Allow CompOS to start a VM with its instance image.
The image will be stored under /data/misc/apexdata/com.android.compos. Grant crosvm & virtualization service read/write but not open access. This fixes these denials: avc: denied { read } for comm="Binder:3283_2" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:virtualizationservice:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1 avc: denied { getattr } for comm="virtualizations" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:virtualizationservice:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1 avc: denied { read } for comm="crosvm" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:crosvm:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1 avc: denied { getattr } for comm="crosvm" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:crosvm:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1 Test: compos_key_cmd --start /data/misc/apexdata/com.android.compos/instance.img Test: Works in enforcing mode, no denials seen. Bug: 193603140 Change-Id: I1137fddd02e84388af873f0e51dd080b1d803ad6
This commit is contained in:
parent
1f87fbd9fa
commit
e2a002cd8c
2 changed files with 7 additions and 1 deletions
|
@ -24,6 +24,7 @@ allow crosvm {
|
|||
staging_data_file
|
||||
apk_data_file
|
||||
app_data_file
|
||||
apex_compos_data_file
|
||||
userdebug_or_eng(`shell_data_file')
|
||||
}:file { getattr read ioctl lock };
|
||||
|
||||
|
@ -49,6 +50,7 @@ neverallow crosvm {
|
|||
allow crosvm {
|
||||
virtualizationservice_data_file
|
||||
app_data_file
|
||||
apex_compos_data_file
|
||||
}:file write;
|
||||
|
||||
# Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
|
||||
|
|
|
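Review bot: The new `apex_compos_data_file` entry in the first hunk inherits `ioctl` and `lock` from the shared permission list at `}:file { getattr read ioctl lock };`, while the denials quoted in the commit message show only getattr and read for crosvm on instance.img and the matching virtualizationservice rule in the other file grants only `{ getattr read write }`. If crosvm does not need ioctl or lock on the instance image, a separate `allow crosvm apex_compos_data_file:file { getattr read write };` would keep the grant to what was observed and the two policy files consistent; if the disk backend does need them, a one-line comment on the list saying so would spare the next reader the same question. Both the `allow crosvm {` block and the `neverallow crosvm {` block named in the hunk headers start outside the visible hunks.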
@ -54,7 +54,11 @@ allow virtualizationservice adbd:unix_stream_socket { read write };
|
|||
# directly as they must be passed over Binder by the client.
|
||||
allow virtualizationservice apk_data_file:file { getattr read };
|
||||
# Write access is needed for mutable partitions like instance.img
|
||||
allow virtualizationservice app_data_file:file { getattr read write };
|
||||
allow virtualizationservice {
|
||||
app_data_file
|
||||
apex_compos_data_file
|
||||
}:file { getattr read write };
|
||||
|
||||
# shell_data_file is used for automated tests and manual debugging.
|
||||
allow virtualizationservice shell_data_file:file { getattr read write };
|
||||
|
||||
|
|
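Review bot: The new block grants `write` on `apex_compos_data_file` to virtualizationservice, but the denials quoted in the commit message show only getattr and read for that domain on instance.img, and the hunk does not show whether virtualizationservice writes the CompOS image itself or only passes the fd on to crosvm. If only crosvm writes it, a separate `allow virtualizationservice apex_compos_data_file:file { getattr read };` would be the narrower grant; if virtualizationservice does write it, extending the existing comment `# Write access is needed for mutable partitions like instance.img` to say that this also covers the CompOS instance image would record the reason next to the rule. The surrounding rules continue outside the hunk.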