2021-03-29 19:19:12 +02:00
|
|
|
type crosvm, domain, coredomain;
|
|
|
|
type crosvm_exec, system_file_type, exec_type, file_type;
|
|
|
|
type crosvm_tmpfs, file_type;
|
|
|
|
|
2021-07-12 14:11:33 +02:00
|
|
|
# Let crosvm open /dev/kvm.
|
|
|
|
allow crosvm kvm_device:chr_file rw_file_perms;
|
|
|
|
|
|
|
|
# Most other domains shouldn't access /dev/kvm.
|
|
|
|
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
|
2022-01-28 16:42:48 +01:00
|
|
|
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
|
2021-12-28 13:26:03 +01:00
|
|
|
neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };
|
2021-07-12 14:11:33 +02:00
|
|
|
|
2021-03-29 19:19:12 +02:00
|
|
|
# Let crosvm create temporary files.
|
|
|
|
tmpfs_domain(crosvm)
|
|
|
|
|
2021-05-21 15:21:43 +02:00
|
|
|
# Let crosvm receive file descriptors from VirtualizationService.
|
2022-12-15 14:38:42 +01:00
|
|
|
allow crosvm virtualizationmanager:fd use;
|
2021-03-29 19:19:12 +02:00
|
|
|
|
2023-01-13 06:08:16 +01:00
|
|
|
# Allow sending VirtualizationService the failure reason and console/log from the VM via pipe.
|
2022-12-15 14:38:42 +01:00
|
|
|
allow crosvm virtualizationmanager:fifo_file write;
|
2022-03-09 15:05:18 +01:00
|
|
|
|
2021-07-12 14:11:33 +02:00
|
|
|
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
|
|
|
|
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
|
|
|
|
# /data/local/tmp), and instance.img (app_data_file). Note that the open permission is not given as
|
|
|
|
# the files are passed as file descriptors.
|
|
|
|
allow crosvm {
|
|
|
|
virtualizationservice_data_file
|
|
|
|
staging_data_file
|
|
|
|
apk_data_file
|
|
|
|
app_data_file
|
2022-10-24 13:32:34 +02:00
|
|
|
privapp_data_file
|
2021-07-28 15:05:25 +02:00
|
|
|
apex_compos_data_file
|
2022-04-19 04:48:32 +02:00
|
|
|
shell_data_file
|
2021-07-12 14:11:33 +02:00
|
|
|
}:file { getattr read ioctl lock };
|
2021-03-29 19:19:12 +02:00
|
|
|
|
2021-07-12 14:11:33 +02:00
|
|
|
# Allow searching the directory where the composite disk images are.
|
|
|
|
allow crosvm virtualizationservice_data_file:dir search;
|
|
|
|
|
2022-12-15 14:38:42 +01:00
|
|
|
# Allow crosvm to mlock guest memory.
|
|
|
|
allow crosvm self:capability ipc_lock;
|
|
|
|
|
2022-07-11 16:27:40 +02:00
|
|
|
# Let crosvm access its control socket as created by VS.
|
|
|
|
# read, write, getattr: listener socket polling
|
|
|
|
# accept: listener socket accepting new connection
|
|
|
|
# Note that the open permission is not given as the socket is passed by FD.
|
2022-12-15 14:38:42 +01:00
|
|
|
allow crosvm virtualizationmanager:unix_stream_socket { accept read write getattr getopt };
|
2022-07-11 16:27:40 +02:00
|
|
|
|
2022-12-07 08:18:18 +01:00
|
|
|
# Let crosvm open test artifacts under /data/local/tmp with file path. (e.g. custom pvmfw.img)
|
|
|
|
userdebug_or_eng(`
|
|
|
|
allow crosvm shell_data_file:dir search;
|
|
|
|
allow crosvm shell_data_file:file open;
|
|
|
|
')
