tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/crosvm.te

148 lines
5.8 KiB
Text
Raw Normal View History

Add crosvm domain and give virtmanager and crosvm necessary permissions. Bug: 183583115 Test: make TARGET_KERNEL_USE=5.4 TARGET_VIM3L=true Change-Id: I566436fa2d27597566014f2a63198a88d6d2dbd6
2021-03-29 19:19:12 +02:00
type crosvm, domain, coredomain;
type crosvm_exec, system_file_type, exec_type, file_type;
type crosvm_tmpfs, file_type;
Introduce vm_manager_device_type for crosvm Introduce hypervisor-generic type for VM managers: vm_manager_device_type. Bug: 274758531 Change-Id: I0937e2c717ff973eeb61543bd05a7dcc2e5dc19c Suggested-by: Steven Moreland <smoreland@google.com> Signed-off-by: Elliot Berman <quic_eberman@quicinc.com>
2023-03-23 01:31:35 +01:00
# Let crosvm open VM manager devices such as /dev/kvm.
allow crosvm vm_manager_device_type:chr_file rw_file_perms;
Add rules for virtualizationservice and crosvm The test for the services has been running with selinux disabled. To turn selinux on, required rules are allowed. Below is the summary of the added rules. * crosvm can read the composite disk files and other files (APKs, APEXes) that serve as backing store of the composite disks. * virtualizationservice has access to several binder services - permission_service: to check Android permission - apexd: to get apex files list (this will be removed eventually) * Both have read access to shell_data_file (/data/local/tmp/...) for testing purpose. This is not allowed for the user build. * virtualizationservice has access to the pseudo terminal opened by adbd so that it can write output to the terminal when the 'vm' tool is invoked in shell. Bug: 168588769 Test: /apex/com.android.virt/bin/vm run-app --log /dev/null /data/local/tmp/virt/MicrodroidDemoApp.apk /data/local/tmp/virt/MicrodroidDemoApp.apk.idsig /data/local/tmp/virt/instance.img assets/vm_config.json without disabling selinux. Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-12 14:11:33 +02:00
# Most other domains shouldn't access /dev/kvm.
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
virtualizationservice no longer tries to check for pKVM extension. This was fixed in https://r.android.com/1963701, as it never worked. This partially reverts commit 2dd48d0400ad214948d7d5863e5d90b18a07dcb1. Change-Id: I6e7096e20fd594465fb1574b11d6fecc82f5d82f
2022-01-28 16:42:48 +01:00
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
Allow virtualizationservice to check for PKVM extension Bug: 210803811 Test: watch TH for all our tests Change-Id: Iac4528fa2a0dbebeca4504469624f50832689f43
2021-12-28 13:26:03 +01:00
neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };
Add rules for virtualizationservice and crosvm The test for the services has been running with selinux disabled. To turn selinux on, required rules are allowed. Below is the summary of the added rules. * crosvm can read the composite disk files and other files (APKs, APEXes) that serve as backing store of the composite disks. * virtualizationservice has access to several binder services - permission_service: to check Android permission - apexd: to get apex files list (this will be removed eventually) * Both have read access to shell_data_file (/data/local/tmp/...) for testing purpose. This is not allowed for the user build. * virtualizationservice has access to the pseudo terminal opened by adbd so that it can write output to the terminal when the 'vm' tool is invoked in shell. Bug: 168588769 Test: /apex/com.android.virt/bin/vm run-app --log /dev/null /data/local/tmp/virt/MicrodroidDemoApp.apk /data/local/tmp/virt/MicrodroidDemoApp.apk.idsig /data/local/tmp/virt/instance.img assets/vm_config.json without disabling selinux. Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-12 14:11:33 +02:00
Introduce vm_manager_device_type for crosvm Introduce hypervisor-generic type for VM managers: vm_manager_device_type. Bug: 274758531 Change-Id: I0937e2c717ff973eeb61543bd05a7dcc2e5dc19c Suggested-by: Steven Moreland <smoreland@google.com> Signed-off-by: Elliot Berman <quic_eberman@quicinc.com>
2023-03-23 01:31:35 +01:00
# Most other domains shouldn't access other vm managers either.
# These restrictions need to be slightly looser than for kvm_device to allow
# for different implementations.
neverallow { coredomain appdomain -crosvm -ueventd -shell } vm_manager_device_type:chr_file getattr;
neverallow { coredomain appdomain -crosvm -ueventd } vm_manager_device_type:chr_file ~getattr;
Add crosvm domain and give virtmanager and crosvm necessary permissions. Bug: 183583115 Test: make TARGET_KERNEL_USE=5.4 TARGET_VIM3L=true Change-Id: I566436fa2d27597566014f2a63198a88d6d2dbd6
2021-03-29 19:19:12 +02:00
# Let crosvm create temporary files.
tmpfs_domain(crosvm)
Rename VirtManager to VirtualizationService. Bug: 188042280 Test: atest VirtualizationTestCases Change-Id: Ia46a0dda923cb30382cbcba64aeb569685041d2b
2021-05-21 15:21:43 +02:00
# Let crosvm receive file descriptors from VirtualizationService.
Start using virtmgr for running VMs Split virtualizationservice policy into rules that should remain with the global service and rules that now apply to virtmgr - a child process of the client that runs the VM on its behalf. The virtualizationservice domain remains responsible for: * allocating CIDs (access to props) * creating temporary VM directories (virtualization_data_file, chown) * receiving tombstones from VMs * pushing atoms to statsd * removing memlock rlimit from virtmgr The new virtualizationmanager domain becomes responsible for: * executing crosvm * creating vsock connections, handling callbacks * preparing APEXes * pushing ramdumps to tombstoned * collecting stats for telemetry atoms The `virtualizationservice_use` macro is changed to allow client domains to transition to the virtmgr domain upon executing it as their child, and to allow communication over UDS. Clients are not allowed to communicate with virtualizationservice via Binder, only virtmgr is now allowed to do that. Bug: 250685929 Test: atest -p packages/modules/Virtualization:avf-presubmit Change-Id: Iefdccd908fc28e5d8c6f4566290e79ed88ade70b
2022-12-15 14:38:42 +01:00
allow crosvm virtualizationmanager:fd use;
Add crosvm domain and give virtmanager and crosvm necessary permissions. Bug: 183583115 Test: make TARGET_KERNEL_USE=5.4 TARGET_VIM3L=true Change-Id: I566436fa2d27597566014f2a63198a88d6d2dbd6
2021-03-29 19:19:12 +02:00
dontaudit crosvm reading VM's pipe Bug: 238593451 Test: boot microdroid and see console Change-Id: I46712759240a9f091936c6a81bb02679c267b8b8
2023-01-13 06:08:16 +01:00
# Allow sending VirtualizationService the failure reason and console/log from the VM via pipe.
Start using virtmgr for running VMs Split virtualizationservice policy into rules that should remain with the global service and rules that now apply to virtmgr - a child process of the client that runs the VM on its behalf. The virtualizationservice domain remains responsible for: * allocating CIDs (access to props) * creating temporary VM directories (virtualization_data_file, chown) * receiving tombstones from VMs * pushing atoms to statsd * removing memlock rlimit from virtmgr The new virtualizationmanager domain becomes responsible for: * executing crosvm * creating vsock connections, handling callbacks * preparing APEXes * pushing ramdumps to tombstoned * collecting stats for telemetry atoms The `virtualizationservice_use` macro is changed to allow client domains to transition to the virtmgr domain upon executing it as their child, and to allow communication over UDS. Clients are not allowed to communicate with virtualizationservice via Binder, only virtmgr is now allowed to do that. Bug: 250685929 Test: atest -p packages/modules/Virtualization:avf-presubmit Change-Id: Iefdccd908fc28e5d8c6f4566290e79ed88ade70b
2022-12-15 14:38:42 +01:00
allow crosvm virtualizationmanager:fifo_file write;
Allow piping VM failure reason Allow crosvm to write a VM failure reason to virtualizationservice via the pipe provided. Fixes this denial: avc: denied { write } for path="pipe:[95872]" dev="pipefs" ino=95872 scontext=u:r:crosvm:s0 tcontext=u:r:virtualizationservice:s0 tclass=fifo_file Bug: 220071963 Test: Run VM, no denial. Change-Id: I3beedc5e715aa33209d3df0cae05f45f31e79e66
2022-03-09 15:05:18 +01:00
Add rules for virtualizationservice and crosvm The test for the services has been running with selinux disabled. To turn selinux on, required rules are allowed. Below is the summary of the added rules. * crosvm can read the composite disk files and other files (APKs, APEXes) that serve as backing store of the composite disks. * virtualizationservice has access to several binder services - permission_service: to check Android permission - apexd: to get apex files list (this will be removed eventually) * Both have read access to shell_data_file (/data/local/tmp/...) for testing purpose. This is not allowed for the user build. * virtualizationservice has access to the pseudo terminal opened by adbd so that it can write output to the terminal when the 'vm' tool is invoked in shell. Bug: 168588769 Test: /apex/com.android.virt/bin/vm run-app --log /dev/null /data/local/tmp/virt/MicrodroidDemoApp.apk /data/local/tmp/virt/MicrodroidDemoApp.apk.idsig /data/local/tmp/virt/instance.img assets/vm_config.json without disabling selinux. Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-12 14:11:33 +02:00
