Fix denial due to vfio_handler's IBoundDevice As virtualizationmanager holds references to IBoundDevice returned by vfio_handler, virtualizationmanager should also have permission to binder_call. Bug: 278008519 Test: boot microdroid with assigned devices Change-Id: I7b87de099b0731c386666cec215807dc39d8c89c

commit: fb0ed7fcc4fbef84b9d6f906e13afd774e5009ac [log] [tgz]
author: Inseob Kim <inseob@google.com> Wed Jan 03 09:32:18 2024 +0900
committer: Inseob Kim <inseob@google.com> Wed Jan 03 09:35:43 2024 +0900
tree: 8fb3b1822a3dc9ef0b37bc700c250f057e8017b1
parent: 24d52ac42ae775ea98e276c73d8f84fc987ad968 [diff] [blame]
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index e17797e..4d8ac6b 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te

@@ -104,6 +104,6 @@
 }:process setrlimit;
 
 is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
-    # Only virtualizationservice can communicate to vfio_handler
-    neverallow { domain -virtualizationservice -servicemanager } vfio_handler:binder call;
+    # Only virtualizationservice and virtualizationmanager can communicate to vfio_handler
+    neverallow { domain -virtualizationmanager -virtualizationservice -servicemanager } vfio_handler:binder call;
 ')
commit	fb0ed7fcc4fbef84b9d6f906e13afd774e5009ac	[log] [tgz]
author	Inseob Kim <inseob@google.com>	Wed Jan 03 09:32:18 2024 +0900
committer	Inseob Kim <inseob@google.com>	Wed Jan 03 09:35:43 2024 +0900
tree	8fb3b1822a3dc9ef0b37bc700c250f057e8017b1
parent	24d52ac42ae775ea98e276c73d8f84fc987ad968 [diff] [blame]