39f497013c
Remove some allow rules for odsign, since it no longer directly modifies CompOs files. Instead allow it to run compos_verify_key in its own domain. Grant compos_verify_key what it needs to access the CompOs files and start up the VM. Currently we directly connect to the CompOs VM; that will change once some in-flight CLs have landed. As part of this I moved the virtualizationservice_use macro to te_macros so I can use it here. I also expanded it to include additional grants needed by any VM client that were previously done for individual domains (and then deleted those rules as now redundant). I also removed the grant of VM access to all apps; instead we allow it for untrusted apps, on userdebug or eng builds only. (Temporarily at least.) Bug: 193603140 Test: Manual - odsign successfully runs the VM at boot when needed. Change-Id: I62f9ad8c7ea2fb9ef2d468331e26822d08e3c828
72 lines
2.5 KiB
Text
72 lines
2.5 KiB
Text
type crosvm, domain, coredomain;
|
|
type crosvm_exec, system_file_type, exec_type, file_type;
|
|
type crosvm_tmpfs, file_type;
|
|
|
|
# Let crosvm open /dev/kvm.
|
|
allow crosvm kvm_device:chr_file rw_file_perms;
|
|
|
|
# Most other domains shouldn't access /dev/kvm.
|
|
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
|
|
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
|
|
|
|
# Let crosvm create temporary files.
|
|
tmpfs_domain(crosvm)
|
|
|
|
# Let crosvm receive file descriptors from VirtualizationService.
|
|
allow crosvm virtualizationservice:fd use;
|
|
|
|
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
|
|
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
|
|
# /data/local/tmp), and instance.img (app_data_file). Note that the open permission is not given as
|
|
# the files are passed as file descriptors.
|
|
allow crosvm {
|
|
virtualizationservice_data_file
|
|
staging_data_file
|
|
apk_data_file
|
|
app_data_file
|
|
apex_compos_data_file
|
|
userdebug_or_eng(`shell_data_file')
|
|
}:file { getattr read ioctl lock };
|
|
|
|
# Allow searching the directory where the composite disk images are.
|
|
allow crosvm virtualizationservice_data_file:dir search;
|
|
|
|
# Don't allow crosvm to open files that it doesn't own.
|
|
neverallow crosvm {
|
|
virtualizationservice_data_file
|
|
staging_data_file
|
|
apk_data_file
|
|
app_data_file
|
|
userdebug_or_eng(`-shell_data_file')
|
|
}:file open;
|
|
|
|
# The instance image and the composite image should be writable as well because they could represent
|
|
# mutable disks.
|
|
allow crosvm {
|
|
virtualizationservice_data_file
|
|
app_data_file
|
|
apex_compos_data_file
|
|
}:file write;
|
|
|
|
# Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
|
|
allow crosvm adbd:fd use;
|
|
allow crosvm adbd:unix_stream_socket { read write };
|
|
allow crosvm appdomain:fifo_file { read write };
|
|
|
|
# The console log can also be written to /data/local/tmp. This is not safe as the log then can be
|
|
# visible to the processes which don't own the VM. Therefore, this is a debugging only feature.
|
|
userdebug_or_eng(`allow crosvm shell_data_file:file w_file_perms;')
|
|
|
|
# Don't allow crosvm to have access to ordinary vendor files that are not for VMs.
|
|
full_treble_only(`
|
|
neverallow crosvm {
|
|
vendor_file_type
|
|
-vendor_vm_file
|
|
-vendor_vm_data_file
|
|
# These types are not required for crosvm, but the access is granted to globally in domain.te
|
|
# thus should be exempted here.
|
|
-vendor_configs_file
|
|
-vndk_sp_file
|
|
-vendor_task_profiles_file
|
|
}:file *;
|
|
')
|