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
# /data/local/tmp), and instance.img (app_data_file). Note that the open permission is not given as
# the files are passed as file descriptors.
allow crosvm {
virtualizationservice_data_file
staging_data_file
apk_data_file
app_data_file
Allow priv apps to use virtualizationservice And allow VS and crosvm access to privapp_data_file, to the same extent as app_data_file. Update some comments, move a neverallow to the bottom of the file with the others. Bug: 255286871 Test: Install demo app to system/priv-app, see it work without explicit grant. Change-Id: Ic763c3fbfdfe9b7a7ee6f1fe76d2a74281b69f4f
2022-10-24 13:32:34 +02:00
privapp_data_file
Allow CompOS to start a VM with its instance image. The image will be stored under /data/misc/apexdata/com.android.compos. Grant crosvm & virtualization service read/write but not open access. This fixes these denials: avc: denied { read } for comm="Binder:3283_2" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:virtualizationservice:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1 avc: denied { getattr } for comm="virtualizations" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:virtualizationservice:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1 avc: denied { read } for comm="crosvm" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:crosvm:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1 avc: denied { getattr } for comm="crosvm" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:crosvm:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1 Test: compos_key_cmd --start /data/misc/apexdata/com.android.compos/instance.img Test: Works in enforcing mode, no denials seen. Bug: 193603140 Change-Id: I1137fddd02e84388af873f0e51dd080b1d803ad6
2021-07-28 15:05:25 +02:00
apex_compos_data_file
crosvm can access data_shell_file on user builds Some of our CTS tests require that crosvm to have read/write access to files on /data/local/tmp/virt which is labeled as data_shell_file. Since CTS tests should pass on user builds, grant the access in user builds as well. Note that the open access is still disallowed in user builds. Bug: 222013014 Test: run cts Change-Id: I4f93ac64d72cfe63275f04f2c5ea6fb99e9b5874
2022-04-19 04:48:32 +02:00
shell_data_file
Add rules for virtualizationservice and crosvm The test for the services has been running with selinux disabled. To turn selinux on, required rules are allowed. Below is the summary of the added rules. * crosvm can read the composite disk files and other files (APKs, APEXes) that serve as backing store of the composite disks. * virtualizationservice has access to several binder services - permission_service: to check Android permission - apexd: to get apex files list (this will be removed eventually) * Both have read access to shell_data_file (/data/local/tmp/...) for testing purpose. This is not allowed for the user build. * virtualizationservice has access to the pseudo terminal opened by adbd so that it can write output to the terminal when the 'vm' tool is invoked in shell. Bug: 168588769 Test: /apex/com.android.virt/bin/vm run-app --log /dev/null /data/local/tmp/virt/MicrodroidDemoApp.apk /data/local/tmp/virt/MicrodroidDemoApp.apk.idsig /data/local/tmp/virt/instance.img assets/vm_config.json without disabling selinux. Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-12 14:11:33 +02:00
}:file { getattr read ioctl lock };
Add crosvm domain and give virtmanager and crosvm necessary permissions. Bug: 183583115 Test: make TARGET_KERNEL_USE=5.4 TARGET_VIM3L=true Change-Id: I566436fa2d27597566014f2a63198a88d6d2dbd6
2021-03-29 19:19:12 +02:00
Add rules for virtualizationservice and crosvm The test for the services has been running with selinux disabled. To turn selinux on, required rules are allowed. Below is the summary of the added rules. * crosvm can read the composite disk files and other files (APKs, APEXes) that serve as backing store of the composite disks. * virtualizationservice has access to several binder services - permission_service: to check Android permission - apexd: to get apex files list (this will be removed eventually) * Both have read access to shell_data_file (/data/local/tmp/...) for testing purpose. This is not allowed for the user build. * virtualizationservice has access to the pseudo terminal opened by adbd so that it can write output to the terminal when the 'vm' tool is invoked in shell. Bug: 168588769 Test: /apex/com.android.virt/bin/vm run-app --log /dev/null /data/local/tmp/virt/MicrodroidDemoApp.apk /data/local/tmp/virt/MicrodroidDemoApp.apk.idsig /data/local/tmp/virt/instance.img assets/vm_config.json without disabling selinux. Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-12 14:11:33 +02:00
# Allow searching the directory where the composite disk images are.
allow crosvm virtualizationservice_data_file:dir search;
Start using virtmgr for running VMs Split virtualizationservice policy into rules that should remain with the global service and rules that now apply to virtmgr - a child process of the client that runs the VM on its behalf. The virtualizationservice domain remains responsible for: * allocating CIDs (access to props) * creating temporary VM directories (virtualization_data_file, chown) * receiving tombstones from VMs * pushing atoms to statsd * removing memlock rlimit from virtmgr The new virtualizationmanager domain becomes responsible for: * executing crosvm * creating vsock connections, handling callbacks * preparing APEXes * pushing ramdumps to tombstoned * collecting stats for telemetry atoms The `virtualizationservice_use` macro is changed to allow client domains to transition to the virtmgr domain upon executing it as their child, and to allow communication over UDS. Clients are not allowed to communicate with virtualizationservice via Binder, only virtmgr is now allowed to do that. Bug: 250685929 Test: atest -p packages/modules/Virtualization:avf-presubmit Change-Id: Iefdccd908fc28e5d8c6f4566290e79ed88ade70b
2022-12-15 14:38:42 +01:00
# Allow crosvm to mlock guest memory.
allow crosvm self:capability ipc_lock;
Allow virtualizationservice to create and manage socket files in its data folder ...and crosvm to access a listener socket when passed to it by file descriptor from virtualizationservice. Bug: 235579465 Test: Start a VM Change-Id: I7e89cfb4fb8a1ce845eaea64a33dbaad6bff9969
2022-07-11 16:27:40 +02:00
# Let crosvm access its control socket as created by VS.
# read, write, getattr: listener socket polling
# accept: listener socket accepting new connection
# Note that the open permission is not given as the socket is passed by FD.
Start using virtmgr for running VMs Split virtualizationservice policy into rules that should remain with the global service and rules that now apply to virtmgr - a child process of the client that runs the VM on its behalf. The virtualizationservice domain remains responsible for: * allocating CIDs (access to props) * creating temporary VM directories (virtualization_data_file, chown) * receiving tombstones from VMs * pushing atoms to statsd * removing memlock rlimit from virtmgr The new virtualizationmanager domain becomes responsible for: * executing crosvm * creating vsock connections, handling callbacks * preparing APEXes * pushing ramdumps to tombstoned * collecting stats for telemetry atoms The `virtualizationservice_use` macro is changed to allow client domains to transition to the virtmgr domain upon executing it as their child, and to allow communication over UDS. Clients are not allowed to communicate with virtualizationservice via Binder, only virtmgr is now allowed to do that. Bug: 250685929 Test: atest -p packages/modules/Virtualization:avf-presubmit Change-Id: Iefdccd908fc28e5d8c6f4566290e79ed88ade70b
2022-12-15 14:38:42 +01:00
allow crosvm virtualizationmanager:unix_stream_socket { accept read write getattr getopt };
Allow virtualizationservice to create and manage socket files in its data folder ...and crosvm to access a listener socket when passed to it by file descriptor from virtualizationservice. Bug: 235579465 Test: Start a VM Change-Id: I7e89cfb4fb8a1ce845eaea64a33dbaad6bff9969
2022-07-11 16:27:40 +02:00
Allow crosvm to open test artifacts in shell_data_file Test: Try open /data/local/tmp/a from crovm Bug: 260802656, Bug: 243672257 Change-Id: I90e2fe892f1028ea5add91a41389e2f7e812f988
2022-12-07 08:18:18 +01:00
# Let crosvm open test artifacts under /data/local/tmp with file path. (e.g. custom pvmfw.img)
userdebug_or_eng(`
allow crosvm shell_data_file:dir search;
allow crosvm shell_data_file:file open;
')
