Merge "SEPolicy for compos_verify_key."

apex/com.android.compos-file_contexts

@@ -1,2 +1,3 @@
 (/.*)?                   u:object_r:system_file:s0
 /bin/compsvc             u:object_r:compos_exec:s0
+/bin/compos_verify_key   u:object_r:compos_verify_key_exec:s0

private/app.te

@@ -103,8 +103,3 @@ neverallow {
   -system_data_file # shared libs in apks
   -apk_data_file
 }:file no_x_file_perms;
-
-# Allow apps to read/write vsock created by virtualizationservice to communicate with
-# the VM that the app created. Notice that the app doesn't have permission to create
-# a vsock by itself; it can't connect to other VMs that it doesn't own.
-allow appdomain virtualizationservice:vsock_socket { getattr read write };

private/compos_verify_key.te

@@ -0,0 +1,23 @@
+# Run by odsign to verify a CompOs instance's keys.
+type compos_verify_key, domain, coredomain;
+
+type compos_verify_key_exec, exec_type, file_type, system_file_type;
+
+binder_use(compos_verify_key);
+virtualizationservice_use(compos_verify_key);
+
+# Access the image & key files, delete on failure, rename pending to current
+allow compos_verify_key apex_module_data_file:dir search;
+allow compos_verify_key apex_compos_data_file:dir create_dir_perms;
+allow compos_verify_key apex_compos_data_file:file create_file_perms;
+
+# Allow odsign to redirect our stdout/stderr to log
+allow compos_verify_key odsign:fd use;
+allow compos_verify_key odsign_devpts:chr_file { read write };
+
+# TODO: Remove this!
+allow compos_verify_key self:vsock_socket create_socket_perms_no_ioctl;
+
+# Only odsign can enter the domain via exec
+neverallow { domain -odsign } compos_verify_key:process transition;
+neverallow * compos_verify_key:process dyntransition;

private/crosvm.te

@@ -49,7 +49,7 @@ allow crosvm {
 }:file write;
 
 # Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
-allow crosvm { adbd appdomain }:fd use;
+allow crosvm adbd:fd use;
 allow crosvm adbd:unix_stream_socket { read write };
 allow crosvm appdomain:fifo_file { read write };
 

private/odsign.te

@@ -45,8 +45,8 @@ allow odsign apex_art_data_file:dir { rw_dir_perms rmdir rename };
 allow odsign apex_art_data_file:file { rw_file_perms unlink };
 
 # For CompOS instance & key files
-allow odsign apex_compos_data_file:dir rw_dir_perms;
-allow odsign apex_compos_data_file:file { r_file_perms unlink rename };
+allow odsign apex_compos_data_file:dir { getattr search };
+allow odsign apex_compos_data_file:file r_file_perms;
 
 # Run odrefresh to refresh ART artifacts
 domain_auto_trans(odsign, odrefresh_exec, odrefresh)
@@ -54,6 +54,9 @@ domain_auto_trans(odsign, odrefresh_exec, odrefresh)
 # Run fsverity_init to add key to fsverity keyring
 domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
 
+# Run compos_verify_key to verify CompOs instances
+domain_auto_trans(odsign, compos_verify_key_exec, compos_verify_key)
+
 # only odsign can set odsign sysprop
 set_prop(odsign, odsign_prop)
 neverallow { domain -odsign -init } odsign_prop:property_service set;

private/shell.te

@@ -217,6 +217,6 @@ read_fstab(shell)
 # Allow shell read access to /apex/apex-info-list.xml for CTS.
 allow shell apex_info_file:file r_file_perms;
 
-# Allow shell (the vm tool) the access to vsock created by virtualization
-# service
-allow shell virtualizationservice:vsock_socket { read write };
+# Let the shell user call virtualizationservice (and
+# virtualizationservice call back to shell) for debugging.
+virtualizationservice_use(shell)

private/untrusted_app_all.te

@@ -170,3 +170,8 @@ userdebug_or_eng(`
   # according to the heuristic of lockdown.
   allow untrusted_app_all self:lockdown integrity;
 ')
+
+# Allow running a VM for test/demo purposes
+userdebug_or_eng(`
+  virtualizationservice_use(untrusted_app_all)
+')

private/virtualizationservice.te

@@ -30,23 +30,6 @@ allow virtualizationservice crosvm:process sigkill;
 allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
 allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
 
-# virtualizationservice_use(client)
-define(`virtualizationservice_use', `
-# Let the client call virtualizationservice.
-binder_call($1, virtualizationservice)
-# Let virtualizationservice call back to the client.
-binder_call(virtualizationservice, $1)
-# Let the client pass file descriptors to virtualizationservice.
-allow virtualizationservice $1:fd use;
-')
-
-# Let the shell user call virtualizationservice (and virtualizationservice call back to shell) for
-# debugging.
-virtualizationservice_use(shell)
-
-# Let apps use virtualizationservice.
-virtualizationservice_use(appdomain)
-
 # Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
 # crosvm to the console
 allow virtualizationservice adbd:fd use;

public/te_macros

@@ -178,6 +178,26 @@ neverallow { domain -$1 } $1_userfaultfd:anon_inode *;
 neverallow $1 ~$1_userfaultfd:anon_inode *;
 ')
 
+####################################
+# virtualizationservice_use(domain)
+# Allow domain to create and communicate with a virtual machine using
+# virtualizationservice.
+define(`virtualizationservice_use', `
+allow $1 virtualization_service:service_manager find;
+# Let the client call virtualizationservice.
+binder_call($1, virtualizationservice)
+# Let virtualizationservice call back to the client.
+binder_call(virtualizationservice, $1)
+# Let the client pass file descriptors to virtualizationservice and on
+# to crosvm
+allow { virtualizationservice crosvm } $1:fd use;
+# Allow client to read/write vsock created by virtualizationservice to
+# communicate with the VM that it created. Notice that we do not grant
+# permission to create a vsock; the client can only connect to VMs
+# that it owns.
+allow $1 virtualizationservice:vsock_socket { getattr read write };
+')
+
 #####################################
 # app_domain(domain)
 # Allow a base set of permissions required for all apps.