# Policy for the crosvm virtual-machine monitor domain.
# Declares the domain, its executable and tmpfs types, then grants the few
# accesses crosvm needs and asserts that other domains stay away from /dev/kvm.
type crosvm, domain, coredomain;
type crosvm_exec, system_file_type, exec_type, file_type;
type crosvm_tmpfs, file_type;

# Let crosvm create temporary files.
# tmpfs_domain() is a policy macro defined elsewhere; its expansion is not
# visible in this file. Presumably it ties crosvm to the crosvm_tmpfs type
# declared above (type transition plus file access) — confirm against the
# macro definition in the tree.
tmpfs_domain(crosvm)

# Let crosvm receive file descriptors from virtmanager.
# "fd use" only permits crosvm to keep using descriptors that virtmanager
# opened and handed over; access to the object behind each descriptor is
# still checked against that object's own type.
allow crosvm virtmanager:fd use;

# Let crosvm open /dev/kvm.
allow crosvm kvm_device:chr_file rw_file_perms;

# Most other domains shouldn't access /dev/kvm.
# neverallow is a build-time assertion, not a grant: compiling the policy
# fails if any allow rule elsewhere contradicts it. Read together, the two
# rules mean:
#   - shell is exempt from the first rule only, so it may at most getattr
#     the device node;
#   - crosvm and ueventd are exempt from both rules (ueventd presumably
#     because it manages /dev nodes — verify);
#   - every other domain may have no permission on kvm_device at all.
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;