From c69ad27186e0d25b6139db8d5e80ee975b3a847d Mon Sep 17 00:00:00 2001
From: Alan Stokes
Date: Wed, 26 Oct 2022 11:26:58 +0100
Subject: [PATCH] Fix VS denials on fifo_file

While running the MicrodroidTests I noticed denials like these:

avc: denied { getattr } for comm="virtualizations" path="pipe:[86794]" dev="pipefs" ino=86794 scontext=u:r:virtualizationservice:s0 tcontext=u:r:untrusted_app:s0:c122,c256,c512,c768 tclass=fifo_file permissive=0

These are harmless, so we could dontaudit them, but it is also fine to simply allow getattr.

Test: atest MicrodroidTests, no denials seen
Change-Id: I53a2967eb6e396979a86715b3d5a7681f48dcb63
---
 public/te_macros | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/public/te_macros b/public/te_macros
index 8a8b47356..ab42534ea 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -194,7 +194,7 @@ binder_call(virtualizationservice, $1)
 # to crosvm
 allow { virtualizationservice crosvm } $1:fd use;
 # Allow piping console log to the client
-allow { virtualizationservice crosvm } $1:fifo_file write;
+allow { virtualizationservice crosvm } $1:fifo_file { getattr write};
 # Allow client to read/write vsock created by virtualizationservice to
 # communicate with the VM that it created. Notice that we do not grant
 # permission to create a vsock; the client can only connect to VMs
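Review bot: The added rule grants getattr on the client's fifo_file to both virtualizationservice and crosvm, while the denial quoted in the description names only scontext=virtualizationservice; if crosvm does not need to stat the pipe, restricting the new permission to virtualizationservice keeps the grant minimal, and if it does, a short comment saying why would justify the wider rule. The permission set is also written as `{ getattr write}`, missing the closing space used in the source set `{ virtualizationservice crosvm }` on the same line, and the comment above now only mentions piping the log; suggested `# Allow piping console log to the client; getattr so the pipe can be stat'ed` and `allow { virtualizationservice crosvm } $1:fifo_file { getattr write };`. The enclosing macro definition starts and ends outside the hunk.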