Introduce vendor_microdroid_file for microdroid vendor image
In AVF, virtualizationmanager checks the SELinux label of a given disk image to check whether the image has been maliciously edited. The existing label (vendor_configs_file, /vendor/etc/*) was too broad to use for this purpose. Bug: 285854379 Test: m Change-Id: I6c966c92b238a2262d2eb7f41041ed4c359e9e0a
parent
a5463fd4b9
commit
d2a0892121
8 changed files with 16 additions and 1 deletions
|
@ -538,6 +538,8 @@
|
|||
/vendor/framework/test vendor_framework_file
|
||||
/system/vendor/framework vendor_framework_file
|
||||
/system/vendor/framework/test vendor_framework_file
|
||||
/vendor/etc/avf/microdroid vendor_microdroid_file
|
||||
/vendor/etc/avf/microdroid/test vendor_microdroid_file
|
||||
|
||||
/vendor/apex vendor_apex_file
|
||||
/vendor/apex/test vendor_apex_file
|
||||
|
|
|
@ -27,4 +27,5 @@
|
|||
binderfs_logs_stats
|
||||
drm_forcel3_prop
|
||||
proc_percpu_pagelist_high_fraction
|
||||
vendor_microdroid_file
|
||||
))
|
||||
|
|
|
@ -27,7 +27,7 @@ allow crosvm virtualizationmanager:fifo_file write;
|
|||
|
||||
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
|
||||
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
|
||||
# /data/local/tmp), and instance.img (app_data_file).
|
||||
# /data/local/tmp), instance.img (app_data_file), and microdroid vendor image (vendor_microdroid_file).
|
||||
# Allow crosvm to read the instance image of the service VM saved in apex_virt_data_file.
|
||||
# Note that the open permission is not given as the files are passed as file descriptors.
|
||||
allow crosvm {
|
||||
|
@ -39,6 +39,7 @@ allow crosvm {
|
|||
apex_compos_data_file
|
||||
apex_virt_data_file
|
||||
shell_data_file
|
||||
vendor_microdroid_file
|
||||
}:file { getattr read ioctl lock };
|
||||
|
||||
# Allow searching the directory where the composite disk images are.
|
||||
|
@ -126,6 +127,7 @@ full_treble_only(`
|
|||
# These types are not required for crosvm, but the access is granted to globally in domain.te
|
||||
# thus should be exempted here.
|
||||
-vendor_configs_file
|
||||
-vendor_microdroid_file
|
||||
-vndk_sp_file
|
||||
-vendor_task_profiles_file
|
||||
}:file *;
|
||||
|
|
|
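Review bot: The `-vendor_microdroid_file` exemption added under `}:file *;` in the third hunk sits beneath a comment saying these types are "not required for crosvm" and are granted globally in domain.te, but the second hunk grants crosvm `getattr read ioctl lock` on this type explicitly, so the comment no longer describes this entry. Because the exemption covers every file permission, nothing would flag a later rule giving crosvm `open` or `write` on the vendor image, which would undercut the descriptor-passing design described above the allow rule. Consider pinning the intended set with `neverallow crosvm vendor_microdroid_file:file ~{ getattr read ioctl lock };`, provided no global rule outside this page grants more. The neverallow statement starts outside the hunk, so its source domain is assumed to be crosvm.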
@ -610,6 +610,7 @@ full_treble_only(`
|
|||
-vendor_apex_file
|
||||
-vendor_apex_metadata_file
|
||||
-vendor_configs_file
|
||||
-vendor_microdroid_file
|
||||
-vendor_service_contexts_file
|
||||
-vendor_framework_file
|
||||
-vendor_idc_file
|
||||
|
|
|
@ -412,6 +412,7 @@
|
|||
/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
|
||||
/(vendor|system/vendor)/etc/cgroups\.json u:object_r:vendor_cgroup_desc_file:s0
|
||||
/(vendor|system/vendor)/etc/task_profiles\.json u:object_r:vendor_task_profiles_file:s0
|
||||
/(vendor|system/vendor)/etc/avf/microdroid(/.*)? u:object_r:vendor_microdroid_file:s0
|
||||
|
||||
/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
|
||||
|
||||
|
|
|
@ -132,6 +132,9 @@ allow shell remount_exec:file rx_file_perms;
|
|||
allow shell self:perf_event { open read write kernel };
|
||||
neverallow shell self:perf_event ~{ open read write kernel };
|
||||
|
||||
# Allow shell to read microdroid vendor image
|
||||
r_dir_file(shell, vendor_microdroid_file)
|
||||
|
||||
# Allow shell to read /apex/apex-info-list.xml and the vendor apexes
|
||||
allow shell apex_info_file:file r_file_perms;
|
||||
allow shell vendor_apex_file:file r_file_perms;
|
||||
|
|
|
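Review bot: `r_dir_file(shell, vendor_microdroid_file)` is granted on every build type, and its comment only restates the rule without saying why shell needs the access. If the purpose is to let a VM be started from adb shell with the vendor image (an assumption; the page does not say), record that, e.g. `# Allow shell to open the microdroid vendor image so it can be passed to virtualizationmanager when starting a VM from adb shell`. If the access is only needed for testing, wrapping the rule in `userdebug_or_eng(` … `')`, as the virtualizationmanager policy does for shell_data_file, would keep it off user builds.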
@ -94,6 +94,9 @@ userdebug_or_eng(`
|
|||
allow virtualizationmanager shell_data_file:file open;
|
||||
')
|
||||
|
||||
# Allow virtualizationmanager to read microdroid related files in vendor partition
|
||||
r_dir_file(virtualizationmanager, vendor_microdroid_file)
|
||||
|
||||
# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
|
||||
r_dir_file(virtualizationmanager, crosvm);
|
||||
|
||||
|
|
|
@ -255,6 +255,8 @@ type vendor_public_lib_file, vendor_file_type, file_type;
|
|||
# Type for all vendor public libraries for system. These libs should only be exposed to
|
||||
# system. ABI stability of these libs is vendor's responsibility.
|
||||
type vendor_public_framework_file, vendor_file_type, file_type;
|
||||
# Type for all microdroid related files in the vendor partition.
|
||||
type vendor_microdroid_file, vendor_file_type, file_type;
|
||||
|
||||
# Input configuration
|
||||
type vendor_keylayout_file, vendor_file_type, file_type;
|
||||
|
|
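Review bot: The comment on `type vendor_microdroid_file` does not record that this label is security-relevant. Per the commit description, virtualizationmanager checks this label to decide whether a vendor disk image has been tampered with, so the trust placed in the label should be stated where the type is declared. Suggested wording: `# Type for microdroid files under /vendor/etc/avf/microdroid. virtualizationmanager trusts this label when validating a vendor disk image; keep the labelled path narrow and do not grant write or relabelto on it.`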