From cdd5e079562a62c392b2f935f06a8190baf46bae Mon Sep 17 00:00:00 2001
From: Jiyong Park
Date: Tue, 19 Apr 2022 11:48:32 +0900
Subject: [PATCH] crosvm can access data_shell_file on user builds

Some of our CTS tests require that crosvm to have read/write access to files on /data/local/tmp/virt which is labeled as data_shell_file. Since CTS tests should pass on user builds, grant the access in user builds as well.

Note that the open access is still disallowed in user builds.

Bug: 222013014
Test: run cts
Change-Id: I4f93ac64d72cfe63275f04f2c5ea6fb99e9b5874
---
 private/crosvm.te | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/private/crosvm.te b/private/crosvm.te
index 0fd146e31..167ad2f97 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -32,7 +32,7 @@ allow crosvm {
   apk_data_file
   app_data_file
   apex_compos_data_file
-  userdebug_or_eng(`shell_data_file')
+  shell_data_file
 }:file { getattr read ioctl lock };
 
 # Allow searching the directory where the composite disk images are.
@@ -84,15 +84,14 @@ full_treble_only(`
 }:file *;
 ')
 
-# app_data_file (and shell_data_file for debuggable builds) is the only
-# app_data_file_type that is allowed for crosvm to read. Note that the use of
-# app_data_file is allowed only for the instance disk image. This is enforced
-# inside the virtualizationservice by checking the file context of all disk
-# image files.
+# app_data_file and shell_data_file is the only app_data_file_type that is
+# allowed for crosvm to read. Note that the use of app_data_file is allowed
+# only for the instance disk image. This is enforced inside the
+# virtualizationservice by checking the file context of all disk image files.
 neverallow crosvm {
   app_data_file_type
   -app_data_file
-  userdebug_or_eng(`-shell_data_file')
+  -shell_data_file
 }:file read;
 
 # Only virtualizationservice can run crosvm
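Review bot: The allow rule for shell_data_file grants only `{ getattr read ioctl lock }`, while the commit message says the CTS tests need read/write access to files under /data/local/tmp/virt; either the message overstates what this patch grants, or write access comes from a rule outside this hunk, and the message should say which. The subject also names the type `data_shell_file` where the policy type used here is `shell_data_file`. A one-line comment next to the new entry, `# shell_data_file is readable on all builds: CTS stages test files under /data/local/tmp/virt`, would record why the userdebug_or_eng gate was dropped. The enclosing allow block starts before this hunk.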
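Review bot: The rewritten comment's first sentence does not agree in number; `# app_data_file and shell_data_file is the only app_data_file_type that is` should read `# app_data_file and shell_data_file are the only app_data_file_types that are`. With the userdebug_or_eng gate removed from both the allow rule and this neverallow, the comment no longer states that shell_data_file is carved out on every build, so a sentence such as `# shell_data_file is allowed on all builds because CTS tests stage files there.` would keep the rationale next to the rule. The neverallow itself still exempts only app_data_file and shell_data_file, which is consistent with the allow rule in the earlier hunk.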