Merge "Allow priv apps to use virtualizationservice" am: 6a80e5c6fd
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2267863 Change-Id: I684e9fda234e2699d8b5f6086b52beb729b5a7a8 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
commit
0a67513a63
4 changed files with 34 additions and 22 deletions
@ -31,6 +31,7 @@ allow crosvm {
staging_data_file
apk_data_file
app_data_file
privapp_data_file
apex_compos_data_file
shell_data_file
}:file { getattr read ioctl lock };
@ -44,24 +45,12 @@ allow crosvm virtualizationservice_data_file:dir search;
# Note that the open permission is not given as the socket is passed by FD.
allow crosvm virtualizationservice:unix_stream_socket { accept read write getattr getopt };
# Don't allow crosvm to open files that it doesn't own.
# This is important because a malicious application could try to start a VM with a composite disk
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
# open them on its behalf. By preventing crosvm from opening any other files we prevent this
# potential privilege escalation. See http://b/192453819 for more discussion.
neverallow crosvm {
virtualizationservice_data_file
staging_data_file
apk_data_file
app_data_file
userdebug_or_eng(`-shell_data_file')
}:file open;
# The instance image and the composite image should be writable as well because they could represent
# mutable disks.
allow crosvm {
virtualizationservice_data_file
app_data_file
privapp_data_file
apex_compos_data_file
}:file write;
@ -79,6 +68,20 @@ dontaudit crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
# when the vm is created by the `vm` tool) and handed over to crosvm as FD.
allow crosvm shell_data_file:file write;
# Don't allow crosvm to open files that it doesn't own.
# This is important because a malicious application could try to start a VM with a composite disk
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
# open them on its behalf. By preventing crosvm from opening any other files we prevent this
# potential privilege escalation. See http://b/192453819 for more discussion.
neverallow crosvm {
virtualizationservice_data_file
staging_data_file
apk_data_file
app_data_file
privapp_data_file
userdebug_or_eng(`-shell_data_file')
}:file open;
# Don't allow crosvm to have access to ordinary vendor files that are not for VMs.
full_treble_only(`
neverallow crosvm {
@ -93,13 +96,14 @@ full_treble_only(`
}:file *;
')
# app_data_file and shell_data_file is the only app_data_file_type that is
# allowed for crosvm to read. Note that the use of app_data_file is allowed
# only for the instance disk image. This is enforced inside the
# virtualizationservice by checking the file context of all disk image files.
# Only allow crosvm to read app data files for clients that can start
# VMs. Note that the use of app data files is further restricted
# inside the virtualizationservice by checking the label of all disk
# image files.
neverallow crosvm {
app_data_file_type
-app_data_file
-privapp_data_file
-shell_data_file
}:file read;
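Review bot: The neverallow closing the last hunk (`-app_data_file -privapp_data_file -shell_data_file`) is now the only policy-side statement of which app_data_file_type labels crosvm may read, yet the rewritten comment above it describes that set only indirectly as "clients that can start VMs". The same list is repeated by hand in the `{ getattr read ioctl lock }` allow block of the first hunk and in the `open` neverallow of the third, so the exclusion list is what catches a future drift between them; that invariant deserves to be stated, e.g. `# Keep this exclusion list in sync with the app_data_file_type labels given read access above: a type added there but not here fails this neverallow.` The rest of the comment defers the per-file restriction to a label check inside virtualizationservice, which this commit does not modify; whether that check already accepts privapp_data_file cannot be confirmed from this diff.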
@ -201,6 +201,11 @@ domain_auto_trans(priv_app, rs_exec, rs)
# created by things like renderscript or via other mechanisms.
allow priv_app app_exec_data_file:file { r_file_perms execute unlink };
# Allow privileged apps to create a VM. Note that access is still
# guarded with the `android.permission.MANAGE_VIRTUAL_MACHINE`
# permission.
virtualizationservice_use(priv_app)
###
### neverallow rules
###
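Review bot: The new comment above `virtualizationservice_use(priv_app)` says access is still guarded by `android.permission.MANAGE_VIRTUAL_MACHINE`, but unlike the matching comment in untrusted_app_all.te in this same commit it does not say why a privileged app can hold that permission, so a reader of priv_app.te has to open another file to learn that the protection level is `signature|privileged|development`. Suggest completing the comment: `# permission, whose protection level (signature|privileged|development) is what makes it grantable to privileged apps.` It is also worth making explicit in the comment that the SELinux grant and the framework permission are independent checks: this macro presumably lets every process in the priv_app domain reach the service, and the permission is enforced by the service itself, not by this policy.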
@ -171,11 +171,13 @@ userdebug_or_eng(`
allow untrusted_app_all self:lockdown integrity;
')
# Allow running a VM for test/demo purposes. Note that access the service is
# still guarded with the `android.permission.MANAGE_VIRTUAL_MACHINE`
# permission. The protection level of the permission is `signature|development`
# so that it can only be granted to either platform-key signed apps or
# test-only apps having `android:testOnly="true"` in its manifest.
# Allow running a VM for test/demo purposes. Note that access to the
# service is still guarded with the
# `android.permission.MANAGE_VIRTUAL_MACHINE` permission. The
# protection level of the permission is
# `signature|privileged|development` so that it can only be granted to
# either platform-key signed apps, privileged apps, or test-only apps
# having `android:testOnly="true"` in their manifest.
virtualizationservice_use(untrusted_app_all)
with_native_coverage(`
@ -44,6 +44,7 @@ allow virtualizationservice apk_data_file:file { getattr read };
allow virtualizationservice {
app_data_file
apex_compos_data_file
privapp_data_file
}:file { getattr read write };
# shell_data_file is used for automated tests and manual debugging.
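Review bot: The `privapp_data_file` added to the `{ getattr read write }` block has no comment, while the neighbouring `shell_data_file` rule is documented and the other two types in the block are at least self-describing. The crosvm.te comment in this same commit says the effective restriction on which disk images a VM may use is a label check performed inside virtualizationservice; this change is sepolicy-only, so if that check is a label allowlist it needs a matching update or priv_app clients will be refused by the service despite the new allow rules — this cannot be confirmed from the diff. Suggest `# privapp_data_file: disk images owned by priv_app clients (see priv_app.te); the service-side label check must accept this label as well.`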