# SELinux policy for the crosvm domain (the VMM process started for
# VirtualizationService). Only the rules visible in this file are described here.

# crosvm runs in its own domain; the coredomain attribute marks it as a
# system (non-vendor) domain.
type crosvm, domain, coredomain;
# Label for the crosvm executable on the system partition.
type crosvm_exec, system_file_type, exec_type, file_type;
# Label for crosvm's private tmpfs files; the tmpfs_domain() macro below
# expects a <domain>_tmpfs type to be declared for the domain it is given.
type crosvm_tmpfs, file_type;

# Let crosvm create temporary files.
# Expands to the rules that label crosvm's tmpfs files crosvm_tmpfs and let
# the domain use them.
tmpfs_domain(crosvm)

# Let crosvm receive file descriptors from VirtualizationService.
# Nothing here lets crosvm open those resources itself; it can only use
# descriptors that virtualizationservice chooses to hand over.
allow crosvm virtualizationservice:fd use;

# Let crosvm open /dev/kvm.
# rw_file_perms is the global macro for read/write/open and the related
# file permissions on the device node.
allow crosvm kvm_device:chr_file rw_file_perms;

# Most other domains shouldn't access /dev/kvm.
# The two neverallow rules together partition chr_file access to kvm_device:
#  - getattr (stat) is permitted only for crosvm, ueventd and shell;
#  - every other permission (~getattr: open, read, write, ioctl, ...) is
#    permitted only for crosvm and ueventd.
# ueventd is exempted presumably because it creates and labels the device
# node; shell presumably only needs to stat it. The policy build fails if
# any other domain is ever granted these permissions.
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;