Change sepolicy of virtualizationservice and vfio_handler for VM DTBO

Bug: 297103622
Test: adb shell /apex/com.android.virt/bin/vm run-microdroid --devices /sys/bus/platform/devices/16d00000.eh --protected
Change-Id: Icebba7f441a94f8ba54b4a9d35036d4202a513ab

private/vfio_handler.te

@@ -20,11 +20,11 @@ allow vfio_handler vfio_device:dir r_dir_perms;
 allow vfio_handler sysfs:dir r_dir_perms;
 allow vfio_handler sysfs:file rw_file_perms;
 
-# Allow vfio_handler to write to VM DTBO via a file created by virtualizationmanager.
-allow vfio_handler virtualizationmanager:fd use;
+# Allow vfio_handler to write to VM DTBO via a file created by virtualizationservice.
+allow vfio_handler virtualizationservice:fd use;
 allow vfio_handler virtualizationservice_data_file:file write;
 
-# vfio_handler can only use fd from virtualizationmanager, and can't open files itself
+# vfio_handler can only use fd from virtualizationservice, and can't open files itself
 neverallow vfio_handler virtualizationservice_data_file:file { open create };
 
 # Allow vfio_handler to search /dev/block for accessing dtbo.img

private/virtualizationservice.te

@@ -34,8 +34,8 @@ allow virtualizationservice self:capability chown;
 # Let virtualizationservice create and delete temporary directories of VMs. To remove old
 # directories, it needs the permission to unlink the files created by virtualizationmanager.
 allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
-allow virtualizationservice virtualizationservice_data_file:{ file sock_file } unlink;
-allow virtualizationservice virtualizationservice_data_file:file write;
+allow virtualizationservice virtualizationservice_data_file:sock_file unlink;
+allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
 
 # Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
 # crosvm to the console