app_data_file is the only app_data_file_type that is allowed for crosvm

Bug: 204852957
Test: monitor TH
Change-Id: Ie92aa25336087519661002624b486cb35740cda6
Jiyong Park 2021-11-26 00:59:07 +09:00
parent b25774f53c
commit 028e722934


@ -70,3 +70,14 @@ full_treble_only(`
-vendor_task_profiles_file
}:file *;
')
# app_data_file (and shell_data_file for debuggable builds) is the only
# app_data_file_type that is allowed for crosvm to read. Note that the use of
# app_data_file is allowed only for the intance disk image. This is enforced
# inside the virtualizationservice by checking the file context of all disk
# image files.
neverallow crosvm {
app_data_file_type
-app_data_file
userdebug_or_eng(`-shell_data_file')
}:file read;
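Review bot: The new `neverallow crosvm { ... }:file read;` constrains only the `read` permission on class `file`, so an allow rule that later grants crosvm `write`, `append` or `open` on some other `app_data_file_type` would still pass the build-time check. If the intent is that crosvm touches no app data label other than `app_data_file` (and `shell_data_file` on debuggable builds), consider widening the permission set, for example `}:file { read write append };`, after confirming that no existing allow rule conflicts. The comment also relies on virtualizationservice checking file contexts to limit `app_data_file` to the instance disk image; that is a runtime check this policy cannot enforce, and the comment should say so explicitly. The same comment has a typo: `intance` should be `instance`.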