|
|
|
|
|
2021-07-12 14:11:33 +02:00
|
|
|
# The instance image and the composite image should be writable as well because they could represent
|
|
|
|
# mutable disks.
|
|
|
|
allow crosvm {
|
|
|
|
virtualizationservice_data_file
|
|
|
|
app_data_file
|
2022-10-24 13:32:34 +02:00
|
|
|
privapp_data_file
|
2021-07-28 15:05:25 +02:00
|
|
|
apex_compos_data_file
|
2021-07-12 14:11:33 +02:00
|
|
|
}:file write;
|
|
|
|
|
|
|
|
# Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
|
2021-09-02 12:10:59 +02:00
|
|
|
allow crosvm adbd:fd use;
|
2021-07-12 14:11:33 +02:00
|
|
|
allow crosvm adbd:unix_stream_socket { read write };
|
2021-07-01 17:58:26 +02:00
|
|
|
|
2022-04-04 22:20:24 +02:00
|
|
|
# crosvm tries to use netlink sockets as part its APCI implementation, but we don't need it for AVF (b/228077254)
|
|
|
|
dontaudit crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
|
|
|
|
|
2022-05-02 06:23:50 +02:00
|
|
|
# crosvm can write files in /data/local/tmp which are usually used for instance.img and logging by
|
|
|
|
# compliance tests and demo apps. Write access to instance.img is particularily important because
|
|
|
|
# the VM has to initialize the disk image on its first boot. Note that open access is still not
|
|
|
|
# granted because the files are expected to be opened by the owner of the VM (apps or shell in case
|
|
|
|
# when the vm is created by the `vm` tool) and handed over to crosvm as FD.
|
|
|
|
allow crosvm shell_data_file:file write;
|
2021-08-09 02:24:45 +02:00
|
|
|
|
2023-01-13 06:08:16 +01:00
|
|
|
# crosvm tries to read serial device, including the write-only pipe from virtualizationmanager (to
|
|
|
|
# forward console/log to the host logcat).
|
|
|
|
# crosvm only needs write permission, so dontaudit read
|
|
|
|
dontaudit crosvm virtualizationmanager:fifo_file read;
|
|
|
|
|
2022-10-24 13:32:34 +02:00
|
|
|
# Don't allow crosvm to open files that it doesn't own.
|
|
|
|
# This is important because a malicious application could try to start a VM with a composite disk
|
|
|
|
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
|
|
|
|
# open them on its behalf. By preventing crosvm from opening any other files we prevent this
|
|
|
|
# potential privilege escalation. See http://b/192453819 for more discussion.
|
|
|
|
neverallow crosvm {
|
|
|
|
virtualizationservice_data_file
|
|
|
|
staging_data_file
|
|
|
|
apk_data_file
|
|
|
|
app_data_file
|
|
|
|
privapp_data_file
|
|
|
|
userdebug_or_eng(`-shell_data_file')
|
|
|
|
}:file open;
|
|
|
|
|
2021-08-09 02:24:45 +02:00
|
|
|
# Don't allow crosvm to have access to ordinary vendor files that are not for VMs.
|
|
|
|
full_treble_only(`
|
|
|
|
neverallow crosvm {
|
|
|
|
vendor_file_type
|
|
|
|
-vendor_vm_file
|
|
|
|
-vendor_vm_data_file
|
|
|
|
# These types are not required for crosvm, but the access is granted to globally in domain.te
|
|
|
|
# thus should be exempted here.
|
|
|
|
-vendor_configs_file
|
|
|
|
-vndk_sp_file
|
|
|
|
-vendor_task_profiles_file
|
|
|
|
}:file *;
|
|
|
|
')
|
2021-11-25 16:59:07 +01:00
|
|
|
|
2022-10-24 13:32:34 +02:00
|
|
|
# Only allow crosvm to read app data files for clients that can start
|
|
|
|
# VMs. Note that the use of app data files is further restricted
|
|
|
|
# inside the virtualizationservice by checking the label of all disk
|
|
|
|
# image files.
|
2021-11-25 16:59:07 +01:00
|
|
|
neverallow crosvm {
|
|
|
|
app_data_file_type
|
|
|
|
-app_data_file
|
2022-10-24 13:32:34 +02:00
|
|
|
-privapp_data_file
|
2022-04-19 04:48:32 +02:00
|
|
|
-shell_data_file
|
2021-11-25 16:59:07 +01:00
|
|
|
}:file read;
|
2022-02-03 07:30:26 +01:00
|
|
|
|
2022-12-15 14:38:42 +01:00
|
|
|
# Only virtualizationmanager can run crosvm
|
2022-02-03 07:30:26 +01:00
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-crosvm
|
2022-12-15 14:38:42 +01:00
|
|
|
-virtualizationmanager
|
2022-02-03 07:30:26 +01:00
|
|
|
} crosvm_exec:file no_x_file_perms;
|