From a9f1dc970879c38efd922ccb79a7f5b4d508ee5e Mon Sep 17 00:00:00 2001 From: Shikha Panwar Date: Thu, 24 Mar 2022 09:05:59 +0000 Subject: [PATCH] Selinux configs for enabling tombstones be passed to host For Guest: tombstone_tranmit needs permissions for: 1. keeping track of files being written on /data/tombstones. 2. creating vsock socket to talk to virtualizationservice (to forward these tombstones) These permissions will be similar to tombstone_tarnsmit on cuttlefish (device/google/cuttlefish/guest/monitoring/tombstone_transmit/tombstone_transmit.cpp) For Host (virtualizationservice) needs: 1. permission to connect to tombstoned. 2. permission to use fd belonging to tombstoned. 3. append and related permissions on tombstone_data file. Test: Tested by crashing a process in guest (started using microdroid demo) Change-Id: Ifd0728d792bda98ba139f18fa9406494a714879d
---
 microdroid/system/private/file_contexts | 1 + microdroid/system/private/property_contexts | 1 + microdroid/system/private/tombstone_transmit.te | 8 ++++++++ private/virtualizationservice.te | 7 +++++++ 4 files changed, 17 insertions(+) create mode 100644 microdroid/system/private/tombstone_transmit.te
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index 4f7a0ff70..83eceb092 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -103,6 +103,7 @@
 /system/lib(64)?(/.*)? u:object_r:system_lib_file:s0
 /system/lib(64)?/bootstrap(/.*)? u:object_r:system_bootstrap_lib_file:s0
 /system/bin/apexd u:object_r:apexd_exec:s0
+/system/bin/tombstone_transmit.microdroid u:object_r:tombstone_transmit_exec:s0
 /system/bin/linker(64)? u:object_r:system_linker_exec:s0
 /system/bin/linkerconfig u:object_r:linkerconfig_exec:s0
 /system/bin/bootstrap/linker(64)? u:object_r:system_linker_exec:s0
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 3c8027303..e4f0bb09e 100644
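Review bot: The `.` in the added `/system/bin/tombstone_transmit.microdroid` entry is an unescaped regex metacharacter, so the pattern matches any character at that position rather than only a literal dot. Escaping it binds the `tombstone_transmit_exec` label to exactly one path: `/system/bin/tombstone_transmit\.microdroid u:object_r:tombstone_transmit_exec:s0`. The neighbouring context lines in this hunk contain no dotted names, so the file's own convention cannot be confirmed from here.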
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -92,6 +92,7 @@ ro.boot.logd.enabled u:object_r:bootloader_prop:s0 exact bool
 ro.boot.microdroid.app_debuggable u:object_r:bootloader_prop:s0 exact bool
 ro.boot.microdroid.debuggable u:object_r:bootloader_prop:s0 exact bool
 ro.boot.slot_suffix u:object_r:bootloader_prop:s0 exact string
+ro.boot.tombstone_transmit.enabled u:object_r:bootloader_prop:s0 exact bool
 ro.boot.vbmeta.avb_version u:object_r:bootloader_prop:s0 exact string
 ro.boot.vbmeta.device_state u:object_r:bootloader_prop:s0 exact string
 ro.boot.vbmeta.digest u:object_r:bootloader_prop:s0 exact string
diff --git a/microdroid/system/private/tombstone_transmit.te b/microdroid/system/private/tombstone_transmit.te
new file mode 100644
index 000000000..588ebff95
--- /dev/null
+++ b/microdroid/system/private/tombstone_transmit.te
@@ -0,0 +1,8 @@
+type tombstone_transmit, domain, coredomain;
+type tombstone_transmit_exec, exec_type, system_file_type, file_type;
+
+init_daemon_domain(tombstone_transmit)
+
+r_dir_file(tombstone_transmit, tombstone_data_file)
+
+allow tombstone_transmit self:{ vsock_socket } create_socket_perms_no_ioctl;
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 05e1664b6..c369a9067 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -70,6 +70,13 @@ get_prop(virtualizationservice, hypervisor_prop) # Allow writing stats to statsd unix_socket_send(virtualizationservice, statsdw, statsd) +# Allow virtualization service to talk to tombstoned to push guest tombstones +unix_socket_connect(virtualizationservice, tombstoned_crash, tombstoned) + +# Append to tombstone files passed as fds from tombstoned +allow virtualizationservice tombstone_data_file:file { append getattr }; +allow virtualizationservice tombstoned:fd use; + neverallow { domain -init
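Review bot: The new `tombstone_transmit.te` has no comments, although the domain both reads crash dumps and can open a channel out of the guest, and each rule maps to a requirement stated in the commit message. I would add `# Read tombstones written under /data/tombstones` above `r_dir_file(tombstone_transmit, tombstone_data_file)` and `# vsock connection to virtualizationservice, used to forward tombstones to the host` above the vsock rule. The braces around a single class are unnecessary; `allow tombstone_transmit self:vsock_socket create_socket_perms_no_ioctl;` is equivalent. Tombstones can carry memory contents of the crashed process, so it is worth confirming, outside this diff, that the service only starts when `ro.boot.tombstone_transmit.enabled` is set and that the flag is tied to a configuration where exporting guest crash data is intended.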
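Review bot: Nothing in this hunk stops a later change from widening the `append getattr` grant on `tombstone_data_file:file`, which is narrow today and omits `open`, consistent with the comment that the fds come from tombstoned. A neverallow beside the new rules would pin that intent, for example `neverallow virtualizationservice tombstone_data_file:file { open create unlink };`, assuming no other rule for this domain needs those permissions. The bytes appended here originate in the guest, so the forwarding code (not visible in this diff) should bound size and rate before writing into host tombstones. The `neverallow {` block at the end of the hunk continues outside it.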