Merge "Introduce vm_manager_device_type for crosvm" am: ccbe862858
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2506662 Change-Id: I2372a6ab50e8e1563e5794460562d0e38acdb63c Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
commit
5c9967917f
5 changed files with 14 additions and 5 deletions
|
@ -2,14 +2,20 @@ type crosvm, domain, coredomain;
|
|||
type crosvm_exec, system_file_type, exec_type, file_type;
|
||||
type crosvm_tmpfs, file_type;
|
||||
|
||||
# Let crosvm open /dev/kvm.
|
||||
allow crosvm kvm_device:chr_file rw_file_perms;
|
||||
# Let crosvm open VM manager devices such as /dev/kvm.
|
||||
allow crosvm vm_manager_device_type:chr_file rw_file_perms;
|
||||
|
||||
# Most other domains shouldn't access /dev/kvm.
|
||||
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
|
||||
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
|
||||
neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };
|
||||
|
||||
# Most other domains shouldn't access other vm managers either.
|
||||
# These restrictions need to be slightly looser than for kvm_device to allow
|
||||
# for different implementations.
|
||||
neverallow { coredomain appdomain -crosvm -ueventd -shell } vm_manager_device_type:chr_file getattr;
|
||||
neverallow { coredomain appdomain -crosvm -ueventd } vm_manager_device_type:chr_file ~getattr;
|
||||
|
||||
# Let crosvm create temporary files.
|
||||
tmpfs_domain(crosvm)
|
||||
|
||||
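Review bot: The two new `neverallow` rules on `vm_manager_device_type` start from `{ coredomain appdomain ... }`, whereas the `kvm_device` rules above them start from `domain`, so they place no build-time limit on vendor (non-core, non-app) domains, and they have no `neverallowxperm` counterpart bounding ioctls. The comment says the restrictions are "slightly looser" but does not say what is deliberately left open; if leaving vendor domains unrestricted is intended, I would state it, e.g. `# Vendor domains are intentionally not covered; vendor policy should add its own neverallow rules for its VM manager device type.` Separately, `allow crosvm vm_manager_device_type:chr_file rw_file_perms;` gives crosvm read, write and unfiltered ioctl access to every type that carries the attribute, which deserves a line in the comment above it so that the attribute is not attached to a device node casually.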
|
|
|
@ -104,7 +104,7 @@ type bootanim_data_file, file_type, data_file_type, core_data_file_type;
|
|||
# /dev/kvm
|
||||
# The type needs to be mlstrustedobject to allow for being accessed from
|
||||
# crosvm, which runs at a more constrained MLS level.
|
||||
type kvm_device, dev_type, mlstrustedobject;
|
||||
type kvm_device, dev_type, mlstrustedobject, vm_manager_device_type;
|
||||
|
||||
# /apex/com.android.virt/bin/fd_server
|
||||
type fd_server_exec, system_file_type, exec_type, file_type;
|
||||
|
|
|
@ -120,6 +120,6 @@ allow init {
|
|||
dev_type
|
||||
-hw_random_device
|
||||
-keychord_device
|
||||
-kvm_device
|
||||
-vm_manager_device_type
|
||||
-port_device
|
||||
}:chr_file setattr;
|
||||
|
|
|
@ -19,7 +19,7 @@ get_prop(vendor_init, apex_ready_prop)
|
|||
allow vendor_init {
|
||||
dev_type
|
||||
-keychord_device
|
||||
-kvm_device
|
||||
-vm_manager_device_type
|
||||
-port_device
|
||||
-lowpan_device
|
||||
-hw_random_device
|
||||
|
|
|
@ -417,6 +417,9 @@ attribute super_block_device_type;
|
|||
attribute dmabuf_heap_device_type;
|
||||
expandattribute dmabuf_heap_device_type false;
|
||||
|
||||
# Types for VM managers
|
||||
attribute vm_manager_device_type;
|
||||
|
||||
# All types used for DSU metadata files.
|
||||
attribute gsi_metadata_file_type;
|
||||
|
||||
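Review bot: The comment `# Types for VM managers` under-describes what attaching `vm_manager_device_type` to a type does. Going by the other hunks in this commit, a type carrying the attribute becomes readable and writable by crosvm, is subtracted from the `dev_type` sets in the init and vendor_init allow rules, and falls under the new neverallow rules for core and app domains. I would expand the comment along the lines of `# Device node types for VM managers (hypervisor interfaces such as /dev/kvm).` followed by `# Attaching this attribute grants crosvm rw access to the type; see the crosvm policy.` so a vendor adding its own type knows it is granting access and not only labelling.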
|
|