Merge "Sepolicy setting for crosvm virtiofs mounts" into android15-tests-dev
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 33d3783..4fe3843 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -6,7 +6,7 @@
 allow bpfloader kmsg_device:chr_file w_file_perms;
 
 # These permissions are required to pin ebpf maps & programs.
-allow bpfloader bpffs_type:dir { add_name create remove_name search setattr write };
+allow bpfloader bpffs_type:dir { add_name create open read remove_name search setattr write };
 allow bpfloader bpffs_type:file { create getattr read rename setattr };
 allow bpfloader bpffs_type:lnk_file { create getattr read };
 allow { bpffs_type -fs_bpf } fs_bpf:filesystem associate;
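Review bot: The widened allow on the changed line grants bpfloader `open read` on bpffs directories, but the comment above it still only says the permissions are needed "to pin ebpf maps & programs", which does not cover directory enumeration. Since open/read on a dir lets bpfloader list bpffs directory contents, the reason should be recorded next to the rule, e.g. `# open/read on dirs: bpfloader enumerates existing pinned entries under bpffs (see <bug/CL reference>)`; what actually triggers the listing is not visible in the hunk, so the exact wording should come from the change that motivated it. The neverallow counterpart in the second hunk of this file is adjusted consistently, which is good.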
@@ -29,8 +29,8 @@
 ###
 
 # Note: we don't care about getattr/mounton/search
-neverallow { domain            } bpffs_type:dir ~{ add_name create getattr mounton remove_name search setattr write };
-neverallow { domain -bpfloader } bpffs_type:dir { add_name create remove_name setattr write };
+neverallow { domain            } bpffs_type:dir ~{ add_name create getattr mounton open read remove_name search setattr write };
+neverallow { domain -bpfloader } bpffs_type:dir { add_name create open read remove_name setattr write };
 
 neverallow { domain            } bpffs_type:file ~{ create getattr map open read rename setattr write };
 neverallow { domain -bpfloader } bpffs_type:file { create map open rename setattr };
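Review bot: With the two changed neverallow lines, `open read` on bpffs directories becomes a bpfloader-exclusive permission for every other domain, which is stricter than the file-level rules right below (where `open read` on bpffs files is left out of the `-bpfloader` neverallow). That asymmetry looks intentional but is not stated; the note on the line above the changed rules only explains why getattr/mounton/search are excluded. A one-line addition such as `# Note: directory open/read (listing bpffs) is reserved to bpfloader; file open/read stays open to other domains` would keep the next reader from "fixing" the difference.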
diff --git a/private/virtual_camera.te b/private/virtual_camera.te
index a4898a7..633d8c0 100644
--- a/private/virtual_camera.te
+++ b/private/virtual_camera.te
@@ -57,3 +57,6 @@
 allow virtual_camera adbd:fd use;
 allow virtual_camera adbd:unix_stream_socket { getattr read write };
 allow virtual_camera shell:fifo_file { getattr read write };
+
+# Allow virtual_camera to access dmabuf_system_heap_device
+allow virtual_camera dmabuf_system_heap_device:chr_file { read open };
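Review bot: The new comment only restates the rule beneath it; it should say what virtual_camera does with the system dma-buf heap so the grant can be reviewed against its actual need. The rule grants `read open` on the char device but not `ioctl`; if the intent is to allocate buffers from the heap, that normally goes through an ioctl on the opened device and this rule alone would not cover it, so confirm against the denial being addressed (and, if ioctl is needed, follow the ioctl-allowlisting pattern used elsewhere in this policy rather than a blanket ioctl). Suggested comment: `# virtual_camera allocates/imports frame buffers from the system dma-buf heap (<purpose per bug/CL reference>)`.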