private/vmlauncher_app.te

type vmlauncher_app, domain;
typeattribute vmlauncher_app coredomain;

app_domain(vmlauncher_app)
net_domain(vmlauncher_app)

allow vmlauncher_app app_api_service:service_manager find;
allow vmlauncher_app system_api_service:service_manager find;

# TODO(b/402303887): Remove this when WebView doesn't requires camera access.
allow vmlauncher_app cameraserver_service:service_manager find;

allow vmlauncher_app shell_data_file:dir search;
allow vmlauncher_app shell_data_file:file { read open write };
virtualizationservice_use(vmlauncher_app)

allow vmlauncher_app fsck_exec:file { r_file_perms execute execute_no_trans };
allow vmlauncher_app crosvm:fd use;
allow vmlauncher_app crosvm_tmpfs:file { map read write };
allow vmlauncher_app crosvm_exec:file rx_file_perms;

allow vmlauncher_app privapp_data_file:sock_file { create unlink write getattr };

is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
  # TODO(b/332677707): remove them when display service uses binder RPC.
  allow vmlauncher_app virtualization_service:service_manager find;
  allow vmlauncher_app virtualizationservice:binder call;
  allow vmlauncher_app crosvm:binder { call transfer };
')

is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
  allow vmlauncher_app self:vsock_socket { create_socket_perms_no_ioctl listen accept };
')

userdebug_or_eng(`
  # Create pty/pts and connect it to the guest terminal.
  create_pty(vmlauncher_app)
  # Allow other processes to access the pts.
  allow vmlauncher_app vmlauncher_app_devpts:chr_file setattr;
')

# TODO(b/372664601): Remove this when we don't need linux_vm_setup
set_prop(vmlauncher_app, debug_prop);