1*e4a36f41SAndroid Build Coastguard Workeris_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, ` 2*e4a36f41SAndroid Build Coastguard Worker # vfio_handler is a helper service for VFIO tasks, like binding platform devices to VFIO driver. 3*e4a36f41SAndroid Build Coastguard Worker # vfio_handler is separate from virtualizationservice as VFIO tasks require root. 4*e4a36f41SAndroid Build Coastguard Worker type vfio_handler, domain, coredomain; 5*e4a36f41SAndroid Build Coastguard Worker type vfio_handler_exec, system_file_type, exec_type, file_type; 6*e4a36f41SAndroid Build Coastguard Worker 7*e4a36f41SAndroid Build Coastguard Worker # When init runs a file labelled with vfio_handler_exec, run it in the vfio_handler domain. 8*e4a36f41SAndroid Build Coastguard Worker init_daemon_domain(vfio_handler) 9*e4a36f41SAndroid Build Coastguard Worker 10*e4a36f41SAndroid Build Coastguard Worker # Let the vfio_handler domain register the vfio_handler_service with ServiceManager. 11*e4a36f41SAndroid Build Coastguard Worker add_service(vfio_handler, vfio_handler_service) 12*e4a36f41SAndroid Build Coastguard Worker 13*e4a36f41SAndroid Build Coastguard Worker # Let the vfio_handler domain use Binder. 14*e4a36f41SAndroid Build Coastguard Worker binder_use(vfio_handler) 15*e4a36f41SAndroid Build Coastguard Worker 16*e4a36f41SAndroid Build Coastguard Worker # Allow vfio_handler to check if VFIO is supported 17*e4a36f41SAndroid Build Coastguard Worker allow vfio_handler vfio_device:chr_file getattr; 18*e4a36f41SAndroid Build Coastguard Worker allow vfio_handler vfio_device:dir r_dir_perms; 19*e4a36f41SAndroid Build Coastguard Worker 20*e4a36f41SAndroid Build Coastguard Worker # Allow vfio_handler to bind/unbind platform devices 21*e4a36f41SAndroid Build Coastguard Worker allow vfio_handler sysfs:dir r_dir_perms; 22*e4a36f41SAndroid Build Coastguard Worker allow vfio_handler sysfs:file rw_file_perms; 23*e4a36f41SAndroid Build Coastguard Worker 24*e4a36f41SAndroid Build Coastguard Worker # Allow vfio_handler to write to VM DTBO via a file created by virtualizationservice. 25*e4a36f41SAndroid Build Coastguard Worker allow vfio_handler virtualizationservice:fd use; 26*e4a36f41SAndroid Build Coastguard Worker allow vfio_handler virtualizationservice_data_file:file write; 27*e4a36f41SAndroid Build Coastguard Worker 28*e4a36f41SAndroid Build Coastguard Worker # vfio_handler can only use fd from virtualizationservice, and cannot open files itself 29*e4a36f41SAndroid Build Coastguard Worker neverallow vfio_handler virtualizationservice_data_file:file { open create }; 30*e4a36f41SAndroid Build Coastguard Worker 31*e4a36f41SAndroid Build Coastguard Worker # Allow vfio_handler to search /dev/block for accessing dtbo.img 32*e4a36f41SAndroid Build Coastguard Worker allow vfio_handler block_device:dir search; 33*e4a36f41SAndroid Build Coastguard Worker allow vfio_handler dtbo_block_device:blk_file r_file_perms; 34*e4a36f41SAndroid Build Coastguard Worker') # is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT) 35