tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge "Use CAP_SYS_RESOURCE instead of CAP_IPC_LOCK for crosvm"

Browse source
This commit is contained in:
Treehugger Robot 2022-11-10 18:24:04 +00:00 committed by Gerrit Code Review
commit c041485773
2 changed files with 3 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
private/crosvm.te
View file

@ -10,9 +10,6 @@ neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr; neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION }; neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };
# Let crosvm mlock VM memory and page tables.
allow crosvm self:capability ipc_lock;
# Let crosvm create temporary files. # Let crosvm create temporary files.
tmpfs_domain(crosvm) tmpfs_domain(crosvm)

3
private/virtualizationservice.te
View file

@ -22,6 +22,9 @@ add_service(virtualizationservice, virtualization_service)
# When virtualizationservice execs a file with the crosvm_exec label, run it in the crosvm domain. # When virtualizationservice execs a file with the crosvm_exec label, run it in the crosvm domain.
domain_auto_trans(virtualizationservice, crosvm_exec, crosvm) domain_auto_trans(virtualizationservice, crosvm_exec, crosvm)
# Let virtualizationservice (and specifically its children) mlock VM memory and page tables.
allow virtualizationservice self:capability sys_resource;
# Let virtualizationservice kill crosvm. # Let virtualizationservice kill crosvm.
allow virtualizationservice crosvm:process sigkill; allow virtualizationservice crosvm:process sigkill;