Allow virtualizationservice to check for PKVM extension

Bug: 210803811
Test: watch TH for all our tests
Change-Id: Iac4528fa2a0dbebeca4504469624f50832689f43
Jiyong Park 2021-12-28 21:26:03 +09:00
parent ca043d348f
commit 2dd48d0400
2 changed files with 6 additions and 1 deletions


@ -7,7 +7,8 @@ allow crosvm kvm_device:chr_file rw_file_perms;
# Most other domains shouldn't access /dev/kvm.
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
neverallow { domain -crosvm -ueventd -virtualizationservice } kvm_device:chr_file ~getattr;
neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };
# Let crosvm create temporary files.
tmpfs_domain(crosvm)
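Review bot: The rewritten assertion `neverallow { domain -crosvm -ueventd -virtualizationservice } kvm_device:chr_file ~getattr;` drops virtualizationservice from the guard entirely, so any chr_file permission other than getattr (mmap, setattr, lock, and so on) could later be allowed to it without tripping a neverallow; only the ioctl number is still pinned by the added `neverallowxperm` line. Since the companion rules in virtualizationservice.te in this same commit need only open, read, write and ioctl, a narrower assertion keeps the intent of the original guard: `neverallow virtualizationservice kvm_device:chr_file ~{ open read write ioctl };` placed directly after the rewritten line. The `getattr` assertion two lines above does not exempt virtualizationservice, so the two rules together leave exactly the intended permission set, and neverallow rules are checked at policy build time and cost nothing at runtime. Which of the two similar neverallow lines is the old one is inferred from the one-deletion diffstat, as the page has lost its +/- markers.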


@ -55,6 +55,10 @@ allow virtualizationservice staging_data_file:dir search;
# Let virtualizationservice to accept vsock connection from the guest VMs
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
# Allow virtualization to ioctl on dev/kvm only to check if protected VM is supported or not.
allow virtualizationservice kvm_device:chr_file { open read write };
allowxperm virtualizationservice kvm_device:chr_file ioctl KVM_CHECK_EXTENSION;
# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
set_prop(virtualizationservice, virtualizationservice_prop)
neverallow {
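Review bot: The base rule `allow virtualizationservice kvm_device:chr_file { open read write };` does not grant `ioctl`, and an `allowxperm` only restricts an ioctl permission that a plain allow rule has already granted, so unless ioctl is allowed elsewhere in the file the KVM_CHECK_EXTENSION call will still be denied at the base permission check; the line should read `allow virtualizationservice kvm_device:chr_file { open read write ioctl };`. The added comment also names the wrong domain and path: `# Allow virtualizationservice to ioctl on /dev/kvm only to check if protected VM is supported or not.` would match the rule beneath it. The `neverallow {` at the end of the hunk opens a statement that continues outside it.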