tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Allow virtualizationmanager to open test artifacts in shell_data_file

Browse source 
Bug: 275047565
Test: atest
Change-Id: Iff9bdd4434a66af0e17fb74da4f173158dd66399
This commit is contained in:
Jaewan Kim 2023-04-03 12:57:25 +09:00
parent 9bc9a63b68
commit 0783a9cd36
2 changed files with 10 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
private/domain.te
View file

@ -683,6 +683,7 @@ neverallow {
-dumpstate -dumpstate
-installd -installd
userdebug_or_eng(`-uncrypt') userdebug_or_eng(`-uncrypt')
userdebug_or_eng(`-virtualizationmanager')
userdebug_or_eng(`-virtualizationservice') userdebug_or_eng(`-virtualizationservice')
userdebug_or_eng(`-crosvm') userdebug_or_eng(`-crosvm')
} shell_data_file:file open; } shell_data_file:file open;
@ -729,6 +730,7 @@ neverallow {
-simpleperf_app_runner -simpleperf_app_runner
-system_server # why? -system_server # why?
userdebug_or_eng(`-uncrypt') userdebug_or_eng(`-uncrypt')
userdebug_or_eng(`-virtualizationmanager')
userdebug_or_eng(`-crosvm') userdebug_or_eng(`-crosvm')
} shell_data_file:dir search; } shell_data_file:dir search;

9
private/virtualizationmanager.te
View file

@ -69,10 +69,17 @@ unix_socket_connect(virtualizationmanager, tombstoned_crash, tombstoned)
allow virtualizationmanager tombstone_data_file:file { append getattr }; allow virtualizationmanager tombstone_data_file:file { append getattr };
allow virtualizationmanager tombstoned:fd use; allow virtualizationmanager tombstoned:fd use;
# Allow virtualizationservice to read AVF debug policy # Allow virtualizationmanager to read AVF debug policy
allow virtualizationmanager sysfs_dt_avf:dir search; allow virtualizationmanager sysfs_dt_avf:dir search;
allow virtualizationmanager sysfs_dt_avf:file { open read }; allow virtualizationmanager sysfs_dt_avf:file { open read };
# Let virtualizationmanager open test artifacts under /data/local/tmp with file path.
# (e.g. custom debug policy)
userdebug_or_eng(`
allow virtualizationmanager shell_data_file:dir search;
allow virtualizationmanager shell_data_file:file open;
')
# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM. # Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
r_dir_file(virtualizationmanager, crosvm); r_dir_file(virtualizationmanager, crosvm);