Merge "Sepolicy for crosvm to show display" into main

flagging/Android.bp

@@ -17,6 +17,7 @@
 se_flags {
     name: "aosp_selinux_flags",
     flags: [
+        "RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES",
         "RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT",
         "RELEASE_AVF_ENABLE_LLPVM_CHANGES",
         "RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE",

private/crosvm.te

@@ -81,6 +81,24 @@ allow crosvm adbd:fd use;
 allow crosvm adbd:unix_stream_socket { read write };
 allow crosvm devpts:chr_file { read write getattr ioctl };
 
+is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
+  # Allow crosvm to draw screen in the surface
+  allow crosvm device:dir { read open };
+  allow crosvm same_process_hal_file:file { read open getattr map execute };
+  allow crosvm gpu_device:chr_file { read write open ioctl map open getattr };
+  allow crosvm hal_graphics_allocator:fd use;
+  allow crosvm hal_graphics_allocator_server:binder call;
+  allow crosvm surfaceflinger:fd use;
+  hal_client_domain(crosvm, hal_graphics_allocator)
+
+  # To provide display service to an app to get surface.
+  # TODO(b/332677707): remove them when display service uses binder RPC.
+  allow crosvm priv_app:binder { transfer call };
+  allow crosvm servicemanager:binder { call transfer };
+  allow crosvm virtualization_service:service_manager find;
+  allow crosvm virtualizationservice:binder { call transfer };
+')
+
 # crosvm tries to use netlink sockets as part its APCI implementation, but we don't need it for AVF (b/228077254)
 dontaudit crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
 
@@ -136,6 +154,7 @@ full_treble_only(`
     -vendor_microdroid_file
     -vndk_sp_file
     -vendor_task_profiles_file
+    is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `-same_process_hal_file')
   }:file *;
 ')
 

private/priv_app.te

@@ -124,6 +124,13 @@ allow priv_app preloads_data_file:dir r_dir_perms;
 allow priv_app preloads_media_file:file r_file_perms;
 allow priv_app preloads_media_file:dir r_dir_perms;
 
+is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
+  # TODO(b/332677707): remove them when display service uses binder RPC.
+  allow priv_app virtualization_service:service_manager find;
+  allow priv_app virtualizationservice:binder call;
+  allow priv_app crosvm:binder { call transfer };
+')
+
 read_runtime_log_tags(priv_app)
 
 # Allow priv_apps to request and collect incident reports.

private/virtualizationservice.te

@@ -18,7 +18,7 @@ is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, `
     add_service(virtualizationservice, virtualization_maintenance_service)
 ')
 
-is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
     # Let virtualizationservice find and communicate with vfio_handler.
     allow virtualizationservice vfio_handler_service:service_manager find;
     binder_call(virtualizationservice, vfio_handler)
@@ -44,6 +44,12 @@ hal_client_domain(virtualizationservice, hal_secretkeeper)
 allow virtualizationservice self:capability sys_resource;
 allow virtualizationservice virtualizationmanager:process setrlimit;
 
+is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
+  # To provide display service to an app to get surface.
+  # TODO(b/332677707): remove them when display service uses binder RPC.
+  allow virtualizationservice priv_app:binder transfer;
+')
+
 # Let virtualizationservice set the owner of a VM's temporary directory.
 allow virtualizationservice self:capability chown;
 
@@ -112,6 +118,8 @@ neverallow virtualizationservice {
   domain
   -virtualizationmanager
   -virtualizationservice
+  # TODO(b/332677707): remove them when display service uses binder RPC.
+  is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `-crosvm')
 }:process setrlimit;
 
 is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `