From 88f98d96dae3fb2616e93969685cbd737c364a0f Mon Sep 17 00:00:00 2001
From: David Brazdil
Date: Fri, 28 Oct 2022 13:57:58 +0100
Subject: [PATCH] Use CAP_SYS_RESOURCE instead of CAP_IPC_LOCK for crosvm

Instead of giving CAP_IPC_LOCK to crosvm, give virtualizationservice CAP_SYS_RESOURCE so it can modify the rlimit_memlock of itself and its children. This is done in preparation for running crosvm as a child process of the requestor, in which case it will not have the option to use CAP_IPC_LOCK anymore, but it also allows us to set an upper bound on the amount of pinnable memory if necessary.

Bug: 204298056
Bug: 245727626
Test: atest MicrodroidTestApp
Change-Id: Ic7f161fe4232440a0dd9924d971f22fc053d973b
---
 private/crosvm.te | 3 ---
 private/virtualizationservice.te | 3 +++
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/private/crosvm.te b/private/crosvm.te
index 5971b91ee..9c4513127 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -10,9 +10,6 @@ neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
 neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
 neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };
-# Let crosvm mlock VM memory and page tables.
-allow crosvm self:capability ipc_lock;
-
 # Let crosvm create temporary files.
 tmpfs_domain(crosvm)
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 3e057fe07..f41e7ccf7 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -22,6 +22,9 @@ add_service(virtualizationservice, virtualization_service)
 # When virtualizationservice execs a file with the crosvm_exec label, run it in the crosvm domain.
 domain_auto_trans(virtualizationservice, crosvm_exec, crosvm)
+# Let virtualizationservice (and specifically its children) mlock VM memory and page tables.
+allow virtualizationservice self:capability sys_resource;
+
 # Let virtualizationservice kill crosvm.
 allow virtualizationservice crosvm:process sigkill;
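Review bot: The comment above the added `allow virtualizationservice self:capability sys_resource;` line understates what is being granted — `sys_resource` does not itself permit mlock; it lets the service raise RLIMIT_MEMLOCK (and every other rlimit) for itself and for crosvm before the domain transition, and it also covers unrelated overrides such as disk-quota and reserved-block limits, so it is a broader capability than the `ipc_lock` removed from crosvm.te in the first hunk. Suggest `# Let virtualizationservice raise RLIMIT_MEMLOCK for itself and its children (crosvm) so they can mlock VM memory and page tables. Note: sys_resource is broader than ipc_lock; it is only needed for rlimit changes.` so the next reader knows why the wider capability was accepted. Because crosvm no longer holds `ipc_lock`, its mlock calls now succeed only if the service actually raises the limit before exec, and nothing in policy enforces that or the "upper bound on pinnable memory" the description mentions; that contract lives in the service code and would be worth a pointer from this comment.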