Merge "Add RemoteAuthService" into main
diff --git a/private/crosvm.te b/private/crosvm.te
index 3f39201..2d9a688 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -84,7 +84,7 @@
# crosvm tries to read serial device, including the write-only pipe from virtualizationmanager (to
# forward console/log to the host logcat).
# crosvm only needs write permission, so dontaudit read
-dontaudit crosvm virtualizationmanager:fifo_file read;
+dontaudit crosvm virtualizationmanager:fifo_file { read getattr };
# Required for crosvm to start gdb-server to enable debugging of guest kernel.
allow crosvm self:tcp_socket { bind create read setopt write accept listen };
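Review bot: The comment just above the changed dontaudit still says "so dontaudit read" while the rule now also silences getattr, so the rationale and the rule no longer agree; update it to `# crosvm only needs write permission, so dontaudit read and getattr (fstat)`. Silencing getattr grants nothing and only hides audit noise, but a reader checking the dontaudit against the stated rationale should not have to infer the extra permission.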
@@ -96,9 +96,9 @@
allow crosvm vfio_device:chr_file rw_file_perms;
allow crosvm vfio_device:dir r_dir_perms;
-# Allow crosvm to access VM DTBO via a pipe created by vfio handler.
-allow crosvm vfio_handler:fd use;
-allow crosvm vfio_handler:fifo_file r_file_perms;
+# Allow crosvm to access VM DTBO via a file created by virtualizationmanager.
+allow crosvm virtualizationmanager:fd use;
+allow crosvm virtualizationservice_data_file:file read;
# Don't allow crosvm to open files that it doesn't own.
# This is important because a malicious application could try to start a VM with a composite disk
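Review bot: The new `allow crosvm virtualizationservice_data_file:file read;` deliberately omits `open`, so crosvm can read the DTBO only through an fd it inherits from virtualizationmanager, but nothing on the rule says so and a later maintainer could "fix" an open denial by widening it. Suggest extending the comment: `# Allow crosvm to read the VM DTBO through an fd created and passed by virtualizationmanager (no open: crosvm must never open these files itself; see the neverallow below).` The neverallow that comment refers to is introduced by the trailing comment of this hunk and sits outside it, so confirm it actually covers virtualizationservice_data_file. If crosvm fstat()s the inherited fd to size the blob, `getattr` would also be needed, as the first hunk in this file suggests it does on fifos; verify on a device run rather than adding it speculatively.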
diff --git a/private/otapreopt_chroot.te b/private/otapreopt_chroot.te
index ea9d4ee..73e170b 100644
--- a/private/otapreopt_chroot.te
+++ b/private/otapreopt_chroot.te
@@ -36,9 +36,10 @@
# Allow otapreopt_chroot to read the persist.apexd.verity_on_system system property.
get_prop(otapreopt_chroot, apexd_prop)
-# Allow otapreopt to use file descriptors from update-engine. It will
-# close them immediately.
+# Allow otapreopt to use file descriptors from update-engine and the postinstall
+# script. It will read dexopt commands from stdin and write progress to stdout.
allow otapreopt_chroot postinstall:fd use;
+allow otapreopt_chroot postinstall:fifo_file { read write getattr };
allow otapreopt_chroot update_engine:fd use;
allow otapreopt_chroot update_engine:fifo_file write;
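Review bot: The updated comment explains read and write on the postinstall pipes, but the new rule also grants getattr, which the comment does not account for. If fstat on stdin/stdout is what triggers it (stdio initialisation commonly does), say so, e.g. `# script. It will read dexopt commands from stdin, write progress to stdout, and fstat both.`; otherwise drop getattr to keep the rule minimal. The asymmetry with `update_engine:fifo_file write` just below is fine as long as it is intentional.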
diff --git a/private/property_contexts b/private/property_contexts
index e3a0ca9..32b5eee 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -1143,7 +1143,7 @@
ro.crypto.type u:object_r:vold_status_prop:s0 exact enum block file managed none
ro.property_service.version u:object_r:property_service_version_prop:s0 exact int
-ro.property_service.async_persist_write u:object_r:build_config_prop:s0 exact bool
+ro.property_service.async_persist_writes u:object_r:build_config_prop:s0 exact bool
ro.vendor.redirect_socket_calls u:object_r:vendor_socket_hook_prop:s0 exact bool
diff --git a/private/vfio_handler.te b/private/vfio_handler.te
index 706a6ca..2a0bd37 100644
--- a/private/vfio_handler.te
+++ b/private/vfio_handler.te
@@ -20,5 +20,12 @@
allow vfio_handler sysfs:dir r_dir_perms;
allow vfio_handler sysfs:file rw_file_perms;
+# Allow vfio_handler to write to VM DTBO via a file created by virtualizationmanager.
+allow vfio_handler virtualizationmanager:fd use;
+allow vfio_handler virtualizationservice_data_file:file write;
+
+# vfio_handler can only use fd from virtualizationmanager, and can't open files itself
+neverallow vfio_handler virtualizationservice_data_file:file { open create };
+
# Only vfio_handler can add vfio_handler_service
neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;
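Review bot: The comment on the new neverallow claims vfio_handler "can only use fd from virtualizationmanager", but the assertion only forbids opening or creating these files itself; nothing constrains which domain the fd comes from, so the comment overstates what is enforced. Either narrow the comment, `# vfio_handler must never open or create these files itself; it writes the DTBO only through an fd handed to it`, or, if the stronger property is intended, add a matching assertion such as `neverallow vfio_handler { domain -virtualizationmanager }:fd use;` after checking that no other fd-passing path (binder from other services, for instance) would trip it. The `{ open create }` set is enough to block direct access, since open is checked on every open(2) of a file object.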
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index a8fb202..b6bcd98 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -89,7 +89,3 @@
# For debug purposes we try to get the canonical path from /proc/self/fd/N. That triggers
# a harmless denial for CompOS log files, so ignore that.
dontaudit virtualizationmanager apex_module_data_file:dir search;
-
-# Allow virtualizationmanager to access VM DTBO via a pipe created by vfio handler.
-allow virtualizationmanager vfio_handler:fd use;
-allow virtualizationmanager vfio_handler:fifo_file r_file_perms;
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index a4588dc..14662fa 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -35,6 +35,7 @@
# directories, it needs the permission to unlink the files created by virtualizationmanager.
allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
allow virtualizationservice virtualizationservice_data_file:{ file sock_file } unlink;
+allow virtualizationservice virtualizationservice_data_file:file write;
# Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
# crosvm to the console
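Review bot: The new `allow virtualizationservice virtualizationservice_data_file:file write;` is appended under a comment about unlinking files during cleanup, which does not explain why write is now needed, and no read is granted alongside it. If the reason is that a write-opened DTBO fd is forwarded over binder and the binder transfer check requires the receiver to hold the fd's open mode on the file, a comment should say so, e.g. `# Needed to forward the write-opened VM DTBO fd over binder (binder transfer checks the fd's open mode against the file); not used to open the file directly.` — confirm which case applies before committing the wording. Without a comment the rule reads as a stray widening of a domain that otherwise only deletes these files.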
@@ -62,9 +63,8 @@
allow virtualizationservice vfio_device:chr_file getattr;
allow virtualizationservice vfio_device:dir r_dir_perms;
-# Allow virtualizationservice to access VM DTBO via a pipe created by vfio handler.
-allow virtualizationservice vfio_handler:fd use;
-allow virtualizationservice vfio_handler:fifo_file r_file_perms;
+# Allow virtualizationservice to access VM DTBO via a file created by virtualizationmanager.
+allow virtualizationservice virtualizationmanager:fd use;
neverallow {
domain