crosvm now takes all files by FD.
Bug: 192256642 Test: `atest VirtualizationTestCases MicrodroidHostTestCases` on Cuttlefish Change-Id: I8de557269ba56095b0264a65035296627fba8145
parent
1644afe507
commit
c0b4a91a90
2 changed files with 6 additions and 9 deletions
|
@ -31,14 +31,9 @@ allow crosvm {
|
|||
# Allow searching the directory where the composite disk images are.
|
||||
allow crosvm virtualizationservice_data_file:dir search;
|
||||
|
||||
# TODO(b/193402941) delete this. This for now is required because crosvm needs to open the files for
|
||||
# the GPT headers of the composite disks.
|
||||
allow crosvm virtualizationservice_data_file:file open;
|
||||
|
||||
# Don't allow crosvm to open files that it doesn't own.
|
||||
neverallow crosvm {
|
||||
#TODO(b/193402941) uncomment the following line
|
||||
#virtualizationservice_data_file
|
||||
virtualizationservice_data_file
|
||||
staging_data_file
|
||||
apk_data_file
|
||||
app_data_file
|
||||
|
|
|
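Review bot: The `allow crosvm virtualizationservice_data_file:dir search;` rule at the top of this hunk appears to be kept while the file-level `open` allowance goes away. If crosvm really receives every image as an already-open descriptor, it should no longer need to resolve paths under that directory. Consider dropping the rule, or rewording its comment to say what still needs the search, e.g. `# Still needed for <reason>; crosvm must not open anything here itself.` The +/- markers are lost on this page, so which lines are kept is inferred from the 14-to-9 line counts in the hunk header, and the `neverallow crosvm { ... }` block closes outside the hunk.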
@ -9,8 +9,6 @@ init_daemon_domain(virtualizationservice)
|
|||
binder_use(virtualizationservice)
|
||||
# ... and host a binder service
|
||||
binder_service(virtualizationservice)
|
||||
# It needs to call back to app
|
||||
binder_call(virtualizationservice, appdomain)
|
||||
|
||||
# Allow calling into the system server so that it can check permissions.
|
||||
binder_call(virtualizationservice, system_server)
|
||||
|
@ -36,6 +34,8 @@ allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms
|
|||
define(`virtualizationservice_use', `
|
||||
# Let the client call virtualizationservice.
|
||||
binder_call($1, virtualizationservice)
|
||||
# Let virtualizationservice call back to the client.
|
||||
binder_call(virtualizationservice, $1)
|
||||
# Let the client pass file descriptors to virtualizationservice.
|
||||
allow virtualizationservice $1:fd use;
|
||||
')
|
||||
|
@ -43,7 +43,9 @@ allow virtualizationservice $1:fd use;
|
|||
# Let the shell user call virtualizationservice (and virtualizationservice call back to shell) for
|
||||
# debugging.
|
||||
virtualizationservice_use(shell)
|
||||
binder_call(virtualizationservice, shell)
|
||||
|
||||
# Let apps use virtualizationservice.
|
||||
virtualizationservice_use(appdomain)
|
||||
|
||||
# Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
|
||||
# crosvm to the console
|
||||
|
|
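Review bot: `virtualizationservice_use(appdomain)` in the last hunk expands to every app domain, and the macro now carries `binder_call(virtualizationservice, $1)` and `allow virtualizationservice $1:fd use;`, so the policy itself does not limit which apps can reach the service or hand it descriptors. If the real gate is the permission check done through system_server (the `binder_call(virtualizationservice, system_server)` line in the first hunk suggests so), say that at the call site, for example `# Any app may connect at the SELinux level; access is gated by the permission check in virtualizationservice.` The `fd use` grant covers only the descriptor object, so a comment in the macro noting that each file type passed this way still needs its own rule would help the next editor. Added and removed lines are inferred from the hunk header counts because the +/- markers did not survive on this page.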