Merge "Add rules for reading VM DTBO by vfio_handler" into main am: 6d6183a709
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2715175 Change-Id: Ie5e9e91685444367d5357bb0baaf434ad7cc5d0c Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
commit
83c375ea49
4 changed files with 10 additions and 0 deletions
|
@ -6,6 +6,7 @@
|
|||
(typeattributeset new_objects
|
||||
( new_objects
|
||||
archive_service
|
||||
dtbo_block_device
|
||||
ota_build_prop
|
||||
snapuserd_log_data_file
|
||||
hal_threadnetwork_service
|
||||
|
|
|
@ -27,5 +27,9 @@ allow vfio_handler virtualizationservice_data_file:file write;
|
|||
# vfio_handler can only use fd from virtualizationmanager, and can't open files itself
|
||||
neverallow vfio_handler virtualizationservice_data_file:file { open create };
|
||||
|
||||
# Allow vfio_handler to search /dev/block for accessing dtbo.img
|
||||
allow vfio_handler block_device:dir search;
|
||||
allow vfio_handler dtbo_block_device:blk_file r_file_perms;
|
||||
|
||||
# Only vfio_handler can add vfio_handler_service
|
||||
neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;
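Review bot: The comment at the top of the hunk, `# vfio_handler can only use fd from virtualizationmanager, and can't open files itself`, is no longer accurate once `allow vfio_handler dtbo_block_device:blk_file r_file_perms;` lets the domain open a block device on its own; narrow it to what the neverallow below it actually guards, e.g. `# vfio_handler can only use fds from virtualizationmanager for VM data files and can't open them itself; the only file it opens directly is the read-only dtbo block device`. The r_file_perms macro expands beyond open/read (it also carries ioctl, lock and map), so if the handler only reads the image, `allow vfio_handler dtbo_block_device:blk_file { getattr open read };` is the tighter grant — whether ioctls are needed cannot be told from this hunk. Since the new `block_device:dir search` lets the domain walk /dev/block, a scoping neverallow such as `neverallow vfio_handler { dev_type -dtbo_block_device }:blk_file *;` would document that no other block device is meant to be reachable, assuming vfio_handler has no other blk_file access elsewhere in the file.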
|
||||
|
|
|
@ -93,6 +93,10 @@ type recovery_block_device, dev_type;
|
|||
# Documented at https://source.android.com/devices/bootloader/partitions
|
||||
type boot_block_device, dev_type;
|
||||
|
||||
# dtbo block device, type used for getting DTBO information for AVF.
|
||||
# Documented at https://source.android.com/docs/core/architecture/dto/partitions
|
||||
type dtbo_block_device, dev_type;
|
||||
|
||||
# Userdata block device mounted on /data.
|
||||
# Documented at https://source.android.com/devices/bootloader/partitions
|
||||
type userdata_block_device, dev_type;
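Review bot: Nothing in this commit's four files assigns the new `dtbo_block_device` label to a device node, so the type declaration on its own looks unused; presumably the labeling is left to device-specific file_contexts, which is also why init only needs lnk_file relabelto in the init.te hunk. Saying so in the comment would save the next reader from searching for a file_contexts entry that is not in this tree: `# Labeled by device file_contexts; expected on the /dev/block symlink for the dtbo partition (see init.te).` The existing comment line `# dtbo block device, type used for getting DTBO information for AVF.` could then stay as the first line.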
|
||||
|
|
|
@ -56,6 +56,7 @@ allow init {
|
|||
userdata_block_device
|
||||
}:{ blk_file lnk_file } relabelto;
|
||||
|
||||
allow init dtbo_block_device:lnk_file relabelto;
|
||||
allow init super_block_device:lnk_file relabelto;
|
||||
|
||||
# Create /mnt/sdcard -> /storage/self/primary symlink.
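Review bot: `allow init dtbo_block_device:lnk_file relabelto;` grants only lnk_file, while the braced list just above it gives the other partition types `{ blk_file lnk_file }`; this matches the super_block_device line below, but a device whose file_contexts labels the underlying node rather than only the symlink under /dev/block would fail relabel at boot. If lnk_file-only is deliberate, a one-line comment makes that explicit for the next reader: `# Only the /dev/block symlink for the dtbo partition carries this label.`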
|
||||
|
|