tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/crosvm.te

179 lines
7.3 KiB
Text
Raw Normal View History

Add crosvm domain and give virtmanager and crosvm necessary permissions. Bug: 183583115 Test: make TARGET_KERNEL_USE=5.4 TARGET_VIM3L=true Change-Id: I566436fa2d27597566014f2a63198a88d6d2dbd6
2021-03-29 19:19:12 +02:00
type crosvm, domain, coredomain;
type crosvm_exec, system_file_type, exec_type, file_type;
type crosvm_tmpfs, file_type;
Introduce vm_manager_device_type for crosvm Introduce hypervisor-generic type for VM managers: vm_manager_device_type. Bug: 274758531 Change-Id: I0937e2c717ff973eeb61543bd05a7dcc2e5dc19c Suggested-by: Steven Moreland <smoreland@google.com> Signed-off-by: Elliot Berman <quic_eberman@quicinc.com>
2023-03-23 01:31:35 +01:00
# Let crosvm open VM manager devices such as /dev/kvm.
allow crosvm vm_manager_device_type:chr_file rw_file_perms;
Add rules for virtualizationservice and crosvm The test for the services has been running with selinux disabled. To turn selinux on, required rules are allowed. Below is the summary of the added rules. * crosvm can read the composite disk files and other files (APKs, APEXes) that serve as backing store of the composite disks. * virtualizationservice has access to several binder services - permission_service: to check Android permission - apexd: to get apex files list (this will be removed eventually) * Both have read access to shell_data_file (/data/local/tmp/...) for testing purpose. This is not allowed for the user build. * virtualizationservice has access to the pseudo terminal opened by adbd so that it can write output to the terminal when the 'vm' tool is invoked in shell. Bug: 168588769 Test: /apex/com.android.virt/bin/vm run-app --log /dev/null /data/local/tmp/virt/MicrodroidDemoApp.apk /data/local/tmp/virt/MicrodroidDemoApp.apk.idsig /data/local/tmp/virt/instance.img assets/vm_config.json without disabling selinux. Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-12 14:11:33 +02:00
# Most other domains shouldn't access /dev/kvm.
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
virtualizationservice no longer tries to check for pKVM extension. This was fixed in https://r.android.com/1963701, as it never worked. This partially reverts commit 2dd48d0400ad214948d7d5863e5d90b18a07dcb1. Change-Id: I6e7096e20fd594465fb1574b11d6fecc82f5d82f
2022-01-28 16:42:48 +01:00
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
Allow virtualizationservice to check for PKVM extension Bug: 210803811 Test: watch TH for all our tests Change-Id: Iac4528fa2a0dbebeca4504469624f50832689f43
2021-12-28 13:26:03 +01:00
neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };
Add rules for virtualizationservice and crosvm The test for the services has been running with selinux disabled. To turn selinux on, required rules are allowed. Below is the summary of the added rules. * crosvm can read the composite disk files and other files (APKs, APEXes) that serve as backing store of the composite disks. * virtualizationservice has access to several binder services - permission_service: to check Android permission - apexd: to get apex files list (this will be removed eventually) * Both have read access to shell_data_file (/data/local/tmp/...) for testing purpose. This is not allowed for the user build. * virtualizationservice has access to the pseudo terminal opened by adbd so that it can write output to the terminal when the 'vm' tool is invoked in shell. Bug: 168588769 Test: /apex/com.android.virt/bin/vm run-app --log /dev/null /data/local/tmp/virt/MicrodroidDemoApp.apk /data/local/tmp/virt/MicrodroidDemoApp.apk.idsig /data/local/tmp/virt/instance.img assets/vm_config.json without disabling selinux. Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-12 14:11:33 +02:00
Introduce vm_manager_device_type for crosvm Introduce hypervisor-generic type for VM managers: vm_manager_device_type. Bug: 274758531 Change-Id: I0937e2c717ff973eeb61543bd05a7dcc2e5dc19c Suggested-by: Steven Moreland <smoreland@google.com> Signed-off-by: Elliot Berman <quic_eberman@quicinc.com>
2023-03-23 01:31:35 +01:00
# Most other domains shouldn't access other vm managers either.
# These restrictions need to be slightly looser than for kvm_device to allow
# for different implementations.
neverallow { coredomain appdomain -crosvm -ueventd -shell } vm_manager_device_type:chr_file getattr;
neverallow { coredomain appdomain -crosvm -ueventd } vm_manager_device_type:chr_file ~getattr;
Add crosvm domain and give virtmanager and crosvm necessary permissions. Bug: 183583115 Test: make TARGET_KERNEL_USE=5.4 TARGET_VIM3L=true Change-Id: I566436fa2d27597566014f2a63198a88d6d2dbd6
2021-03-29 19:19:12 +02:00
# Let crosvm create temporary files.
tmpfs_domain(crosvm)
Rename VirtManager to VirtualizationService. Bug: 188042280 Test: atest VirtualizationTestCases Change-Id: Ia46a0dda923cb30382cbcba64aeb569685041d2b
