| Inseob Kim | 9c0d712 | 2024-07-22 18:04:18 +0900 | [diff] [blame] | 1 | is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, ` |
| 2 | # Domain for a child process that manages early VMs available before /data mount, on behalf of |
| 3 | # its parent. |
| 4 | type early_virtmgr, domain, coredomain; |
| 5 | type early_virtmgr_exec, system_file_type, exec_type, file_type; |
| 6 | |
| 7 | use_bootstrap_libs(early_virtmgr) |
| Inseob Kim | 0b9625d | 2024-07-31 17:42:23 +0900 | [diff] [blame] | 8 | |
| 9 | allow early_virtmgr vm_data_file:dir create_dir_perms; |
| 10 | allow early_virtmgr vm_data_file:file create_file_perms; |
| 11 | |
| 12 | ### |
| 13 | ### Neverallow rules |
| 14 | ### |
| 15 | |
| 16 | # Only crosvm and early_virtmgr can access vm_data_file |
| 17 | neverallow { domain -crosvm -early_virtmgr -init } vm_data_file:dir no_w_dir_perms; |
| 18 | neverallow { domain -crosvm -early_virtmgr } vm_data_file:file no_rw_file_perms; |
| Inseob Kim | 9c0d712 | 2024-07-22 18:04:18 +0900 | [diff] [blame] | 19 | ') |