Add rules for virtualizationservice and crosvm The test for the services has been running with selinux disabled. To turn selinux on, required rules are allowed. Below is the summary of the added rules. * crosvm can read the composite disk files and other files (APKs, APEXes) that serve as backing store of the composite disks. * virtualizationservice has access to several binder services - permission_service: to check Android permission - apexd: to get apex files list (this will be removed eventually) * Both have read access to shell_data_file (/data/local/tmp/...) for testing purpose. This is not allowed for the user build. * virtualizationservice has access to the pseudo terminal opened by adbd so that it can write output to the terminal when the 'vm' tool is invoked in shell. Bug: 168588769 Test: /apex/com.android.virt/bin/vm run-app --log /dev/null /data/local/tmp/virt/MicrodroidDemoApp.apk /data/local/tmp/virt/MicrodroidDemoApp.apk.idsig /data/local/tmp/virt/instance.img assets/vm_config.json without disabling selinux. Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-12 14:11:33 +02:00
# The instance image and the composite image should be writable as well because they could represent
# mutable disks.
allow crosvm {
virtualizationservice_data_file
app_data_file
Allow priv apps to use virtualizationservice And allow VS and crosvm access to privapp_data_file, to the same extent as app_data_file. Update some comments, move a neverallow to the bottom of the file with the others. Bug: 255286871 Test: Install demo app to system/priv-app, see it work without explicit grant. Change-Id: Ic763c3fbfdfe9b7a7ee6f1fe76d2a74281b69f4f
2022-10-24 13:32:34 +02:00
privapp_data_file
Allow CompOS to start a VM with its instance image. The image will be stored under /data/misc/apexdata/com.android.compos. Grant crosvm & virtualization service read/write but not open access. This fixes these denials: avc: denied { read } for comm="Binder:3283_2" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:virtualizationservice:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1 avc: denied { getattr } for comm="virtualizations" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:virtualizationservice:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1 avc: denied { read } for comm="crosvm" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:crosvm:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1 avc: denied { getattr } for comm="crosvm" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:crosvm:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1 Test: compos_key_cmd --start /data/misc/apexdata/com.android.compos/instance.img Test: Works in enforcing mode, no denials seen. Bug: 193603140 Change-Id: I1137fddd02e84388af873f0e51dd080b1d803ad6
2021-07-28 15:05:25 +02:00
apex_compos_data_file
Add rules for virtualizationservice and crosvm The test for the services has been running with selinux disabled. To turn selinux on, required rules are allowed. Below is the summary of the added rules. * crosvm can read the composite disk files and other files (APKs, APEXes) that serve as backing store of the composite disks. * virtualizationservice has access to several binder services - permission_service: to check Android permission - apexd: to get apex files list (this will be removed eventually) * Both have read access to shell_data_file (/data/local/tmp/...) for testing purpose. This is not allowed for the user build. * virtualizationservice has access to the pseudo terminal opened by adbd so that it can write output to the terminal when the 'vm' tool is invoked in shell. Bug: 168588769 Test: /apex/com.android.virt/bin/vm run-app --log /dev/null /data/local/tmp/virt/MicrodroidDemoApp.apk /data/local/tmp/virt/MicrodroidDemoApp.apk.idsig /data/local/tmp/virt/instance.img assets/vm_config.json without disabling selinux. Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-12 14:11:33 +02:00
}:file write;
# Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
SEPolicy for compos_verify_key. Remove some allow rules for odsign, since it no longer directly modifies CompOs files. Instead allow it to run compos_verify_key in its own domain. Grant compos_verify_key what it needs to access the CompOs files and start up the VM. Currently we directly connect to the CompOs VM; that will change once some in-flight CLs have landed. As part of this I moved the virtualizationservice_use macro to te_macros so I can use it here. I also expanded it to include additional grants needed by any VM client that were previously done for individual domains (and then deleted those rules as now redundant). I also removed the grant of VM access to all apps; instead we allow it for untrusted apps, on userdebug or eng builds only. (Temporarily at least.) Bug: 193603140 Test: Manual - odsign successfully runs the VM at boot when needed. Change-Id: I62f9ad8c7ea2fb9ef2d468331e26822d08e3c828
