Gitiles
Code Review Sign In
LeafOS / LeafOS-Project / android_system_sepolicy / a32606357e98f06b851bf7398fbd1827b60e7a14^1..a32606357e98f06b851bf7398fbd1827b60e7a14 / .
commita32606357e98f06b851bf7398fbd1827b60e7a14[log] [tgz]
authorAlan Stokes <alanstokes@google.com>Thu Feb 22 11:11:59 2024 +0000
committerAutomerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>Thu Feb 22 11:11:59 2024 +0000
tree3907e43ac2bca5b4e344cf86ea1a5e9a701a0f79
parent37d732df161277097fb91ac16d361763367f4578 [diff]
parentd02b0526246c938b8e1539e010533b0bb639082e [diff]
Merge "Add virtualization_maintenance_service" into main am: d2bc72b7eb am: d02b052624

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2967637

Change-Id: Icd461a9c243fc7fb7c6ade7e85ad40c06e85b445
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 4b1c02d..e0f6610 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go

@@ -186,6 +186,7 @@
 		"android.hardware.security.keymint.IRemotelyProvisionedComponent/avf": EXCEPTION_NO_FUZZER,
 		"android.system.virtualizationservice":                            EXCEPTION_NO_FUZZER,
 		"android.system.virtualizationservice_internal.IVfioHandler":      EXCEPTION_NO_FUZZER,
+		"android.system.virtualizationmaintenance":                        EXCEPTION_NO_FUZZER,
 		"ambient_context":                                                 EXCEPTION_NO_FUZZER,
 		"app_binding":                                                     EXCEPTION_NO_FUZZER,
 		"app_hibernation":                                                 EXCEPTION_NO_FUZZER,

diff --git a/flagging/Android.bp b/flagging/Android.bp
index 8f7355a..bdd0481 100644
--- a/flagging/Android.bp
+++ b/flagging/Android.bp

@@ -18,6 +18,7 @@
     name: "aosp_selinux_flags",
     flags: [
         "RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT",
+        "RELEASE_AVF_ENABLE_LLPVM_CHANGES",
         "RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE",
     ],
     export_to: ["all_selinux_flags"],

diff --git a/private/service.te b/private/service.te
index 36d6ccf..c4e7cbc 100644
--- a/private/service.te
+++ b/private/service.te

@@ -26,6 +26,9 @@
 is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
     type vfio_handler_service,          service_manager_type;
 ')
+is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, `
+    type virtualization_maintenance_service, service_manager_type;
+')
 
 type uce_service,                   service_manager_type;
 type wearable_sensing_service,      app_api_service, system_server_service, service_manager_type;

diff --git a/private/service_contexts b/private/service_contexts
index 82af95e..3138d90 100644
--- a/private/service_contexts
+++ b/private/service_contexts

@@ -165,6 +165,9 @@
 is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
     android.system.virtualizationservice_internal.IVfioHandler u:object_r:vfio_handler_service:s0
 ')
+is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, `
+    android.system.virtualizationmaintenance u:object_r:virtualization_maintenance_service:s0
+')
 ambient_context                           u:object_r:ambient_context_service:s0
 app_binding                               u:object_r:app_binding_service:s0
 app_hibernation                           u:object_r:app_hibernation_service:s0

diff --git a/private/system_server.te b/private/system_server.te
index eda5695..5b0caaa 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -987,6 +987,9 @@
 allow system_server surfaceflinger_service:service_manager find;
 allow system_server update_engine_service:service_manager find;
 allow system_server virtual_camera_service:service_manager find;
+is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, `
+    allow system_server virtualization_maintenance_service:service_manager find;
+')
 allow system_server vold_service:service_manager find;
 allow system_server wifinl80211_service:service_manager find;
 allow system_server logd_service:service_manager find;

diff --git a/private/vfio_handler.te b/private/vfio_handler.te
index 963809e..fd6499d 100644
--- a/private/vfio_handler.te
+++ b/private/vfio_handler.te

@@ -31,7 +31,4 @@
     # Allow vfio_handler to search /dev/block for accessing dtbo.img
     allow vfio_handler block_device:dir search;
     allow vfio_handler dtbo_block_device:blk_file r_file_perms;
-
-    # Only vfio_handler can add vfio_handler_service
-    neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;
 ') # is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT)

diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 0a9ff8b..ee288f2 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te

@@ -12,8 +12,11 @@
 # Let the virtualizationservice domain use Binder.
 binder_use(virtualizationservice)
 
-# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
+# Register our services with ServiceManager.
 add_service(virtualizationservice, virtualization_service)
+is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, `
+    add_service(virtualizationservice, virtualization_maintenance_service)
+')
 
 is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
     # Let virtualizationservice find and communicate with vfio_handler.