From a03f3b1a50b304596f2cc0b2126c69405824cfaa Mon Sep 17 00:00:00 2001
From: David Brazdil
Date: Wed, 6 Oct 2021 17:33:57 +0000
Subject: [PATCH] Assign pkvm_enabler to vendor_misc_writer domain

Builds of gs101 targets with pKVM force-enabled have an init service which checks that /dev/kvm exists and if not, runs misc_writer to instruct the bootloader to enable pKVM, and forces a reboot. Assign the binary to the existing vendor_misc_writer domain and add permission to execute the /vendor/bin/misc_writer binary. Since this is for tests only, the rules are only added to targets that define TARGET_PKVM_ENABLED.
Bug: 192819132
Test: flash a _pkvm build, observe double-reboot, check /dev/kvm exists
Change-Id: I5f9962e4cdd3ec267ab19ea4485e4e94a3ec15cd
---
 gs101-sepolicy.mk | 5 +++++
 pkvm/file_contexts | 1 +
 pkvm/vendor_misc_writer.te | 2 ++
 3 files changed, 8 insertions(+)
 create mode 100644 pkvm/file_contexts
 create mode 100644 pkvm/vendor_misc_writer.te

diff --git a/gs101-sepolicy.mk b/gs101-sepolicy.mk
index 8a302845..b9b3b8c5 100644
--- a/gs101-sepolicy.mk
+++ b/gs101-sepolicy.mk
@@ -34,3 +34,8 @@ BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_logger
 
 # Public
 PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs101-sepolicy/public
+
+# pKVM
+ifeq ($(TARGET_PKVM_ENABLED),true)
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/pkvm
+endif
diff --git a/pkvm/file_contexts b/pkvm/file_contexts
new file mode 100644
index 00000000..310aad4d
--- /dev/null
+++ b/pkvm/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/pkvm_enabler u:object_r:vendor_misc_writer_exec:s0
diff --git a/pkvm/vendor_misc_writer.te b/pkvm/vendor_misc_writer.te
new file mode 100644
index 00000000..b9b4ceb1
--- /dev/null
+++ b/pkvm/vendor_misc_writer.te
@@ -0,0 +1,2 @@
+# Allow pkvm_enabler to execute misc_writer.
+allow vendor_misc_writer vendor_misc_writer_exec:file execute_no_trans;
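Review bot: The gate `ifeq ($(TARGET_PKVM_ENABLED),true)` includes the pkvm policy directory only when the variable is exactly `true`, whereas the commit message says the rules apply to targets that define TARGET_PKVM_ENABLED; a target that sets it to any other value gets neither the pkvm_enabler file_contexts entry nor the execute rule, so the binary would presumably fall back to the default vendor label and its init service would fail to launch, which is a confusing failure mode rather than a security one. Nothing in this hunk records that the policy it pulls in is test-only, so a shipping target that happens to set the flag would carry it too; a one-line reminder above the conditional would make that visible to whoever next touches the flag. Suggested comment: `# pKVM (test-only: labels pkvm_enabler and lets it exec misc_writer; see pkvm/)`.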
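Review bot: The rule `allow vendor_misc_writer vendor_misc_writer_exec:file execute_no_trans;` is only the right minimal grant because pkvm_enabler is labeled with the same exec type as misc_writer (the file_contexts hunk), so both run in one domain and no transition is possible; the comment should say so, since a reader of this .te alone cannot tell why an in-domain exec is needed or that the test helper inherits every privilege the existing vendor_misc_writer domain already has over the misc partition. The same rule also lets misc_writer exec pkvm_enabler or itself, which is harmless within a single domain but worth stating. The read/open/execute/map permissions on the exec type are presumably already granted by the existing domain's init transition, which is why only execute_no_trans is added here. Suggested replacement comment: `# pkvm_enabler shares vendor_misc_writer_exec with misc_writer and runs in this domain, so it execs misc_writer in place (no transition). Test-only; see TARGET_PKVM_ENABLED in gs101-sepolicy.mk.`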