tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/virtualizationservice.te
Alice Wang e79bbf9cf8 Revert^4 "[avf][rkp] Allow virtualizationservice to register RKP HAL" 
Revert submission 2829351-revert-2812456-revert-2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ-PAWNEHUQBT-WYENGHRTXK

Reason for revert: Relands the original topic:
https://r.android.com/q/topic:%22expose-avf-rkp-hal%22

Changes from the reverted cl aosp/2812455:
 - The AIDL service type has been renamed from avf_* to hal_* to be
   consistent with the others.

 - The new AIDL service type, hal_remotelyprovisionedcomponent_avf_service,
   for the IRPC/avf service, has been set up with the server/client model
   for AIDL Hal. The virtualizationservice is declared as server and
   RKPD is declared as client to access the service instead of raw
   service permission setup as in the reverted cl. This is aligned
   with the AIDL Hal configuration recommendation.

 - Since the existing type for IRPC hal_remotelyprovisionedcomponent is
   already associated with keymint server/client and has specific
   permission requirements, and some of the keymint clients might not
   need the AVF Hal. We decided to create a new AIDL service type
   instead of reusing the exisiting keymint service type.

Reverted changes: /q/submissionid:2829351-revert-2812456-revert-2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ-PAWNEHUQBT-WYENGHRTXK

Bug: 312427637
Bug: 310744536
Bug: 299257581
Test: atest MicrodroidHostTests librkp_support_test
Change-Id: Id37764b5f98e3c30c0c63601560697cf1c02c0ad
2023-11-22 08:21:27 +00:00

109 lines
4.6 KiB
Text
Raw Blame History

type virtualizationservice, domain, coredomain;
type virtualizationservice_exec, system_file_type, exec_type, file_type;
# The domain needs to be a 'mlstrustedsubject' to change the memlock rlimit of
# the virtualizationmanager domain running at a more constrained MLS level.
typeattribute virtualizationservice mlstrustedsubject;
# When init runs a file labelled with virtualizationservice_exec, run it in the
# virtualizationservice domain.
init_daemon_domain(virtualizationservice)
# Let the virtualizationservice domain use Binder.
binder_use(virtualizationservice)
# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
add_service(virtualizationservice, virtualization_service)
is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
# Let virtualizationservice find and communicate with vfio_handler.
allow virtualizationservice vfio_handler_service:service_manager find;
binder_call(virtualizationservice, vfio_handler)
')
# Allow the virtualizationservice domain to serve a remotely provisioned component for
# pVM remote attestation.
hal_server_domain(virtualizationservice, hal_remotelyprovisionedcomponent_avf)
# Allow calling into the system server to find "permission_service".
binder_call(virtualizationservice, system_server)
allow virtualizationservice permission_service:service_manager find;
# Let virtualizationservice remove memlock rlimit of virtualizationmanager. This is necessary
# to mlock VM memory and page tables.
allow virtualizationservice self:capability sys_resource;
allow virtualizationservice virtualizationmanager:process setrlimit;
# Let virtualizationservice set the owner of a VM's temporary directory.
allow virtualizationservice self:capability chown;
# Let virtualizationservice create and delete temporary directories of VMs. To remove old
# directories, it needs the permission to unlink the files created by virtualizationmanager.
allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
allow virtualizationservice virtualizationservice_data_file:sock_file unlink;
allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
# Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
# crosvm to the console
allow virtualizationservice adbd:fd use;
allow virtualizationservice adbd:unix_stream_socket { read write };
# Allow to connnect to and run VirtMgr to start the service VM for remote attestation.
virtualizationservice_use(virtualizationservice)
# Allow virtualizationservice to read and write in the apex data directory
# /data/misc/apexdata/com.android.virt
allow virtualizationservice apex_module_data_file:dir search;
allow virtualizationservice apex_virt_data_file:dir create_dir_perms;
allow virtualizationservice apex_virt_data_file:file create_file_perms;
# Let virtualizationservice to accept vsock connection from the guest VMs to singleton services
# such as the guest tombstone server.
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
set_prop(virtualizationservice, virtualizationservice_prop)
# Allow writing stats to statsd
unix_socket_send(virtualizationservice, statsdw, statsd)
# Allow virtualization service to talk to tombstoned to push guest tombstones
unix_socket_connect(virtualizationservice, tombstoned_crash, tombstoned)
# Append to tombstone files passed as fds from tombstoned
allow virtualizationservice tombstone_data_file:file { append getattr };
allow virtualizationservice tombstoned:fd use;
# Allow virtualizationservice to check if VFIO is supported
allow virtualizationservice vfio_device:chr_file getattr;
allow virtualizationservice vfio_device:dir r_dir_perms;
# Allow virtualizationservice to access VM DTBO via a file created by virtualizationmanager.
allow virtualizationservice virtualizationmanager:fd use;
# Allow virtualizationservice to access vendor_configs_file to get the list of assignable devices.
r_dir_file(virtualizationservice, vendor_configs_file)
neverallow {
domain
-init
-virtualizationservice
} virtualizationservice_prop:property_service set;
neverallow {
domain
-init
-virtualizationmanager
-virtualizationservice
} virtualizationservice_data_file:file { open create };
neverallow virtualizationservice {
domain
-virtualizationmanager
-virtualizationservice
}:process setrlimit;
is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
# Only virtualizationservice can communicate to vfio_handler
neverallow { domain -virtualizationservice -servicemanager } vfio_handler:binder call;
')
Reference in a new issue View git blame Copy permalink