From a995e84c181eaef307344366e354658c8990730d Mon Sep 17 00:00:00 2001
From: Andrew Walbran
Date: Mon, 29 Mar 2021 17:19:12 +0000
Subject: [PATCH] Add crosvm domain and give virtmanager and crosvm necessary permissions.

Bug: 183583115
Test: make TARGET_KERNEL_USE=5.4 TARGET_VIM3L=true
Change-Id: I566436fa2d27597566014f2a63198a88d6d2dbd6
---
 apex/com.android.virt-file_contexts | 1 +
 private/crosvm.te | 16 ++++++++++++++++
 private/file.te | 3 +++
 private/file_contexts | 2 ++
 private/init.te | 9 +++++++++
 private/vendor_init.te | 10 ++++++++++
 private/virtmanager.te | 9 +++++++++
 public/init.te | 8 --------
 public/vendor_init.te | 9 ---------
 9 files changed, 50 insertions(+), 17 deletions(-)
 create mode 100644 private/crosvm.te

diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index fe91fa215..4703eba29 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -1,2 +1,3 @@
 (/.*)? u:object_r:system_file:s0
+/bin/crosvm u:object_r:crosvm_exec:s0
 /bin/virtmanager u:object_r:virtmanager_exec:s0
diff --git a/private/crosvm.te b/private/crosvm.te
new file mode 100644
index 000000000..5d7080a49
--- /dev/null
+++ b/private/crosvm.te
@@ -0,0 +1,16 @@
+type crosvm, domain, coredomain;
+type crosvm_exec, system_file_type, exec_type, file_type;
+type crosvm_tmpfs, file_type;
+
+# Let crosvm create temporary files.
+tmpfs_domain(crosvm)
+
+# Let crosvm receive file descriptors from virtmanager.
+allow crosvm virtmanager:fd use;
+
+# Let crosvm open /dev/kvm.
+allow crosvm kvm_device:chr_file rw_file_perms;
+
+# Most other domains shouldn't access /dev/kvm.
+neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
+neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
diff --git a/private/file.te b/private/file.te
index 984a7b68c..4d43c13be 100644
--- a/private/file.te
+++ b/private/file.te
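Review bot: The comments `# Let crosvm open /dev/kvm.` and `# Most other domains shouldn't access /dev/kvm.` in the new private/crosvm.te understate what the rules cover, because the private/file_contexts hunk in this same commit also labels `/dev/vhost-vsock` as `kvm_device`, so `allow crosvm kvm_device:chr_file rw_file_perms;` and both neverallow lines apply to that node as well. If the two devices are meant to be governed together, the comments here (and the `# /dev/kvm` comment on the type in private/file.te) should say so, e.g. `# Let crosvm open /dev/kvm and /dev/vhost-vsock.`. If they are not, a dedicated type for the vhost node (a constructed name such as `vhost_vsock_device`) would let the access rule and the neverallow for each device be stated and audited separately. The `-shell` exemption on the getattr neverallow is presumably there so a shell can list /dev; a short comment saying so would spare the next reader the guess.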
@@ -56,3 +56,6 @@ type odsign_data_file, file_type, data_file_type, core_data_file_type; # /data/system/environ type environ_system_data_file, file_type, data_file_type, core_data_file_type; + +# /dev/kvm +type kvm_device, dev_type; diff --git a/private/file_contexts b/private/file_contexts index 378614761..8140606bb 100644 --- a/private/file_contexts +++ b/private/file_contexts @@ -125,6 +125,7 @@ /dev/pvrsrvkm u:object_r:gpu_device:s0 /dev/kmsg u:object_r:kmsg_device:s0 /dev/kmsg_debug u:object_r:kmsg_debug_device:s0 +/dev/kvm u:object_r:kvm_device:s0 /dev/null u:object_r:null_device:s0 /dev/nvhdcp1 u:object_r:video_device:s0 /dev/random u:object_r:random_device:s0 @@ -189,6 +190,7 @@ /dev/urandom u:object_r:random_device:s0 /dev/usb_accessory u:object_r:usbaccessory_device:s0 /dev/v4l-touch[0-9]* u:object_r:input_device:s0 +/dev/vhost-vsock u:object_r:kvm_device:s0 /dev/video[0-9]* u:object_r:video_device:s0 /dev/vndbinder u:object_r:vndbinder_device:s0 /dev/watchdog u:object_r:watchdog_device:s0 diff --git a/private/init.te b/private/init.te index 2627addd3..3315a35ad 100644 --- a/private/init.te +++ b/private/init.te @@ -89,3 +89,12 @@ neverallow { domain -init } keystore_listen_prop:property_service set; # Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing. allow init debugfs_bootreceiver_tracing:file w_file_perms; + +# chown/chmod on devices. +allow init { + dev_type + -hw_random_device + -keychord_device + -kvm_device + -port_device +}:chr_file setattr; diff --git a/private/vendor_init.te b/private/vendor_init.te index 83f001d6a..2e616f363 100644 --- a/private/vendor_init.te +++ b/private/vendor_init.te 
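Review bot: The setattr rule added to private/init.te is the one removed from public/init.te in this commit with `-kvm_device` inserted, but nothing in the new block records why it now lives in private policy, so a later reader comparing public/ and private/ will see the rule vanish from the exported policy. Presumably the reason is that `kvm_device` is declared in private/file.te and so cannot be named from public/; a comment such as `# Lives in private/ because kvm_device is a private type.` above `allow init {` would capture that. The same applies to the block moved into private/vendor_init.te. While that vendor_init block is being moved, its exclusion list is not in the alphabetical order used here (`-lowpan_device` and `-hw_random_device` follow `-port_device`); sorting it would make the two lists easier to compare.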
@@ -8,3 +8,13 @@ allow vendor_init system_data_root_file:dir rw_dir_perms; # Let vendor_init set service.adb.tcp.port. set_prop(vendor_init, adbd_config_prop) + +# chown/chmod on devices, e.g. /dev/ttyHS0 +allow vendor_init { + dev_type + -keychord_device + -kvm_device + -port_device + -lowpan_device + -hw_random_device +}:chr_file setattr; diff --git a/private/virtmanager.te b/private/virtmanager.te index b2331d41b..467f7d4f9 100644 --- a/private/virtmanager.te +++ b/private/virtmanager.te @@ -1,8 +1,17 @@ type virtmanager, domain, coredomain; type virtmanager_exec, system_file_type, exec_type, file_type; +# When init runs a file labelled with virtmanager_exec, run it in the virtmanager domain. init_daemon_domain(virtmanager) +# Let the virtmanager domain use Binder. binder_use(virtmanager) +# Let the virtmanager domain register the virtualization_service with ServiceManager. add_service(virtmanager, virtualization_service) + +# When virtmanager execs a file with the crosvm_exec label, run it in the crosvm domain. +domain_auto_trans(virtmanager, crosvm_exec, crosvm) + +# Let virtmanager kill crosvm. +allow virtmanager crosvm:process sigkill; diff --git a/public/init.te b/public/init.te index 1287ca3e3..893573e1c 100644 --- a/public/init.te +++ b/public/init.te @@ -320,14 +320,6 @@ allow init { zero_device }:chr_file { read open }; -# chown/chmod on devices. -allow init { - dev_type - -hw_random_device - -keychord_device - -port_device -}:chr_file setattr; - # Unlabeled file access for upgrades from 4.2. allow init unlabeled:dir { create_dir_perms relabelfrom }; allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom }; diff --git a/public/vendor_init.te b/public/vendor_init.te index 25d0dcb57..2aa61b737 100644 --- a/public/vendor_init.te +++ b/public/vendor_init.te 
@@ -155,15 +155,6 @@ allow vendor_init { -proc_uid_concurrent_policy_time }:dir { open read setattr search }; -# chown/chmod on devices, e.g. /dev/ttyHS0 -allow vendor_init { - dev_type - -keychord_device - -port_device - -lowpan_device - -hw_random_device -}:chr_file setattr; - allow vendor_init dev_type:blk_file getattr; # Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.