tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge "Use CAP_SYS_RESOURCE instead of CAP_IPC_LOCK for crosvm" am: c041485773

Browse source 
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2276846

Change-Id: Ifbc7486a0b2c82c6903157b948615c21546f8daa
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Treehugger Robot 2022-11-10 18:54:51 +00:00 committed by Automerger Merge Worker
commit 98cc203f06
2 changed files with 3 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
private/crosvm.te
View file

@ -10,9 +10,6 @@ neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };
# Let crosvm mlock VM memory and page tables.
allow crosvm self:capability ipc_lock;
# Let crosvm create temporary files.
tmpfs_domain(crosvm)

3
private/virtualizationservice.te
View file

@ -22,6 +22,9 @@ add_service(virtualizationservice, virtualization_service)
# When virtualizationservice execs a file with the crosvm_exec label, run it in the crosvm domain.
domain_auto_trans(virtualizationservice, crosvm_exec, crosvm)
# Let virtualizationservice (and specifically its children) mlock VM memory and page tables.
allow virtualizationservice self:capability sys_resource;
# Let virtualizationservice kill crosvm.
allow virtualizationservice crosvm:process sigkill;