2021-05-21 15:21:43 +02:00
# Let crosvm receive file descriptors from VirtualizationService.
Start using virtmgr for running VMs Split virtualizationservice policy into rules that should remain with the global service and rules that now apply to virtmgr - a child process of the client that runs the VM on its behalf. The virtualizationservice domain remains responsible for: * allocating CIDs (access to props) * creating temporary VM directories (virtualization_data_file, chown) * receiving tombstones from VMs * pushing atoms to statsd * removing memlock rlimit from virtmgr The new virtualizationmanager domain becomes responsible for: * executing crosvm * creating vsock connections, handling callbacks * preparing APEXes * pushing ramdumps to tombstoned * collecting stats for telemetry atoms The `virtualizationservice_use` macro is changed to allow client domains to transition to the virtmgr domain upon executing it as their child, and to allow communication over UDS. Clients are not allowed to communicate with virtualizationservice via Binder, only virtmgr is now allowed to do that. Bug: 250685929 Test: atest -p packages/modules/Virtualization:avf-presubmit Change-Id: Iefdccd908fc28e5d8c6f4566290e79ed88ade70b
2022-12-15 14:38:42 +01:00
allow crosvm virtualizationmanager:fd use;
Add crosvm domain and give virtmanager and crosvm necessary permissions. Bug: 183583115 Test: make TARGET_KERNEL_USE=5.4 TARGET_VIM3L=true Change-Id: I566436fa2d27597566014f2a63198a88d6d2dbd6
2021-03-29 19:19:12 +02:00
dontaudit crosvm reading VM's pipe Bug: 238593451 Test: boot microdroid and see console Change-Id: I46712759240a9f091936c6a81bb02679c267b8b8
2023-01-13 06:08:16 +01:00
# Allow sending VirtualizationService the failure reason and console/log from the VM via pipe.
Start using virtmgr for running VMs Split virtualizationservice policy into rules that should remain with the global service and rules that now apply to virtmgr - a child process of the client that runs the VM on its behalf. The virtualizationservice domain remains responsible for: * allocating CIDs (access to props) * creating temporary VM directories (virtualization_data_file, chown) * receiving tombstones from VMs * pushing atoms to statsd * removing memlock rlimit from virtmgr The new virtualizationmanager domain becomes responsible for: * executing crosvm * creating vsock connections, handling callbacks * preparing APEXes * pushing ramdumps to tombstoned * collecting stats for telemetry atoms The `virtualizationservice_use` macro is changed to allow client domains to transition to the virtmgr domain upon executing it as their child, and to allow communication over UDS. Clients are not allowed to communicate with virtualizationservice via Binder, only virtmgr is now allowed to do that. Bug: 250685929 Test: atest -p packages/modules/Virtualization:avf-presubmit Change-Id: Iefdccd908fc28e5d8c6f4566290e79ed88ade70b
2022-12-15 14:38:42 +01:00
allow crosvm virtualizationmanager:fifo_file write;
Allow piping VM failure reason Allow crosvm to write a VM failure reason to virtualizationservice via the pipe provided. Fixes this denial: avc: denied { write } for path="pipe:[95872]" dev="pipefs" ino=95872 scontext=u:r:crosvm:s0 tcontext=u:r:virtualizationservice:s0 tclass=fifo_file Bug: 220071963 Test: Run VM, no denial. Change-Id: I3beedc5e715aa33209d3df0cae05f45f31e79e66
2022-03-09 15:05:18 +01:00
Add rules for virtualizationservice and crosvm The test for the services has been running with selinux disabled. To turn selinux on, required rules are allowed. Below is the summary of the added rules. * crosvm can read the composite disk files and other files (APKs, APEXes) that serve as backing store of the composite disks. * virtualizationservice has access to several binder services - permission_service: to check Android permission - apexd: to get apex files list (this will be removed eventually) * Both have read access to shell_data_file (/data/local/tmp/...) for testing purpose. This is not allowed for the user build. * virtualizationservice has access to the pseudo terminal opened by adbd so that it can write output to the terminal when the 'vm' tool is invoked in shell. Bug: 168588769 Test: /apex/com.android.virt/bin/vm run-app --log /dev/null /data/local/tmp/virt/MicrodroidDemoApp.apk /data/local/tmp/virt/MicrodroidDemoApp.apk.idsig /data/local/tmp/virt/instance.img assets/vm_config.json without disabling selinux. Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-12 14:11:33 +02:00
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
Introduce vendor_microdroid_file for microdroid vendor image In AVF, virtualizationmanager checks the selinux label of given disk image for proving whether the given image is edited maliciously. Existing one(vendor_configs_file, /vendor/etc/*) was too wide to use for this purpose. Bug: 285854379 Test: m Change-Id: I6c966c92b238a2262d2eb7f41041ed4c359e9e0a
2023-11-15 09:59:30 +01:00
# /data/local/tmp), instance.img (app_data_file), and microdroid vendor image (vendor_microdroid_file).
[service-vm] Adjust sepolicy for running service VM Bug: 278858244 Test: Runs the ServiceVmClientApp in VM Test: atest MicrodroidHostTests Change-Id: Ia59fe910edc0826aa5866468c27558e9d190b58d
