From d2a0892121ad6feff08fdf4b8ac373c524a1f8da Mon Sep 17 00:00:00 2001
From: Seungjae Yoo
Date: Wed, 15 Nov 2023 17:59:30 +0900
Subject: [PATCH] Introduce vendor_microdroid_file for microdroid vendor image

In AVF, virtualizationmanager checks the selinux label of given disk image for proving whether the given image is edited maliciously. Existing one(vendor_configs_file, /vendor/etc/*) was too wide to use for this purpose.

Bug: 285854379
Test: m
Change-Id: I6c966c92b238a2262d2eb7f41041ed4c359e9e0a
---
 contexts/plat_file_contexts_test | 2 ++
 private/compat/34.0/34.0.ignore.cil | 1 +
 private/crosvm.te | 4 +++-
 private/domain.te | 1 +
 private/file_contexts | 1 +
 private/shell.te | 3 +++
 private/virtualizationmanager.te | 3 +++
 public/file.te | 2 ++
 8 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 50d9de480..d9767ed03 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -538,6 +538,8 @@
 /vendor/framework/test vendor_framework_file
 /system/vendor/framework vendor_framework_file
 /system/vendor/framework/test vendor_framework_file
+/vendor/etc/avf/microdroid vendor_microdroid_file
+/vendor/etc/avf/microdroid/test vendor_microdroid_file
 /vendor/apex vendor_apex_file
 /vendor/apex/test vendor_apex_file
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index ddaa7e2a4..83e3b3de9 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -27,4 +27,5 @@
     binderfs_logs_stats
     drm_forcel3_prop
     proc_percpu_pagelist_high_fraction
+    vendor_microdroid_file
   ))
diff --git a/private/crosvm.te b/private/crosvm.te
index afcaa3ded..ed89b8789 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
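Review bot: The two new test entries exercise only the `/vendor/etc/avf/microdroid` spelling, while the neighbouring `vendor_framework_file` entries in this hunk check both the `/vendor/...` and `/system/vendor/...` forms, and the file_contexts pattern introduced elsewhere in this change accepts both prefixes. Adding `/system/vendor/etc/avf/microdroid vendor_microdroid_file` and `/system/vendor/etc/avf/microdroid/test vendor_microdroid_file` would keep the test consistent with its neighbours and catch a regression in the `(vendor|system/vendor)` alternation. The regex itself lives in private/file_contexts, outside this hunk.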
@@ -27,7 +27,7 @@ allow crosvm virtualizationmanager:fifo_file write;
 
 # Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
 # (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
-# /data/local/tmp), and instance.img (app_data_file).
+# /data/local/tmp), instance.img (app_data_file), and microdroid vendor image (vendor_microdroid_file).
 # Allow crosvm to read the instance image of the service VM saved in apex_virt_data_file.
 # Note that the open permission is not given as the files are passed as file descriptors.
 allow crosvm {
@@ -39,6 +39,7 @@ allow crosvm {
   apex_compos_data_file
   apex_virt_data_file
   shell_data_file
+  vendor_microdroid_file
 }:file { getattr read ioctl lock };
 
 # Allow searching the directory where the composite disk images are.
@@ -126,6 +127,7 @@ full_treble_only(`
     # These types are not required for crosvm, but the access is granted to globally in domain.te
     # thus should be exempted here.
     -vendor_configs_file
+    -vendor_microdroid_file
     -vndk_sp_file
     -vendor_task_profiles_file
   }:file *;
diff --git a/private/domain.te b/private/domain.te
index 0861fa50e..2f107dde0 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -610,6 +610,7 @@ full_treble_only(`
     -vendor_apex_file
     -vendor_apex_metadata_file
     -vendor_configs_file
+    -vendor_microdroid_file
     -vendor_service_contexts_file
     -vendor_framework_file
     -vendor_idc_file
diff --git a/private/file_contexts b/private/file_contexts
index b7f1a3468..32092daf0 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -412,6 +412,7 @@
 /(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
 /(vendor|system/vendor)/etc/cgroups\.json u:object_r:vendor_cgroup_desc_file:s0
 /(vendor|system/vendor)/etc/task_profiles\.json u:object_r:vendor_task_profiles_file:s0
+/(vendor|system/vendor)/etc/avf/microdroid(/.*)? u:object_r:vendor_microdroid_file:s0
 /(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
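Review bot: The comment just above the new `-vendor_microdroid_file` entry, `# These types are not required for crosvm, but the access is granted to globally in domain.te`, no longer describes that entry: the first hunk in this file adds an explicit `allow crosvm { ... vendor_microdroid_file }:file { getattr read ioctl lock }`, so this type is exempted from what appears to be the crosvm vendor-file neverallow precisely because crosvm does need it. Left as is, the comment invites a later cleanup that drops the exemption as unused, which would turn the new allow rule into a neverallow violation at policy build time. I would add, next to the new line, `# vendor_microdroid_file is read by crosvm (see the allow rule above), so it is exempted too.` The enclosing full_treble_only block starts outside this hunk.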
diff --git a/private/shell.te b/private/shell.te
index aa6bef899..e410862bb 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -132,6 +132,9 @@ allow shell remount_exec:file rx_file_perms;
 allow shell self:perf_event { open read write kernel };
 neverallow shell self:perf_event ~{ open read write kernel };
 
+# Allow shell to read microdroid vendor image
+r_dir_file(shell, vendor_microdroid_file)
+
 # Allow shell to read /apex/apex-info-list.xml and the vendor apexes
 allow shell apex_info_file:file r_file_perms;
 allow shell vendor_apex_file:file r_file_perms;
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index d6f0e19f3..871d3f2c2 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -94,6 +94,9 @@ userdebug_or_eng(`
   allow virtualizationmanager shell_data_file:file open;
 ')
 
+# Allow virtualizationmanager to read microdroid related files in vendor partition
+r_dir_file(virtualizationmanager, vendor_microdroid_file)
+
 # Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
 r_dir_file(virtualizationmanager, crosvm);
diff --git a/public/file.te b/public/file.te
index 091c557a2..142e16716 100644
--- a/public/file.te
+++ b/public/file.te
@@ -255,6 +255,8 @@ type vendor_public_lib_file, vendor_file_type, file_type;
 # Type for all vendor public libraries for system. These libs should only be exposed to
 # system. ABI stability of these libs is vendor's responsibility.
 type vendor_public_framework_file, vendor_file_type, file_type;
+# Type for all microdroid related files in the vendor partition.
+type vendor_microdroid_file, vendor_file_type, file_type;
 # Input configuration
 type vendor_keylayout_file, vendor_file_type, file_type;
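Review bot: `r_dir_file(shell, vendor_microdroid_file)` grants the shell domain read access on every build type, partially re-widening a label this change exists to narrow; the virtualizationmanager.te hunk in the same patch gates its shell-related grant behind `userdebug_or_eng`, so if shell only needs the vendor image for test tooling the same gating would fit here: ``userdebug_or_eng(`r_dir_file(shell, vendor_microdroid_file)')``. If the grant is needed on user builds, the comment should record which shell-launched tool reads the image, e.g. `# Allow shell to read the microdroid vendor image so shell tools can pass it to virtualizationmanager (b/285854379)`. The hunk context shows shell already reading vendor_apex_file unconditionally, so the unconditional form may well be deliberate; the note is to make that explicit.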
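Review bot: `r_dir_file(virtualizationmanager, vendor_microdroid_file)` grants directory search plus open and read on the files, yet the commit description says virtualizationmanager checks the SELinux label of a disk image it is given, which only needs `getattr` on the descriptor it receives, not the ability to open files under /vendor/etc/avf/microdroid itself. If the manager does open the image on its own (for example to resolve a path a client supplies), the comment should say so because that is what justifies the broader grant; otherwise `allow virtualizationmanager vendor_microdroid_file:file getattr;` is the least-privilege form. The comment `# Allow virtualizationmanager to read microdroid related files in vendor partition` would also be more useful as `# Allow virtualizationmanager to open the microdroid vendor image under /vendor/etc/avf/microdroid` so it names the path the file_contexts hunk labels. Note that the label only attests where the file lives; its integrity presumably rests on the vendor partition being verified at boot, which the description assumes rather than states.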
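Review bot: The declaration comment `# Type for all microdroid related files in the vendor partition.` overstates the label's scope: the file_contexts hunk in this change applies it only to `/(vendor|system/vendor)/etc/avf/microdroid(/.*)?`, and the description frames it as the type virtualizationmanager checks on the microdroid vendor image. Naming the path and the purpose in the comment helps prevent unrelated vendor files being relabelled with it later, e.g. `# Type for the microdroid vendor image and related files under /vendor/etc/avf/microdroid; virtualizationmanager relies on this label to identify a genuine vendor image.`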