tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Introduce vmlauncher_app domain

Browse source 
Bug: 333485208
Test: check display
Change-Id: I64c09f09615e89cf24398c01b8f87b0136be0a7f
This commit is contained in:
Jeongik Cha 2024-04-09 15:02:28 +09:00
parent bc71c77f94
commit 77a3ca6b4c
5 changed files with 21 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
private/crosvm.te
View file

@ -93,7 +93,7 @@ is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
# To provide display service to an app to get surface.
# TODO(b/332677707): remove them when display service uses binder RPC.
allow crosvm priv_app:binder { transfer call };
allow crosvm vmlauncher_app:binder { transfer call };
allow crosvm servicemanager:binder { call transfer };
allow crosvm virtualization_service:service_manager find;
allow crosvm virtualizationservice:binder { call transfer };

7
private/priv_app.te
View file

@ -124,13 +124,6 @@ allow priv_app preloads_data_file:dir r_dir_perms;
allow priv_app preloads_media_file:file r_file_perms;
allow priv_app preloads_media_file:dir r_dir_perms;
is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
# TODO(b/332677707): remove them when display service uses binder RPC.
allow priv_app virtualization_service:service_manager find;
allow priv_app virtualizationservice:binder call;
allow priv_app crosvm:binder { call transfer };
')
read_runtime_log_tags(priv_app)
# Allow priv_apps to request and collect incident reports.

1
private/seapp_contexts
View file

@ -224,3 +224,4 @@ user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file leve
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
user=_app fromRunAs=true domain=runas_app levelFrom=user
user=_app isPrivApp=true name=com.android.virtualization.vmlauncher domain=vmlauncher_app type=privapp_data_file levelFrom=all

2
private/virtualizationservice.te
View file

@ -47,7 +47,7 @@ allow virtualizationservice virtualizationmanager:process setrlimit;
is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
# To provide display service to an app to get surface.
# TODO(b/332677707): remove them when display service uses binder RPC.
allow virtualizationservice priv_app:binder transfer;
allow virtualizationservice vmlauncher_app:binder transfer;
')
# Let virtualizationservice set the owner of a VM's temporary directory.

18
private/vmlauncher_app.te Normal file
View file

@ -0,0 +1,18 @@
type vmlauncher_app, domain;
typeattribute vmlauncher_app coredomain;
app_domain(vmlauncher_app)
allow vmlauncher_app app_api_service:service_manager find;
allow vmlauncher_app system_api_service:service_manager find;
allow vmlauncher_app shell_data_file:dir search;
allow vmlauncher_app shell_data_file:file { read open write };
virtualizationservice_use(vmlauncher_app)
is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
# TODO(b/332677707): remove them when display service uses binder RPC.
allow vmlauncher_app virtualization_service:service_manager find;
allow vmlauncher_app virtualizationservice:binder call;
allow vmlauncher_app crosvm:binder { call transfer };
')