Merge "Add crosvm domain and give virtmanager and crosvm necessary permissions." am: 3b6a385137
am: 787c8b3320
am: b52306081a
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1655917 Change-Id: I359389015cba2eed89c2b03c7d65af1c38f49f02
commit
92c28f9237
9 changed files with 50 additions and 17 deletions
|
@ -1,2 +1,3 @@
|
|||
(/.*)? u:object_r:system_file:s0
|
||||
/bin/crosvm u:object_r:crosvm_exec:s0
|
||||
/bin/virtmanager u:object_r:virtmanager_exec:s0
|
||||
|
|
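--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -0,0 +1,16 @@
+type crosvm, domain, coredomain;
+type crosvm_exec, system_file_type, exec_type, file_type;
+type crosvm_tmpfs, file_type;
+
+# Let crosvm create temporary files.
+tmpfs_domain(crosvm)
+
+# Let crosvm receive file descriptors from virtmanager.
+allow crosvm virtmanager:fd use;
+
+# Let crosvm open /dev/kvm.
+allow crosvm kvm_device:chr_file rw_file_perms;
+
+# Most other domains shouldn't access /dev/kvm.
+neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
+neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;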
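Review bot: `allow crosvm kvm_device:chr_file rw_file_perms;` and the two neverallows are commented as being about /dev/kvm, but a file_contexts hunk later in this commit also labels `/dev/vhost-vsock` as `kvm_device`, so crosvm gets read/write (and, through `rw_file_perms`, ioctl) on both nodes. Either give vhost-vsock its own type so the two can be granted separately, or make the comments say what the label covers, e.g. `# Let crosvm open /dev/kvm and /dev/vhost-vsock.`; the same applies to the `# /dev/kvm` comment on the `kvm_device` type declaration. The `-shell` exemption in the getattr neverallow also has no stated reason; a short comment such as `# shell may only stat the node (getattr).` would make the intent reviewable.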
@ -59,3 +59,6 @@ type odsign_data_file, file_type, data_file_type, core_data_file_type;
|
|||
|
||||
# /data/system/environ
|
||||
type environ_system_data_file, file_type, data_file_type, core_data_file_type;
|
||||
|
||||
# /dev/kvm
|
||||
type kvm_device, dev_type;
|
||||
|
|
|
@ -126,6 +126,7 @@
|
|||
/dev/pvrsrvkm u:object_r:gpu_device:s0
|
||||
/dev/kmsg u:object_r:kmsg_device:s0
|
||||
/dev/kmsg_debug u:object_r:kmsg_debug_device:s0
|
||||
/dev/kvm u:object_r:kvm_device:s0
|
||||
/dev/null u:object_r:null_device:s0
|
||||
/dev/nvhdcp1 u:object_r:video_device:s0
|
||||
/dev/random u:object_r:random_device:s0
|
||||
|
@ -190,6 +191,7 @@
|
|||
/dev/urandom u:object_r:random_device:s0
|
||||
/dev/usb_accessory u:object_r:usbaccessory_device:s0
|
||||
/dev/v4l-touch[0-9]* u:object_r:input_device:s0
|
||||
/dev/vhost-vsock u:object_r:kvm_device:s0
|
||||
/dev/video[0-9]* u:object_r:video_device:s0
|
||||
/dev/vndbinder u:object_r:vndbinder_device:s0
|
||||
/dev/watchdog u:object_r:watchdog_device:s0
|
||||
|
|
|
@ -93,3 +93,12 @@ neverallow { domain -init } keystore_listen_prop:property_service set;
|
|||
|
||||
# Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
|
||||
allow init debugfs_bootreceiver_tracing:file w_file_perms;
|
||||
|
||||
# chown/chmod on devices.
|
||||
allow init {
|
||||
dev_type
|
||||
-hw_random_device
|
||||
-keychord_device
|
||||
-kvm_device
|
||||
-port_device
|
||||
}:chr_file setattr;
|
||||
|
|
|
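Review bot: The `allow init { dev_type … }:chr_file setattr;` block in this section subtracts `kvm_device`, but its comment is still just `# chown/chmod on devices.` and does not say why that type is carved out. The reason appears to be the new `neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;` in crosvm.te, which a setattr grant to init would otherwise violate. I would state that next to the exclusion, e.g. `# kvm_device is excluded: only crosvm and ueventd may do more than getattr on it (see crosvm.te).` The vendor_init block in the next section carries the same undocumented `-kvm_device`.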
@ -8,3 +8,13 @@ allow vendor_init system_data_root_file:dir rw_dir_perms;
|
|||
|
||||
# Let vendor_init set service.adb.tcp.port.
|
||||
set_prop(vendor_init, adbd_config_prop)
|
||||
|
||||
# chown/chmod on devices, e.g. /dev/ttyHS0
|
||||
allow vendor_init {
|
||||
dev_type
|
||||
-keychord_device
|
||||
-kvm_device
|
||||
-port_device
|
||||
-lowpan_device
|
||||
-hw_random_device
|
||||
}:chr_file setattr;
|
||||
|
|
|
@ -1,8 +1,17 @@
|
|||
type virtmanager, domain, coredomain;
|
||||
type virtmanager_exec, system_file_type, exec_type, file_type;
|
||||
|
||||
# When init runs a file labelled with virtmanager_exec, run it in the virtmanager domain.
|
||||
init_daemon_domain(virtmanager)
|
||||
|
||||
# Let the virtmanager domain use Binder.
|
||||
binder_use(virtmanager)
|
||||
|
||||
# Let the virtmanager domain register the virtualization_service with ServiceManager.
|
||||
add_service(virtmanager, virtualization_service)
|
||||
|
||||
# When virtmanager execs a file with the crosvm_exec label, run it in the crosvm domain.
|
||||
domain_auto_trans(virtmanager, crosvm_exec, crosvm)
|
||||
|
||||
# Let virtmanager kill crosvm.
|
||||
allow virtmanager crosvm:process sigkill;
|
||||
|
|
|
@ -336,14 +336,6 @@ allow init {
|
|||
zero_device
|
||||
}:chr_file { read open };
|
||||
|
||||
# chown/chmod on devices.
|
||||
allow init {
|
||||
dev_type
|
||||
-hw_random_device
|
||||
-keychord_device
|
||||
-port_device
|
||||
}:chr_file setattr;
|
||||
|
||||
# Unlabeled file access for upgrades from 4.2.
|
||||
allow init unlabeled:dir { create_dir_perms relabelfrom };
|
||||
allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
|
||||
|
|
|
@ -159,15 +159,6 @@ allow vendor_init {
|
|||
-proc_uid_concurrent_policy_time
|
||||
}:dir { open read setattr search };
|
||||
|
||||
# chown/chmod on devices, e.g. /dev/ttyHS0
|
||||
allow vendor_init {
|
||||
dev_type
|
||||
-keychord_device
|
||||
-port_device
|
||||
-lowpan_device
|
||||
-hw_random_device
|
||||
}:chr_file setattr;
|
||||
|
||||
allow vendor_init dev_type:blk_file getattr;
|
||||
|
||||
# Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.
|
||||
|
|