tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add virtualization_maintenance_service

Browse source 
This is an AIDL service exposed by Virtualization Service to system
server (VirtualizationSystemService).

The implementation is Rust so no fuzzer is required.

I've put this behind the flag on general principle.

Bug: 294177871
Test: atest MicrodroidTests
Change-Id: Ia867fe27fb2e76d9688e4ba650ebf7b3f51ee597
This commit is contained in:
Alan Stokes 2024-02-20 11:06:37 +00:00
parent 3242c6a271
commit 38131e7ba8
7 changed files with 15 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
build/soong/service_fuzzer_bindings.go
View file

@ -186,6 +186,7 @@ var (
"android.hardware.security.keymint.IRemotelyProvisionedComponent/avf": EXCEPTION_NO_FUZZER, "android.hardware.security.keymint.IRemotelyProvisionedComponent/avf": EXCEPTION_NO_FUZZER,
"android.system.virtualizationservice": EXCEPTION_NO_FUZZER, "android.system.virtualizationservice": EXCEPTION_NO_FUZZER,
"android.system.virtualizationservice_internal.IVfioHandler": EXCEPTION_NO_FUZZER, "android.system.virtualizationservice_internal.IVfioHandler": EXCEPTION_NO_FUZZER,
"android.system.virtualizationmaintenance": EXCEPTION_NO_FUZZER,
"ambient_context": EXCEPTION_NO_FUZZER, "ambient_context": EXCEPTION_NO_FUZZER,
"app_binding": EXCEPTION_NO_FUZZER, "app_binding": EXCEPTION_NO_FUZZER,
"app_hibernation": EXCEPTION_NO_FUZZER, "app_hibernation": EXCEPTION_NO_FUZZER,

1
flagging/Android.bp
View file

@ -18,6 +18,7 @@ se_flags {
name: "aosp_selinux_flags", name: "aosp_selinux_flags",
flags: [ flags: [
"RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT", "RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT",
"RELEASE_AVF_ENABLE_LLPVM_CHANGES",
"RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE", "RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE",
], ],
export_to: ["all_selinux_flags"], export_to: ["all_selinux_flags"],

3
private/service.te
View file

@ -26,6 +26,9 @@ type transparency_service, system_server_service, service_manager_type;
is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, ` is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
type vfio_handler_service, service_manager_type; type vfio_handler_service, service_manager_type;
') ')
is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, `
type virtualization_maintenance_service, service_manager_type;
')
type uce_service, service_manager_type; type uce_service, service_manager_type;
type wearable_sensing_service, app_api_service, system_server_service, service_manager_type; type wearable_sensing_service, app_api_service, system_server_service, service_manager_type;

3
private/service_contexts
View file

@ -165,6 +165,9 @@ android.system.virtualizationservice u:object_r:virtualization_service:s0
is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, ` is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
android.system.virtualizationservice_internal.IVfioHandler u:object_r:vfio_handler_service:s0 android.system.virtualizationservice_internal.IVfioHandler u:object_r:vfio_handler_service:s0
') ')
is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, `
android.system.virtualizationmaintenance u:object_r:virtualization_maintenance_service:s0
')
ambient_context u:object_r:ambient_context_service:s0 ambient_context u:object_r:ambient_context_service:s0
app_binding u:object_r:app_binding_service:s0 app_binding u:object_r:app_binding_service:s0
app_hibernation u:object_r:app_hibernation_service:s0 app_hibernation u:object_r:app_hibernation_service:s0

3
private/system_server.te
View file

@ -982,6 +982,9 @@ allow system_server storaged_service:service_manager find;
allow system_server surfaceflinger_service:service_manager find; allow system_server surfaceflinger_service:service_manager find;
allow system_server update_engine_service:service_manager find; allow system_server update_engine_service:service_manager find;
allow system_server virtual_camera_service:service_manager find; allow system_server virtual_camera_service:service_manager find;
is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, `
allow system_server virtualization_maintenance_service:service_manager find;
')
allow system_server vold_service:service_manager find; allow system_server vold_service:service_manager find;
allow system_server wifinl80211_service:service_manager find; allow system_server wifinl80211_service:service_manager find;
allow system_server logd_service:service_manager find; allow system_server logd_service:service_manager find;

3
private/vfio_handler.te
View file

@ -31,7 +31,4 @@ is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
# Allow vfio_handler to search /dev/block for accessing dtbo.img # Allow vfio_handler to search /dev/block for accessing dtbo.img
allow vfio_handler block_device:dir search; allow vfio_handler block_device:dir search;
allow vfio_handler dtbo_block_device:blk_file r_file_perms; allow vfio_handler dtbo_block_device:blk_file r_file_perms;
# Only vfio_handler can add vfio_handler_service
neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;
') # is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT) ') # is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT)

5
private/virtualizationservice.te
View file

@ -12,8 +12,11 @@ init_daemon_domain(virtualizationservice)
# Let the virtualizationservice domain use Binder. # Let the virtualizationservice domain use Binder.
binder_use(virtualizationservice) binder_use(virtualizationservice)
# Let the virtualizationservice domain register the virtualization_service with ServiceManager. # Register our services with ServiceManager.
add_service(virtualizationservice, virtualization_service) add_service(virtualizationservice, virtualization_service)
is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, `
add_service(virtualizationservice, virtualization_maintenance_service)
')
is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, ` is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
# Let virtualizationservice find and communicate with vfio_handler. # Let virtualizationservice find and communicate with vfio_handler.