# SELinux type-enforcement policy for crosvm, Android's virtual-machine monitor process.

# Process domain for crosvm; `coredomain` places it in the core (system) policy
# rather than vendor policy.
type crosvm, domain, coredomain;
# Label for the crosvm executable on the system partition.
type crosvm_exec, system_file_type, exec_type, file_type;
# Label for tmpfs-backed files crosvm creates (paired with tmpfs_domain below).
type crosvm_tmpfs, file_type;

# Let crosvm create temporary files.
# tmpfs_domain() gives crosvm its own tmpfs label (crosvm_tmpfs), so under
# SELinux's default-deny no other domain can reach those files unless a rule
# elsewhere explicitly allows it.
tmpfs_domain(crosvm)

# Let crosvm receive file descriptors from virtmanager.
# Only `fd use` is granted: crosvm may hold and use descriptors that
# virtmanager hands it, but operations on the underlying objects are still
# checked against those objects' own labels.
allow crosvm virtmanager:fd use;

# Let crosvm open /dev/kvm.
# rw_file_perms is broader than "open": it also carries read/write and ioctl,
# the latter being how the KVM API is actually driven.
allow crosvm kvm_device:chr_file rw_file_perms;

# Most other domains shouldn't access /dev/kvm.
# neverallow rules are build-time assertions over the whole compiled policy;
# because `domain` covers every process type (vendor domains included), any
# other rule granting /dev/kvm access fails the build instead of silently
# widening access.
# Only crosvm, ueventd (presumably needed to create and label the device node)
# and shell (presumably so /dev listings work from an interactive shell) may
# even stat the node ...
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
# ... and every chr_file permission other than getattr (open, read, write,
# ioctl, ...) is reserved for crosvm and ueventd; shell is deliberately
# not excepted here, so it can stat /dev/kvm but never open it.
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;