1is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, ` 2 # vfio_handler is a helper service for VFIO tasks, like binding platform devices to VFIO driver. 3 # vfio_handler is separate from virtualizationservice as VFIO tasks require root. 4 type vfio_handler, domain, coredomain; 5 type vfio_handler_exec, system_file_type, exec_type, file_type; 6 7 # When init runs a file labelled with vfio_handler_exec, run it in the vfio_handler domain. 8 init_daemon_domain(vfio_handler) 9 10 # Let the vfio_handler domain register the vfio_handler_service with ServiceManager. 11 add_service(vfio_handler, vfio_handler_service) 12 13 # Let the vfio_handler domain use Binder. 14 binder_use(vfio_handler) 15 16 # Allow vfio_handler to check if VFIO is supported 17 allow vfio_handler vfio_device:chr_file getattr; 18 allow vfio_handler vfio_device:dir r_dir_perms; 19 20 # Allow vfio_handler to bind/unbind platform devices 21 allow vfio_handler sysfs:dir r_dir_perms; 22 allow vfio_handler sysfs:file rw_file_perms; 23 24 # Allow vfio_handler to write to VM DTBO via a file created by virtualizationservice. 25 allow vfio_handler virtualizationservice:fd use; 26 allow vfio_handler virtualizationservice_data_file:file write; 27 28 # vfio_handler can only use fd from virtualizationservice, and cannot open files itself 29 neverallow vfio_handler virtualizationservice_data_file:file { open create }; 30 31 # Allow vfio_handler to search /dev/block for accessing dtbo.img 32 allow vfio_handler block_device:dir search; 33 allow vfio_handler dtbo_block_device:blk_file r_file_perms; 34') # is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT) 35