2021-09-02 12:10:59 +02:00
allow crosvm adbd:fd use;
Add rules for virtualizationservice and crosvm The test for the services has been running with selinux disabled. To turn selinux on, required rules are allowed. Below is the summary of the added rules. * crosvm can read the composite disk files and other files (APKs, APEXes) that serve as backing store of the composite disks. * virtualizationservice has access to several binder services - permission_service: to check Android permission - apexd: to get apex files list (this will be removed eventually) * Both have read access to shell_data_file (/data/local/tmp/...) for testing purpose. This is not allowed for the user build. * virtualizationservice has access to the pseudo terminal opened by adbd so that it can write output to the terminal when the 'vm' tool is invoked in shell. Bug: 168588769 Test: /apex/com.android.virt/bin/vm run-app --log /dev/null /data/local/tmp/virt/MicrodroidDemoApp.apk /data/local/tmp/virt/MicrodroidDemoApp.apk.idsig /data/local/tmp/virt/instance.img assets/vm_config.json without disabling selinux. Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-12 14:11:33 +02:00
allow crosvm adbd:unix_stream_socket { read write };
Allow VMs to log to shell pts If we run a VM from an adb shell, e.g. via `vm run`, then we would like to get the VM console & log sent to the shell console. That doesn't work unless virtualization manager & crosvm can write to devpts. Bug: 286355623 Test: Manual: adb shell, /apex/com.android.virt/bin/vm run-microdroid --debug full Change-Id: I01b233bc6ad5fba8f333f379af62a03806ae8949
2023-06-08 14:13:08 +02:00
allow crosvm devpts:chr_file { read write getattr ioctl };
Allow virtualizationservice and crosvm to access shell_data_file files. This is necessary to run tests or run VMs manually with SELinux enforcement enabled. Bug: 192256642 Test: atest VirtualizationTestCases Change-Id: I03b12fefa4e79644bd2f3410cc255f923834aca4
2021-07-01 17:58:26 +02:00
crosvm: dontaudit netlink perms for acpi Currently experiencing these neverallows, but they're intentional. Fixes: 228077254 Test: N/A Change-Id: I79f8caaf1695e91d695b8cecbc5f01df09e4e2d2
2022-04-04 22:20:24 +02:00
# crosvm tries to use netlink sockets as part its APCI implementation, but we don't need it for AVF (b/228077254)
dontaudit crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
Allow crosvm to write shell_data_file The compliance tests rely on this. Bug: 230660133 Test: run MicrodroidHostTests on a user build Merged-In: Ic061632d80285182ec2ae7d31f3527948702cf32 Change-Id: Ic061632d80285182ec2ae7d31f3527948702cf32
2022-05-02 06:23:50 +02:00
# crosvm can write files in /data/local/tmp which are usually used for instance.img and logging by
# compliance tests and demo apps. Write access to instance.img is particularily important because
# the VM has to initialize the disk image on its first boot. Note that open access is still not
# granted because the files are expected to be opened by the owner of the VM (apps or shell in case
# when the vm is created by the `vm` tool) and handed over to crosvm as FD.
allow crosvm shell_data_file:file write;
Don't prevent crosvm from accessing vendor-owned VM disk images There can be VM disk images that are specific to the underlying SoC. e.g. in case where SoC-specific hardware is dedicated to a VM and the VM needs drivers (or HALs) for the hardware. Don't prevent crosvm from reading such a SoC-specific VM disk images. Note that this doesn't actually allow crosvm to do that in AOSP. Such an allow rule could be added in downstreams where such use cases exist. Bug: 193605879 Test: m Change-Id: If19c0b6adae4c91676b142324c2903879548a135
2021-08-09 02:24:45 +02:00
dontaudit crosvm reading VM's pipe Bug: 238593451 Test: boot microdroid and see console Change-Id: I46712759240a9f091936c6a81bb02679c267b8b8
