# Domain for the virtualizationservice daemon. The coredomain attribute marks it
# as part of the core (system) policy rather than vendor policy.
type virtualizationservice, domain, coredomain;
# Label for the executable of the daemon. exec_type, system_file_type and
# file_type are the usual attributes for an executable shipped in the system
# image; the init_daemon_domain rule below keys the domain transition off this label.
type virtualizationservice_exec, system_file_type, exec_type, file_type;
# When init runs a file labelled with virtualizationservice_exec, run it in the
# virtualizationservice domain.
# init_daemon_domain is the standard macro for an init-started daemon; it sets
# up the virtualizationservice_exec -> virtualizationservice transition.
init_daemon_domain(virtualizationservice)
# Let the virtualizationservice domain use Binder.
# This is only the base Binder permission set; which clients may call the
# service is granted separately through the virtualizationservice_use macro below.
binder_use(virtualizationservice)
# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
# Clients look the service up under this name; no other rule in this file lets
# any other domain register it.
add_service(virtualizationservice, virtualization_service)
# When virtualizationservice execs a file with the crosvm_exec label, run it in the crosvm domain.
# The VMM therefore runs under the crosvm policy instead of inheriting the rules
# in this file. The only rule here that targets crosvm directly is the sigkill
# rule below.
domain_auto_trans(virtualizationservice, crosvm_exec, crosvm)
# Let virtualizationservice exec other files (e.g. mk_cdisk) in the same domain.
# NOTE(review): system_file covers every executable carrying that label, not
# just mk_cdisk, and execute_no_trans keeps the child in this domain with every
# permission granted in this file. A dedicated exec label for the helper would
# narrow this rule to the intended binary.
allow virtualizationservice system_file:file execute_no_trans;
# Let virtualizationservice kill crosvm.
# Only sigkill is granted: no other signals and no ptrace, so the VMM can be
# stopped from here but not otherwise controlled.
allow virtualizationservice crosvm:process sigkill;
# Let virtualizationservice access its data directory.
# Files and directories need separate rules because the permission sets differ
# per object class (create_file_perms vs create_dir_perms).
allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
# virtualizationservice_use(client)
# Grants a client domain (the macro argument) what it needs to talk to
# virtualizationservice. Files the client wants the service to touch travel as
# file descriptors over Binder; the service is not given open permission on
# client data files anywhere in this file.
define(`virtualizationservice_use', `
# Let the client call virtualizationservice.
binder_call($1, virtualizationservice)
# Let the client pass file descriptors to virtualizationservice.
# fd use is what lets the service act on a descriptor the client already opened,
# so the client stays in control of which files are exposed.
allow virtualizationservice $1:fd use;
')
# Let the shell user call virtualizationservice for debugging.
# This makes the service reachable from the adb shell user. The shell domain is
# the only client granted virtualizationservice_use in this file.
virtualizationservice_use(shell)
# Let virtualizationservice read and write files from its various clients, but not open them
# directly as they must be passed over Binder by the client.
# open is deliberately absent from all three rules: they only take effect on a
# descriptor the client already opened and handed over (see the fd use rule in
# virtualizationservice_use). apk_data_file is read-only; app_data_file and
# shell_data_file are also writable through such a descriptor.
allow virtualizationservice apk_data_file:file { getattr read };
allow virtualizationservice app_data_file:file { getattr read write };
# shell_data_file is used for automated tests and manual debugging.
allow virtualizationservice shell_data_file:file { getattr read write };
# Allow virtualizationservice to access apex files in /data/apex/{active,decompressed}
# Only directory search (path traversal) is granted on apex_data_file, and only
# read-style permissions (r_file_perms) on staging_data_file; nothing here is writable.
allow virtualizationservice apex_data_file:dir search;
allow virtualizationservice staging_data_file:file r_file_perms;
# Allow virtualizationservice to read apex-info-list.xml
# Read-only (r_file_perms); the file is not writable from this domain.
allow virtualizationservice apex_info_file:file r_file_perms;
# Let virtualizationservice accept vsock connections from the guest VMs.
# Only sockets labelled with its own domain (self) are covered, and the
# create_socket_perms_no_ioctl set leaves ioctl out of the grant.
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };