Merge "crosvm can access data_shell_file on user builds" am: d222ea676b
am: af42eee34c
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2064912 Change-Id: Ifcd1e801f0f591601eb054e0ea0b78c363afdc9f Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
commit
178a031dce
1 changed files with 6 additions and 7 deletions
|
@ -32,7 +32,7 @@ allow crosvm {
|
|||
apk_data_file
|
||||
app_data_file
|
||||
apex_compos_data_file
|
||||
userdebug_or_eng(`shell_data_file')
|
||||
shell_data_file
|
||||
}:file { getattr read ioctl lock };
|
||||
|
||||
# Allow searching the directory where the composite disk images are.
|
||||
|
@ -84,15 +84,14 @@ full_treble_only(`
|
|||
}:file *;
|
||||
')
|
||||
|
||||
# app_data_file (and shell_data_file for debuggable builds) is the only
|
||||
# app_data_file_type that is allowed for crosvm to read. Note that the use of
|
||||
# app_data_file is allowed only for the instance disk image. This is enforced
|
||||
# inside the virtualizationservice by checking the file context of all disk
|
||||
# image files.
|
||||
# app_data_file and shell_data_file is the only app_data_file_type that is
|
||||
# allowed for crosvm to read. Note that the use of app_data_file is allowed
|
||||
# only for the instance disk image. This is enforced inside the
|
||||
# virtualizationservice by checking the file context of all disk image files.
|
||||
neverallow crosvm {
|
||||
app_data_file_type
|
||||
-app_data_file
|
||||
userdebug_or_eng(`-shell_data_file')
|
||||
-shell_data_file
|
||||
}:file read;
|
||||
|
||||
# Only virtualizationservice can run crosvm
|
||||
|
|
Loading…
Reference in a new issue