Merge "dontaudit crosvm reading VM's pipe"
diff --git a/private/crosvm.te b/private/crosvm.te
index c682bb5..aae8323 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -16,7 +16,7 @@
 # Let crosvm receive file descriptors from VirtualizationService.
 allow crosvm virtualizationmanager:fd use;
 
-# Allow sending VirtualizationService the failure reason from the VM via pipe.
+# Allow sending VirtualizationService the failure reason and console/log from the VM via pipe.
 allow crosvm virtualizationmanager:fifo_file write;
 
 # Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
@@ -74,6 +74,11 @@
 # when the vm is created by the `vm` tool) and handed over to crosvm as FD.
 allow crosvm shell_data_file:file write;
 
+# crosvm tries to read serial device, including the write-only pipe from virtualizationmanager (to
+# forward console/log to the host logcat).
+# crosvm only needs write permission, so dontaudit read
+dontaudit crosvm virtualizationmanager:fifo_file read;
+
 # Don't allow crosvm to open files that it doesn't own.
 # This is important because a malicious application could try to start a VM with a composite disk
 # image referring by name to files which it doesn't have permission to open, trying to get crosvm to
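Review bot: The added `dontaudit crosvm virtualizationmanager:fifo_file read;` silences read denials on every pipe labelled `virtualizationmanager`, not only the console/log pipe the comment describes, so an unexpected read attempt by crosvm on any other pipe from that domain no longer produces an avc record. The read is still denied, so this is a loss of visibility rather than a grant, and the comment should state that scope, e.g. `# read stays denied; this only hides the avc denial, and it does so for all virtualizationmanager pipes.` The comment implies the denial comes from crosvm opening its serial output for reading as well as writing; if so, a `TODO` pointing at a crosvm-side fix would let this rule be removed later, though that cause is inferred from the comment and not visible in the hunk.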