Allow virtualizationmanager to open test artifacts in shell_data_file

Bug: 275047565 Test: atest Change-Id: Iff9bdd4434a66af0e17fb74da4f173158dd66399
2023-04-03 12:57:25 +09:00 · 2023-04-03 12:57:25 +09:00 · 0783a9cd36
commit 0783a9cd36
parent 9bc9a63b68
2 changed files with 10 additions and 1 deletions
--- a/private/domain.te
+++ b/private/domain.te
@ -683,6 +683,7 @@ neverallow {
  -dumpstate
  -installd
  userdebug_or_eng(`-uncrypt')
+  userdebug_or_eng(`-virtualizationmanager')
  userdebug_or_eng(`-virtualizationservice')
  userdebug_or_eng(`-crosvm')
 } shell_data_file:file open;
@ -729,6 +730,7 @@ neverallow {
  -simpleperf_app_runner
  -system_server # why?
  userdebug_or_eng(`-uncrypt')
+  userdebug_or_eng(`-virtualizationmanager')
  userdebug_or_eng(`-crosvm')
 } shell_data_file:dir search;

--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@ -69,10 +69,17 @@ unix_socket_connect(virtualizationmanager, tombstoned_crash, tombstoned)
 allow virtualizationmanager tombstone_data_file:file { append getattr };
 allow virtualizationmanager tombstoned:fd use;

-# Allow virtualizationservice to read AVF debug policy
+# Allow virtualizationmanager to read AVF debug policy
 allow virtualizationmanager sysfs_dt_avf:dir search;
 allow virtualizationmanager sysfs_dt_avf:file { open read };

+# Let virtualizationmanager open test artifacts under /data/local/tmp with file path.
+# (e.g. custom debug policy)
+userdebug_or_eng(`
+  allow virtualizationmanager shell_data_file:dir search;
+  allow virtualizationmanager shell_data_file:file open;
+')
+
 # Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
 r_dir_file(virtualizationmanager, crosvm);