tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/crosvm.te

104 lines
3.7 KiB
Text
Raw Normal View History

Add crosvm domain and give virtmanager and crosvm necessary permissions. Bug: 183583115 Test: make TARGET_KERNEL_USE=5.4 TARGET_VIM3L=true Change-Id: I566436fa2d27597566014f2a63198a88d6d2dbd6
2021-03-29 19:19:12 +02:00
type crosvm, domain, coredomain;
type crosvm_exec, system_file_type, exec_type, file_type;
type crosvm_tmpfs, file_type;
Add rules for virtualizationservice and crosvm The test for the services has been running with selinux disabled. To turn selinux on, required rules are allowed. Below is the summary of the added rules. * crosvm can read the composite disk files and other files (APKs, APEXes) that serve as backing store of the composite disks. * virtualizationservice has access to several binder services - permission_service: to check Android permission - apexd: to get apex files list (this will be removed eventually) * Both have read access to shell_data_file (/data/local/tmp/...) for testing purpose. This is not allowed for the user build. * virtualizationservice has access to the pseudo terminal opened by adbd so that it can write output to the terminal when the 'vm' tool is invoked in shell. Bug: 168588769 Test: /apex/com.android.virt/bin/vm run-app --log /dev/null /data/local/tmp/virt/MicrodroidDemoApp.apk /data/local/tmp/virt/MicrodroidDemoApp.apk.idsig /data/local/tmp/virt/instance.img assets/vm_config.json without disabling selinux. Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-12 14:11:33 +02:00
# Let crosvm open /dev/kvm.
allow crosvm kvm_device:chr_file rw_file_perms;
# Most other domains shouldn't access /dev/kvm.
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
virtualizationservice no longer tries to check for pKVM extension. This was fixed in https://r.android.com/1963701, as it never worked. This partially reverts commit 2dd48d0400ad214948d7d5863e5d90b18a07dcb1. Change-Id: I6e7096e20fd594465fb1574b11d6fecc82f5d82f
2022-01-28 16:42:48 +01:00
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
Allow virtualizationservice to check for PKVM extension Bug: 210803811 Test: watch TH for all our tests Change-Id: Iac4528fa2a0dbebeca4504469624f50832689f43
2021-12-28 13:26:03 +01:00
neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };
Add rules for virtualizationservice and crosvm The test for the services has been running with selinux disabled. To turn selinux on, required rules are allowed. Below is the summary of the added rules. * crosvm can read the composite disk files and other files (APKs, APEXes) that serve as backing store of the composite disks. * virtualizationservice has access to several binder services - permission_service: to check Android permission - apexd: to get apex files list (this will be removed eventually) * Both have read access to shell_data_file (/data/local/tmp/...) for testing purpose. This is not allowed for the user build. * virtualizationservice has access to the pseudo terminal opened by adbd so that it can write output to the terminal when the 'vm' tool is invoked in shell. Bug: 168588769 Test: /apex/com.android.virt/bin/vm run-app --log /dev/null /data/local/tmp/virt/MicrodroidDemoApp.apk /data/local/tmp/virt/MicrodroidDemoApp.apk.idsig /data/local/tmp/virt/instance.img assets/vm_config.json without disabling selinux. Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-12 14:11:33 +02:00
Allow crosvm to mlock VM memory. Bug: 204298056 Change-Id: I5b00273ffa37d4c1ea2f26bb40822abd0d094d90
2022-01-14 14:47:05 +01:00
# Let crosvm mlock VM memory and page tables.
allow crosvm self:capability ipc_lock;
Add crosvm domain and give virtmanager and crosvm necessary permissions. Bug: 183583115 Test: make TARGET_KERNEL_USE=5.4 TARGET_VIM3L=true Change-Id: I566436fa2d27597566014f2a63198a88d6d2dbd6
2021-03-29 19:19:12 +02:00
# Let crosvm create temporary files.
tmpfs_domain(crosvm)
Rename VirtManager to VirtualizationService. Bug: 188042280 Test: atest VirtualizationTestCases Change-Id: Ia46a0dda923cb30382cbcba64aeb569685041d2b
