ b/private/vmlauncher_app.te
@@ -12,6 +12,11 @@
 virtualizationservice_use(vmlauncher_app)
 
 allow vmlauncher_app fsck_exec:file { r_file_perms execute execute_no_trans };
+allow vmlauncher_app crosvm:fd use;
+allow vmlauncher_app crosvm_tmpfs:file { map read write };
+allow vmlauncher_app crosvm_exec:file rx_file_perms;
+
+allow vmlauncher_app privapp_data_file:sock_file { create unlink write getattr };
 
 is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
   # TODO(b/332677707): remove them when display service uses binder RPC.
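Review bot: The four added rules (the three after the fsck_exec line and the `privapp_data_file:sock_file` rule) carry no comment tying them to the virtiofs mounts. The commit message says crosvm will run from the app domain, yet `allow vmlauncher_app crosvm:fd use;` and the `crosvm_tmpfs:file { map read write }` rule still refer to a separate crosvm domain. Please add a short comment above each group stating what it is for, for example which socket vmlauncher_app creates in its data directory. Please also confirm the crosvm:fd and crosvm_tmpfs rules are still required once crosvm is executed through `crosvm_exec:file rx_file_perms`. The sock_file rule matches any sock_file of type privapp_data_file, so the comment should say why create and unlink are needed rather than write and getattr alone.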