3fee5a43c1
There can be VM disk images that are specific to the underlying SoC. e.g. in case where SoC-specific hardware is dedicated to a VM and the VM needs drivers (or HALs) for the hardware. Don't prevent crosvm from reading such a SoC-specific VM disk images. Note that this doesn't actually allow crosvm to do that in AOSP. Such an allow rule could be added in downstreams where such use cases exist. Bug: 193605879 Test: m Change-Id: If19c0b6adae4c91676b142324c2903879548a135
77 lines
2.7 KiB
Text
77 lines
2.7 KiB
Text
type crosvm, domain, coredomain;
|
|
type crosvm_exec, system_file_type, exec_type, file_type;
|
|
type crosvm_tmpfs, file_type;
|
|
|
|
# Let crosvm open /dev/kvm.
|
|
allow crosvm kvm_device:chr_file rw_file_perms;
|
|
|
|
# Most other domains shouldn't access /dev/kvm.
|
|
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
|
|
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
|
|
|
|
# Let crosvm create temporary files.
|
|
tmpfs_domain(crosvm)
|
|
|
|
# Let crosvm receive file descriptors from VirtualizationService.
|
|
allow crosvm virtualizationservice:fd use;
|
|
|
|
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
|
|
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
|
|
# /data/local/tmp), and instance.img (app_data_file). Note that the open permission is not given as
|
|
# the files are passed as file descriptors.
|
|
allow crosvm {
|
|
virtualizationservice_data_file
|
|
staging_data_file
|
|
apk_data_file
|
|
app_data_file
|
|
apex_compos_data_file
|
|
userdebug_or_eng(`shell_data_file')
|
|
}:file { getattr read ioctl lock };
|
|
|
|
# Allow searching the directory where the composite disk images are.
|
|
allow crosvm virtualizationservice_data_file:dir search;
|
|
|
|
# TODO(b/193402941) delete this. This for now is required because crosvm needs to open the files for
|
|
# the GPT headers of the composite disks.
|
|
allow crosvm virtualizationservice_data_file:file open;
|
|
|
|
# Don't allow crosvm to open files that it doesn't own.
|
|
neverallow crosvm {
|
|
#TODO(b/193402941) uncomment the following line
|
|
#virtualizationservice_data_file
|
|
staging_data_file
|
|
apk_data_file
|
|
app_data_file
|
|
userdebug_or_eng(`-shell_data_file')
|
|
}:file open;
|
|
|
|
# The instance image and the composite image should be writable as well because they could represent
|
|
# mutable disks.
|
|
allow crosvm {
|
|
virtualizationservice_data_file
|
|
app_data_file
|
|
apex_compos_data_file
|
|
}:file write;
|
|
|
|
# Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
|
|
allow crosvm { adbd appdomain }:fd use;
|
|
allow crosvm adbd:unix_stream_socket { read write };
|
|
allow crosvm appdomain:fifo_file { read write };
|
|
|
|
# The console log can also be written to /data/local/tmp. This is not safe as the log then can be
|
|
# visible to the processes which don't own the VM. Therefore, this is a debugging only feature.
|
|
userdebug_or_eng(`allow crosvm shell_data_file:file w_file_perms;')
|
|
|
|
# Don't allow crosvm to have access to ordinary vendor files that are not for VMs.
|
|
full_treble_only(`
|
|
neverallow crosvm {
|
|
vendor_file_type
|
|
-vendor_vm_file
|
|
-vendor_vm_data_file
|
|
# These types are not required for crosvm, but the access is granted to globally in domain.te
|
|
# thus should be exempted here.
|
|
-vendor_configs_file
|
|
-vndk_sp_file
|
|
-vendor_task_profiles_file
|
|
}:file *;
|
|
')
|