2021-05-21 15:21:43 +02:00
# Let crosvm receive file descriptors from VirtualizationService.
allow crosvm virtualizationservice:fd use;
Add crosvm domain and give virtmanager and crosvm necessary permissions. Bug: 183583115 Test: make TARGET_KERNEL_USE=5.4 TARGET_VIM3L=true Change-Id: I566436fa2d27597566014f2a63198a88d6d2dbd6
2021-03-29 19:19:12 +02:00
Allow piping VM failure reason Allow crosvm to write a VM failure reason to virtualizationservice via the pipe provided. Fixes this denial: avc: denied { write } for path="pipe:[95872]" dev="pipefs" ino=95872 scontext=u:r:crosvm:s0 tcontext=u:r:virtualizationservice:s0 tclass=fifo_file Bug: 220071963 Test: Run VM, no denial. Change-Id: I3beedc5e715aa33209d3df0cae05f45f31e79e66
2022-03-09 15:05:18 +01:00
# Allow sending VirtualizationService the failure reason from the VM via pipe.
allow crosvm virtualizationservice:fifo_file write;
Add rules for virtualizationservice and crosvm The test for the services has been running with selinux disabled. To turn selinux on, required rules are allowed. Below is the summary of the added rules. * crosvm can read the composite disk files and other files (APKs, APEXes) that serve as backing store of the composite disks. * virtualizationservice has access to several binder services - permission_service: to check Android permission - apexd: to get apex files list (this will be removed eventually) * Both have read access to shell_data_file (/data/local/tmp/...) for testing purpose. This is not allowed for the user build. * virtualizationservice has access to the pseudo terminal opened by adbd so that it can write output to the terminal when the 'vm' tool is invoked in shell. Bug: 168588769 Test: /apex/com.android.virt/bin/vm run-app --log /dev/null /data/local/tmp/virt/MicrodroidDemoApp.apk /data/local/tmp/virt/MicrodroidDemoApp.apk.idsig /data/local/tmp/virt/instance.img assets/vm_config.json without disabling selinux. Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-12 14:11:33 +02:00
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
# /data/local/tmp), and instance.img (app_data_file). Note that the open permission is not given as
# the files are passed as file descriptors.
allow crosvm {
virtualizationservice_data_file
staging_data_file
apk_data_file
app_data_file
Allow CompOS to start a VM with its instance image. The image will be stored under /data/misc/apexdata/com.android.compos. Grant crosvm & virtualization service read/write but not open access. This fixes these denials: avc: denied { read } for comm="Binder:3283_2" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:virtualizationservice:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1 avc: denied { getattr } for comm="virtualizations" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:virtualizationservice:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1 avc: denied { read } for comm="crosvm" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:crosvm:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1 avc: denied { getattr } for comm="crosvm" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:crosvm:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1 Test: compos_key_cmd --start /data/misc/apexdata/com.android.compos/instance.img Test: Works in enforcing mode, no denials seen. Bug: 193603140 Change-Id: I1137fddd02e84388af873f0e51dd080b1d803ad6
2021-07-28 15:05:25 +02:00
apex_compos_data_file
Add rules for virtualizationservice and crosvm The test for the services has been running with selinux disabled. To turn selinux on, required rules are allowed. Below is the summary of the added rules. * crosvm can read the composite disk files and other files (APKs, APEXes) that serve as backing store of the composite disks. * virtualizationservice has access to several binder services - permission_service: to check Android permission - apexd: to get apex files list (this will be removed eventually) * Both have read access to shell_data_file (/data/local/tmp/...) for testing purpose. This is not allowed for the user build. * virtualizationservice has access to the pseudo terminal opened by adbd so that it can write output to the terminal when the 'vm' tool is invoked in shell. Bug: 168588769 Test: /apex/com.android.virt/bin/vm run-app --log /dev/null /data/local/tmp/virt/MicrodroidDemoApp.apk /data/local/tmp/virt/MicrodroidDemoApp.apk.idsig /data/local/tmp/virt/instance.img assets/vm_config.json without disabling selinux. Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-12 14:11:33 +02:00
userdebug_or_eng(`shell_data_file')
}:file { getattr read ioctl lock };
