[service-vm] Adjust sepolicy for running service VM

Bug: 278858244
Test: Runs the ServiceVmClientApp in VM
Test: atest MicrodroidHostTests
Change-Id: Ia59fe910edc0826aa5866468c27558e9d190b58d

private/crosvm.te

@@ -27,8 +27,9 @@ allow crosvm virtualizationmanager:fifo_file write;
 
 # Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
 # (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
-# /data/local/tmp), and instance.img (app_data_file). Note that the open permission is not given as
-# the files are passed as file descriptors.
+# /data/local/tmp), and instance.img (app_data_file).
+# Allow crosvm to read the instance image of the service VM saved in apex_virt_data_file.
+# Note that the open permission is not given as the files are passed as file descriptors.
 allow crosvm {
   virtualizationservice_data_file
   staging_data_file
@@ -36,6 +37,7 @@ allow crosvm {
   app_data_file
   privapp_data_file
   apex_compos_data_file
+  apex_virt_data_file
   shell_data_file
 }:file { getattr read ioctl lock };
 
@@ -64,6 +66,7 @@ allow crosvm {
   app_data_file
   privapp_data_file
   apex_compos_data_file
+  apex_virt_data_file
 }:file write;
 
 # Allow crosvm to pipe console log to shell or app which could be the owner of a VM.

private/file.te

@@ -67,6 +67,9 @@ type apex_art_staging_data_file, file_type, data_file_type, core_data_file_type;
 # /data/misc/apexdata/com.android.compos
 type apex_compos_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
 
+# /data/misc/apexdata/com.android.virt
+type apex_virt_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;
+
 # legacy labels for various /data/misc[_ce|_de]/*/apexdata directories - retained
 # for backward compatibility b/217581286
 type apex_appsearch_data_file, file_type, data_file_type, core_data_file_type, apex_data_file_type;

private/file_contexts

@@ -601,6 +601,7 @@
 /data/misc/apexdata(/.*)?       u:object_r:apex_module_data_file:s0
 /data/misc/apexdata/com\.android\.art(/.*)?           u:object_r:apex_art_data_file:s0
 /data/misc/apexdata/com\.android\.compos(/.*)?        u:object_r:apex_compos_data_file:s0
+/data/misc/apexdata/com\.android\.virt(/.*)?          u:object_r:apex_virt_data_file:s0
 /data/misc/apexdata/com\.android\.permission(/.*)?    u:object_r:apex_system_server_data_file:s0
 /data/misc/apexdata/com\.android\.scheduling(/.*)?    u:object_r:apex_system_server_data_file:s0
 /data/misc/apexdata/com\.android\.tethering(/.*)?     u:object_r:apex_system_server_data_file:s0

private/virtualizationmanager.te

@@ -40,6 +40,7 @@ allow virtualizationmanager apk_data_file:file { getattr read };
 allow virtualizationmanager {
   app_data_file
   apex_compos_data_file
+  apex_virt_data_file
   privapp_data_file
 }:file { getattr read write };
 

private/virtualizationservice.te

@@ -42,6 +42,15 @@ allow virtualizationservice virtualizationservice_data_file:file write;
 allow virtualizationservice adbd:fd use;
 allow virtualizationservice adbd:unix_stream_socket { read write };
 
+# Allow to connnect to and run VirtMgr to start the service VM for remote attestation.
+virtualizationservice_use(virtualizationservice)
+
+# Allow virtualizationservice to read and write in the apex data directory
+# /data/misc/apexdata/com.android.virt
+allow virtualizationservice apex_module_data_file:dir search;
+allow virtualizationservice apex_virt_data_file:dir create_dir_perms;
+allow virtualizationservice apex_virt_data_file:file create_file_perms;
+
 # Let virtualizationservice to accept vsock connection from the guest VMs to singleton services
 # such as the guest tombstone server.
 allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };