Set sepolicy for vmnic in AVF

Bug: 340376951
Test: Presubmit
Change-Id: I5f48ff4a459805de2f74d160c1b61473c6de0466

apex/com.android.virt-file_contexts

@@ -6,3 +6,6 @@
 is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
     /bin/vfio_handler          u:object_r:vfio_handler_exec:s0
 ')
+is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
+    /bin/vmnic u:object_r:vmnic_exec:s0
+')

build/soong/service_fuzzer_bindings.go

@@ -188,6 +188,7 @@ var (
 		"android.hardware.security.keymint.IRemotelyProvisionedComponent/avf": EXCEPTION_NO_FUZZER,
 		"android.system.virtualizationservice":                            EXCEPTION_NO_FUZZER,
 		"android.system.virtualizationservice_internal.IVfioHandler":      EXCEPTION_NO_FUZZER,
+		"android.system.virtualizationservice_internal.IVmnic":            EXCEPTION_NO_FUZZER,
 		"android.system.virtualizationmaintenance":                        EXCEPTION_NO_FUZZER,
 		"ambient_context":                                                 EXCEPTION_NO_FUZZER,
 		"app_binding":                                                     EXCEPTION_NO_FUZZER,

flagging/Android.bp

@@ -20,6 +20,7 @@ se_flags {
         "RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES",
         "RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT",
         "RELEASE_AVF_ENABLE_LLPVM_CHANGES",
+        "RELEASE_AVF_ENABLE_NETWORK",
         "RELEASE_HARDWARE_BLUETOOTH_RANGING_SERVICE",
         "RELEASE_UNLOCKED_STORAGE_API",
     ],

private/service.te

@@ -30,6 +30,9 @@ is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
 is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, `
     type virtualization_maintenance_service, service_manager_type;
 ')
+is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
+    type vmnic_service, service_manager_type;
+')
 
 type uce_service,                   service_manager_type;
 type wearable_sensing_service,      app_api_service, system_server_service, service_manager_type;

private/service_contexts

@@ -170,6 +170,9 @@ is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
 is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, `
     android.system.virtualizationmaintenance u:object_r:virtualization_maintenance_service:s0
 ')
+is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
+    android.system.virtualizationservice_internal.IVmnic u:object_r:vmnic_service:s0
+')
 ambient_context                           u:object_r:ambient_context_service:s0
 app_binding                               u:object_r:app_binding_service:s0
 app_hibernation                           u:object_r:app_hibernation_service:s0

private/virtualizationservice.te

@@ -24,6 +24,12 @@ is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
     binder_call(virtualizationservice, vfio_handler)
 ')
 
+is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
+    # Let virtualizationservice find and communicate with vmnic.
+    allow virtualizationservice vmnic_service:service_manager find;
+    binder_call(virtualizationservice, vmnic)
+')
+
 # Allow the virtualizationservice domain to serve a remotely provisioned component for
 # pVM remote attestation.
 hal_server_domain(virtualizationservice, hal_remotelyprovisionedcomponent_avf)

private/vmnic.te

@@ -0,0 +1,18 @@
+is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
+    # vmnic is a helper service for network tasks, like creating TAP network interface.
+    # vmnic is separated from virtualizationservice as vmnic requires more permission to do network related tasks.
+    type vmnic, domain, coredomain;
+    type vmnic_exec, system_file_type, exec_type, file_type;
+
+    # When init runs a file labelled with vmnic_exec, run it in the vmnic domain.
+    init_daemon_domain(vmnic)
+
+    # Let the vmnic domain register the vmnic_service with ServiceManager.
+    add_service(vmnic, vmnic_service)
+
+    # Let the vmnic domain use Binder.
+    binder_use(vmnic)
+
+    # Only virtualizationservice can communicate to vmnic
+    neverallow { domain -virtualizationservice -servicemanager } vmnic:binder call;
+') # is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK)