From 825056de9ab6c5d8231cd0039e12280eb5b0ea10 Mon Sep 17 00:00:00 2001 From: Inseob Kim Date: Tue, 1 Aug 2023 11:00:49 +0900 Subject: [PATCH] Add permission for VFIO device binding vfio_handler will bind platform devices to VFIO driver, and then return a file descriptor containing DTBO. This change adds permissions needed for that. Bug: 278008182 Test: adb shell /apex/com.android.virt/bin/vm run-microdroid \ --devices /sys/bus/platform/devices/16d00000.eh --protected Change-Id: Ie947adff00d138426d4703cbb8e7a8cd429c2272 --- apex/com.android.virt-file_contexts | 1 + build/soong/service_fuzzer_bindings.go | 2 ++ private/compat/34.0/34.0.cil | 2 +- private/coredomain.te | 1 + private/crosvm.te | 8 ++++++++ private/file_contexts | 1 + private/service.te | 1 + private/service_contexts | 1 + private/vfio_handler.te | 24 ++++++++++++++++++++++++ private/virtualizationmanager.te | 4 ++++ private/virtualizationservice.te | 15 +++++++++++++++ public/device.te | 3 +++ 12 files changed, 62 insertions(+), 1 deletion(-) create mode 100644 private/vfio_handler.te diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts index 9c13bd5cb..afe9f51c4 100644 --- a/apex/com.android.virt-file_contexts +++ b/apex/com.android.virt-file_contexts @@ -3,3 +3,4 @@ /bin/fd_server u:object_r:fd_server_exec:s0 /bin/virtmgr u:object_r:virtualizationmanager_exec:s0 /bin/virtualizationservice u:object_r:virtualizationservice_exec:s0 +/bin/vfio_handler u:object_r:vfio_handler_exec:s0 diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go index f7e67d854..3ed86c1f5 100644 --- a/build/soong/service_fuzzer_bindings.go +++ b/build/soong/service_fuzzer_bindings.go @@ -170,7 +170,9 @@ var ( "android.security.metrics": EXCEPTION_NO_FUZZER, "android.service.gatekeeper.IGateKeeperService": []string{"gatekeeperd_service_fuzzer"}, "android.system.composd": EXCEPTION_NO_FUZZER, + // TODO(b/294158658): add fuzzer "android.system.virtualizationservice": EXCEPTION_NO_FUZZER, + "android.system.virtualizationservice_internal.IVfioHandler": EXCEPTION_NO_FUZZER, "ambient_context": EXCEPTION_NO_FUZZER, "app_binding": EXCEPTION_NO_FUZZER, "app_hibernation": EXCEPTION_NO_FUZZER, diff --git a/private/compat/34.0/34.0.cil b/private/compat/34.0/34.0.cil index 80d48da8b..aa8a56c1f 100644 --- a/private/compat/34.0/34.0.cil +++ b/private/compat/34.0/34.0.cil @@ -1604,7 +1604,7 @@ (typeattributeset default_android_vndservice_34_0 (default_android_vndservice)) (typeattributeset default_prop_34_0 (default_prop)) (typeattributeset dev_cpu_variant_34_0 (dev_cpu_variant)) -(typeattributeset device_34_0 (device)) +(typeattributeset device_34_0 (device vfio_device)) (typeattributeset device_config_activity_manager_native_boot_prop_34_0 (device_config_activity_manager_native_boot_prop)) (typeattributeset device_config_boot_count_prop_34_0 (device_config_boot_count_prop)) (typeattributeset device_config_camera_native_prop_34_0 (device_config_camera_native_prop)) diff --git a/private/coredomain.te b/private/coredomain.te index 83930a50a..f9b47dfb8 100644 --- a/private/coredomain.te +++ b/private/coredomain.te @@ -150,6 +150,7 @@ full_treble_only(` -apexd -init -ueventd + -vfio_handler -vold } sysfs:file no_rw_file_perms; diff --git a/private/crosvm.te b/private/crosvm.te index 8a6bd24d6..3f392016f 100644 --- a/private/crosvm.te +++ b/private/crosvm.te @@ -92,6 +92,14 @@ allow crosvm port:tcp_socket name_bind; allow crosvm adbd:unix_stream_socket ioctl; allow crosvm node:tcp_socket node_bind; +# Allow crosvm to interact to VFIO device +allow crosvm vfio_device:chr_file rw_file_perms; +allow crosvm vfio_device:dir r_dir_perms; + +# Allow crosvm to access VM DTBO via a pipe created by vfio handler. +allow crosvm vfio_handler:fd use; +allow crosvm vfio_handler:fifo_file r_file_perms; + # Don't allow crosvm to open files that it doesn't own. # This is important because a malicious application could try to start a VM with a composite disk # image referring by name to files which it doesn't have permission to open, trying to get crosvm to diff --git a/private/file_contexts b/private/file_contexts index 0bae96ed8..c2a626941 100644 --- a/private/file_contexts +++ b/private/file_contexts @@ -190,6 +190,7 @@ /dev/urandom u:object_r:random_device:s0 /dev/usb_accessory u:object_r:usbaccessory_device:s0 /dev/v4l-touch[0-9]* u:object_r:input_device:s0 +/dev/vfio(/.