Sepolicy for crosvm to show display
These rules are gated behind RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES.
Bug: 331708504
Test: check if the display shows
Change-Id: I06859493c995e384e1f30554a6a12b9cd3636f30
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index ee288f2..2d14f5d 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -18,7 +18,7 @@
add_service(virtualizationservice, virtualization_maintenance_service)
')
-is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
# Let virtualizationservice find and communicate with vfio_handler.
allow virtualizationservice vfio_handler_service:service_manager find;
binder_call(virtualizationservice, vfio_handler)
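Review bot: Re-gating the vfio_handler find/binder_call block on RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES changes which builds get it, and the commit message only talks about the display path. RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT is still used elsewhere in this file (see the later hunk), so a build with device assignment on but the new flag off now loses virtualizationservice's access to vfio_handler, while a custom-VM build without device assignment gains it. If the new flag is meant to imply device assignment, say so in the comment, e.g. `# RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES implies device assignment; vfio_handler is needed for both.`; otherwise keep the original gate and add a second is_flag_enabled block for the new flag. The surrounding `is_flag_enabled(` block closes outside this hunk.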
@@ -44,6 +44,12 @@
allow virtualizationservice self:capability sys_resource;
allow virtualizationservice virtualizationmanager:process setrlimit;
+is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
+ # To provide display service to an app to get surface.
+ # TODO(b/332677707): remove them when display service uses binder RPC.
+ allow virtualizationservice priv_app:binder transfer;
+')
+
# Let virtualizationservice set the owner of a VM's temporary directory.
allow virtualizationservice self:capability chown;
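Review bot: `allow virtualizationservice priv_app:binder transfer;` lets virtualizationservice hand binder objects to every domain in priv_app, not only the app that hosts the display surface, and the comment does not say which objects are meant to cross that boundary. Since a transferred reference is what gives an app a handle to talk to the service behind it, the comment should state the intended scope and make the exclusion of untrusted apps explicit, e.g. `# Lets the display service pass surface-related binder objects to privileged apps only; do not widen this to untrusted app domains.` A neverallow pinning that boundary would make the temporary rule harder to widen by accident before the b/332677707 cleanup lands. The Test line only checks that the display appears; it would be worth also checking that an untrusted app is denied the same transfer.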
@@ -112,6 +118,8 @@
domain
-virtualizationmanager
-virtualizationservice
+ # TODO(b/332677707): remove them when display service uses binder RPC.
+ is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `-crosvm')
}:process setrlimit;
is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
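Review bot: The added `-crosvm` exclusion carves crosvm out of the setrlimit neverallow, but the TODO reuses the binder-RPC wording from the display-service rule and does not explain why crosvm needs to setrlimit at all or on which process. The matching allow rule is not in this diff, so it is presumably in crosvm.te; that rule should carry the same flag gate, otherwise the exclusion is either dead or the allow is unguarded. Suggested comment: `# crosvm needs process setrlimit for the paravirtualized display path (see b/332677707); the allow rule lives in crosvm.te and must stay behind the same flag.` The neverallow statement this set belongs to begins outside the hunk.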