Allow virtualizationservice to use vsock

... to connect to the programs running in the guest VM

Bug: 192904048
Test: atest MicrodroidHostTestCases
Change-Id: Iccb48c14ace11cc940bb9ab1e07cc4926182e06e
diff --git a/private/shell.te b/private/shell.te
index 40b19fd..2f983f2 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -205,3 +205,7 @@
 
 # Allow shell read access to /apex/apex-info-list.xml for CTS.
 allow shell apex_info_file:file r_file_perms;
+
+# Allow shell (the vm tool) the access to vsock created by virtualization
+# service
+allow shell virtualizationservice:vsock_socket { read write };
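Review bot: The new `allow shell virtualizationservice:vsock_socket { read write };` applies to every process in the shell domain, not only the vm tool that the comment names, and it is not limited to debuggable builds. The grant is narrow in kind: with no `create` or `connect`, shell can only use a vsock descriptor that virtualizationservice passes to it (how it is passed is not visible in this hunk). The comment should say so, for example `# shell cannot create or connect vsock sockets; it may only read/write a vsock fd handed over by virtualizationservice (used by the vm tool)`. If the vm tool is meant for tests and manual debugging only, consider wrapping the rule in `userdebug_or_eng(...)`.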
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 9b82e01..1bf14d8 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -41,3 +41,6 @@
 allow virtualizationservice app_data_file:file { getattr read write };
 # shell_data_file is used for automated tests and manual debugging.
 allow virtualizationservice shell_data_file:file { getattr read write };
+
+# Let virtualizationservice to accept vsock connection from the guest VMs
+allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
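Review bot: The comment on the new rule mentions only accepting guest connections, but `create_socket_perms_no_ioctl` also includes `connect`, `bind`, `setopt` and the rest of the read/write set, so virtualizationservice can open outbound vsock connections too. The commit description ("to connect to the programs running in the guest VM") suggests that is intended, so either state both directions in the comment or list only the permissions the service actually uses. As far as I know, policy cannot constrain which CID or port a `vsock_socket` talks to, so the check that a peer is a VM started by this service has to live in the service code. A comment here would make that explicit, e.g. `# SELinux does not label vsock peers: virtualizationservice must validate the peer CID/port itself`.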