*)? u:object_r:vfio_device:s0 /dev/vhost-vsock u:object_r:kvm_device:s0 /dev/video[0-9]* u:object_r:video_device:s0 /dev/vndbinder u:object_r:vndbinder_device:s0 diff --git a/private/service.te b/private/service.te index f07400b7a..ccb9e17f7 100644 --- a/private/service.te +++ b/private/service.te @@ -21,4 +21,5 @@ type statscompanion_service, system_server_service, service_manager_type; type statsmanager_service, system_api_service, system_server_service, service_manager_type; type tracingproxy_service, system_server_service, service_manager_type; type transparency_service, system_server_service, service_manager_type; +type vfio_handler_service, service_manager_type; type uce_service, service_manager_type; diff --git a/private/service_contexts b/private/service_contexts index 94f913d8d..a85d21dba 100644 --- a/private/service_contexts +++ b/private/service_contexts @@ -147,6 +147,7 @@ android.security.metrics u:object_r:keystore_metrics_service:s0 android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0 android.system.composd u:object_r:compos_service:s0 android.system.virtualizationservice u:object_r:virtualization_service:s0 +android.system.virtualizationservice_internal.IVfioHandler u:object_r:vfio_handler_service:s0 ambient_context u:object_r:ambient_context_service:s0 app_binding u:object_r:app_binding_service:s0 app_hibernation u:object_r:app_hibernation_service:s0 diff --git a/private/vfio_handler.te b/private/vfio_handler.te new file mode 100644 index 000000000..706a6ca22 --- /dev/null +++ b/private/vfio_handler.te @@ -0,0 +1,24 @@ +# vfio_handler is a helper service for VFIO tasks, like binding platform devices to VFIO driver. +# vfio_handler is separate from virtualizationservice as VFIO tasks require root. +type vfio_handler, domain, coredomain; +type vfio_handler_exec, system_file_type, exec_type, file_type; + +# When init runs a file labelled with vfio_handler_exec, run it in the vfio_handler domain. +init_daemon_domain(vfio_handler) + +# Let the vfio_handler domain register the vfio_handler_service with ServiceManager. +add_service(vfio_handler, vfio_handler_service) + +# Let the vfio_handler domain use Binder. +binder_use(vfio_handler) + +# Allow vfio_handler to check if VFIO is supported +allow vfio_handler vfio_device:chr_file getattr; +allow vfio_handler vfio_device:dir r_dir_perms; + +# Allow vfio_handler to bind/unbind platform devices +allow vfio_handler sysfs:dir r_dir_perms; +allow vfio_handler sysfs:file rw_file_perms; + +# Only vfio_handler can add vfio_handler_service +neverallow { domain -vfio_handler } vfio_handler_service:service_manager add; diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te index b6bcd9885..a8fb202ab 100644 --- a/private/virtualizationmanager.te +++ b/private/virtualizationmanager.te @@ -89,3 +89,7 @@ r_dir_file(virtualizationmanager, crosvm); # For debug purposes we try to get the canonical path from /proc/self/fd/N. That triggers # a harmless denial for CompOS log files, so ignore that. dontaudit virtualizationmanager apex_module_data_file:dir search; + +# Allow virtualizationmanager to access VM DTBO via a pipe created by vfio handler. +allow virtualizationmanager vfio_handler:fd use; +allow virtualizationmanager vfio_handler:fifo_file r_file_perms; diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te index 561e7788d..a4588dc9f 100644 --- a/private/virtualizationservice.te +++ b/private/virtualizationservice.te @@ -15,6 +15,10 @@ binder_use(virtualizationservice) # Let the virtualizationservice domain register the virtualization_service with ServiceManager. add_service(virtualizationservice, virtualization_service) +# Let virtualizationservice find and communicate with vfio_handler. +allow virtualizationservice vfio_handler_service:service_manager find; +binder_call(virtualizationservice, vfio_handler) + # Allow calling into the system server to find "permission_service". binder_call(virtualizationservice, system_server) allow virtualizationservice permission_service:service_manager find; @@ -54,6 +58,14 @@ unix_socket_connect(virtualizationservice, tombstoned_crash, tombstoned) allow virtualizationservice tombstone_data_file:file { append getattr }; allow virtualizationservice tombstoned:fd use; +# Allow virtualizationservice to check if VFIO is supported +allow virtualizationservice vfio_device:chr_file getattr; +allow virtualizationservice vfio_device:dir r_dir_perms; + +# Allow virtualizationservice to access VM DTBO via a pipe created by vfio handler. +allow virtualizationservice vfio_handler:fd use; +allow virtualizationservice vfio_handler:fifo_file r_file_perms; + neverallow { domain -init @@ -72,3 +84,6 @@ neverallow virtualizationservice { -virtualizationmanager -virtualizationservice }:process setrlimit; + +# Only virtualizationservice can communicate to vfio_handler +neverallow { domain -virtualizationservice -servicemanager } vfio_handler:binder call; diff --git a/public/device.te b/public/device.te index fa292565e..36299d38c 100644 --- a/public/device.te +++ b/public/device.te @@ -129,3 +129,6 @@ type userdata_sysdev, dev_type; # Root disk file for disk tunables type rootdisk_sysdev, dev_type; + +# vfio device +type vfio_device, dev_type;