# SELinux policy for the vmlauncher_app domain.
#
# Declares the domain type, marks it as coredomain, and applies the
# app_domain and net_domain macros. The rest of the file grants access to
# service manager lookups, shell-owned data files, the fsck and crosvm
# executables, crosvm file descriptors and tmpfs files, and sockets under
# privileged-app data directories.
# Three groups of rules are conditional: two on release flags and one on
# userdebug/eng builds.
type vmlauncher_app, domain;
typeattribute vmlauncher_app coredomain;

app_domain(vmlauncher_app)
net_domain(vmlauncher_app)

# Look up services labelled app_api_service and system_api_service through
# the service manager. Only find is granted here.
allow vmlauncher_app app_api_service:service_manager find;
allow vmlauncher_app system_api_service:service_manager find;

# Traverse shell_data_file directories and read/open/write files in them.
# No create or unlink is granted, so the files must already exist.
# NOTE(review): shell_data_file is presumably the label of adb-shell-writable
# storage (confirm against file_contexts). If so, content read from there is
# controlled by whoever holds shell access and should be treated as untrusted
# input by the launcher. These two rules are not wrapped in userdebug_or_eng,
# so they also apply on user builds - confirm that is intended.
allow vmlauncher_app shell_data_file:dir search;
allow vmlauncher_app shell_data_file:file { read open write };
# Macro defined outside this file; presumably grants the client-side access
# needed to talk to virtualizationservice - verify against its definition.
virtualizationservice_use(vmlauncher_app)

# execute_no_trans lets the fsck binary run inside the vmlauncher_app domain
# itself, with no domain transition. Whatever fsck parses is therefore handled
# with every permission this file grants to vmlauncher_app.
allow vmlauncher_app fsck_exec:file { r_file_perms execute execute_no_trans };
# Use file descriptors received from crosvm, and map/read/write its tmpfs
# files.
allow vmlauncher_app crosvm:fd use;
allow vmlauncher_app crosvm_tmpfs:file { map read write };
# Read and execute the crosvm binary. No domain transition rule for it is
# visible in this file.
# NOTE(review): confirm where the transition is defined, or whether crosvm is
# meant to run in this domain.
allow vmlauncher_app crosvm_exec:file rx_file_perms;

# Create, remove, write to and stat socket files labelled privapp_data_file.
allow vmlauncher_app privapp_data_file:sock_file { create unlink write getattr };

# Rules below are emitted only when the named release flag is enabled.
# They allow a direct service lookup and binder calls to virtualizationservice
# and crosvm, including binder transfer to crosvm.
is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
    # TODO(b/332677707): remove them when display service uses binder RPC.
    allow vmlauncher_app virtualization_service:service_manager find;
    allow vmlauncher_app virtualizationservice:binder call;
    allow vmlauncher_app crosvm:binder { call transfer };
')

# Emitted only when the network release flag is enabled.
is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
    # listen and accept let this domain act as the server side of a vsock
    # connection. ioctl is excluded by the _no_ioctl permission set.
    allow vmlauncher_app self:vsock_socket { create_socket_perms_no_ioctl listen accept };
')

# Debug-only terminal access: these rules exist only on userdebug and eng
# builds.
userdebug_or_eng(`
    # Create pty/pts and connect it to the guest terminal.
    create_pty(vmlauncher_app)
    # Allow other processes to access the pts.
    # setattr permits changing attributes such as mode or owner on the pts
    # node. Which processes gain access depends on rules outside this file.
    allow vmlauncher_app vmlauncher_app_devpts:chr_file setattr;
')

# NOTE(review): this rule sits outside userdebug_or_eng, so the domain can set
# debug_prop properties on every build type, including user builds. Anything
# that reads those properties should not treat them as trusted configuration
# while this grant exists.
# TODO(b/372664601): Remove this when we don't need linux_vm_setup
set_prop(vmlauncher_app, debug_prop);