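# SELinux domain for the VM launcher app. It is an ordinary app domain
# (app_domain) with network access (net_domain) that launches guest VMs via
# virtualizationservice and crosvm; the rules below are additive allow rules,
# so each one widens what the app may do.
type vmlauncher_app, domain;
typeattribute vmlauncher_app coredomain;

app_domain(vmlauncher_app)
net_domain(vmlauncher_app)

# Discover app-level and system-level API services through servicemanager.
allow vmlauncher_app app_api_service:service_manager find;
allow vmlauncher_app system_api_service:service_manager find;

# TODO(b/402303887): Remove this when WebView doesn't require camera access.
allow vmlauncher_app cameraserver_service:service_manager find;

# Only read/open/write on existing shell_data_file files is granted here;
# the app cannot create or unlink them (no create/unlink in the permission set).
allow vmlauncher_app shell_data_file:dir search;
allow vmlauncher_app shell_data_file:file { read open write };
virtualizationservice_use(vmlauncher_app)

# execute_no_trans: fsck is run without a domain transition, i.e. with
# vmlauncher_app's own permissions rather than in a dedicated fsck domain.
allow vmlauncher_app fsck_exec:file { r_file_perms execute execute_no_trans };
# Share file descriptors and tmpfs-backed memory with crosvm, and run the
# crosvm binary.
allow vmlauncher_app crosvm:fd use;
allow vmlauncher_app crosvm_tmpfs:file { map read write };
allow vmlauncher_app crosvm_exec:file rx_file_perms;

# Unix sockets in the privileged-app data directory (create/unlink/write/getattr).
allow vmlauncher_app privapp_data_file:sock_file { create unlink write getattr };

is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
    # TODO(b/332677707): remove them when display service uses binder RPC.
    allow vmlauncher_app virtualization_service:service_manager find;
    allow vmlauncher_app virtualizationservice:binder call;
    allow vmlauncher_app crosvm:binder { call transfer };
')

is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
    # vsock listener for guest networking; ioctl is deliberately excluded.
    allow vmlauncher_app self:vsock_socket { create_socket_perms_no_ioctl listen accept };
')

userdebug_or_eng(`
    # Create pty/pts and connect it to the guest terminal.
    create_pty(vmlauncher_app)
    # Allow other processes to access the pts.
    allow vmlauncher_app vmlauncher_app_devpts:chr_file setattr;
')

# TODO(b/372664601): Remove this when we don't need linux_vm_setup
# NOTE(review): unlike the pty rules above, this is not wrapped in
# userdebug_or_eng, so the app may set debug_prop on every build type.
# Written without a trailing ';' to match the other macro invocations in
# this file (the macro expansion already terminates its own statements).
set_prop(vmlauncher_app, debug_prop)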