2023-08-31 13:37:30 +02:00
# Allow crosvm to read the instance image of the service VM saved in apex_virt_data_file.
# Note that the open permission is not given as the files are passed as file descriptors.
Add rules for virtualizationservice and crosvm The test for the services has been running with selinux disabled. To turn selinux on, required rules are allowed. Below is the summary of the added rules. * crosvm can read the composite disk files and other files (APKs, APEXes) that serve as backing store of the composite disks. * virtualizationservice has access to several binder services - permission_service: to check Android permission - apexd: to get apex files list (this will be removed eventually) * Both have read access to shell_data_file (/data/local/tmp/...) for testing purpose. This is not allowed for the user build. * virtualizationservice has access to the pseudo terminal opened by adbd so that it can write output to the terminal when the 'vm' tool is invoked in shell. Bug: 168588769 Test: /apex/com.android.virt/bin/vm run-app --log /dev/null /data/local/tmp/virt/MicrodroidDemoApp.apk /data/local/tmp/virt/MicrodroidDemoApp.apk.idsig /data/local/tmp/virt/instance.img assets/vm_config.json without disabling selinux. Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-12 14:11:33 +02:00
allow crosvm {
virtualizationservice_data_file
staging_data_file
apk_data_file
app_data_file
Allow priv apps to use virtualizationservice And allow VS and crosvm access to privapp_data_file, to the same extent as app_data_file. Update some comments, move a neverallow to the bottom of the file with the others. Bug: 255286871 Test: Install demo app to system/priv-app, see it work without explicit grant. Change-Id: Ic763c3fbfdfe9b7a7ee6f1fe76d2a74281b69f4f
2022-10-24 13:32:34 +02:00
privapp_data_file
Allow CompOS to start a VM with its instance image. The image will be stored under /data/misc/apexdata/com.android.compos. Grant crosvm & virtualization service read/write but not open access. This fixes these denials: avc: denied { read } for comm="Binder:3283_2" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:virtualizationservice:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1 avc: denied { getattr } for comm="virtualizations" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:virtualizationservice:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1 avc: denied { read } for comm="crosvm" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:crosvm:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1 avc: denied { getattr } for comm="crosvm" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:crosvm:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1 Test: compos_key_cmd --start /data/misc/apexdata/com.android.compos/instance.img Test: Works in enforcing mode, no denials seen. Bug: 193603140 Change-Id: I1137fddd02e84388af873f0e51dd080b1d803ad6
2021-07-28 15:05:25 +02:00
apex_compos_data_file
[service-vm] Adjust sepolicy for running service VM Bug: 278858244 Test: Runs the ServiceVmClientApp in VM Test: atest MicrodroidHostTests Change-Id: Ia59fe910edc0826aa5866468c27558e9d190b58d
2023-08-31 13:37:30 +02:00
apex_virt_data_file
crosvm can access data_shell_file on user builds Some of our CTS tests require that crosvm to have read/write access to files on /data/local/tmp/virt which is labeled as data_shell_file. Since CTS tests should pass on user builds, grant the access in user builds as well. Note that the open access is still disallowed in user builds. Bug: 222013014 Test: run cts Change-Id: I4f93ac64d72cfe63275f04f2c5ea6fb99e9b5874
2022-04-19 04:48:32 +02:00
shell_data_file
Introduce vendor_microdroid_file for microdroid vendor image In AVF, virtualizationmanager checks the selinux label of given disk image for proving whether the given image is edited maliciously. Existing one(vendor_configs_file, /vendor/etc/*) was too wide to use for this purpose. Bug: 285854379 Test: m Change-Id: I6c966c92b238a2262d2eb7f41041ed4c359e9e0a
2023-11-15 09:59:30 +01:00
vendor_microdroid_file
Add rules for virtualizationservice and crosvm The test for the services has been running with selinux disabled. To turn selinux on, required rules are allowed. Below is the summary of the added rules. * crosvm can read the composite disk files and other files (APKs, APEXes) that serve as backing store of the composite disks. * virtualizationservice has access to several binder services - permission_service: to check Android permission - apexd: to get apex files list (this will be removed eventually) * Both have read access to shell_data_file (/data/local/tmp/...) for testing purpose. This is not allowed for the user build. * virtualizationservice has access to the pseudo terminal opened by adbd so that it can write output to the terminal when the 'vm' tool is invoked in shell. Bug: 168588769 Test: /apex/com.android.virt/bin/vm run-app --log /dev/null /data/local/tmp/virt/MicrodroidDemoApp.apk /data/local/tmp/virt/MicrodroidDemoApp.apk.idsig /data/local/tmp/virt/instance.img assets/vm_config.json without disabling selinux. Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-12 14:11:33 +02:00
}:file { getattr read ioctl lock };
Add crosvm domain and give virtmanager and crosvm necessary permissions. Bug: 183583115 Test: make TARGET_KERNEL_USE=5.4 TARGET_VIM3L=true Change-Id: I566436fa2d27597566014f2a63198a88d6d2dbd6
2021-03-29 19:19:12 +02:00
Add rules for virtualizationservice and crosvm The test for the services has been running with selinux disabled. To turn selinux on, required rules are allowed. Below is the summary of the added rules. * crosvm can read the composite disk files and other files (APKs, APEXes) that serve as backing store of the composite disks. * virtualizationservice has access to several binder services - permission_service: to check Android permission - apexd: to get apex files list (this will be removed eventually) * Both have read access to shell_data_file (/data/local/tmp/...) for testing purpose. This is not allowed for the user build. * virtualizationservice has access to the pseudo terminal opened by adbd so that it can write output to the terminal when the 'vm' tool is invoked in shell. Bug: 168588769 Test: /apex/com.android.virt/bin/vm run-app --log /dev/null /data/local/tmp/virt/MicrodroidDemoApp.apk /data/local/tmp/virt/MicrodroidDemoApp.apk.idsig /data/local/tmp/virt/instance.img assets/vm_config.json without disabling selinux. Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-12 14:11:33 +02:00
# Allow searching the directory where the composite disk images are.
allow crosvm virtualizationservice_data_file:dir search;
Suppress spurious ipc_lock denials When running a VM from a root shell (e.g. via vm_shell), we see frequent ipc_lock denials: avc: denied { ipc_lock } for comm="crosvm" capability=14 scontext=u:r:crosvm:s0 tcontext=u:r:crosvm:s0 tclass=capability permissive=0 These don't appear for non-root crosvm, and don't prevent the VM from working. Suppress them to reduce log spam. Test: Run vm_shell Change-Id: I3b68ca9e3f15709a1f0fce285ba8916419ee82e8