Add crosvm domain and give virtmanager and crosvm necessary permissions. Bug: 183583115 Test: make TARGET_KERNEL_USE=5.4 TARGET_VIM3L=true Change-Id: I566436fa2d27597566014f2a63198a88d6d2dbd6
2021-03-29 19:19:12 +02:00
Add rules for virtualizationservice and crosvm The test for the services has been running with selinux disabled. To turn selinux on, required rules are allowed. Below is the summary of the added rules. * crosvm can read the composite disk files and other files (APKs, APEXes) that serve as backing store of the composite disks. * virtualizationservice has access to several binder services - permission_service: to check Android permission - apexd: to get apex files list (this will be removed eventually) * Both have read access to shell_data_file (/data/local/tmp/...) for testing purpose. This is not allowed for the user build. * virtualizationservice has access to the pseudo terminal opened by adbd so that it can write output to the terminal when the 'vm' tool is invoked in shell. Bug: 168588769 Test: /apex/com.android.virt/bin/vm run-app --log /dev/null /data/local/tmp/virt/MicrodroidDemoApp.apk /data/local/tmp/virt/MicrodroidDemoApp.apk.idsig /data/local/tmp/virt/instance.img assets/vm_config.json without disabling selinux. Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-12 14:11:33 +02:00
# Allow searching the directory where the composite disk images are.
allow crosvm virtualizationservice_data_file:dir search;
# Don't allow crosvm to open files that it doesn't own.
Add comment explaining why crosvm shouldn't be allowed to open files. Bug: 192453819 Test: No code change Change-Id: Iebaa1db2e8eed81122e64999ef58b728e1bf95cc
2021-12-24 14:10:25 +01:00
# This is important because a malicious application could try to start a VM with a composite disk
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
# open them on its behalf. By preventing crosvm from opening any other files we prevent this
# potential privilege escalation. See http://b/192453819 for more discussion.
Add rules for virtualizationservice and crosvm The test for the services has been running with selinux disabled. To turn selinux on, required rules are allowed. Below is the summary of the added rules. * crosvm can read the composite disk files and other files (APKs, APEXes) that serve as backing store of the composite disks. * virtualizationservice has access to several binder services - permission_service: to check Android permission - apexd: to get apex files list (this will be removed eventually) * Both have read access to shell_data_file (/data/local/tmp/...) for testing purpose. This is not allowed for the user build. * virtualizationservice has access to the pseudo terminal opened by adbd so that it can write output to the terminal when the 'vm' tool is invoked in shell. Bug: 168588769 Test: /apex/com.android.virt/bin/vm run-app --log /dev/null /data/local/tmp/virt/MicrodroidDemoApp.apk /data/local/tmp/virt/MicrodroidDemoApp.apk.idsig /data/local/tmp/virt/instance.img assets/vm_config.json without disabling selinux. Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-12 14:11:33 +02:00
neverallow crosvm {
crosvm now takes all files by FD. Bug: 192256642 Test: `atest VirtualizationTestCases MicrodroidHostTestCases` on Cuttlefish Change-Id: I8de557269ba56095b0264a65035296627fba8145
2021-08-05 16:09:52 +02:00
virtualizationservice_data_file
Add rules for virtualizationservice and crosvm The test for the services has been running with selinux disabled. To turn selinux on, required rules are allowed. Below is the summary of the added rules. * crosvm can read the composite disk files and other files (APKs, APEXes) that serve as backing store of the composite disks. * virtualizationservice has access to several binder services - permission_service: to check Android permission - apexd: to get apex files list (this will be removed eventually) * Both have read access to shell_data_file (/data/local/tmp/...) for testing purpose. This is not allowed for the user build. * virtualizationservice has access to the pseudo terminal opened by adbd so that it can write output to the terminal when the 'vm' tool is invoked in shell. Bug: 168588769 Test: /apex/com.android.virt/bin/vm run-app --log /dev/null /data/local/tmp/virt/MicrodroidDemoApp.apk /data/local/tmp/virt/MicrodroidDemoApp.apk.idsig /data/local/tmp/virt/instance.img assets/vm_config.json without disabling selinux. Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-12 14:11:33 +02:00
staging_data_file
apk_data_file
app_data_file
userdebug_or_eng(`-shell_data_file')
}:file open;
