From 15bdfcb1804922e2f2260a60868599ef2c4baed1 Mon Sep 17 00:00:00 2001
From: Yi-Yo Chiang
Date: Fri, 10 May 2024 18:01:47 +0800
Subject: [PATCH] Allow vmlauncher_app to create ptys to communicate with shell

* Allow vmlauncher_app to create pty/pts
* Allow vmlauncher_app to change permission of created pts
* Allow shell to read/write vmlauncher_app pts

adb shell can open and communicate with vmlauncher_app via the pts device. VM console would be available on the pts.

Bug: 335362012
Test: adb shell -t microcom /dev/pts/0
Test: No new avc denials in logcat
Change-Id: If630235b486bf5ffffb45aeac3e29438029edb04
---
 private/shell.te | 6 ++++++
 private/vmlauncher_app.te | 7 +++++++
 2 files changed, 13 insertions(+)

diff --git a/private/shell.te b/private/shell.te
index dbdd132e7..263db8ceb 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -430,6 +430,12 @@ allow shell sysfs_batteryinfo:file r_file_perms;
 # Allow reads (but not writes) of the MGLRU state
 allow shell sysfs_lru_gen_enabled:file r_file_perms;
 
+# Allow communicating with the VM terminal.
+userdebug_or_eng(`
+ allow shell vmlauncher_app_devpts:chr_file rw_file_perms;
+ allowxperm shell vmlauncher_app_devpts:chr_file ioctl unpriv_tty_ioctls;
+')
+
 # Allow access to ion memory allocation device.
 allow shell ion_device:chr_file rw_file_perms;
 
diff --git a/private/vmlauncher_app.te b/private/vmlauncher_app.te
index dcc4f55c7..f0f372b48 100644
--- a/private/vmlauncher_app.te
+++ b/private/vmlauncher_app.te
@@ -16,3 +16,10 @@ is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
 allow vmlauncher_app virtualizationservice:binder call;
 allow vmlauncher_app crosvm:binder { call transfer };
 ')
+
+userdebug_or_eng(`
+ # Create pty/pts and connect it to the guest terminal.
+ create_pty(vmlauncher_app)
+ # Allow other processes to access the pts.
+ allow vmlauncher_app vmlauncher_app_devpts:chr_file setattr;
+')
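Review bot: The new shell.te rule grants shell read/write on every chr_file labeled vmlauncher_app_devpts, not just the pts carrying the guest console, so the comment above it should record that scope and why it is acceptable only behind userdebug_or_eng: `# Allow communicating with the VM terminal (userdebug/eng only: any pts created by vmlauncher_app, i.e. the guest console, becomes reachable from adb shell).` The type vmlauncher_app_devpts is presumably introduced by the create_pty macro in the vmlauncher_app.te hunk of this same change, so this rule only assembles when that block is present under the same gate; a one-line comment naming that dependency, `# vmlauncher_app_devpts is defined by create_pty() in vmlauncher_app.te.`, would keep the two files from drifting apart if either gate is later changed independently.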
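Review bot: The comment `# Allow other processes to access the pts.` describes the intent but not what the rule does: setattr lets vmlauncher_app itself change the pts's DAC attributes (mode, owner, timestamps), which is how the shell's open() passes the discretionary check, while the MAC side of that access is the separate rule in shell.te. Suggest `# setattr lets the app relax the pts DAC mode so adb shell can open it; MAC access is granted in shell.te.` so a later reader does not assume this line alone exposes the pts. Since the pty block is not nested inside the is_flag_enabled() block above it, vmlauncher_app gains create_pty on every userdebug/eng build regardless of that flag; if that is intentional it is worth a short note, otherwise the block could be moved inside the flag guard.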