2024-02-01 17:16:01 +01:00
# When running a VM as root we get spurious capability denials.
# Suppress them.
userdebug_or_eng(`
dontaudit crosvm self:capability ipc_lock;
')
Allow CAP_SYS_NICE for crosvm Open up CAP_SYS_NICE policies so that crosvm can adjust uclamp on its vCPU threads to provide a boost in performance. Bug: 322197421 Test: Booted device and processes that checked that the correct capabilites are given with no sepolicy denials. Change-Id: I089bf26caf862c32e85440575800bb095bb9087b Signed-off-by: David Dai <davidai@google.com>
2024-02-02 00:19:03 +01:00
# Allow crosvm to tune for performance.
allow crosvm self:global_capability_class_set sys_nice;
Allow virtualizationservice to create and manage socket files in its data folder ...and crosvm to access a listener socket when passed to it by file descriptor from virtualizationservice. Bug: 235579465 Test: Start a VM Change-Id: I7e89cfb4fb8a1ce845eaea64a33dbaad6bff9969
2022-07-11 16:27:40 +02:00
# Let crosvm access its control socket as created by VS.
# read, write, getattr: listener socket polling
# accept: listener socket accepting new connection
# Note that the open permission is not given as the socket is passed by FD.
Start using virtmgr for running VMs Split virtualizationservice policy into rules that should remain with the global service and rules that now apply to virtmgr - a child process of the client that runs the VM on its behalf. The virtualizationservice domain remains responsible for: * allocating CIDs (access to props) * creating temporary VM directories (virtualization_data_file, chown) * receiving tombstones from VMs * pushing atoms to statsd * removing memlock rlimit from virtmgr The new virtualizationmanager domain becomes responsible for: * executing crosvm * creating vsock connections, handling callbacks * preparing APEXes * pushing ramdumps to tombstoned * collecting stats for telemetry atoms The `virtualizationservice_use` macro is changed to allow client domains to transition to the virtmgr domain upon executing it as their child, and to allow communication over UDS. Clients are not allowed to communicate with virtualizationservice via Binder, only virtmgr is now allowed to do that. Bug: 250685929 Test: atest -p packages/modules/Virtualization:avf-presubmit Change-Id: Iefdccd908fc28e5d8c6f4566290e79ed88ade70b
2022-12-15 14:38:42 +01:00
allow crosvm virtualizationmanager:unix_stream_socket { accept read write getattr getopt };
Allow virtualizationservice to create and manage socket files in its data folder ...and crosvm to access a listener socket when passed to it by file descriptor from virtualizationservice. Bug: 235579465 Test: Start a VM Change-Id: I7e89cfb4fb8a1ce845eaea64a33dbaad6bff9969
2022-07-11 16:27:40 +02:00
Allow crosvm to open test artifacts in shell_data_file Test: Try open /data/local/tmp/a from crovm Bug: 260802656, Bug: 243672257 Change-Id: I90e2fe892f1028ea5add91a41389e2f7e812f988
2022-12-07 08:18:18 +01:00
# Let crosvm open test artifacts under /data/local/tmp with file path. (e.g. custom pvmfw.img)
userdebug_or_eng(`
allow crosvm shell_data_file:dir search;
allow crosvm shell_data_file:file open;
')
Add rules for virtualizationservice and crosvm The test for the services has been running with selinux disabled. To turn selinux on, required rules are allowed. Below is the summary of the added rules. * crosvm can read the composite disk files and other files (APKs, APEXes) that serve as backing store of the composite disks. * virtualizationservice has access to several binder services - permission_service: to check Android permission - apexd: to get apex files list (this will be removed eventually) * Both have read access to shell_data_file (/data/local/tmp/...) for testing purpose. This is not allowed for the user build. * virtualizationservice has access to the pseudo terminal opened by adbd so that it can write output to the terminal when the 'vm' tool is invoked in shell. Bug: 168588769 Test: /apex/com.android.virt/bin/vm run-app --log /dev/null /data/local/tmp/virt/MicrodroidDemoApp.apk /data/local/tmp/virt/MicrodroidDemoApp.apk.idsig /data/local/tmp/virt/instance.img assets/vm_config.json without disabling selinux. Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-12 14:11:33 +02:00
