From a89d6aa301acd4f43b8ac8ec629738732c8d442a Mon Sep 17 00:00:00 2001
From: Inseob Kim
Date: Fri, 23 Jul 2021 06:39:27 +0000
Subject: [PATCH] Disallow microdroid from running arbitrary domains
Test: atest MicrodroidHostTestCases
Test: atest ComposHostTestCases
Change-Id: I43bf09d85efa4276e929babd854c49ccedfd8058
---
 microdroid/system/private/microdroid_manager.te | 13 ++++--------
 1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index fa7f12c98..ac81c90c9 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -15,12 +15,6 @@ allow microdroid_manager vd_device:blk_file r_file_perms;
 domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app)
 domain_auto_trans(microdroid_manager, compos_exec, compos)
 
-# Let microdroid_manager exec other files (e.g. payload command) in the same domain.
-# TODO(b/189706019) we need to a domain for the app process.
-allow microdroid_manager system_file:file execute_no_trans;
-# Until then, allow microdroid_manager to execute the shell or other system executables.
-allow microdroid_manager {shell_exec toolbox_exec}:file rx_file_perms;
-
 # Let microdroid_manager kernel-log.
 allow microdroid_manager kmsg_device:chr_file w_file_perms;
 
@@ -28,11 +22,12 @@ allow microdroid_manager kmsg_device:chr_file w_file_perms;
 set_prop(microdroid_manager, vmsecret_keymint_prop);
 
 # Let microdroid_manager read a config file from /mnt/apk (fusefs)
-# TODO(b/188400186) remove the below two rules
+# TODO(b/188400186) remove the below rule
 userdebug_or_eng(`
-    allow microdroid_manager fuse:dir r_dir_perms;
-    allow microdroid_manager fuse:file rx_file_perms;
+    r_dir_file(microdroid_manager, fuse)
 ')
 
 # Let microdroid_manager to create a vsock connection back to the host VM
 allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
+
+neverallow microdroid_manager { file_type fs_type }:file execute_no_trans;
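Review bot: The `neverallow microdroid_manager { file_type fs_type }:file execute_no_trans;` added at the end of the hunk is the rule that actually enforces the commit's intent, yet it is the only rule here without the explanatory comment every other rule in this file carries; I would put `# Payloads run only through the domain_auto_trans rules above; microdroid_manager must never execute anything in its own domain.` directly above it. A neverallow is a policy build-time assertion rather than a runtime deny, so its value is that any later allow granting this permission fails compilation — which is presumably why the userdebug_or_eng rule had to move from `rx_file_perms` (which, in the Android macro set, includes execute_no_trans) to the read-only `r_dir_file`, and the TODO above that block would be clearer if it said the rule must stay read-only for that reason. The assertion covers only execve-without-transition; it says nothing about `execmem`/`execmod`, so whether the manager can still map readable files executable depends on rules outside this hunk and is worth confirming if that matters for the payload threat model.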