# The instance image and the composite image should be writable as well because they could represent
# mutable disks.
allow crosvm {
virtualizationservice_data_file
app_data_file
Allow CompOS to start a VM with its instance image. The image will be stored under /data/misc/apexdata/com.android.compos. Grant crosvm & virtualization service read/write but not open access. This fixes these denials: avc: denied { read } for comm="Binder:3283_2" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:virtualizationservice:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1 avc: denied { getattr } for comm="virtualizations" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:virtualizationservice:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1 avc: denied { read } for comm="crosvm" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:crosvm:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1 avc: denied { getattr } for comm="crosvm" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:crosvm:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1 Test: compos_key_cmd --start /data/misc/apexdata/com.android.compos/instance.img Test: Works in enforcing mode, no denials seen. Bug: 193603140 Change-Id: I1137fddd02e84388af873f0e51dd080b1d803ad6
2021-07-28 15:05:25 +02:00
apex_compos_data_file
Add rules for virtualizationservice and crosvm The test for the services has been running with selinux disabled. To turn selinux on, required rules are allowed. Below is the summary of the added rules. * crosvm can read the composite disk files and other files (APKs, APEXes) that serve as backing store of the composite disks. * virtualizationservice has access to several binder services - permission_service: to check Android permission - apexd: to get apex files list (this will be removed eventually) * Both have read access to shell_data_file (/data/local/tmp/...) for testing purpose. This is not allowed for the user build. * virtualizationservice has access to the pseudo terminal opened by adbd so that it can write output to the terminal when the 'vm' tool is invoked in shell. Bug: 168588769 Test: /apex/com.android.virt/bin/vm run-app --log /dev/null /data/local/tmp/virt/MicrodroidDemoApp.apk /data/local/tmp/virt/MicrodroidDemoApp.apk.idsig /data/local/tmp/virt/instance.img assets/vm_config.json without disabling selinux. Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-12 14:11:33 +02:00
}:file write;
# Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
SEPolicy for compos_verify_key. Remove some allow rules for odsign, since it no longer directly modifies CompOs files. Instead allow it to run compos_verify_key in its own domain. Grant compos_verify_key what it needs to access the CompOs files and start up the VM. Currently we directly connect to the CompOs VM; that will change once some in-flight CLs have landed. As part of this I moved the virtualizationservice_use macro to te_macros so I can use it here. I also expanded it to include additional grants needed by any VM client that were previously done for individual domains (and then deleted those rules as now redundant). I also removed the grant of VM access to all apps; instead we allow it for untrusted apps, on userdebug or eng builds only. (Temporarily at least.) Bug: 193603140 Test: Manual - odsign successfully runs the VM at boot when needed. Change-Id: I62f9ad8c7ea2fb9ef2d468331e26822d08e3c828
2021-09-02 12:10:59 +02:00
allow crosvm adbd:fd use;
Add rules for virtualizationservice and crosvm The test for the services has been running with selinux disabled. To turn selinux on, required rules are allowed. Below is the summary of the added rules. * crosvm can read the composite disk files and other files (APKs, APEXes) that serve as backing store of the composite disks. * virtualizationservice has access to several binder services - permission_service: to check Android permission - apexd: to get apex files list (this will be removed eventually) * Both have read access to shell_data_file (/data/local/tmp/...) for testing purpose. This is not allowed for the user build. * virtualizationservice has access to the pseudo terminal opened by adbd so that it can write output to the terminal when the 'vm' tool is invoked in shell. Bug: 168588769 Test: /apex/com.android.virt/bin/vm run-app --log /dev/null /data/local/tmp/virt/MicrodroidDemoApp.apk /data/local/tmp/virt/MicrodroidDemoApp.apk.idsig /data/local/tmp/virt/instance.img assets/vm_config.json without disabling selinux. Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-12 14:11:33 +02:00