2023-01-13 06:08:16 +01:00
# crosvm tries to read serial device, including the write-only pipe from virtualizationmanager (to
# forward console/log to the host logcat).
# crosvm only needs write permission, so dontaudit read
dontaudit crosvm virtualizationmanager:fifo_file read;
Sepolicy rules to allow crosvm to start a gdb-server Bug: 242057159 Test: see another change in this topic Change-Id: Ie5116c8891a62096e767500b90a19fc5975c3599
2023-02-15 00:17:55 +01:00
# Required for crosvm to start gdb-server to enable debugging of guest kernel.
allow crosvm self:tcp_socket { bind create read setopt write accept listen };
allow crosvm port:tcp_socket name_bind;
allow crosvm adbd:unix_stream_socket ioctl;
allow crosvm node:tcp_socket node_bind;
Add permission for VFIO device binding vfio_handler will bind platform devices to VFIO driver, and then return a file descriptor containing DTBO. This change adds permissions needed for that. Bug: 278008182 Test: adb shell /apex/com.android.virt/bin/vm run-microdroid \ --devices /sys/bus/platform/devices/16d00000.eh --protected Change-Id: Ie947adff00d138426d4703cbb8e7a8cd429c2272
2023-08-01 04:00:49 +02:00
# Allow crosvm to interact to VFIO device
allow crosvm vfio_device:chr_file rw_file_perms;
allow crosvm vfio_device:dir r_dir_perms;
# Allow crosvm to access VM DTBO via a pipe created by vfio handler.
allow crosvm vfio_handler:fd use;
allow crosvm vfio_handler:fifo_file r_file_perms;
Allow priv apps to use virtualizationservice And allow VS and crosvm access to privapp_data_file, to the same extent as app_data_file. Update some comments, move a neverallow to the bottom of the file with the others. Bug: 255286871 Test: Install demo app to system/priv-app, see it work without explicit grant. Change-Id: Ic763c3fbfdfe9b7a7ee6f1fe76d2a74281b69f4f
2022-10-24 13:32:34 +02:00
# Don't allow crosvm to open files that it doesn't own.
# This is important because a malicious application could try to start a VM with a composite disk
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
# open them on its behalf. By preventing crosvm from opening any other files we prevent this
# potential privilege escalation. See http://b/192453819 for more discussion.
neverallow crosvm {
virtualizationservice_data_file
staging_data_file
apk_data_file
app_data_file
privapp_data_file
userdebug_or_eng(`-shell_data_file')
}:file open;
Don't prevent crosvm from accessing vendor-owned VM disk images There can be VM disk images that are specific to the underlying SoC. e.g. in case where SoC-specific hardware is dedicated to a VM and the VM needs drivers (or HALs) for the hardware. Don't prevent crosvm from reading such a SoC-specific VM disk images. Note that this doesn't actually allow crosvm to do that in AOSP. Such an allow rule could be added in downstreams where such use cases exist. Bug: 193605879 Test: m Change-Id: If19c0b6adae4c91676b142324c2903879548a135
2021-08-09 02:24:45 +02:00
# Don't allow crosvm to have access to ordinary vendor files that are not for VMs.
full_treble_only(`
neverallow crosvm {
vendor_file_type
-vendor_vm_file
-vendor_vm_data_file
# These types are not required for crosvm, but the access is granted to globally in domain.te
# thus should be exempted here.
-vendor_configs_file
-vndk_sp_file
-vendor_task_profiles_file
}:file *;
')
app_data_file is the only app_data_file_type that is allowed for crosvm Bug: 204852957 Test: monitor TH Change-Id: Ie92aa25336087519661002624b486cb35740cda6
2021-11-25 16:59:07 +01:00
Allow priv apps to use virtualizationservice And allow VS and crosvm access to privapp_data_file, to the same extent as app_data_file. Update some comments, move a neverallow to the bottom of the file with the others. Bug: 255286871 Test: Install demo app to system/priv-app, see it work without explicit grant. Change-Id: Ic763c3fbfdfe9b7a7ee6f1fe76d2a74281b69f4f
