Selinux configs for enabling tombstones be passed to host

For Guest: tombstone_tranmit needs permissions for: 1. keeping track of files being written on /data/tombstones. 2. creating vsock socket to talk to virtualizationservice (to forward these tombstones) These permissions will be similar to tombstone_tarnsmit on cuttlefish (device/google/cuttlefish/guest/monitoring/tombstone_transmit/tombstone_transmit.cpp) For Host (virtualizationservice) needs: 1. permission to connect to tombstoned. 2. permission to use fd belonging to tombstoned. 3. append and related permissions on tombstone_data file. Test: Tested by crashing a process in guest (started using microdroid demo) Change-Id: Ifd0728d792bda98ba139f18fa9406494a714879d
2022-03-24 09:05:59 +00:00 · 2022-03-24 09:05:59 +00:00 · a9f1dc9708
commit a9f1dc9708
parent 45b594f5ef
4 changed files with 17 additions and 0 deletions
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@ -103,6 +103,7 @@
 /system/lib(64)?(/.*)?         u:object_r:system_lib_file:s0
 /system/lib(64)?/bootstrap(/.*)? u:object_r:system_bootstrap_lib_file:s0
 /system/bin/apexd                u:object_r:apexd_exec:s0
+/system/bin/tombstone_transmit.microdroid   u:object_r:tombstone_transmit_exec:s0
 /system/bin/linker(64)? u:object_r:system_linker_exec:s0
 /system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
 /system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@ -92,6 +92,7 @@ ro.boot.logd.enabled               u:object_r:bootloader_prop:s0 exact bool
 ro.boot.microdroid.app_debuggable  u:object_r:bootloader_prop:s0 exact bool
 ro.boot.microdroid.debuggable      u:object_r:bootloader_prop:s0 exact bool
 ro.boot.slot_suffix                u:object_r:bootloader_prop:s0 exact string
+ro.boot.tombstone_transmit.enabled u:object_r:bootloader_prop:s0 exact bool
 ro.boot.vbmeta.avb_version         u:object_r:bootloader_prop:s0 exact string
 ro.boot.vbmeta.device_state        u:object_r:bootloader_prop:s0 exact string
 ro.boot.vbmeta.digest              u:object_r:bootloader_prop:s0 exact string
--- a/microdroid/system/private/tombstone_transmit.te
+++ b/microdroid/system/private/tombstone_transmit.te
@ -0,0 +1,8 @@
+type tombstone_transmit, domain, coredomain;
+type tombstone_transmit_exec, exec_type, system_file_type, file_type;
+
+init_daemon_domain(tombstone_transmit)
+
+r_dir_file(tombstone_transmit, tombstone_data_file)
+
+allow tombstone_transmit self:{ vsock_socket } create_socket_perms_no_ioctl;
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@ -70,6 +70,13 @@ get_prop(virtualizationservice, hypervisor_prop)
 # Allow writing stats to statsd
 unix_socket_send(virtualizationservice, statsdw, statsd)

+# Allow virtualization service to talk to tombstoned to push guest tombstones
+unix_socket_connect(virtualizationservice, tombstoned_crash, tombstoned)
+
+# Append to tombstone files passed as fds from tombstoned
+allow virtualizationservice tombstone_data_file:file { append getattr };
+allow virtualizationservice tombstoned:fd use;
+
 neverallow {
  domain
  -init