| Inseob Kim | 825056d | 2023-08-01 11:00:49 +0900 | [diff] [blame] | 1 | # vfio_handler is a helper service for VFIO tasks, like binding platform devices to VFIO driver. |
| 2 | # vfio_handler is separate from virtualizationservice as VFIO tasks require root. |
| 3 | type vfio_handler, domain, coredomain; |
| 4 | type vfio_handler_exec, system_file_type, exec_type, file_type; |
| 5 | |
| 6 | # When init runs a file labelled with vfio_handler_exec, run it in the vfio_handler domain. |
| 7 | init_daemon_domain(vfio_handler) |
| 8 | |
| 9 | # Let the vfio_handler domain register the vfio_handler_service with ServiceManager. |
| 10 | add_service(vfio_handler, vfio_handler_service) |
| 11 | |
| 12 | # Let the vfio_handler domain use Binder. |
| 13 | binder_use(vfio_handler) |
| 14 | |
| 15 | # Allow vfio_handler to check if VFIO is supported |
| 16 | allow vfio_handler vfio_device:chr_file getattr; |
| 17 | allow vfio_handler vfio_device:dir r_dir_perms; |
| 18 | |
| 19 | # Allow vfio_handler to bind/unbind platform devices |
| 20 | allow vfio_handler sysfs:dir r_dir_perms; |
| 21 | allow vfio_handler sysfs:file rw_file_perms; |
| 22 | |
| Inseob Kim | bbe514d | 2023-08-03 12:53:48 +0900 | [diff] [blame] | 23 | # Allow vfio_handler to write to VM DTBO via a file created by virtualizationmanager. |
| 24 | allow vfio_handler virtualizationmanager:fd use; |
| 25 | allow vfio_handler virtualizationservice_data_file:file write; |
| 26 | |
| 27 | # vfio_handler can only use fd from virtualizationmanager, and can't open files itself |
| 28 | neverallow vfio_handler virtualizationservice_data_file:file { open create }; |
| 29 | |
| Inseob Kim | 825056d | 2023-08-01 11:00:49 +0900 | [diff] [blame] | 30 | # Only vfio_handler can add vfio_handler_service |
| 31 | neverallow { domain -vfio_handler } vfio_handler_service:service_manager add; |