27b515e70a
We are adding the ability for apps to create "storage areas", which are transparently encrypted directories that can only be opened when the device is unlocked. This CL makes the required SELinux policy changes. First, assign the type "system_userdir_file" to the new top-level directory /data/storage_area (non-recursively). This is the same type used by the other top-level directories containing app data, such as /data/user, and it restricts access to the directory in the desired way. Second, add new types to represent an app's directory of storage areas, the storage areas themselves, and their contents: `storage_area_app_dir`, `storage_area_dir`, and `storage_area_content_file` respectively. All are `app_data_file_type`s. The directory structure and the associated labels are as follows (note that they also all get the categories of the user+package): /data/storage_area/userId/pkgName storage_area_app_dir /data/storage_area/userId/pkgName/storageAreaName storage_area_dir /data/storage_area/userId/pkgName/storageAreaName/myFile.txt storage_area_content_file /data/storage_area/userId/pkgName/storageAreaName/mySubDir storage_area_content_file These new types allow us to restrict how and which processes interact with storage areas. The new type for the contents of storage areas allows us to add new, desirable restrictions that we cannot add to the more general `app_data_file` type in order to maintain backwards-compatibility, e.g., we block apps from executing any files in their storage areas. Third, allow: -- vold_prepare_subdirs to create and delete storage areas on behalf of apps, and assign them the SELinux type `storage_area_dir`, i.e. create directories /data/storage_area/$userId/$pkgName/$storageAreaName -- vold to assign encryption policies to storage area directories -- installd to create an app's directory of storage areas on app install, and delete them on app uninstall, and assign them the SELinux type `storage_area_app_dir`, i.e. 
directories /data/storage_area/$userId/$pkgName We also add a new SELinux type to represent the storage area encryption keys: `storage_area_key_file`. The keys are created by vold on storage area creation, and deleted either by vold if an app calls the `deleteStorageArea` API function explicitly, or by installd on app uninstall. These keys are stored in `/data/misc_ce/$userId/storage_area_keys`, and only installd and vold have access to them. Bug: 325121608 Test: atest StorageAreaTest Change-Id: I74805d249f59226fc6963693f682c70949bfad93
type crosvm, domain, coredomain;
type crosvm_exec, system_file_type, exec_type, file_type;
type crosvm_tmpfs, file_type;
# Let crosvm open VM manager devices such as /dev/kvm.
allow crosvm vm_manager_device_type:chr_file rw_file_perms;
# Most other domains shouldn't access /dev/kvm.
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };
# Most other domains shouldn't access other vm managers either.
# These restrictions need to be slightly looser than for kvm_device to allow
# for different implementations.
neverallow { coredomain appdomain -crosvm -ueventd -shell } vm_manager_device_type:chr_file getattr;
neverallow { coredomain appdomain -crosvm -ueventd } vm_manager_device_type:chr_file ~getattr;
# Let crosvm create temporary files.
tmpfs_domain(crosvm)
# Let crosvm receive file descriptors from VirtualizationService.
allow crosvm virtualizationmanager:fd use;
# Allow sending VirtualizationService the failure reason and console/log from the VM via pipe.
allow crosvm virtualizationmanager:fifo_file write;
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
# /data/local/tmp), instance.img (app_data_file), and microdroid vendor image (vendor_microdroid_file).
# Allow crosvm to read the instance image of the service VM saved in apex_virt_data_file.
# Note that the open permission is not given as the files are passed as file descriptors.
allow crosvm {
virtualizationservice_data_file
staging_data_file
apk_data_file
app_data_file
privapp_data_file
apex_compos_data_file
apex_virt_data_file
shell_data_file
vendor_microdroid_file
}:file { getattr read ioctl lock };
# Allow searching the directory where the composite disk images are.
allow crosvm virtualizationservice_data_file:dir search;
# When running a VM as root we get spurious capability denials.
# Suppress them.
userdebug_or_eng(`
dontaudit crosvm self:capability ipc_lock;
')
# Allow crosvm to tune for performance.
allow crosvm self:global_capability_class_set sys_nice;
# Let crosvm access its control socket as created by VS.
# read, write, getattr: listener socket polling
# accept: listener socket accepting new connection
# Note that the open permission is not given as the socket is passed by FD.
allow crosvm virtualizationmanager:unix_stream_socket { accept read write getattr getopt };
# Let crosvm open test artifacts under /data/local/tmp with file path. (e.g. custom pvmfw.img)
userdebug_or_eng(`
allow crosvm shell_data_file:dir search;
allow crosvm shell_data_file:file open;
')
# The instance image and the composite image should be writable as well because they could represent
# mutable disks.
allow crosvm {
virtualizationservice_data_file
app_data_file
privapp_data_file
apex_compos_data_file
apex_virt_data_file
}:file write;
# Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
allow crosvm adbd:fd use;
allow crosvm adbd:unix_stream_socket { read write };
allow crosvm devpts:chr_file { read write getattr ioctl };
is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
# Allow crosvm to draw screen in the surface
allow crosvm device:dir { read open };
allow crosvm same_process_hal_file:file { read open getattr map execute };
allow crosvm gpu_device:chr_file { read write open ioctl map open getattr };
allow crosvm hal_graphics_allocator:fd use;
allow crosvm hal_graphics_allocator_server:binder call;
allow crosvm surfaceflinger:fd use;
hal_client_domain(crosvm, hal_graphics_allocator)
# To provide display service to an app to get surface.
# TODO(b/332677707): remove them when display service uses binder RPC.
allow crosvm vmlauncher_app:binder { transfer call };
allow crosvm servicemanager:binder { call transfer };
allow crosvm virtualization_service:service_manager find;
allow crosvm virtualizationservice:binder { call transfer };
')
# crosvm tries to use netlink sockets as part its APCI implementation, but we don't need it for AVF (b/228077254)
dontaudit crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
# crosvm can write files in /data/local/tmp which are usually used for instance.img and logging by
# compliance tests and demo apps. Write access to instance.img is particularily important because
# the VM has to initialize the disk image on its first boot. Note that open access is still not
# granted because the files are expected to be opened by the owner of the VM (apps or shell in case
# when the vm is created by the `vm` tool) and handed over to crosvm as FD.
allow crosvm shell_data_file:file write;
# crosvm tries to read serial device, including the write-only pipe from virtualizationmanager (to
# forward console/log to the host logcat).
# crosvm only needs write permission, so dontaudit read
dontaudit crosvm virtualizationmanager:fifo_file { read getattr };
# Required for crosvm to start gdb-server to enable debugging of guest kernel.
allow crosvm self:tcp_socket { bind create read setopt write accept listen };
allow crosvm port:tcp_socket name_bind;
allow crosvm adbd:unix_stream_socket ioctl;
allow crosvm node:tcp_socket node_bind;
# Allow crosvm to interact to VFIO device
allow crosvm vfio_device:chr_file rw_file_perms;
allow crosvm vfio_device:dir r_dir_perms;
# Allow crosvm to access VM DTBO via a file created by virtualizationmanager.
allow crosvm virtualizationmanager:fd use;
allow crosvm virtualizationservice_data_file:file read;
# Don't allow crosvm to open files that it doesn't own.
# This is important because a malicious application could try to start a VM with a composite disk
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
# open them on its behalf. By preventing crosvm from opening any other files we prevent this
# potential privilege escalation. See http://b/192453819 for more discussion.
neverallow crosvm {
virtualizationservice_data_file
staging_data_file
apk_data_file
app_data_file
privapp_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
userdebug_or_eng(`-shell_data_file')
}:file open;
# Don't allow crosvm to have access to ordinary vendor files that are not for VMs.
full_treble_only(`
neverallow crosvm {
vendor_file_type
-vendor_vm_file
-vendor_vm_data_file
# These types are not required for crosvm, but the access is granted to globally in domain.te
# thus should be exempted here.
-vendor_configs_file
-vendor_microdroid_file
-vndk_sp_file
-vendor_task_profiles_file
is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `-same_process_hal_file')
}:file *;
')
# Only allow crosvm to read app data files for clients that can start
# VMs. Note that the use of app data files is further restricted
# inside the virtualizationservice by checking the label of all disk
# image files.
neverallow crosvm {
app_data_file_type
-app_data_file
-privapp_data_file
-shell_data_file
}:file read;
# Only virtualizationmanager can run crosvm
neverallow {
domain
-crosvm
-virtualizationmanager
} crosvm_exec:file no_x_file_perms;
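Review bot: The `open` denial added as `is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')` is needed only because this neverallow enumerates types one by one; since the commit message states the new type is an `app_data_file_type`, the `:file read` neverallow further down already covers it, but any future app-data type will again be silently missed here unless someone remembers to add it. Consider denying `open` on the attribute instead, mirroring the `read` rule: `neverallow crosvm { virtualizationservice_data_file staging_data_file apk_data_file app_data_file_type userdebug_or_eng(`-shell_data_file') }:file open;`, which would also remove the flag dependency from this rule. This assumes no other policy file grants crosvm `open` on some `app_data_file_type`; nothing visible in this file does, as the only such grant is the userdebug_or_eng `shell_data_file:file open`, which the exclusion keeps. Unrelated to this change, `allow crosvm gpu_device:chr_file { read write open ioctl map open getattr };` lists `open` twice, and `allow crosvm virtualizationmanager:fd use;` appears twice in the file.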