Sepolicy for crosvm to show display
The new rules are gated by the RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES flag.
Bug: 331708504
Test: check if the display shows
Change-Id: I06859493c995e384e1f30554a6a12b9cd3636f30
diff --git a/flagging/Android.bp b/flagging/Android.bp
index bdd0481..b40a80a 100644
--- a/flagging/Android.bp
+++ b/flagging/Android.bp
@@ -17,6 +17,7 @@
se_flags {
name: "aosp_selinux_flags",
flags: [
+ "RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES",
"RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT",
"RELEASE_AVF_ENABLE_LLPVM_CHANGES",
"RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE",
diff --git a/private/crosvm.te b/private/crosvm.te
index 6ad3727..a96a22a 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -81,6 +81,24 @@
allow crosvm adbd:unix_stream_socket { read write };
allow crosvm devpts:chr_file { read write getattr ioctl };
+is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
+ # Allow crosvm to draw screen in the surface
+ allow crosvm device:dir { read open };
+ allow crosvm same_process_hal_file:file { read open getattr map execute };
+ allow crosvm gpu_device:chr_file { read write open ioctl map open getattr };
+ allow crosvm hal_graphics_allocator:fd use;
+ allow crosvm hal_graphics_allocator_server:binder call;
+ allow crosvm surfaceflinger:fd use;
+ hal_client_domain(crosvm, hal_graphics_allocator)
+
+ # To provide display service to an app to get surface.
+ # TODO(b/332677707): remove them when display service uses binder RPC.
+ allow crosvm priv_app:binder { transfer call };
+ allow crosvm servicemanager:binder { call transfer };
+ allow crosvm virtualization_service:service_manager find;
+ allow crosvm virtualizationservice:binder { call transfer };
+')
+
# crosvm tries to use netlink sockets as part its APCI implementation, but we don't need it for AVF (b/228077254)
dontaudit crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
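Review bot: The `allow crosvm same_process_hal_file:file { read open getattr map execute }` rule lets the process that hosts the guest VM map and execute vendor same-process HAL code inside its own address space, which is a trust-boundary change that the comment `# Allow crosvm to draw screen in the surface` does not convey; consider expanding it to something like `# crosvm maps the vendor SP-HAL libraries (presumably gralloc/GPU) in-process to draw into the app surface; this pulls vendor code into the VM host, which is why same_process_hal_file is exempted from the neverallow below.` The gpu_device rule on the next line lists `open` twice (`{ read write open ioctl map open getattr }`); drop the duplicate. The explicit `hal_graphics_allocator:fd use` and `hal_graphics_allocator_server:binder call` rules look redundant with `hal_client_domain(crosvm, hal_graphics_allocator)`, which I believe already grants the client-side binder and fd permissions — worth confirming against the macro expansion before keeping both.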
@@ -136,6 +154,7 @@
-vendor_microdroid_file
-vndk_sp_file
-vendor_task_profiles_file
+ is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `-same_process_hal_file')
}:file *;
')
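Review bot: The `-same_process_hal_file` exemption loosens the neverallow that keeps crosvm away from vendor files, and the hunk carries no comment saying why that is acceptable; the enclosing neverallow statement starts before this hunk. A neverallow carve-out is exactly what a policy audit looks at, so add a line next to it such as `# same_process_hal_file is exempted because the flag-gated display path above maps the vendor SP-HAL libraries into crosvm.` If only the graphics SP-HAL libraries are needed, it may be worth checking whether a narrower label than same_process_hal_file exists for them, though I cannot tell from this hunk.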
diff --git a/private/priv_app.te b/private/priv_app.te
index 9ba2c95..76682f1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -124,6 +124,13 @@
allow priv_app preloads_media_file:file r_file_perms;
allow priv_app preloads_media_file:dir r_dir_perms;
+is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
+ # TODO(b/332677707): remove them when display service uses binder RPC.
+ allow priv_app virtualization_service:service_manager find;
+ allow priv_app virtualizationservice:binder call;
+ allow priv_app crosvm:binder { call transfer };
+')
+
read_runtime_log_tags(priv_app)
# Allow priv_apps to request and collect incident reports.
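Review bot: `allow priv_app crosvm:binder { call transfer }` lets every priv_app domain talk directly to the crosvm process hosting a guest VM, not just the app that owns that VM, and the crosvm side of this commit grants the matching `priv_app:binder { transfer call }`, so the policy no longer confines which app reaches crosvm's binder surface. Until the TODO (b/332677707) lands, the display service implementation has to be the thing that checks the caller (for example that the calling uid owns the VM), since sepolicy cannot express that here; the comment should say so, e.g. `# Any priv_app can reach crosvm's binder interface; the display service must verify the caller owns the VM.` This is a reading of the hunk only — the service code is not visible here.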
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index ee288f2..2d14f5d 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -18,7 +18,7 @@
add_service(virtualizationservice, virtualization_maintenance_service)
')
-is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
# Let virtualizationservice find and communicate with vfio_handler.
allow virtualizationservice vfio_handler_service:service_manager find;
binder_call(virtualizationservice, vfio_handler)
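Review bot: The gating of the vfio_handler rules is swapped from RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT to RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, which the commit message ("Sepolicy for crosvm to show display") does not mention; a later hunk in this file still gates other rules on RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, so the two flags appear to be independent, and a build with device assignment enabled but the new flag off would lose the `vfio_handler_service:service_manager find` and `binder_call(virtualizationservice, vfio_handler)` rules. If both features need vfio_handler, nesting or combining the two conditions is safer than replacing one with the other; if the swap is intentional, the commit message should say why. The enclosing is_flag_enabled block closes outside this hunk.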
@@ -44,6 +44,12 @@
allow virtualizationservice self:capability sys_resource;
allow virtualizationservice virtualizationmanager:process setrlimit;
+is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
+ # To provide display service to an app to get surface.
+ # TODO(b/332677707): remove them when display service uses binder RPC.
+ allow virtualizationservice priv_app:binder transfer;
+')
+
# Let virtualizationservice set the owner of a VM's temporary directory.
allow virtualizationservice self:capability chown;
@@ -112,6 +118,8 @@
domain
-virtualizationmanager
-virtualizationservice
+ # TODO(b/332677707): remove them when display service uses binder RPC.
+ is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `-crosvm')
}:process setrlimit;
is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
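Review bot: Adding `-crosvm` to the target set of this neverallow on `process setrlimit` relaxes a rule that previously kept rlimit changes away from the VM host process, and the TODO only says when the exemption goes away, not why the display path needs it; the neverallow's subject and the start of the `{ domain ... }` set are outside this hunk, so I cannot see exactly which domain gains the ability. A one-line rationale next to the TODO naming what in the display-service path needs setrlimit on crosvm is needed for an auditor to accept a neverallow carve-out. Note also that no `allow ... crosvm:process setrlimit` rule appears anywhere in this commit, so if the exemption is only for future work it could be deferred to the change that actually adds that allow.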