Fix denial due to vfio_handler's IBoundDevice
As virtualizationmanager holds references to IBoundDevice returned by
vfio_handler, virtualizationmanager should also have permission to
binder_call.
Bug: 278008519
Test: boot microdroid with assigned devices
Change-Id: I7b87de099b0731c386666cec215807dc39d8c89c
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index bbae070..d0fe571 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -111,3 +111,8 @@
# For debug purposes we try to get the canonical path from /proc/self/fd/N. That triggers
# a harmless denial for CompOS log files, so ignore that.
dontaudit virtualizationmanager apex_module_data_file:dir search;
+
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+ # virtualizationmanager holds references to bound devices, returned from vfio_handler
+ binder_call(virtualizationmanager, vfio_handler)
+')