| Andrew Walbran | a995e84 | 2021-03-29 17:19:12 +0000 | [diff] [blame] | 1 | type crosvm, domain, coredomain; |
| 2 | type crosvm_exec, system_file_type, exec_type, file_type; |
| 3 | type crosvm_tmpfs, file_type; |
| 4 | |
| 5 | # Let crosvm create temporary files. |
| 6 | tmpfs_domain(crosvm) |
| 7 | |
| Andrew Walbran | 4b80a3f | 2021-05-21 13:21:43 +0000 | [diff] [blame] | 8 | # Let crosvm receive file descriptors from VirtualizationService. |
| 9 | allow crosvm virtualizationservice:fd use; |
| Andrew Walbran | a995e84 | 2021-03-29 17:19:12 +0000 | [diff] [blame] | 10 | |
| 11 | # Let crosvm open /dev/kvm. |
| 12 | allow crosvm kvm_device:chr_file rw_file_perms; |
| 13 | |
| 14 | # Most other domains shouldn't access /dev/kvm. |
| 15 | neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr; |
| 16 | neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr; |
| Andrew Walbran | 9b2fa1b | 2021-07-01 15:58:26 +0000 | [diff] [blame] | 17 | |
| 18 | # Let crosvm read and write files from clients of virtualizationservice, but not open them directly |
| 19 | # as they must be passed via virtualizationservice. |
| 20 | allow crosvm apk_data_file:file { getattr read }; |
| 21 | allow crosvm app_data_file:file { getattr read write }; |
| 22 | # shell_data_file is used for automated tests and manual debugging. |
| 23 | allow crosvm shell_data_file:file { getattr read write }; |