Assign pkvm_enabler to vendor_misc_writer domain

Builds of gs101 targets with pKVM force-enabled have an init service which checks that /dev/kvm exists and if not, runs misc_writer to instruct the bootloader to enable pKVM, and forces a reboot. Assign the binary to the existing vendor_misc_writer domain and add permission to execute the /vendor/bin/misc_writer binary. Since this is for tests only, the rules are only added to targets that define TARGET_PKVM_ENABLED. Bug: 192819132 Test: flash a _pkvm build, observe double-reboot, check /dev/kvm exists Change-Id: I5f9962e4cdd3ec267ab19ea4485e4e94a3ec15cd
2021-10-06 17:33:57 +00:00 · 2021-10-06 17:33:57 +00:00 · a03f3b1a50
commit a03f3b1a50
parent 7d5cf2a1bd
3 changed files with 8 additions and 0 deletions
--- a/gs101-sepolicy.mk
+++ b/gs101-sepolicy.mk
@ -34,3 +34,8 @@ BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_logger

 # Public
 PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs101-sepolicy/public
+
+# pKVM
+ifeq ($(TARGET_PKVM_ENABLED),true)
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/pkvm
+endif
--- a/pkvm/file_contexts
+++ b/pkvm/file_contexts
@ -0,0 +1 @@
+/vendor/bin/pkvm_enabler             u:object_r:vendor_misc_writer_exec:s0
--- a/pkvm/vendor_misc_writer.te
+++ b/pkvm/vendor_misc_writer.te
@ -0,0 +1,2 @@
+# Allow pkvm_enabler to execute misc_writer.
+allow vendor_misc_writer vendor_misc_writer_exec:file execute_no_trans;
				`@ -0,0 +1 @@`
				`/vendor/bin/pkvm_enabler u:object_r:vendor_misc_writer_exec:s0`