Merge "Allow priv apps to use virtualizationservice" am: 6a80e5c6fd

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2267863

Change-Id: I684e9fda234e2699d8b5f6086b52beb729b5a7a8
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Treehugger Robot 2022-10-25 10:00:02 +00:00 committed by Automerger Merge Worker
commit 0a67513a63
4 changed files with 34 additions and 22 deletions

View file

@ -31,6 +31,7 @@ allow crosvm {
staging_data_file
apk_data_file
app_data_file
privapp_data_file
apex_compos_data_file
shell_data_file
}:file { getattr read ioctl lock };
@ -44,24 +45,12 @@ allow crosvm virtualizationservice_data_file:dir search;
# Note that the open permission is not given as the socket is passed by FD.
allow crosvm virtualizationservice:unix_stream_socket { accept read write getattr getopt };
# Don't allow crosvm to open files that it doesn't own.
# This is important because a malicious application could try to start a VM with a composite disk
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
# open them on its behalf. By preventing crosvm from opening any other files we prevent this
# potential privilege escalation. See http://b/192453819 for more discussion.
neverallow crosvm {
virtualizationservice_data_file
staging_data_file
apk_data_file
app_data_file
userdebug_or_eng(`-shell_data_file')
}:file open;
# The instance image and the composite image should be writable as well because they could represent
# mutable disks.
allow crosvm {
virtualizationservice_data_file
app_data_file
privapp_data_file
apex_compos_data_file
}:file write;
@ -79,6 +68,20 @@ dontaudit crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
# when the vm is created by the `vm` tool) and handed over to crosvm as FD.
allow crosvm shell_data_file:file write;
# Don't allow crosvm to open files that it doesn't own.
# This is important because a malicious application could try to start a VM with a composite disk
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
# open them on its behalf. By preventing crosvm from opening any other files we prevent this
# potential privilege escalation. See http://b/192453819 for more discussion.
neverallow crosvm {
virtualizationservice_data_file
staging_data_file
apk_data_file
app_data_file
privapp_data_file
userdebug_or_eng(`-shell_data_file')
}:file open;
# Don't allow crosvm to have access to ordinary vendor files that are not for VMs.
full_treble_only(`
neverallow crosvm {
@ -93,13 +96,14 @@ full_treble_only(`
}:file *;
')
# app_data_file and shell_data_file is the only app_data_file_type that is
# allowed for crosvm to read. Note that the use of app_data_file is allowed
# only for the instance disk image. This is enforced inside the
# virtualizationservice by checking the file context of all disk image files.
# Only allow crosvm to read app data files for clients that can start
# VMs. Note that the use of app data files is further restricted
# inside the virtualizationservice by checking the label of all disk
# image files.
neverallow crosvm {
app_data_file_type
-app_data_file
-privapp_data_file
-shell_data_file
}:file read;

View file

@ -201,6 +201,11 @@ domain_auto_trans(priv_app, rs_exec, rs)
# created by things like renderscript or via other mechanisms.
allow priv_app app_exec_data_file:file { r_file_perms execute unlink };
# Allow privileged apps to create a VM. Note that access is still
# guarded with the `android.permission.MANAGE_VIRTUAL_MACHINE`
# permission.
virtualizationservice_use(priv_app)
###
### neverallow rules
###

View file

@ -171,11 +171,13 @@ userdebug_or_eng(`
allow untrusted_app_all self:lockdown integrity;
')
# Allow running a VM for test/demo purposes. Note that access the service is
# still guarded with the `android.permission.MANAGE_VIRTUAL_MACHINE`
# permission. The protection level of the permission is `signature|development`
# so that it can only be granted to either platform-key signed apps or
# test-only apps having `android:testOnly="true"` in its manifest.
# Allow running a VM for test/demo purposes. Note that access to the
# service is still guarded with the
# `android.permission.MANAGE_VIRTUAL_MACHINE` permission. The
# protection level of the permission is
# `signature|privileged|development` so that it can only be granted to
# either platform-key signed apps, privileged apps, or test-only apps
# having `android:testOnly="true"` in their manifest.
virtualizationservice_use(untrusted_app_all)
with_native_coverage(`

View file

@ -44,6 +44,7 @@ allow virtualizationservice apk_data_file:file { getattr read };
allow virtualizationservice {
app_data_file
apex_compos_data_file
privapp_data_file
}:file { getattr read write };
# shell_data_file is used for automated tests and manual debugging.