allow crosvm adbd:unix_stream_socket { read write };
Allow virtualizationservice and crosvm to access shell_data_file files. This is necessary to run tests or run VMs manually with SELinux enforcement enabled. Bug: 192256642 Test: atest VirtualizationTestCases Change-Id: I03b12fefa4e79644bd2f3410cc255f923834aca4
2021-07-01 17:58:26 +02:00
crosvm: netlink perms for acpi Required by crosvm update. Bug: 228077254 Bug: 226645768 Test: CompOsTestCase progress Change-Id: I25e9aa257a26992e48e99e02f04195be52a24194
2022-04-04 22:20:24 +02:00
# For ACPI
allow crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
Add rules for virtualizationservice and crosvm The test for the services has been running with selinux disabled. To turn selinux on, required rules are allowed. Below is the summary of the added rules. * crosvm can read the composite disk files and other files (APKs, APEXes) that serve as backing store of the composite disks. * virtualizationservice has access to several binder services - permission_service: to check Android permission - apexd: to get apex files list (this will be removed eventually) * Both have read access to shell_data_file (/data/local/tmp/...) for testing purpose. This is not allowed for the user build. * virtualizationservice has access to the pseudo terminal opened by adbd so that it can write output to the terminal when the 'vm' tool is invoked in shell. Bug: 168588769 Test: /apex/com.android.virt/bin/vm run-app --log /dev/null /data/local/tmp/virt/MicrodroidDemoApp.apk /data/local/tmp/virt/MicrodroidDemoApp.apk.idsig /data/local/tmp/virt/instance.img assets/vm_config.json without disabling selinux. Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-12 14:11:33 +02:00
# The console log can also be written to /data/local/tmp. This is not safe as the log then can be
# visible to the processes which don't own the VM. Therefore, this is a debugging only feature.
userdebug_or_eng(`allow crosvm shell_data_file:file w_file_perms;')
Don't prevent crosvm from accessing vendor-owned VM disk images There can be VM disk images that are specific to the underlying SoC. e.g. in case where SoC-specific hardware is dedicated to a VM and the VM needs drivers (or HALs) for the hardware. Don't prevent crosvm from reading such a SoC-specific VM disk images. Note that this doesn't actually allow crosvm to do that in AOSP. Such an allow rule could be added in downstreams where such use cases exist. Bug: 193605879 Test: m Change-Id: If19c0b6adae4c91676b142324c2903879548a135
2021-08-09 02:24:45 +02:00
# Don't allow crosvm to have access to ordinary vendor files that are not for VMs.
full_treble_only(`
neverallow crosvm {
vendor_file_type
-vendor_vm_file
-vendor_vm_data_file
# These types are not required for crosvm, but the access is granted to globally in domain.te
# thus should be exempted here.
-vendor_configs_file
-vndk_sp_file
-vendor_task_profiles_file
}:file *;
')
app_data_file is the only app_data_file_type that is allowed for crosvm Bug: 204852957 Test: monitor TH Change-Id: Ie92aa25336087519661002624b486cb35740cda6
2021-11-25 16:59:07 +01:00
# app_data_file (and shell_data_file for debuggable builds) is the only
# app_data_file_type that is allowed for crosvm to read. Note that the use of
Add comment explaining why crosvm shouldn't be allowed to open files. Bug: 192453819 Test: No code change Change-Id: Iebaa1db2e8eed81122e64999ef58b728e1bf95cc
2021-12-24 14:10:25 +01:00
# app_data_file is allowed only for the instance disk image. This is enforced
app_data_file is the only app_data_file_type that is allowed for crosvm Bug: 204852957 Test: monitor TH Change-Id: Ie92aa25336087519661002624b486cb35740cda6
2021-11-25 16:59:07 +01:00
# inside the virtualizationservice by checking the file context of all disk
# image files.
neverallow crosvm {
app_data_file_type
-app_data_file
userdebug_or_eng(`-shell_data_file')
}:file read;
Neverallow domains other than VS from executing VM Bug: 216610937 Test: atest MicrodroidTests Change-Id: I2ecea6974cb6650f8a7aa8b706ae38e1822805cd
2022-02-03 07:30:26 +01:00
# Only virtualizationservice can run crosvm
neverallow {
domain
-crosvm
-virtualizationservice
} crosvm_exec:file no_x_file_perms;
Reference in a new issue Copy permalink