From bbe514d9b3eba926d13d282b999c620636f2590a Mon Sep 17 00:00:00 2001
From: Inseob Kim
Date: Thu, 3 Aug 2023 12:53:48 +0900
Subject: [PATCH] Use regular file for VM DTBO

Bug: 287379025
Test: adb shell /apex/com.android.virt/bin/vm run-microdroid \
--protected --mem 512 --devices \
/sys/bus/platform/devices/16d00000.eh
Change-Id: Id77c25f5f22672da9281078fc17f45087d893f4d
---
 private/crosvm.te | 8 ++++----
 private/vfio_handler.te | 7 +++++++
 private/virtualizationmanager.te | 4 ----
 private/virtualizationservice.te | 6 +++---
 4 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/private/crosvm.te b/private/crosvm.te
index 3f392016f..2d9a68886 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -84,7 +84,7 @@ allow crosvm shell_data_file:file write;
 # crosvm tries to read serial device, including the write-only pipe from virtualizationmanager (to
 # forward console/log to the host logcat).
 # crosvm only needs write permission, so dontaudit read
-dontaudit crosvm virtualizationmanager:fifo_file read;
+dontaudit crosvm virtualizationmanager:fifo_file { read getattr };
 
 # Required for crosvm to start gdb-server to enable debugging of guest kernel.
 allow crosvm self:tcp_socket { bind create read setopt write accept listen };
@@ -96,9 +96,9 @@ allow crosvm node:tcp_socket node_bind;
 allow crosvm vfio_device:chr_file rw_file_perms;
 allow crosvm vfio_device:dir r_dir_perms;
 
-# Allow crosvm to access VM DTBO via a pipe created by vfio handler.
-allow crosvm vfio_handler:fd use;
-allow crosvm vfio_handler:fifo_file r_file_perms;
+# Allow crosvm to access VM DTBO via a file created by virtualizationmanager.
+allow crosvm virtualizationmanager:fd use;
+allow crosvm virtualizationservice_data_file:file read;
 
 # Don't allow crosvm to open files that it doesn't own.
 # This is important because a malicious application could try to start a VM with a composite disk
diff --git a/private/vfio_handler.te b/private/vfio_handler.te
index 706a6ca22..2a0bd374d 100644
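Review bot: The comment directly above the changed `dontaudit` line still says "so dontaudit read" while the rule now also silences `getattr`, so the justification no longer matches the rule. Update it to `# crosvm only needs write permission, so dontaudit read and getattr`. If the `getattr` attempt comes from crosvm stat()-ing the inherited pipe fd, saying so in the comment would spare the next reader a trip to the audit log; that cannot be confirmed from this hunk.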
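Review bot: The new comment in the second crosvm hunk explains the mechanism but not the constraint that makes it safe: crosvm is granted `read` on every `virtualizationservice_data_file` file, deliberately without `open`, so it can only consume fds that virtualizationmanager chooses to hand over. The "Don't allow crosvm to open files that it doesn't own" block that follows presumably carries the neverallow enforcing this, but its rule lies outside the hunk. Spell the invariant out next to the grant, e.g. `# read only, never open: crosvm can only use the DTBO fd passed by virtualizationmanager.`; vfio_handler.te in this same patch pairs its grant with an explicit `neverallow ... { open create }`, and mirroring that (or pointing at the existing crosvm neverallow) would keep the two domains' DTBO handling consistent and checkable.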
--- a/private/vfio_handler.te
+++ b/private/vfio_handler.te
@@ -20,5 +20,12 @@ allow vfio_handler vfio_device:dir r_dir_perms;
 allow vfio_handler sysfs:dir r_dir_perms;
 allow vfio_handler sysfs:file rw_file_perms;
 
+# Allow vfio_handler to write to VM DTBO via a file created by virtualizationmanager.
+allow vfio_handler virtualizationmanager:fd use;
+allow vfio_handler virtualizationservice_data_file:file write;
+
+# vfio_handler can only use fd from virtualizationmanager, and can't open files itself
+neverallow vfio_handler virtualizationservice_data_file:file { open create };
+
 # Only vfio_handler can add vfio_handler_service
 neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index a8fb202ab..b6bcd9885 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -89,7 +89,3 @@ r_dir_file(virtualizationmanager, crosvm);
 # For debug purposes we try to get the canonical path from /proc/self/fd/N. That triggers
 # a harmless denial for CompOS log files, so ignore that.
 dontaudit virtualizationmanager apex_module_data_file:dir search;
-
-# Allow virtualizationmanager to access VM DTBO via a pipe created by vfio handler.
-allow virtualizationmanager vfio_handler:fd use;
-allow virtualizationmanager vfio_handler:fifo_file r_file_perms;
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index a4588dc9f..14662fa8a 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
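Review bot: The added `write` rule is scoped by which fds virtualizationmanager passes, not by the policy: `virtualizationservice_data_file` labels more than the DTBO (the virtualizationservice hunks in this patch show `sock_file` and other files of that type being created and unlinked), so any such file whose fd reaches vfio_handler becomes writable. The `neverallow ... { open create }` below it correctly closes the path where vfio_handler obtains such a file on its own, which leaves fd passing as the only remaining assumption. Record it next to the grant, e.g. `# Scoped only by what virtualizationmanager passes: it must hand vfio_handler the DTBO fd and nothing else of this type.`, so a later change that passes additional fds is reviewed against it.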
@@ -35,6 +35,7 @@ allow virtualizationservice self:capability chown;
 # directories, it needs the permission to unlink the files created by virtualizationmanager.
 allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
 allow virtualizationservice virtualizationservice_data_file:{ file sock_file } unlink;
+allow virtualizationservice virtualizationservice_data_file:file write;
 
 # Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
 # crosvm to the console
@@ -62,9 +63,8 @@ allow virtualizationservice tombstoned:fd use;
 allow virtualizationservice vfio_device:chr_file getattr;
 allow virtualizationservice vfio_device:dir r_dir_perms;
 
-# Allow virtualizationservice to access VM DTBO via a pipe created by vfio handler.
-allow virtualizationservice vfio_handler:fd use;
-allow virtualizationservice vfio_handler:fifo_file r_file_perms;
+# Allow virtualizationservice to access VM DTBO via a file created by virtualizationmanager.
+allow virtualizationservice virtualizationmanager:fd use;
 
 neverallow { domain
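Review bot: The added `file write` rule in the first virtualizationservice hunk sits under a comment that justifies only `unlink` ("it needs the permission to unlink the files created by virtualizationmanager") and says nothing about writing, so the grant reads as unexplained where it lands. Its actual reason, writing the VM DTBO through the fd obtained in the second hunk of this file, is only discoverable some 25 lines lower; I assume that is the intended path since no `open` on the type is added here. Either move the rule beside the `virtualizationmanager:fd use` grant or annotate it in place with `# Write the VM DTBO through the fd passed from virtualizationmanager.`.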