# SELinux policy for the virtualizationservice daemon: declares its domain and
# executable types, its Binder service registration, its transition into the
# crosvm domain, and the file, fd and socket access it is granted.

# Domain type for the running daemon, and the file type for its executable.
type virtualizationservice, domain, coredomain;
type virtualizationservice_exec, system_file_type, exec_type, file_type;

# When init runs a file labelled with virtualizationservice_exec, run it in the
# virtualizationservice domain.
init_daemon_domain(virtualizationservice)

# Let the virtualizationservice domain use Binder.
binder_use(virtualizationservice)

# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
add_service(virtualizationservice, virtualization_service)

# When virtualizationservice execs a file with the crosvm_exec label, run it in the crosvm domain.
domain_auto_trans(virtualizationservice, crosvm_exec, crosvm)

# Let virtualizationservice exec other files (e.g. mk_cdisk) in the same domain.
# The target is the generic system_file label, so this covers every file with that
# label, not only mk_cdisk, and whatever is executed keeps the full
# virtualizationservice permission set because no domain transition happens.
# NOTE(review): a dedicated exec type for the helper would narrow this - confirm
# whether the breadth is intended.
allow virtualizationservice system_file:file execute_no_trans;

# Let virtualizationservice kill crosvm.
# Only sigkill is granted; no other signal permission appears in this file.
allow virtualizationservice crosvm:process sigkill;

# Let virtualizationservice access its data directory.
# create_file_perms and create_dir_perms are permission-set macros defined outside
# this file.
allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;

# virtualizationservice_use(client)
# Grants a client domain (the first macro argument) what it needs to talk to the
# service: the Binder call itself, plus permission for the service to use file
# descriptors that the client created.
define(`virtualizationservice_use', `
    # Let the client call virtualizationservice.
    binder_call($1, virtualizationservice)
    # Let the client pass file descriptors to virtualizationservice.
    allow virtualizationservice $1:fd use;
')

# Let the shell user call virtualizationservice for debugging.
# NOTE(review): no build-variant conditional is visible around this grant, so it
# appears to apply on every build type - confirm that is intended.
virtualizationservice_use(shell)

# Let virtualizationservice read and write files from its various clients, but not open them
# directly as they must be passed over Binder by the client.
# The open permission is deliberately absent from the three rules below: the service
# can only operate on descriptors that a client already opened and handed over, so it
# cannot reach client files by path on its own. apk_data_file is read-only (no write).
allow virtualizationservice apk_data_file:file { getattr read };
allow virtualizationservice app_data_file:file { getattr read write };
# shell_data_file is used for automated tests and manual debugging.
allow virtualizationservice shell_data_file:file { getattr read write };

# Allow virtualizationservice to access apex files in /data/apex/{active,decompressed}
# NOTE(review): r_file_perms is defined outside this file and presumably includes
# open, so unlike the client-file rules above these files can be opened by path.
# The files under those directories presumably carry the staging_data_file label -
# confirm against file_contexts.
allow virtualizationservice apex_data_file:dir search;
allow virtualizationservice staging_data_file:file r_file_perms;

# Allow virtualizationservice to read apex-info-list.xml
allow virtualizationservice apex_info_file:file r_file_perms;

# Let virtualizationservice accept vsock connections from the guest VMs.
# Scoped to sockets the domain itself owns (self); the permission set is the no-ioctl
# variant plus listen and accept.
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };