2021-03-29 19:19:12 +02:00
|
|
|
type crosvm, domain, coredomain;
|
|
|
|
|
type crosvm_exec, system_file_type, exec_type, file_type;
|
|
|
|
|
type crosvm_tmpfs, file_type;
|
|
|
|
|
|
|
|
|
|
# Let crosvm create temporary files.
|
|
|
|
|
tmpfs_domain(crosvm)
|
|
|
|
|
|
2021-05-21 15:21:43 +02:00
|
|
|
# Let crosvm receive file descriptors from VirtualizationService.
|
|
|
|
|
allow crosvm virtualizationservice:fd use;
|
2021-03-29 19:19:12 +02:00
|
|
|
|
|
|
|
|
# Let crosvm open /dev/kvm.
|
|
|
|
|
allow crosvm kvm_device:chr_file rw_file_perms;
|
|
|
|
|
|
|
|
|
|
# Most other domains shouldn't access /dev/kvm.
|
|
|
|
|
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
|
|
|
|
|
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
|
2021-07-01 17:58:26 +02:00
|
|
|
|
|
|
|
|
# Let crosvm read and write files from clients of virtualizationservice, but not open them directly
|
|
|
|
|
# as they must be passed via virtualizationservice.
|
|
|
|
|
allow crosvm apk_data_file:file { getattr read };
|
|
|
|
|
allow crosvm app_data_file:file { getattr read write };
|
|
|
|
|
# shell_data_file is used for automated tests and manual debugging.
|
|
|
|
|
allow crosvm shell_data_file:file { getattr read write };
|