# The instance image and the composite image should be writable as well because they could represent
# mutable disks.
allow crosvm {
virtualizationservice_data_file
app_data_file
Allow priv apps to use virtualizationservice And allow VS and crosvm access to privapp_data_file, to the same extent as app_data_file. Update some comments, move a neverallow to the bottom of the file with the others. Bug: 255286871 Test: Install demo app to system/priv-app, see it work without explicit grant. Change-Id: Ic763c3fbfdfe9b7a7ee6f1fe76d2a74281b69f4f
2022-10-24 13:32:34 +02:00
privapp_data_file
Allow CompOS to start a VM with its instance image. The image will be stored under /data/misc/apexdata/com.android.compos. Grant crosvm & virtualization service read/write but not open access. This fixes these denials: avc: denied { read } for comm="Binder:3283_2" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:virtualizationservice:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1 avc: denied { getattr } for comm="virtualizations" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:virtualizationservice:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1 avc: denied { read } for comm="crosvm" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:crosvm:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1 avc: denied { getattr } for comm="crosvm" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:crosvm:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1 Test: compos_key_cmd --start /data/misc/apexdata/com.android.compos/instance.img Test: Works in enforcing mode, no denials seen. Bug: 193603140 Change-Id: I1137fddd02e84388af873f0e51dd080b1d803ad6
2021-07-28 15:05:25 +02:00
apex_compos_data_file
[service-vm] Adjust sepolicy for running service VM Bug: 278858244 Test: Runs the ServiceVmClientApp in VM Test: atest MicrodroidHostTests Change-Id: Ia59fe910edc0826aa5866468c27558e9d190b58d
2023-08-31 13:37:30 +02:00
apex_virt_data_file
Add rules for virtualizationservice and crosvm The test for the services has been running with selinux disabled. To turn selinux on, required rules are allowed. Below is the summary of the added rules. * crosvm can read the composite disk files and other files (APKs, APEXes) that serve as backing store of the composite disks. * virtualizationservice has access to several binder services - permission_service: to check Android permission - apexd: to get apex files list (this will be removed eventually) * Both have read access to shell_data_file (/data/local/tmp/...) for testing purpose. This is not allowed for the user build. * virtualizationservice has access to the pseudo terminal opened by adbd so that it can write output to the terminal when the 'vm' tool is invoked in shell. Bug: 168588769 Test: /apex/com.android.virt/bin/vm run-app --log /dev/null /data/local/tmp/virt/MicrodroidDemoApp.apk /data/local/tmp/virt/MicrodroidDemoApp.apk.idsig /data/local/tmp/virt/instance.img assets/vm_config.json without disabling selinux. Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-12 14:11:33 +02:00
}:file write;
# Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
SEPolicy for compos_verify_key. Remove some allow rules for odsign, since it no longer directly modifies CompOs files. Instead allow it to run compos_verify_key in its own domain. Grant compos_verify_key what it needs to access the CompOs files and start up the VM. Currently we directly connect to the CompOs VM; that will change once some in-flight CLs have landed. As part of this I moved the virtualizationservice_use macro to te_macros so I can use it here. I also expanded it to include additional grants needed by any VM client that were previously done for individual domains (and then deleted those rules as now redundant). I also removed the grant of VM access to all apps; instead we allow it for untrusted apps, on userdebug or eng builds only. (Temporarily at least.) Bug: 193603140 Test: Manual - odsign successfully runs the VM at boot when needed. Change-Id: I62f9ad8c7ea2fb9ef2d468331e26822d08e3c828
2021-09-02 12:10:59 +02:00
allow crosvm adbd:fd use;
Add rules for virtualizationservice and crosvm The test for the services has been running with selinux disabled. To turn selinux on, required rules are allowed. Below is the summary of the added rules. * crosvm can read the composite disk files and other files (APKs, APEXes) that serve as backing store of the composite disks. * virtualizationservice has access to several binder services - permission_service: to check Android permission - apexd: to get apex files list (this will be removed eventually) * Both have read access to shell_data_file (/data/local/tmp/...) for testing purpose. This is not allowed for the user build. * virtualizationservice has access to the pseudo terminal opened by adbd so that it can write output to the terminal when the 'vm' tool is invoked in shell. Bug: 168588769 Test: /apex/com.android.virt/bin/vm run-app --log /dev/null /data/local/tmp/virt/MicrodroidDemoApp.apk /data/local/tmp/virt/MicrodroidDemoApp.apk.idsig /data/local/tmp/virt/instance.img assets/vm_config.json without disabling selinux. Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-12 14:11:33 +02:00
allow crosvm adbd:unix_stream_socket { read write };
Allow VMs to log to shell pts If we run a VM from an adb shell, e.g. via `vm run`, then we would like to get the VM console & log sent to the shell console. That doesn't work unless virtualization manager & crosvm can write to devpts. Bug: 286355623 Test: Manual: adb shell, /apex/com.android.virt/bin/vm run-microdroid --debug full Change-Id: I01b233bc6ad5fba8f333f379af62a03806ae8949
2023-06-08 14:13:08 +02:00
allow crosvm devpts:chr_file { read write getattr ioctl };
Allow virtualizationservice and crosvm to access shell_data_file files. This is necessary to run tests or run VMs manually with SELinux enforcement enabled. Bug: 192256642 Test: atest VirtualizationTestCases Change-Id: I03b12fefa4e79644bd2f3410cc255f923834aca4
2021-07-01 17:58:26 +02:00
Sepolicy for crosvm to show display They are under RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES Bug: 331708504 Test: check if the display shows Change-Id: I06859493c995e384e1f30554a6a12b9cd3636f30
2024-04-02 07:50:14 +02:00
is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
# Allow crosvm to draw screen in the surface
allow crosvm device:dir { read open };
allow crosvm same_process_hal_file:file { read open getattr map execute };
allow crosvm gpu_device:chr_file { read write open ioctl map open getattr };
allow crosvm hal_graphics_allocator:fd use;
allow crosvm hal_graphics_allocator_server:binder call;
allow crosvm surfaceflinger:fd use;
hal_client_domain(crosvm, hal_graphics_allocator)
