From b20cb78404c49ef0ebcade21c0457e86fd0b40d9 Mon Sep 17 00:00:00 2001
From: Inseob Kim <inseob@google.com>
Date: Thu, 3 Feb 2022 15:30:26 +0900
Subject: [PATCH] Neverallow domains other than VS from executing VM

Bug: 216610937
Test: atest MicrodroidTests
Change-Id: I2ecea6974cb6650f8a7aa8b706ae38e1822805cd
---
 private/crosvm.te | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/private/crosvm.te b/private/crosvm.te
index ec58875f4..426cb28fe 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -89,3 +89,10 @@ neverallow crosvm {
   -app_data_file
   userdebug_or_eng(`-shell_data_file')
 }:file read;
+
+# Only virtualizationservice can run crosvm
+neverallow {
+  domain
+  -crosvm
+  -virtualizationservice
+} crosvm_exec:file no_x_file_perms;