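# SELinux policy for the vmlauncher_app domain.
#
# The listing had been collapsed onto one line with viewer gutter numbers fused
# into the rules. It is restored here one statement per line. Every rule is
# unchanged; only comments were added.

# Declare the domain and mark it as a core platform domain.
type vmlauncher_app, domain;
typeattribute vmlauncher_app coredomain;

# Common app-domain rules plus network access, via the shared policy macros.
app_domain(vmlauncher_app)
net_domain(vmlauncher_app)

# Service lookups through servicemanager.
allow vmlauncher_app app_api_service:service_manager find;
allow vmlauncher_app system_api_service:service_manager find;

# Search shell data directories and read/write files there. No create or
# unlink is granted, so the files must already exist.
# NOTE(review): these two rules are not gated on build variant. Presumably
# shell_data_file content is writable from adb shell, so anything read from it
# should be treated as untrusted input - confirm this is needed on user builds.
allow vmlauncher_app shell_data_file:dir search;
allow vmlauncher_app shell_data_file:file { read open write };
virtualizationservice_use(vmlauncher_app)

# execute_no_trans means fsck runs inside the vmlauncher_app domain rather
# than transitioning to a domain of its own.
allow vmlauncher_app fsck_exec:file { r_file_perms execute execute_no_trans };
# Use file descriptors passed by crosvm and map its tmpfs-backed files.
allow vmlauncher_app crosvm:fd use;
allow vmlauncher_app crosvm_tmpfs:file { map read write };
# NOTE(review): rx_file_perms normally includes execute_no_trans, which would
# let the crosvm binary run with the full vmlauncher_app permission set -
# confirm that a dedicated domain transition is not intended here.
allow vmlauncher_app crosvm_exec:file rx_file_perms;

# Create, remove and write to unix socket files labelled privapp_data_file.
allow vmlauncher_app privapp_data_file:sock_file { create unlink write getattr };

is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
  # TODO(b/332677707): remove them when display service uses binder RPC.
  # Direct binder access to virtualizationservice and crosvm, granted only
  # while the release flag is enabled.
  allow vmlauncher_app virtualization_service:service_manager find;
  allow vmlauncher_app virtualizationservice:binder call;
  allow vmlauncher_app crosvm:binder { call transfer };
')

is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
  # Create vsock sockets and listen/accept on them, without ioctl.
  allow vmlauncher_app self:vsock_socket { create_socket_perms_no_ioctl listen accept };
')

userdebug_or_eng(`
  # Create pty/pts and connect it to the guest terminal.
  create_pty(vmlauncher_app)
  # Allow other processes to access the pts.
  allow vmlauncher_app vmlauncher_app_devpts:chr_file setattr;
')

# TODO(b/372664601): Remove this when we don't need linux_vm_setup
# NOTE(review): unlike the pty rules above, this grant is outside
# userdebug_or_eng, so the domain can set debug_prop on every build variant.
# Confirm that is intended until the TODO is resolved, or move it under the
# debug-only block.
# NOTE(review): the trailing semicolon after the macro call is kept as found;
# the other macro calls in this file have none.
set_prop(vmlauncher_app, debug_prop);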