Disallow microdroid from running arbitrary domains

Test: atest MicrodroidHostTestCases
Test: atest ComposHostTestCases
Change-Id: I43bf09d85efa4276e929babd854c49ccedfd8058
This commit is contained in:
Inseob Kim 2021-07-23 06:39:27 +00:00
parent 7560aed40a
commit a89d6aa301

View file

@ -15,12 +15,6 @@ allow microdroid_manager vd_device:blk_file r_file_perms;
domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app) domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app)
domain_auto_trans(microdroid_manager, compos_exec, compos) domain_auto_trans(microdroid_manager, compos_exec, compos)
# Let microdroid_manager exec other files (e.g. payload command) in the same domain.
# TODO(b/189706019) we need to a domain for the app process.
allow microdroid_manager system_file:file execute_no_trans;
# Until then, allow microdroid_manager to execute the shell or other system executables.
allow microdroid_manager {shell_exec toolbox_exec}:file rx_file_perms;
# Let microdroid_manager kernel-log. # Let microdroid_manager kernel-log.
allow microdroid_manager kmsg_device:chr_file w_file_perms; allow microdroid_manager kmsg_device:chr_file w_file_perms;
@ -28,11 +22,12 @@ allow microdroid_manager kmsg_device:chr_file w_file_perms;
set_prop(microdroid_manager, vmsecret_keymint_prop); set_prop(microdroid_manager, vmsecret_keymint_prop);
# Let microdroid_manager read a config file from /mnt/apk (fusefs) # Let microdroid_manager read a config file from /mnt/apk (fusefs)
# TODO(b/188400186) remove the below two rules # TODO(b/188400186) remove the below rule
userdebug_or_eng(` userdebug_or_eng(`
allow microdroid_manager fuse:dir r_dir_perms; r_dir_file(microdroid_manager, fuse)
allow microdroid_manager fuse:file rx_file_perms;
') ')
# Let microdroid_manager to create a vsock connection back to the host VM # Let microdroid_manager to create a vsock connection back to the host VM
allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl }; allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
neverallow microdroid_manager { file_type fs_type }:file execute_no_trans;