# To provide display service to an app to get surface.
# TODO(b/332677707): remove them when display service uses binder RPC.
Introduce vmlauncher_app domain Bug: 333485208 Test: check display Change-Id: I64c09f09615e89cf24398c01b8f87b0136be0a7f
2024-04-09 08:02:28 +02:00
allow crosvm vmlauncher_app:binder { transfer call };
Sepolicy for crosvm to show display They are under RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES Bug: 331708504 Test: check if the display shows Change-Id: I06859493c995e384e1f30554a6a12b9cd3636f30
2024-04-02 07:50:14 +02:00
allow crosvm servicemanager:binder { call transfer };
allow crosvm virtualization_service:service_manager find;
allow crosvm virtualizationservice:binder { call transfer };
')
crosvm: dontaudit netlink perms for acpi Currently experiencing these neverallows, but they're intentional. Fixes: 228077254 Test: N/A Change-Id: I79f8caaf1695e91d695b8cecbc5f01df09e4e2d2
2022-04-04 22:20:24 +02:00
# crosvm tries to use netlink sockets as part its APCI implementation, but we don't need it for AVF (b/228077254)
dontaudit crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
Allow crosvm to write shell_data_file The compliance tests rely on this. Bug: 230660133 Test: run MicrodroidHostTests on a user build Merged-In: Ic061632d80285182ec2ae7d31f3527948702cf32 Change-Id: Ic061632d80285182ec2ae7d31f3527948702cf32
2022-05-02 06:23:50 +02:00
# crosvm can write files in /data/local/tmp which are usually used for instance.img and logging by
# compliance tests and demo apps. Write access to instance.img is particularily important because
# the VM has to initialize the disk image on its first boot. Note that open access is still not
# granted because the files are expected to be opened by the owner of the VM (apps or shell in case
# when the vm is created by the `vm` tool) and handed over to crosvm as FD.
allow crosvm shell_data_file:file write;
Don't prevent crosvm from accessing vendor-owned VM disk images There can be VM disk images that are specific to the underlying SoC. e.g. in case where SoC-specific hardware is dedicated to a VM and the VM needs drivers (or HALs) for the hardware. Don't prevent crosvm from reading such a SoC-specific VM disk images. Note that this doesn't actually allow crosvm to do that in AOSP. Such an allow rule could be added in downstreams where such use cases exist. Bug: 193605879 Test: m Change-Id: If19c0b6adae4c91676b142324c2903879548a135
2021-08-09 02:24:45 +02:00
dontaudit crosvm reading VM's pipe Bug: 238593451 Test: boot microdroid and see console Change-Id: I46712759240a9f091936c6a81bb02679c267b8b8
2023-01-13 06:08:16 +01:00
# crosvm tries to read serial device, including the write-only pipe from virtualizationmanager (to
# forward console/log to the host logcat).
# crosvm only needs write permission, so dontaudit read
Use regular file for VM DTBO Bug: 287379025 Test: adb shell /apex/com.android.virt/bin/vm run-microdroid \ --protected --mem 512 --devices \ /sys/bus/platform/devices/16d00000.eh Change-Id: Id77c25f5f22672da9281078fc17f45087d893f4d
2023-08-03 05:53:48 +02:00
dontaudit crosvm virtualizationmanager:fifo_file { read getattr };
dontaudit crosvm reading VM's pipe Bug: 238593451 Test: boot microdroid and see console Change-Id: I46712759240a9f091936c6a81bb02679c267b8b8
2023-01-13 06:08:16 +01:00
Sepolicy rules to allow crosvm to start a gdb-server Bug: 242057159 Test: see another change in this topic Change-Id: Ie5116c8891a62096e767500b90a19fc5975c3599
2023-02-15 00:17:55 +01:00
# Required for crosvm to start gdb-server to enable debugging of guest kernel.
allow crosvm self:tcp_socket { bind create read setopt write accept listen };
allow crosvm port:tcp_socket name_bind;
allow crosvm adbd:unix_stream_socket ioctl;
allow crosvm node:tcp_socket node_bind;
Add permission for VFIO device binding vfio_handler will bind platform devices to VFIO driver, and then return a file descriptor containing DTBO. This change adds permissions needed for that. Bug: 278008182 Test: adb shell /apex/com.android.virt/bin/vm run-microdroid \ --devices /sys/bus/platform/devices/16d00000.eh --protected Change-Id: Ie947adff00d138426d4703cbb8e7a8cd429c2272
2023-08-01 04:00:49 +02:00
# Allow crosvm to interact to VFIO device
allow crosvm vfio_device:chr_file rw_file_perms;
allow crosvm vfio_device:dir r_dir_perms;
Use regular file for VM DTBO Bug: 287379025 Test: adb shell /apex/com.android.virt/bin/vm run-microdroid \ --protected --mem 512 --devices \ /sys/bus/platform/devices/16d00000.eh Change-Id: Id77c25f5f22672da9281078fc17f45087d893f4d
2023-08-03 05:53:48 +02:00
# Allow crosvm to access VM DTBO via a file created by virtualizationmanager.
allow crosvm virtualizationmanager:fd use;
allow crosvm virtualizationservice_data_file:file read;
Add permission for VFIO device binding vfio_handler will bind platform devices to VFIO driver, and then return a file descriptor containing DTBO. This change adds permissions needed for that. Bug: 278008182 Test: adb shell /apex/com.android.virt/bin/vm run-microdroid \ --devices /sys/bus/platform/devices/16d00000.eh --protected Change-Id: Ie947adff00d138426d4703cbb8e7a8cd429c2272
2023-08-01 04:00:49 +02:00
Allow priv apps to use virtualizationservice And allow VS and crosvm access to privapp_data_file, to the same extent as app_data_file. Update some comments, move a neverallow to the bottom of the file with the others. Bug: 255286871 Test: Install demo app to system/priv-app, see it work without explicit grant. Change-Id: Ic763c3fbfdfe9b7a7ee6f1fe76d2a74281b69f4f
