Neverallow domains other than VS from executing VM

Bug: 216610937 Test: atest MicrodroidTests Change-Id: I2ecea6974cb6650f8a7aa8b706ae38e1822805cd
2022-02-03 15:30:26 +09:00 · 2022-02-03 15:30:26 +09:00 · b20cb78404
commit b20cb78404
parent b289dc4d1d
1 changed files with 7 additions and 0 deletions
--- a/private/crosvm.te
+++ b/private/crosvm.te
@ -89,3 +89,10 @@ neverallow crosvm {
  -app_data_file
  userdebug_or_eng(`-shell_data_file')
 }:file read;
+
+# Only virtualizationservice can run crosvm
+neverallow {
+  domain
+  -crosvm
+  -virtualizationservice
+} crosvm_exec:file no_x_file_perms;