type crosvm, domain, coredomain;
type crosvm_exec, system_file_type, exec_type, file_type;
type crosvm_tmpfs, file_type;

# Let crosvm create temporary files.
tmpfs_domain(crosvm)

# Let crosvm receive file descriptors from VirtualizationService.
allow crosvm virtualizationservice:fd use;

# Let crosvm open /dev/kvm.
allow crosvm kvm_device:chr_file rw_file_perms;

# Most other domains shouldn't access /dev/kvm.
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;

# Let crosvm read and write files from clients of virtualizationservice, but not open them directly
# as they must be passed via virtualizationservice.
allow crosvm apk_data_file:file { getattr read };
allow crosvm app_data_file:file { getattr read write };
# shell_data_file is used for automated tests and manual debugging.
allow crosvm shell_data_file:file { getattr read write };