Diffstat (limited to 'prebuilts/api/32.0/private/crosvm.te')
-rw-r--r-- | prebuilts/api/32.0/private/crosvm.te | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/prebuilts/api/32.0/private/crosvm.te b/prebuilts/api/32.0/private/crosvm.te
new file mode 100644
index 000000000..5d7080a49
--- /dev/null
+++ b/prebuilts/api/32.0/private/crosvm.te
@@ -0,0 +1,16 @@
+type crosvm, domain, coredomain;
+type crosvm_exec, system_file_type, exec_type, file_type;
+type crosvm_tmpfs, file_type;
+
+# Let crosvm create temporary files.
+tmpfs_domain(crosvm)
+
+# Let crosvm receive file descriptors from virtmanager.
+allow crosvm virtmanager:fd use;
+
+# Let crosvm open /dev/kvm.
+allow crosvm kvm_device:chr_file rw_file_perms;
+
+# Most other domains shouldn't access /dev/kvm.
+neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
+neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
 |
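Review bot: The first neverallow exempts `shell` from the getattr ban on `kvm_device`, but the comment above it only says "most other domains" and gives no reason for that exception. These two neverallow rules are the build-time guard that keeps /dev/kvm confined to crosvm, so each exempted domain should carry a stated justification. I would extend the comment to something like `# shell may only stat /dev/kvm (getattr); every other permission stays limited to crosvm and ueventd.`, with the author adding the actual reason for the shell case. Separately, `rw_file_perms` on the allow line includes ioctl, so crosvm is granted the whole KVM ioctl interface. That is presumably intended for a VMM, but the "Let crosvm open /dev/kvm" comment understates it and should say so.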