Allow su to access virtualization
Use our standard macro for granting all the necessary permissions instead of copying a part of it. Add ioctl access for all clients for Unix stream sockets & pipes; this allows them to be used for stdin/stdout without triggering denials. (Only unpriv_sock_ioctls can be used.) Together this allows a root shell to use `vm run` without getting spurious denials such as: avc: denied { ioctl } for comm="crosvm" path="socket:[835168]" dev="sockfs" ino=835168 ioctlcmd=0x5401 scontext=u:r:crosvm:s0 tcontext=u:r:su:s0 tclass=unix_stream_socket permissive=0 Bug: 316048644 Test: adb root, adb shell /apex/com.android.virt/bin/vm run-microdroid Test: atest MicrodroidTests Change-Id: Ib5186c70714e295a770896cf8b628384f410b94d
parent
cb24b4facf
commit
8b4d612fd7
2 changed files with 5 additions and 4 deletions
|
@ -19,8 +19,9 @@ userdebug_or_eng(`
|
|||
# Put the perfetto command into its domain so it is the same on user, userdebug and eng.
|
||||
domain_auto_trans(su, perfetto_exec, perfetto)
|
||||
|
||||
# Put the virtmgr command into its domain.
|
||||
domain_auto_trans(su, virtualizationmanager_exec, virtualizationmanager)
|
||||
# Allow accessing virtualization (e.g. via the vm command) - ensures virtmgr runs in its
|
||||
# own domain.
|
||||
virtualizationservice_use(su)
|
||||
|
||||
# su is also permissive to permit setenforce.
|
||||
permissive su;
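Review bot: The new comment above `virtualizationservice_use(su)` explains only the domain transition, which the removed `domain_auto_trans` line already provided. Because `permissive su;` follows directly, rules with su as the source are logged but not enforced; the grants that change enforced behaviour are those with su as the target and crosvm (or virtualizationmanager) as the source, and the denial quoted in the commit message shows crosvm at `permissive=0`. I would reword the comment to say so, e.g. `# Use the standard client macro: besides the virtmgr transition it lets virtualizationmanager and crosvm use su's fds, sockets and pipes.` The enclosing `userdebug_or_eng(` block opens outside this hunk.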
|
||||
|
|
|
@ -186,13 +186,13 @@ define(`virtualizationservice_use', `
|
|||
# Transition to virtualizationmanager when the client executes it.
|
||||
domain_auto_trans($1, virtualizationmanager_exec, virtualizationmanager)
|
||||
# Allow virtualizationmanager to communicate over UDS with the client.
|
||||
allow { virtualizationmanager crosvm } $1:unix_stream_socket { getattr read write };
|
||||
allow { virtualizationmanager crosvm } $1:unix_stream_socket { ioctl getattr read write };
|
||||
# Let the client pass file descriptors to virtualizationmanager and on to crosvm.
|
||||
allow { virtualizationmanager crosvm } $1:fd use;
|
||||
# Let the client use file descriptors created by virtualizationmanager.
|
||||
allow $1 virtualizationmanager:fd use;
|
||||
# Allow piping console log to the client
|
||||
allow { virtualizationmanager crosvm } $1:fifo_file { getattr read write };
|
||||
allow { virtualizationmanager crosvm } $1:fifo_file { ioctl getattr read write };
|
||||
# Allow client to read/write vsock created by virtualizationmanager to communicate with the VM
|
||||
# that it created. Notice that we do not grant permission to create a vsock;
|
||||
# the client can only connect to VMs that it owns.
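Review bot: Adding `ioctl` to the `unix_stream_socket` and `fifo_file` rules widens the grant for every domain that calls `virtualizationservice_use`, not just su, and nothing in the hunk limits which ioctl commands are covered. The commit message says only unpriv_sock_ioctls can be used, which presumably relies on an extended-permission allowlist defined elsewhere. That is worth confirming for `fifo_file` in particular, because where no `allowxperm` rule covers a source/target/class, the plain `ioctl` permission admits every command. The comments above the two rules should also record the reason, e.g. `# ioctl: clients pass these as stdin/stdout and crosvm probes them (ioctlcmd=0x5401 in the denial); commands are limited by the xperm allowlist.` The macro body starts and ends outside this hunk.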
|
||||
|
|