Fix denial due to vfio_handler's IBoundDevice

As virtualizationmanager holds references to IBoundDevice returned by vfio_handler, virtualizationmanager should also have permission to binder_call. Bug: 278008519 Test: boot microdroid with assigned devices Change-Id: I7b87de099b0731c386666cec215807dc39d8c89c
2024-01-03 09:32:18 +09:00 · 2024-01-03 09:32:18 +09:00 · fb0ed7fcc4
commit fb0ed7fcc4
parent 24d52ac42a
2 changed files with 7 additions and 2 deletions
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@ -111,3 +111,8 @@ r_dir_file(virtualizationmanager, crosvm);
 # For debug purposes we try to get the canonical path from /proc/self/fd/N. That triggers
 # a harmless denial for CompOS log files, so ignore that.
 dontaudit virtualizationmanager apex_module_data_file:dir search;
+
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+    # virtualizationmanager holds references to bound devices, returned from vfio_handler
+    binder_call(virtualizationmanager, vfio_handler)
+')
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@ -104,6 +104,6 @@ neverallow virtualizationservice {
 }:process setrlimit;

 is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
-    # Only virtualizationservice can communicate to vfio_handler
-    neverallow { domain -virtualizationservice -servicemanager } vfio_handler:binder call;
+    # Only virtualizationservice and virtualizationmanager can communicate to vfio_handler
+    neverallow { domain -virtualizationmanager -virtualizationservice -servicemanager } vfio_handler:binder call;
 ')