2022-10-24 13:32:34 +02:00
# Don't allow crosvm to open files that it doesn't own.
# This is important because a malicious application could try to start a VM with a composite disk
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
# open them on its behalf. By preventing crosvm from opening any other files we prevent this
# potential privilege escalation. See http://b/192453819 for more discussion.
neverallow crosvm {
virtualizationservice_data_file
staging_data_file
apk_data_file
app_data_file
privapp_data_file
Add SELinux policy for storage areas We are adding the ability for apps to create "storage areas", which are transparently encrypted directories that can only be opened when the device is unlocked. This CL makes the required SELinux policy changes. First, assign the type "system_userdir_file" to the new top-level directory /data/storage_area (non-recursively). This is the same type used by the other top-level directories containing app data, such as /data/user, and it restricts access to the directory in the desired way. Second, add new types to represent an app's directory of storage areas, the storage areas themselves, and their contents: `storage_area_app_dir`, `storage_area_dir`, and `storage_area_content_file` respectively. All are `app_data_file_type`s. The directory structure and their associated labels is as follows (note that they also all get the categories of the user+package): /data/storage_area/userId/pkgName storage_area_app_dir /data/storage_area/userId/pkgName/storageAreaName storage_area_dir /data/storage_area/userId/pkgName/storageAreaName/myFile.txt storage_area_content_file /data/storage_area/userId/pkgName/storageAreaName/mySubDir storage_area_content_file These new types allow us to restrict how and which processes interact with storage areas. The new type for the contents of storage areas allows us to add new, desirable restrictions that we cannot add to the more general `app_data_file` type in order to maintain backwards-compatibility, e.g., we block apps from executing any files in their storage areas. Third, allow: -- vold_prepare_subdirs to create and delete storage areas on behalf of apps, and assign them the SElinux type `storage_area_dir` i.e. create directories /data/storage_area/$userId/$pkgName/$storageAreaName -- vold to assign encryption policies to storage area directories -- installd to create an app's directory of storage areas on app install, and delete them on app uninstall, and assign them the SElinux type `storage_area_app_dir`, i.e. directories /data/storage_area/$userId/$pkgName We also add a new SELinux type to represent the storage area encryption keys: `storage_area_key_file`. The keys are created by vold on storage area creation, and deleted either by vold if an app calls the `deleteStorageArea` API function explicitly, or by installd on app uninstall. These keys are stored in `/data/misc_ce/$userId/storage_area_keys`, and only installd and vold have access to them. Bug: 325121608 Test: atest StorageAreaTest Change-Id: I74805d249f59226fc6963693f682c70949bfad93
2024-04-30 22:26:55 +02:00
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
Allow priv apps to use virtualizationservice And allow VS and crosvm access to privapp_data_file, to the same extent as app_data_file. Update some comments, move a neverallow to the bottom of the file with the others. Bug: 255286871 Test: Install demo app to system/priv-app, see it work without explicit grant. Change-Id: Ic763c3fbfdfe9b7a7ee6f1fe76d2a74281b69f4f
2022-10-24 13:32:34 +02:00
userdebug_or_eng(`-shell_data_file')
}:file open;
Don't prevent crosvm from accessing vendor-owned VM disk images There can be VM disk images that are specific to the underlying SoC. e.g. in case where SoC-specific hardware is dedicated to a VM and the VM needs drivers (or HALs) for the hardware. Don't prevent crosvm from reading such a SoC-specific VM disk images. Note that this doesn't actually allow crosvm to do that in AOSP. Such an allow rule could be added in downstreams where such use cases exist. Bug: 193605879 Test: m Change-Id: If19c0b6adae4c91676b142324c2903879548a135
2021-08-09 02:24:45 +02:00
# Don't allow crosvm to have access to ordinary vendor files that are not for VMs.
full_treble_only(`
neverallow crosvm {
vendor_file_type
-vendor_vm_file
-vendor_vm_data_file
# These types are not required for crosvm, but the access is granted to globally in domain.te
# thus should be exempted here.
-vendor_configs_file
Introduce vendor_microdroid_file for microdroid vendor image In AVF, virtualizationmanager checks the selinux label of given disk image for proving whether the given image is edited maliciously. Existing one(vendor_configs_file, /vendor/etc/*) was too wide to use for this purpose. Bug: 285854379 Test: m Change-Id: I6c966c92b238a2262d2eb7f41041ed4c359e9e0a
2023-11-15 09:59:30 +01:00
-vendor_microdroid_file
Don't prevent crosvm from accessing vendor-owned VM disk images There can be VM disk images that are specific to the underlying SoC. e.g. in case where SoC-specific hardware is dedicated to a VM and the VM needs drivers (or HALs) for the hardware. Don't prevent crosvm from reading such a SoC-specific VM disk images. Note that this doesn't actually allow crosvm to do that in AOSP. Such an allow rule could be added in downstreams where such use cases exist. Bug: 193605879 Test: m Change-Id: If19c0b6adae4c91676b142324c2903879548a135
2021-08-09 02:24:45 +02:00
-vndk_sp_file
-vendor_task_profiles_file
Sepolicy for crosvm to show display They are under RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES Bug: 331708504 Test: check if the display shows Change-Id: I06859493c995e384e1f30554a6a12b9cd3636f30
2024-04-02 07:50:14 +02:00
is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `-same_process_hal_file')
Don't prevent crosvm from accessing vendor-owned VM disk images There can be VM disk images that are specific to the underlying SoC. e.g. in case where SoC-specific hardware is dedicated to a VM and the VM needs drivers (or HALs) for the hardware. Don't prevent crosvm from reading such a SoC-specific VM disk images. Note that this doesn't actually allow crosvm to do that in AOSP. Such an allow rule could be added in downstreams where such use cases exist. Bug: 193605879 Test: m Change-Id: If19c0b6adae4c91676b142324c2903879548a135
2021-08-09 02:24:45 +02:00
}:file *;
')
app_data_file is the only app_data_file_type that is allowed for crosvm Bug: 204852957 Test: monitor TH Change-Id: Ie92aa25336087519661002624b486cb35740cda6
2021-11-25 16:59:07 +01:00
Allow priv apps to use virtualizationservice And allow VS and crosvm access to privapp_data_file, to the same extent as app_data_file. Update some comments, move a neverallow to the bottom of the file with the others. Bug: 255286871 Test: Install demo app to system/priv-app, see it work without explicit grant. Change-Id: Ic763c3fbfdfe9b7a7ee6f1fe76d2a74281b69f4f
