Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 094e8e81a2f30bcf505b66223a1333cfc815b9f7 / . / private / vfio_handler.te
blob: 963809edb080c5a56d9fb2e3ff2924c42da29840 [file] [log] [blame]
Inseob Kim094e8e82023-11-17 18:03:46 +0900[diff] [blame^]1is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
2 # vfio_handler is a helper service for VFIO tasks, like binding platform devices to VFIO driver.
3 # vfio_handler is separate from virtualizationservice as VFIO tasks require root.
4 type vfio_handler, domain, coredomain;
5 type vfio_handler_exec, system_file_type, exec_type, file_type;
Inseob Kim825056d2023-08-01 11:00:49 +0900[diff] [blame]6
Inseob Kim094e8e82023-11-17 18:03:46 +0900[diff] [blame^]7 # When init runs a file labelled with vfio_handler_exec, run it in the vfio_handler domain.
8 init_daemon_domain(vfio_handler)
Inseob Kim825056d2023-08-01 11:00:49 +0900[diff] [blame]9
Inseob Kim094e8e82023-11-17 18:03:46 +0900[diff] [blame^]10 # Let the vfio_handler domain register the vfio_handler_service with ServiceManager.
11 add_service(vfio_handler, vfio_handler_service)
Inseob Kim825056d2023-08-01 11:00:49 +0900[diff] [blame]12
Inseob Kim094e8e82023-11-17 18:03:46 +0900[diff] [blame^]13 # Let the vfio_handler domain use Binder.
14 binder_use(vfio_handler)
Inseob Kim825056d2023-08-01 11:00:49 +0900[diff] [blame]15
Inseob Kim094e8e82023-11-17 18:03:46 +0900[diff] [blame^]16 # Allow vfio_handler to check if VFIO is supported
17 allow vfio_handler vfio_device:chr_file getattr;
18 allow vfio_handler vfio_device:dir r_dir_perms;
Inseob Kim825056d2023-08-01 11:00:49 +0900[diff] [blame]19
Inseob Kim094e8e82023-11-17 18:03:46 +0900[diff] [blame^]20 # Allow vfio_handler to bind/unbind platform devices
21 allow vfio_handler sysfs:dir r_dir_perms;
22 allow vfio_handler sysfs:file rw_file_perms;
Inseob Kim825056d2023-08-01 11:00:49 +0900[diff] [blame]23
Inseob Kim094e8e82023-11-17 18:03:46 +0900[diff] [blame^]24 # Allow vfio_handler to write to VM DTBO via a file created by virtualizationservice.
25 allow vfio_handler virtualizationservice:fd use;
26 allow vfio_handler virtualizationservice_data_file:file write;
Inseob Kimbbe514d2023-08-03 12:53:48 +0900[diff] [blame]27
Inseob Kim094e8e82023-11-17 18:03:46 +0900[diff] [blame^]28 # vfio_handler can only use fd from virtualizationservice, and cannot open files itself
29 neverallow vfio_handler virtualizationservice_data_file:file { open create };
Inseob Kimbbe514d2023-08-03 12:53:48 +0900[diff] [blame]30
Inseob Kim094e8e82023-11-17 18:03:46 +0900[diff] [blame^]31 # Allow vfio_handler to search /dev/block for accessing dtbo.img
32 allow vfio_handler block_device:dir search;
33 allow vfio_handler dtbo_block_device:blk_file r_file_perms;
Seungjae Yoo1b2d9de2023-08-14 09:11:38 +0900[diff] [blame]34
Inseob Kim094e8e82023-11-17 18:03:46 +0900[diff] [blame^]35 # Only vfio_handler can add vfio_handler_service
36 neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;
37') # is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT)