Restrict VM usage to platform_app.
Remove access from untrusted apps and instead grant it to platform_app (but on user builds as well as debug). Also restrict any app from creating a vsock_socket; using an already created one is fine. Bug: 193373841 Test: Microdroid demo app now gets a denial Test: Rebuild demo with certificate: platform, adb install, no denial Change-Id: I7be011e05244767a42d4c56e26de792db4fe599d
parent
c71b2c18cc
commit
f96cd6557e
4 changed files with 8 additions and 9 deletions
@ -117,9 +117,10 @@ neverallow all_untrusted_apps *:{
alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
} *;
# Apps can read/write vsock created by virtualizationservice to communicate with the VM that they own,
# but nothing more than that (e.g. creating a new vsock, etc.)
neverallow all_untrusted_apps virtualizationservice:vsock_socket ~{ getattr read write };
# Apps can read/write an already open vsock (e.g. created by
# virtualizationservice) but nothing more than that (e.g. creating a
# new vsock, etc.)
neverallow all_untrusted_apps *:vsock_socket ~{ getattr read write };
# Disallow sending RTM_GETLINK messages on netlink sockets.
neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
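Review bot: The new rule `neverallow all_untrusted_apps *:vsock_socket ~{ getattr read write };` is scoped to all_untrusted_apps only, while the commit message says it restricts any app from creating a vsock_socket; platform_app, which gains VM access in this same commit, is not part of that attribute, so either the description overstates the rule or a matching neverallow on the broader app attribute is missing. If every app is really meant, the subject should be the attribute that covers platform apps too (appdomain, if that is the one this policy uses for the purpose), and the comment above the rule should say so. The widening from `virtualizationservice:vsock_socket` to `*:vsock_socket` is sound as written, since the allowed set stays limited to using an inherited socket.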
@ -108,6 +108,9 @@ dontaudit platform_app debugfs_tracing:file rw_file_perms;
# Allow platform apps to act as Perfetto producers.
perfetto_producer(platform_app)
# Allow platform apps to create VMs
virtualizationservice_use(platform_app)
###
### Neverallow rules
###
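Review bot: The comment `# Allow platform apps to create VMs` above the new `virtualizationservice_use(platform_app)` does not record that the grant is deliberately unconditional; the untrusted_app_all grant it replaces was wrapped in `userdebug_or_eng(` ... `')`, so a later reader may take the missing gating here for an oversight. Suggest `# Allow platform apps to create VMs (intentionally on user builds too, not only userdebug/eng).` What the macro actually grants is not visible in this diff, so this is a documentation point only; the enclosing file continues outside the hunk.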
@ -176,11 +176,6 @@ userdebug_or_eng(`
# the profiler (which would be profiling the app that is sending the signal).
allow untrusted_app_all simpleperf:process signal;
# Allow running a VM for test/demo purposes
userdebug_or_eng(`
virtualizationservice_use(untrusted_app_all)
')
with_native_coverage(`
# Allow writing coverage information to /data/misc/trace
allow domain method_trace_data_file:dir create_dir_perms;
@ -43,7 +43,7 @@ type system_suspend_control_internal_service, service_manager_type;
type system_suspend_control_service, service_manager_type;
type update_engine_service, service_manager_type;
type update_engine_stable_service, service_manager_type;
type virtualization_service, app_api_service, service_manager_type;
type virtualization_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;
type vold_service, service_manager_type;
type vr_hwc_service, service_manager_type;
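Review bot: Dropping app_api_service so the line becomes `type virtualization_service, service_manager_type;` removes the generic app-side ability to find this service, so platform_app now depends entirely on virtualizationservice_use() granting `find` on virtualization_service; that macro is not part of this diff, so confirm it does (the test with the platform certificate in the description suggests so, but nothing visible here shows it). Which of the two `type virtualization_service` lines is the old one is inferred from the description, since this page has lost its change markers. A short comment on the type, e.g. `# Deliberately not app_api_service: access is granted to specific domains via virtualizationservice_use()`, would keep the next maintainer from adding the attribute back.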