From 42798af0cb6189d89a449b083c7e08d12aa39428 Mon Sep 17 00:00:00 2001
From: Inseob Kim
Date: Fri, 13 Jan 2023 14:08:16 +0900
Subject: [PATCH] dontaudit crosvm reading VM's pipe
Bug: 238593451
Test: boot microdroid and see console
Change-Id: I46712759240a9f091936c6a81bb02679c267b8b8
---
 private/crosvm.te | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/private/crosvm.te b/private/crosvm.te
index c682bb504..aae83231a 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -16,7 +16,7 @@ tmpfs_domain(crosvm)
 # Let crosvm receive file descriptors from VirtualizationService.
 allow crosvm virtualizationmanager:fd use;
-# Allow sending VirtualizationService the failure reason from the VM via pipe.
+# Allow sending VirtualizationService the failure reason and console/log from the VM via pipe.
 allow crosvm virtualizationmanager:fifo_file write;
 # Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
@@ -74,6 +74,11 @@ dontaudit crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
 # when the vm is created by the `vm` tool) and handed over to crosvm as FD.
 allow crosvm shell_data_file:file write;
+# crosvm tries to read serial device, including the write-only pipe from virtualizationmanager (to
+# forward console/log to the host logcat).
+# crosvm only needs write permission, so dontaudit read
+dontaudit crosvm virtualizationmanager:fifo_file read;
 # Don't allow crosvm to open files that it doesn't own.
 # This is important because a malicious application could try to start a VM with a composite disk
 # image referring by name to files which it doesn't have permission to open, trying to get crosvm to
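Review bot: The new `dontaudit crosvm virtualizationmanager:fifo_file read;` in the second hunk only suppresses the audit record; read stays denied, so the added comment should state that explicitly so a future reader does not mistake the rule for a grant or go looking for a missing `allow` when a read silently fails. I would reword the third comment line to `# crosvm only needs write permission; the read is expected to fail, so only suppress the audit noise (dontaudit grants nothing).` which also fixes the missing trailing period relative to the surrounding comments. The rule is correctly scoped to the single `read` permission rather than a broader permission set, so the amount of hidden denial traffic is minimal; keep it that narrow if the comment's claim that crosvm merely probes the serial fd is confirmed. The first hunk only rewords a comment and needs no change.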