Merge "Add rules for reading VM DTBO by vfio_handler" into main am: 6d6183a709

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2715175

Change-Id: Ie5e9e91685444367d5357bb0baaf434ad7cc5d0c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Treehugger Robot 2023-08-18 09:33:55 +00:00 committed by Automerger Merge Worker
commit 83c375ea49
4 changed files with 10 additions and 0 deletions


@ -6,6 +6,7 @@
(typeattributeset new_objects
( new_objects
archive_service
dtbo_block_device
ota_build_prop
snapuserd_log_data_file
hal_threadnetwork_service


@ -27,5 +27,9 @@ allow vfio_handler virtualizationservice_data_file:file write;
# vfio_handler can only use fd from virtualizationmanager, and can't open files itself
neverallow vfio_handler virtualizationservice_data_file:file { open create };
# Allow vfio_handler to search /dev/block for accessing dtbo.img
allow vfio_handler block_device:dir search;
allow vfio_handler dtbo_block_device:blk_file r_file_perms;
# Only vfio_handler can add vfio_handler_service
neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;
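Review bot: The comment at the top of this hunk, `# vfio_handler can only use fd from virtualizationmanager, and can't open files itself`, no longer holds once `allow vfio_handler dtbo_block_device:blk_file r_file_perms;` is added, since r_file_perms includes open. The neverallow below that comment is scoped to virtualizationservice_data_file, so the comment should be scoped the same way: `# vfio_handler can only use fds from virtualizationmanager for its data files, and can't open those itself`. r_file_perms on the blk_file also grants ioctl and map on the raw dtbo partition, so if the handler only needs to read dtbo.img the narrower `allow vfio_handler dtbo_block_device:blk_file { getattr open read };` matches what the comment on the preceding line describes. The grant is read-only either way, so no write path to the partition is introduced.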


@ -93,6 +93,10 @@ type recovery_block_device, dev_type;
# Documented at https://source.android.com/devices/bootloader/partitions
type boot_block_device, dev_type;
# dtbo block device, type used for getting DTBO information for AVF.
# Documented at https://source.android.com/docs/core/architecture/dto/partitions
type dtbo_block_device, dev_type;
# Userdata block device mounted on /data.
# Documented at https://source.android.com/devices/bootloader/partitions
type userdata_block_device, dev_type;


@ -56,6 +56,7 @@ allow init {
userdata_block_device
}:{ blk_file lnk_file } relabelto;
allow init dtbo_block_device:lnk_file relabelto;
allow init super_block_device:lnk_file relabelto;
# Create /mnt/sdcard -> /storage/self/primary symlink.