From f60a1e0b905b5314794547ac792b347af1517985 Mon Sep 17 00:00:00 2001
From: Seungjae Yoo
Date: Mon, 20 May 2024 14:15:22 +0900
Subject: [PATCH] Set sepolicy for vmnic in AVF

Bug: 340376951
Test: Presubmit
Change-Id: I5f48ff4a459805de2f74d160c1b61473c6de0466
---
apex/com.android.virt-file_contexts | 3 +++
build/soong/service_fuzzer_bindings.go | 1 +
flagging/Android.bp | 1 +
private/service.te | 3 +++
private/service_contexts | 3 +++
private/virtualizationservice.te | 6 ++++++
private/vmnic.te | 18 ++++++++++++++++++
7 files changed, 35 insertions(+)
create mode 100644 private/vmnic.te

diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index 78720aa2f..d8fc8df7d 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -6,3 +6,6 @@ is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
 /bin/vfio_handler u:object_r:vfio_handler_exec:s0
 ')
+is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
+ /bin/vmnic u:object_r:vmnic_exec:s0
+')
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 139c2d507..bb832eb4e 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -188,6 +188,7 @@ var (
 "android.hardware.security.keymint.IRemotelyProvisionedComponent/avf": EXCEPTION_NO_FUZZER,
 "android.system.virtualizationservice": EXCEPTION_NO_FUZZER,
 "android.system.virtualizationservice_internal.IVfioHandler": EXCEPTION_NO_FUZZER,
+ "android.system.virtualizationservice_internal.IVmnic": EXCEPTION_NO_FUZZER,
 "android.system.virtualizationmaintenance": EXCEPTION_NO_FUZZER,
 "ambient_context": EXCEPTION_NO_FUZZER,
 "app_binding": EXCEPTION_NO_FUZZER,
diff --git a/flagging/Android.bp b/flagging/Android.bp
index 41a286162..2d0bb6841 100644
--- a/flagging/Android.bp
+++ b/flagging/Android.bp
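Review bot: The new `IVmnic` entry in service_fuzzer_bindings.go takes the `EXCEPTION_NO_FUZZER` exemption with no justification recorded next to it; whether that exemption is reasonable depends entirely on the `neverallow ... vmnic:binder call` rule added in `private/vmnic.te`, which a reader of this table cannot see. A short trailing comment such as `// vmnic binder calls are restricted to virtualizationservice by sepolicy` would document why no fuzzer is required, assuming the table's format accepts inline comments (the neighbouring entries carry none). The enclosing `var (` block starts and ends outside the hunk.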
@@ -20,6 +20,7 @@ se_flags {
 "RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES",
 "RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT",
 "RELEASE_AVF_ENABLE_LLPVM_CHANGES",
+ "RELEASE_AVF_ENABLE_NETWORK",
 "RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE",
 "RELEASE_UNLOCKED_STORAGE_API",
 ],
diff --git a/private/service.te b/private/service.te
index d777e53c4..1fb4d1d03 100644
--- a/private/service.te
+++ b/private/service.te
@@ -30,6 +30,9 @@ is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
 is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, `
 type virtualization_maintenance_service, service_manager_type;
 ')
+is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
+ type vmnic_service, service_manager_type;
+')
 type uce_service, service_manager_type;
 type wearable_sensing_service, app_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index f4b331e28..c7917f121 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -170,6 +170,9 @@ is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
 is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, `
 android.system.virtualizationmaintenance u:object_r:virtualization_maintenance_service:s0
 ')
+is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
+ android.system.virtualizationservice_internal.IVmnic u:object_r:vmnic_service:s0
+')
 ambient_context u:object_r:ambient_context_service:s0
 app_binding u:object_r:app_binding_service:s0
 app_hibernation u:object_r:app_hibernation_service:s0
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 99c2a3b94..a72f30fb5 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -24,6 +24,12 @@ is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
 binder_call(virtualizationservice, vfio_handler)
 ')
+is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
+ # Let virtualizationservice find and communicate with vmnic.
+ allow virtualizationservice vmnic_service:service_manager find;
+ binder_call(virtualizationservice, vmnic)
+')
+
 # Allow the virtualizationservice domain to serve a remotely provisioned component for
 # pVM remote attestation.
 hal_server_domain(virtualizationservice, hal_remotelyprovisionedcomponent_avf)
diff --git a/private/vmnic.te b/private/vmnic.te
new file mode 100644
index 000000000..bd4991d05
--- /dev/null
+++ b/private/vmnic.te
@@ -0,0 +1,18 @@
+is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
+ # vmnic is a helper service for network tasks, like creating TAP network interface.
+ # vmnic is separated from virtualizationservice as vmnic requires more permission to do network related tasks.
+ type vmnic, domain, coredomain;
+ type vmnic_exec, system_file_type, exec_type, file_type;
+
+ # When init runs a file labelled with vmnic_exec, run it in the vmnic domain.
+ init_daemon_domain(vmnic)
+
+ # Let the vmnic domain register the vmnic_service with ServiceManager.
+ add_service(vmnic, vmnic_service)
+
+ # Let the vmnic domain use Binder.
+ binder_use(vmnic)
+
+ # Only virtualizationservice can communicate to vmnic
+ neverallow { domain -virtualizationservice -servicemanager } vmnic:binder call;
+') # is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK)
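Review bot: In private/vmnic.te the `neverallow { domain -virtualizationservice -servicemanager } vmnic:binder call;` line restricts who may call vmnic, but nothing restricts `vmnic_service:service_manager find`, so any domain can still look the service up and hold its binder handle; only the call itself is then denied. If the "only virtualizationservice" intent is meant to hold at lookup as well, add `neverallow { domain -virtualizationservice -vmnic } vmnic_service:service_manager find;` next to it, exempting vmnic because `add_service` presumably grants find to the registering domain (confirm against the macro definition). The header comment also says vmnic "requires more permission to do network related tasks", yet this file grants no network- or TAP-interface-related permission, so either those rules are expected in a follow-up and the comment should say so, or the domain as landed cannot do what the comment describes. Minor wording on the last comment: `# Only virtualizationservice can communicate with vmnic`.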