Commit graph

10 commits

Author SHA1 Message Date
Jiyong Park
028e722934 app_data_file is the only app_data_file_type that is allowed for crosvm
Bug: 204852957
Test: monitor TH
Change-Id: Ie92aa25336087519661002624b486cb35740cda6
2021-11-26 01:20:20 +09:00
Alan Stokes
39f497013c SEPolicy for compos_verify_key.
Remove some allow rules for odsign, since it no longer directly
modifies CompOs files. Instead allow it to run compos_verify_key in
its own domain.

Grant compos_verify_key what it needs to access the CompOs files and
start up the VM.

Currently we directly connect to the CompOs VM; that will change once
some in-flight CLs have landed.

As part of this I moved the virtualizationservice_use macro to
te_macros so I can use it here. I also expanded it to include
additional grants needed by any VM client that were previously done
for individual domains (and then deleted those rules as now
redundant).

I also removed the grant of VM access to all apps; instead we allow it
for untrusted apps, on userdebug or eng builds only. (Temporarily at
least.)

Bug: 193603140
Test: Manual - odsign successfully runs the VM at boot when needed.
Change-Id: I62f9ad8c7ea2fb9ef2d468331e26822d08e3c828
2021-09-03 16:31:02 +01:00
Andrew Walbran
21d1710c32 Merge "crosvm now takes all files by FD." 2021-08-12 16:25:50 +00:00
Jiyong Park
3fee5a43c1 Don't prevent crosvm from accessing vendor-owned VM disk images
There can be VM disk images that are specific to the underlying SoC.
e.g. in case where SoC-specific hardware is dedicated to a VM and the VM
needs drivers (or HALs) for the hardware.

Don't prevent crosvm from reading such a SoC-specific VM disk images.

Note that this doesn't actually allow crosvm to do that in AOSP. Such an
allow rule could be added in downstreams where such use cases exist.

Bug: 193605879
Test: m
Change-Id: If19c0b6adae4c91676b142324c2903879548a135
2021-08-09 11:13:54 +09:00
Andrew Walbran
c0b4a91a90 crosvm now takes all files by FD.
Bug: 192256642
Test: `atest VirtualizationTestCases MicrodroidHostTestCases` on Cuttlefish
Change-Id: I8de557269ba56095b0264a65035296627fba8145
2021-08-06 13:57:17 +00:00
Alan Stokes
e2a002cd8c Allow CompOS to start a VM with its instance image.
The image will be stored under
/data/misc/apexdata/com.android.compos. Grant crosvm & virtualization
service read/write but not open access.

This fixes these denials:

avc: denied { read } for comm="Binder:3283_2" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:virtualizationservice:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1
avc: denied { getattr } for comm="virtualizations" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:virtualizationservice:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1

avc: denied { read } for comm="crosvm" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:crosvm:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1
avc: denied { getattr } for comm="crosvm" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:crosvm:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1

Test: compos_key_cmd --start /data/misc/apexdata/com.android.compos/instance.img
Test: Works in enforcing mode, no denials seen.
Bug: 193603140
Change-Id: I1137fddd02e84388af873f0e51dd080b1d803ad6
2021-07-28 14:17:20 +01:00
Jiyong Park
5e20d83cfb Add rules for virtualizationservice and crosvm
The test for the services has been running with selinux disabled. To
turn selinux on, required rules are allowed.

Below is the summary of the added rules.

* crosvm can read the composite disk files and other files (APKs,
APEXes) that serve as backing store of the composite disks.
* virtualizationservice has access to several binder services
  - permission_service: to check Android permission
  - apexd: to get apex files list (this will be removed eventually)
* Both have read access to shell_data_file (/data/local/tmp/...) for
testing purpose. This is not allowed for the user build.
* virtualizationservice has access to the pseudo terminal opened by adbd
so that it can write output to the terminal when the 'vm' tool is
invoked in shell.

Bug: 168588769
Test: /apex/com.android.virt/bin/vm run-app --log /dev/null
/data/local/tmp/virt/MicrodroidDemoApp.apk
/data/local/tmp/virt/MicrodroidDemoApp.apk.idsig
/data/local/tmp/virt/instance.img
assets/vm_config.json

without disabling selinux.

Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
2021-07-26 10:45:08 +09:00
Andrew Walbran
9b2fa1b94a Allow virtualizationservice and crosvm to access shell_data_file files.
This is necessary to run tests or run VMs manually with SELinux
enforcement enabled.

Bug: 192256642
Test: atest VirtualizationTestCases
Change-Id: I03b12fefa4e79644bd2f3410cc255f923834aca4
2021-07-07 11:11:19 +00:00
Andrew Walbran
4b80a3fc3d Rename VirtManager to VirtualizationService.
Bug: 188042280
Test: atest VirtualizationTestCases
Change-Id: Ia46a0dda923cb30382cbcba64aeb569685041d2b
2021-05-21 14:47:30 +00:00
Andrew Walbran
a995e84c18 Add crosvm domain and give virtmanager and crosvm necessary permissions.
Bug: 183583115
Test: make TARGET_KERNEL_USE=5.4 TARGET_VIM3L=true
Change-Id: I566436fa2d27597566014f2a63198a88d6d2dbd6
2021-04-13 09:30:20 +00:00