Merge "Add rules for reading VM DTBO by vfio_handler" into main am: 6d6183a709
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2715175 Change-Id: Ie5e9e91685444367d5357bb0baaf434ad7cc5d0c Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
83c375ea49
4 changed files with 10 additions and 0 deletions
@ -6,6 +6,7 @@
(typeattributeset new_objects
(typeattributeset new_objects
( new_objects
( new_objects
archive_service
archive_service
dtbo_block_device
ota_build_prop
ota_build_prop
snapuserd_log_data_file
snapuserd_log_data_file
hal_threadnetwork_service
hal_threadnetwork_service
@ -27,5 +27,9 @@ allow vfio_handler virtualizationservice_data_file:file write;
# vfio_handler can only use fd from virtualizationmanager, and can't open files itself
# vfio_handler can only use fd from virtualizationmanager, and can't open files itself
neverallow vfio_handler virtualizationservice_data_file:file { open create };
neverallow vfio_handler virtualizationservice_data_file:file { open create };
# Allow vfio_handler to search /dev/block for accessing dtbo.img
allow vfio_handler block_device:dir search;
allow vfio_handler dtbo_block_device:blk_file r_file_perms;
# Only vfio_handler can add vfio_handler_service
# Only vfio_handler can add vfio_handler_service
neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;
neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;
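Review bot: The context comment `# vfio_handler can only use fd from virtualizationmanager, and can't open files itself` above the neverallow is no longer accurate once this hunk lands: `r_file_perms` on `dtbo_block_device:blk_file` includes `open`, so vfio_handler now opens one file on its own. Suggest rewording it to `# vfio_handler can only use fds from virtualizationmanager for data files and can't open them itself; the read-only dtbo block device below is the one exception`. Because this grants raw read of an entire partition rather than a descriptor handed over by the manager, it is worth confirming that the rule is not caught by the raw block-device neverallows in domain.te and that the DTBO partition holds nothing vfio_handler should not see. If vfio_handler reaches the node through a `/dev/block/by-name` symlink carrying the same label, it presumably also needs `lnk_file read` on `dtbo_block_device` unless a domain-wide rule already covers symlinks in /dev.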
@ -93,6 +93,10 @@ type recovery_block_device, dev_type;
# Documented at https://source.android.com/devices/bootloader/partitions
# Documented at https://source.android.com/devices/bootloader/partitions
type boot_block_device, dev_type;
type boot_block_device, dev_type;
# dtbo block device, type used for getting DTBO information for AVF.
# Documented at https://source.android.com/docs/core/architecture/dto/partitions
type dtbo_block_device, dev_type;
# Userdata block device mounted on /data.
# Userdata block device mounted on /data.
# Documented at https://source.android.com/devices/bootloader/partitions
# Documented at https://source.android.com/devices/bootloader/partitions
type userdata_block_device, dev_type;
type userdata_block_device, dev_type;
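Review bot: Nothing in this change labels the dtbo partition with the new type — none of the four touched files is a file_contexts — so the `dtbo_block_device` grant to vfio_handler stays inert until device policy assigns the label to the partition's `/dev/block/by-name` entry. The new comment should say so, e.g. `# Platform policy only declares the type; device file_contexts must label the dtbo partition (its /dev/block/by-name entry) with it.` It would also help to state in the comment that AVF access is read-only, matching the r_file_perms grant in vfio_handler.te, so that any later write grant on this type stands out in review.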
@ -56,6 +56,7 @@ allow init {
userdata_block_device
userdata_block_device
}:{ blk_file lnk_file } relabelto;
}:{ blk_file lnk_file } relabelto;
allow init dtbo_block_device:lnk_file relabelto;
allow init super_block_device:lnk_file relabelto;
allow init super_block_device:lnk_file relabelto;
# Create /mnt/sdcard -> /storage/self/primary symlink.
# Create /mnt/sdcard -> /storage/self/primary symlink.
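Review bot: `dtbo_block_device` receives only `lnk_file relabelto` here, mirroring `super_block_device` rather than the `{ blk_file lnk_file }` list it sits next to; that is presumably enough only because the underlying node is labelled at creation by ueventd via file_contexts and init merely relabels the by-name symlink. A one-line comment recording that intent, `# Symlink only: the dtbo node itself is labelled by ueventd through file_contexts`, would keep the next reader from adding `blk_file` by analogy with the list above. The `allow init { ... }` statement this hunk extends begins outside the hunk.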