Fix VS denials on fifo_file

While running the MicrodroidTests I noticed denials like these:
 avc: denied { getattr } for comm="virtualizations" path="pipe:[86794]"
 dev="pipefs" ino=86794 scontext=u:r:virtualizationservice:s0
 tcontext=u:r:untrusted_app:s0:c122,c256,c512,c768 tclass=fifo_file
 permissive=0

These are harmless, so we could dontaudit them, but it is also fine
to simply allow getattr.

Test: atest MicrodroidTests, no denials seen
Change-Id: I53a2967eb6e396979a86715b3d5a7681f48dcb63
Alan Stokes 2022-10-26 11:26:58 +01:00
parent b65de6ed0a
commit c69ad27186


@ -194,7 +194,7 @@ binder_call(virtualizationservice, $1)
# to crosvm
allow { virtualizationservice crosvm } $1:fd use;
# Allow piping console log to the client
allow { virtualizationservice crosvm } $1:fifo_file write;
allow { virtualizationservice crosvm } $1:fifo_file { getattr write};
# Allow client to read/write vsock created by virtualizationservice to
# communicate with the VM that it created. Notice that we do not grant
# permission to create a vsock; the client can only connect to VMs
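Review bot: the new `allow { virtualizationservice crosvm } $1:fifo_file { getattr write};` rule grants getattr to crosvm as well, while the denial quoted in the commit message comes only from scontext=u:r:virtualizationservice:s0; either narrow the getattr grant to virtualizationservice or state in the message that crosvm needs it too. The comment above the rule ("Allow piping console log to the client") could also mention that getattr is needed so the pipe's attributes can be read. Minor style: `{ getattr write}` is missing the space before the closing brace that the surrounding rules use (`{ virtualizationservice crosvm }`), so `{ getattr write }` would be consistent.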