Merge "Add permission for VFIO device binding" into main
This commit is contained in:
commit
6ebc7deb48
12 changed files with 62 additions and 1 deletions
|
@ -3,3 +3,4 @@
|
||||||
/bin/fd_server u:object_r:fd_server_exec:s0
|
/bin/fd_server u:object_r:fd_server_exec:s0
|
||||||
/bin/virtmgr u:object_r:virtualizationmanager_exec:s0
|
/bin/virtmgr u:object_r:virtualizationmanager_exec:s0
|
||||||
/bin/virtualizationservice u:object_r:virtualizationservice_exec:s0
|
/bin/virtualizationservice u:object_r:virtualizationservice_exec:s0
|
||||||
|
/bin/vfio_handler u:object_r:vfio_handler_exec:s0
|
||||||
|
|
|
@ -170,7 +170,9 @@ var (
|
||||||
"android.security.metrics": EXCEPTION_NO_FUZZER,
|
"android.security.metrics": EXCEPTION_NO_FUZZER,
|
||||||
"android.service.gatekeeper.IGateKeeperService": []string{"gatekeeperd_service_fuzzer"},
|
"android.service.gatekeeper.IGateKeeperService": []string{"gatekeeperd_service_fuzzer"},
|
||||||
"android.system.composd": EXCEPTION_NO_FUZZER,
|
"android.system.composd": EXCEPTION_NO_FUZZER,
|
||||||
|
// TODO(b/294158658): add fuzzer
|
||||||
"android.system.virtualizationservice": EXCEPTION_NO_FUZZER,
|
"android.system.virtualizationservice": EXCEPTION_NO_FUZZER,
|
||||||
|
"android.system.virtualizationservice_internal.IVfioHandler": EXCEPTION_NO_FUZZER,
|
||||||
"ambient_context": EXCEPTION_NO_FUZZER,
|
"ambient_context": EXCEPTION_NO_FUZZER,
|
||||||
"app_binding": EXCEPTION_NO_FUZZER,
|
"app_binding": EXCEPTION_NO_FUZZER,
|
||||||
"app_hibernation": EXCEPTION_NO_FUZZER,
|
"app_hibernation": EXCEPTION_NO_FUZZER,
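Review bot: The new `"android.system.virtualizationservice_internal.IVfioHandler": EXCEPTION_NO_FUZZER` entry carries no tracking comment, while the `android.system.virtualizationservice` entry two lines above gets `// TODO(b/294158658): add fuzzer` in the same hunk. IVfioHandler is the Binder surface of a root helper (per the new `private/vfio_handler.te`), so an untracked fuzzer exception is worth flagging; either add `// TODO(b/<bug-id>): add fuzzer` above the new line or, if the existing TODO is meant to cover both interfaces, say so in that comment. The enclosing `var (` block starts outside the hunk.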
|
||||||
|
|
|
@ -1604,7 +1604,7 @@
|
||||||
(typeattributeset default_android_vndservice_34_0 (default_android_vndservice))
|
(typeattributeset default_android_vndservice_34_0 (default_android_vndservice))
|
||||||
(typeattributeset default_prop_34_0 (default_prop))
|
(typeattributeset default_prop_34_0 (default_prop))
|
||||||
(typeattributeset dev_cpu_variant_34_0 (dev_cpu_variant))
|
(typeattributeset dev_cpu_variant_34_0 (dev_cpu_variant))
|
||||||
(typeattributeset device_34_0 (device))
|
(typeattributeset device_34_0 (device vfio_device))
|
||||||
(typeattributeset device_config_activity_manager_native_boot_prop_34_0 (device_config_activity_manager_native_boot_prop))
|
(typeattributeset device_config_activity_manager_native_boot_prop_34_0 (device_config_activity_manager_native_boot_prop))
|
||||||
(typeattributeset device_config_boot_count_prop_34_0 (device_config_boot_count_prop))
|
(typeattributeset device_config_boot_count_prop_34_0 (device_config_boot_count_prop))
|
||||||
(typeattributeset device_config_camera_native_prop_34_0 (device_config_camera_native_prop))
|
(typeattributeset device_config_camera_native_prop_34_0 (device_config_camera_native_prop))
|
||||||
|
|
|
@ -150,6 +150,7 @@ full_treble_only(`
|
||||||
-apexd
|
-apexd
|
||||||
-init
|
-init
|
||||||
-ueventd
|
-ueventd
|
||||||
|
-vfio_handler
|
||||||
-vold
|
-vold
|
||||||
} sysfs:file no_rw_file_perms;
|
} sysfs:file no_rw_file_perms;
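Review bot: Adding `-vfio_handler` to this exemption list, combined with `allow vfio_handler sysfs:file rw_file_perms;` and `allow vfio_handler sysfs:dir r_dir_perms;` in the new `private/vfio_handler.te`, gives a root helper write access to every node carrying the generic `sysfs` label, not just the driver bind/unbind entries the comment there describes. A dedicated type for those entries (assigned with `genfscon sysfs <bind-unbind-path> u:object_r:<vfio_sysfs_type>:s0`, placeholders to be filled in) would let the allow rule in vfio_handler.te target that type alone and keep vfio_handler out of this exemption list entirely. If the exact paths are not fixed yet, a comment on the exemption explaining why the broad label is needed would at least make the breadth deliberate. The `neverallow` block being edited starts outside the hunk.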
|
||||||
|
|
||||||
|
|
|
@ -92,6 +92,14 @@ allow crosvm port:tcp_socket name_bind;
|
||||||
allow crosvm adbd:unix_stream_socket ioctl;
|
allow crosvm adbd:unix_stream_socket ioctl;
|
||||||
allow crosvm node:tcp_socket node_bind;
|
allow crosvm node:tcp_socket node_bind;
|
||||||
|
|
||||||
|
# Allow crosvm to interact to VFIO device
|
||||||
|
allow crosvm vfio_device:chr_file rw_file_perms;
|
||||||
|
allow crosvm vfio_device:dir r_dir_perms;
|
||||||
|
|
||||||
|
# Allow crosvm to access VM DTBO via a pipe created by vfio handler.
|
||||||
|
allow crosvm vfio_handler:fd use;
|
||||||
|
allow crosvm vfio_handler:fifo_file r_file_perms;
|
||||||
|
|
||||||
# Don't allow crosvm to open files that it doesn't own.
|
# Don't allow crosvm to open files that it doesn't own.
|
||||||
# This is important because a malicious application could try to start a VM with a composite disk
|
# This is important because a malicious application could try to start a VM with a composite disk
|
||||||
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
|
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
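Review bot: `allow crosvm vfio_device:chr_file rw_file_perms;` grants crosvm the `ioctl` permission on every node labelled `vfio_device` (the file_contexts hunk maps `/dev/vfio(/.*)?` — container and group nodes alike — to that one type), and no `allowxperm` narrows the ioctl set. VFIO is driven almost entirely through ioctls and crosvm hosts the untrusted guest, so consider pairing the allow with `allowxperm crosvm vfio_device:chr_file ioctl { <vfio-ioctls-crosvm-needs> };` (placeholder list) and a matching `neverallowxperm` for the remainder, as this policy does for other device classes; failing that, a comment stating that the ioctl allowlist is deferred would make the breadth explicit. The `fd use` and `fifo_file r_file_perms` rules for the DTBO pipe look appropriately scoped.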
|
||||||
|
|
|
@ -190,6 +190,7 @@
|
||||||
/dev/urandom u:object_r:random_device:s0
|
/dev/urandom u:object_r:random_device:s0
|
||||||
/dev/usb_accessory u:object_r:usbaccessory_device:s0
|
/dev/usb_accessory u:object_r:usbaccessory_device:s0
|
||||||
/dev/v4l-touch[0-9]* u:object_r:input_device:s0
|
/dev/v4l-touch[0-9]* u:object_r:input_device:s0
|
||||||
|
/dev/vfio(/.*)? u:object_r:vfio_device:s0
|
||||||
/dev/vhost-vsock u:object_r:kvm_device:s0
|
/dev/vhost-vsock u:object_r:kvm_device:s0
|
||||||
/dev/video[0-9]* u:object_r:video_device:s0
|
/dev/video[0-9]* u:object_r:video_device:s0
|
||||||
/dev/vndbinder u:object_r:vndbinder_device:s0
|
/dev/vndbinder u:object_r:vndbinder_device:s0
|
||||||
|
|
|
@ -21,4 +21,5 @@ type statscompanion_service, system_server_service, service_manager_type;
|
||||||
type statsmanager_service, system_api_service, system_server_service, service_manager_type;
|
type statsmanager_service, system_api_service, system_server_service, service_manager_type;
|
||||||
type tracingproxy_service, system_server_service, service_manager_type;
|
type tracingproxy_service, system_server_service, service_manager_type;
|
||||||
type transparency_service, system_server_service, service_manager_type;
|
type transparency_service, system_server_service, service_manager_type;
|
||||||
|
type vfio_handler_service, service_manager_type;
|
||||||
type uce_service, service_manager_type;
|
type uce_service, service_manager_type;
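Review bot: `type vfio_handler_service, service_manager_type;` is inserted between `transparency_service` and `uce_service`, which breaks the alphabetical order the surrounding declarations follow (statscompanion, statsmanager, tracingproxy, transparency, uce). Move it after `uce_service`, or after whatever later `v…` entries the file has beyond the hunk. The service_contexts and Go-map hunks place the new entry in order already, so only this file needs the fix.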
|
||||||
|
|
|
@ -147,6 +147,7 @@ android.security.metrics u:object_r:keystore_metrics_service:s0
|
||||||
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
|
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
|
||||||
android.system.composd u:object_r:compos_service:s0
|
android.system.composd u:object_r:compos_service:s0
|
||||||
android.system.virtualizationservice u:object_r:virtualization_service:s0
|
android.system.virtualizationservice u:object_r:virtualization_service:s0
|
||||||
|
android.system.virtualizationservice_internal.IVfioHandler u:object_r:vfio_handler_service:s0
|
||||||
ambient_context u:object_r:ambient_context_service:s0
|
ambient_context u:object_r:ambient_context_service:s0
|
||||||
app_binding u:object_r:app_binding_service:s0
|
app_binding u:object_r:app_binding_service:s0
|
||||||
app_hibernation u:object_r:app_hibernation_service:s0
|
app_hibernation u:object_r:app_hibernation_service:s0
|
||||||
|
|
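--- /dev/null
+++ b/private/vfio_handler.te
@@ -0,0 +1,24 @@
+# vfio_handler is a helper service for VFIO tasks, like binding platform devices to VFIO driver.
+# vfio_handler is separate from virtualizationservice as VFIO tasks require root.
+type vfio_handler, domain, coredomain;
+type vfio_handler_exec, system_file_type, exec_type, file_type;
+
+# When init runs a file labelled with vfio_handler_exec, run it in the vfio_handler domain.
+init_daemon_domain(vfio_handler)
+
+# Let the vfio_handler domain register the vfio_handler_service with ServiceManager.
+add_service(vfio_handler, vfio_handler_service)
+
+# Let the vfio_handler domain use Binder.
+binder_use(vfio_handler)
+
+# Allow vfio_handler to check if VFIO is supported
+allow vfio_handler vfio_device:chr_file getattr;
+allow vfio_handler vfio_device:dir r_dir_perms;
+
+# Allow vfio_handler to bind/unbind platform devices
+allow vfio_handler sysfs:dir r_dir_perms;
+allow vfio_handler sysfs:file rw_file_perms;
+
+# Only vfio_handler can add vfio_handler_service
+neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;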
|
@ -89,3 +89,7 @@ r_dir_file(virtualizationmanager, crosvm);
|
||||||
# For debug purposes we try to get the canonical path from /proc/self/fd/N. That triggers
|
# For debug purposes we try to get the canonical path from /proc/self/fd/N. That triggers
|
||||||
# a harmless denial for CompOS log files, so ignore that.
|
# a harmless denial for CompOS log files, so ignore that.
|
||||||
dontaudit virtualizationmanager apex_module_data_file:dir search;
|
dontaudit virtualizationmanager apex_module_data_file:dir search;
|
||||||
|
|
||||||
|
# Allow virtualizationmanager to access VM DTBO via a pipe created by vfio handler.
|
||||||
|
allow virtualizationmanager vfio_handler:fd use;
|
||||||
|
allow virtualizationmanager vfio_handler:fifo_file r_file_perms;
|
||||||
|
|
|
@ -15,6 +15,10 @@ binder_use(virtualizationservice)
|
||||||
# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
|
# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
|
||||||
add_service(virtualizationservice, virtualization_service)
|
add_service(virtualizationservice, virtualization_service)
|
||||||
|
|
||||||
|
# Let virtualizationservice find and communicate with vfio_handler.
|
||||||
|
allow virtualizationservice vfio_handler_service:service_manager find;
|
||||||
|
binder_call(virtualizationservice, vfio_handler)
|
||||||
|
|
||||||
# Allow calling into the system server to find "permission_service".
|
# Allow calling into the system server to find "permission_service".
|
||||||
binder_call(virtualizationservice, system_server)
|
binder_call(virtualizationservice, system_server)
|
||||||
allow virtualizationservice permission_service:service_manager find;
|
allow virtualizationservice permission_service:service_manager find;
|
||||||
|
@ -54,6 +58,14 @@ unix_socket_connect(virtualizationservice, tombstoned_crash, tombstoned)
|
||||||
allow virtualizationservice tombstone_data_file:file { append getattr };
|
allow virtualizationservice tombstone_data_file:file { append getattr };
|
||||||
allow virtualizationservice tombstoned:fd use;
|
allow virtualizationservice tombstoned:fd use;
|
||||||
|
|
||||||
|
# Allow virtualizationservice to check if VFIO is supported
|
||||||
|
allow virtualizationservice vfio_device:chr_file getattr;
|
||||||
|
allow virtualizationservice vfio_device:dir r_dir_perms;
|
||||||
|
|
||||||
|
# Allow virtualizationservice to access VM DTBO via a pipe created by vfio handler.
|
||||||
|
allow virtualizationservice vfio_handler:fd use;
|
||||||
|
allow virtualizationservice vfio_handler:fifo_file r_file_perms;
|
||||||
|
|
||||||
neverallow {
|
neverallow {
|
||||||
domain
|
domain
|
||||||
-init
|
-init
|
||||||
|
@ -72,3 +84,6 @@ neverallow virtualizationservice {
|
||||||
-virtualizationmanager
|
-virtualizationmanager
|
||||||
-virtualizationservice
|
-virtualizationservice
|
||||||
}:process setrlimit;
|
}:process setrlimit;
|
||||||
|
|
||||||
|
# Only virtualizationservice can communicate to vfio_handler
|
||||||
|
neverallow { domain -virtualizationservice -servicemanager } vfio_handler:binder call;
|
||||||
|
|
|
@ -129,3 +129,6 @@ type userdata_sysdev, dev_type;
|
||||||
|
|
||||||
# Root disk file for disk tunables
|
# Root disk file for disk tunables
|
||||||
type rootdisk_sysdev, dev_type;
|
type rootdisk_sysdev, dev_type;
|
||||||
|
|
||||||
|
# vfio device
|
||||||
|
type vfio_device, dev_type;
|
||||||
|
|