Allow virtualizationservice to create and manage socket files in its data folder am: ad58b8d38a

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2149695 Change-Id: I82ec979db7920325ad6b8f72fdc625b45695db2f Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-10-06 05:31:28 +00:00 · 2022-10-06 05:31:28 +00:00 · ceaafdd823
commit ceaafdd823
parent 8b2e80ef80 ad58b8d38a
2 changed files with 9 additions and 0 deletions
--- a/private/crosvm.te
+++ b/private/crosvm.te
@ -38,6 +38,12 @@ allow crosvm {
 # Allow searching the directory where the composite disk images are.
 allow crosvm virtualizationservice_data_file:dir search;

+# Let crosvm access its control socket as created by VS.
+#   read, write, getattr: listener socket polling
+#   accept: listener socket accepting new connection
+# Note that the open permission is not given as the socket is passed by FD.
+allow crosvm virtualizationservice:unix_stream_socket { accept read write getattr };
+
 # Don't allow crosvm to open files that it doesn't own.
 # This is important because a malicious application could try to start a VM with a composite disk
 # image referring by name to files which it doesn't have permission to open, trying to get crosvm to
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@ -29,6 +29,9 @@ allow virtualizationservice crosvm:process sigkill;
 allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
 allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;

+# Let virtualizationservice manage crosvm control sockets.
+allow virtualizationservice virtualizationservice_data_file:sock_file create_file_perms;
+
 # Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
 # crosvm to the console
 allow virtualizationservice adbd:fd use;