2022-10-24 13:32:34 +02:00
# Only allow crosvm to read app data files for clients that can start
# VMs. Note that the use of app data files is further restricted
# inside the virtualizationservice by checking the label of all disk
# image files.
app_data_file is the only app_data_file_type that is allowed for crosvm Bug: 204852957 Test: monitor TH Change-Id: Ie92aa25336087519661002624b486cb35740cda6
2021-11-25 16:59:07 +01:00
neverallow crosvm {
app_data_file_type
-app_data_file
Allow priv apps to use virtualizationservice And allow VS and crosvm access to privapp_data_file, to the same extent as app_data_file. Update some comments, move a neverallow to the bottom of the file with the others. Bug: 255286871 Test: Install demo app to system/priv-app, see it work without explicit grant. Change-Id: Ic763c3fbfdfe9b7a7ee6f1fe76d2a74281b69f4f
2022-10-24 13:32:34 +02:00
-privapp_data_file
crosvm can access data_shell_file on user builds Some of our CTS tests require that crosvm to have read/write access to files on /data/local/tmp/virt which is labeled as data_shell_file. Since CTS tests should pass on user builds, grant the access in user builds as well. Note that the open access is still disallowed in user builds. Bug: 222013014 Test: run cts Change-Id: I4f93ac64d72cfe63275f04f2c5ea6fb99e9b5874
2022-04-19 04:48:32 +02:00
-shell_data_file
app_data_file is the only app_data_file_type that is allowed for crosvm Bug: 204852957 Test: monitor TH Change-Id: Ie92aa25336087519661002624b486cb35740cda6
2021-11-25 16:59:07 +01:00
}:file read;
Neverallow domains other than VS from executing VM Bug: 216610937 Test: atest MicrodroidTests Change-Id: I2ecea6974cb6650f8a7aa8b706ae38e1822805cd
2022-02-03 07:30:26 +01:00
Start using virtmgr for running VMs Split virtualizationservice policy into rules that should remain with the global service and rules that now apply to virtmgr - a child process of the client that runs the VM on its behalf. The virtualizationservice domain remains responsible for: * allocating CIDs (access to props) * creating temporary VM directories (virtualization_data_file, chown) * receiving tombstones from VMs * pushing atoms to statsd * removing memlock rlimit from virtmgr The new virtualizationmanager domain becomes responsible for: * executing crosvm * creating vsock connections, handling callbacks * preparing APEXes * pushing ramdumps to tombstoned * collecting stats for telemetry atoms The `virtualizationservice_use` macro is changed to allow client domains to transition to the virtmgr domain upon executing it as their child, and to allow communication over UDS. Clients are not allowed to communicate with virtualizationservice via Binder, only virtmgr is now allowed to do that. Bug: 250685929 Test: atest -p packages/modules/Virtualization:avf-presubmit Change-Id: Iefdccd908fc28e5d8c6f4566290e79ed88ade70b
2022-12-15 14:38:42 +01:00
# Only virtualizationmanager can run crosvm
Neverallow domains other than VS from executing VM Bug: 216610937 Test: atest MicrodroidTests Change-Id: I2ecea6974cb6650f8a7aa8b706ae38e1822805cd
2022-02-03 07:30:26 +01:00
neverallow {
domain
-crosvm
Start using virtmgr for running VMs Split virtualizationservice policy into rules that should remain with the global service and rules that now apply to virtmgr - a child process of the client that runs the VM on its behalf. The virtualizationservice domain remains responsible for: * allocating CIDs (access to props) * creating temporary VM directories (virtualization_data_file, chown) * receiving tombstones from VMs * pushing atoms to statsd * removing memlock rlimit from virtmgr The new virtualizationmanager domain becomes responsible for: * executing crosvm * creating vsock connections, handling callbacks * preparing APEXes * pushing ramdumps to tombstoned * collecting stats for telemetry atoms The `virtualizationservice_use` macro is changed to allow client domains to transition to the virtmgr domain upon executing it as their child, and to allow communication over UDS. Clients are not allowed to communicate with virtualizationservice via Binder, only virtmgr is now allowed to do that. Bug: 250685929 Test: atest -p packages/modules/Virtualization:avf-presubmit Change-Id: Iefdccd908fc28e5d8c6f4566290e79ed88ade70b
2022-12-15 14:38:42 +01:00
-virtualizationmanager
Neverallow domains other than VS from executing VM Bug: 216610937 Test: atest MicrodroidTests Change-Id: I2ecea6974cb6650f8a7aa8b706ae38e1822805cd
2022-02-03 07:30:26 +01:00
} crosvm_exec:file no_x_file_perms;
Reference in a new issue Copy permalink