2022-10-24 13:32:34 +02:00
# Only allow crosvm to read app data files for clients that can start
# VMs. Note that the use of app data files is further restricted
# inside the virtualizationservice by checking the label of all disk
# image files.
app_data_file is the only app_data_file_type that is allowed for crosvm Bug: 204852957 Test: monitor TH Change-Id: Ie92aa25336087519661002624b486cb35740cda6
2021-11-25 16:59:07 +01:00
neverallow crosvm {
app_data_file_type
-app_data_file
Allow priv apps to use virtualizationservice And allow VS and crosvm access to privapp_data_file, to the same extent as app_data_file. Update some comments, move a neverallow to the bottom of the file with the others. Bug: 255286871 Test: Install demo app to system/priv-app, see it work without explicit grant. Change-Id: Ic763c3fbfdfe9b7a7ee6f1fe76d2a74281b69f4f
2022-10-24 13:32:34 +02:00
-privapp_data_file
crosvm can access data_shell_file on user builds Some of our CTS tests require that crosvm to have read/write access to files on /data/local/tmp/virt which is labeled as data_shell_file. Since CTS tests should pass on user builds, grant the access in user builds as well. Note that the open access is still disallowed in user builds. Bug: 222013014 Test: run cts Change-Id: I4f93ac64d72cfe63275f04f2c5ea6fb99e9b5874
2022-04-19 04:48:32 +02:00
-shell_data_file
app_data_file is the only app_data_file_type that is allowed for crosvm Bug: 204852957 Test: monitor TH Change-Id: Ie92aa25336087519661002624b486cb35740cda6
2021-11-25 16:59:07 +01:00
}:file read;
Neverallow domains other than VS from executing VM Bug: 216610937 Test: atest MicrodroidTests Change-Id: I2ecea6974cb6650f8a7aa8b706ae38e1822805cd
2022-02-03 07:30:26 +01:00
Start using virtmgr for running VMs Split virtualizationservice policy into rules that should remain with the global service and rules that now apply to virtmgr - a child process of the client that runs the VM on its behalf. The virtualizationservice domain remains responsible for: * allocating CIDs (access to props) * creating temporary VM directories (virtualization_data_file, chown) * receiving tombstones from VMs * pushing atoms to statsd * removing memlock rlimit from virtmgr The new virtualizationmanager domain becomes responsible for: * executing crosvm * creating vsock connections, handling callbacks * preparing APEXes * pushing ramdumps to tombstoned * collecting stats for telemetry atoms The `virtualizationservice_use` macro is changed to allow client domains to transition to the virtmgr domain upon executing it as their child, and to allow communication over UDS. Clients are not allowed to communicate with virtualizationservice via Binder, only virtmgr is now allowed to do that. Bug: 250685929 Test: atest -p packages/modules/Virtualization:avf-presubmit Change-Id: Iefdccd908fc28e5d8c6f4566290e79ed88ade70b
2022-12-15 14:38:42 +01:00
# Only virtualizationmanager can run crosvm
Neverallow domains other than VS from executing VM Bug: 216610937 Test: atest MicrodroidTests Change-Id: I2ecea6974cb6650f8a7aa8b706ae38e1822805cd
2022-02-03 07:30:26 +01:00
neverallow {
domain
-crosvm
Start using virtmgr for running VMs Split virtualizationservice policy into rules that should remain with the global service and rules that now apply to virtmgr - a child process of the client that runs the VM on its behalf. The virtualizationservice domain remains responsible for: * allocating CIDs (access to props) * creating temporary VM directories (virtualization_data_file, chown) * receiving tombstones from VMs * pushing atoms to statsd * removing memlock rlimit from virtmgr The new virtualizationmanager domain becomes responsible for: * executing crosvm * creating vsock connections, handling callbacks * preparing APEXes * pushing ramdumps to tombstoned * collecting stats for telemetry atoms The `virtualizationservice_use` macro is changed to allow client domains to transition to the virtmgr domain upon executing it as their child, and to allow communication over UDS. Clients are not allowed to communicate with virtualizationservice via Binder, only virtmgr is now allowed to do that. Bug: 250685929 Test: atest -p packages/modules/Virtualization:avf-presubmit Change-Id: Iefdccd908fc28e5d8c6f4566290e79ed88ade70b
2022-12-15 14:38:42 +01:00
-virtualizationmanager
Neverallow domains other than VS from executing VM Bug: 216610937 Test: atest MicrodroidTests Change-Id: I2ecea6974cb6650f8a7aa8b706ae38e1822805cd
2022-02-03 07:30:26 +01:00
} crosvm_exec:file no_x_file_perms;
Reference in a new issue Copy permalink