Implement permission check for VMs that request tee_services
VM can request to access SMC services via new tee_services field in
RawConfig and AppConfig.
The policy on what VMs can access what SMC services is defined in the
sepolicy by specifying allow rules for the processes that starts VMs
("VM owner" processes), e.g.:
```
allow shell test_pkvm_tee_service:tee_service use;
```
The virtmngr will use getprevcon to get the secontext of the VM owner,
and then use libselinux to lookup the mapping from the tee_services
to selinux labels. It then will use selinux_check_permission to check if
the VM owner is allowed the access.
Bug: 360102915
Test: atest MicrodroidTests
Test: AVF presubmit
Test: atest virtualizationmanager_device_test
Test: adb shell /apex/com.android.virt/bin/vm run-microdroid \
--protected \
--tee-services test_pkvm_tee_service
Change-Id: I4a94df5b897cd6a256d0958c73f57afa3d911b4f
diff --git a/android/virtmgr/src/aidl.rs b/android/virtmgr/src/aidl.rs
index cc7cf7c..e63af24 100644
--- a/android/virtmgr/src/aidl.rs
+++ b/android/virtmgr/src/aidl.rs
@@ -21,7 +21,7 @@
use crate::debug_config::DebugConfig;
use crate::dt_overlay::{create_device_tree_overlay, VM_DT_OVERLAY_MAX_SIZE, VM_DT_OVERLAY_PATH};
use crate::payload::{add_microdroid_payload_images, add_microdroid_system_images, add_microdroid_vendor_image};
-use crate::selinux::{getfilecon, getprevcon, SeContext};
+use crate::selinux::{check_tee_service_permission, getfilecon, getprevcon, SeContext};
use android_os_permissions_aidl::aidl::android::os::IPermissionController;
use android_system_virtualizationcommon::aidl::android::system::virtualizationcommon::{
Certificate::Certificate,
@@ -561,6 +561,10 @@
let config = config.as_ref();
*is_protected = config.protectedVm;
+ check_tee_service_permission(&caller_secontext, &config.teeServices)
+ .with_log()
+ .or_binder_exception(ExceptionCode::SECURITY)?;
+
// Check if partition images are labeled incorrectly. This is to prevent random images
// which are not protected by the Android Verified Boot (e.g. bits downloaded by apps) from
// being loaded in a pVM. This applies to everything but the instance image in the raw
diff --git a/android/virtmgr/src/selinux.rs b/android/virtmgr/src/selinux.rs
index 284cd23..a8c895f 100644
--- a/android/virtmgr/src/selinux.rs
+++ b/android/virtmgr/src/selinux.rs
@@ -15,13 +15,30 @@
//! Wrapper to libselinux
use anyhow::{anyhow, bail, Context, Result};
-use std::ffi::{CStr, CString};
+use std::ffi::{c_int, CStr, CString};
use std::fmt;
use std::io;
use std::ops::Deref;
use std::os::fd::AsRawFd;
use std::os::raw::c_char;
use std::ptr;
+use std::sync;
+
+static SELINUX_LOG_INIT: sync::Once = sync::Once::new();
+
+fn redirect_selinux_logs_to_logcat() {
+ let cb =
+ selinux_bindgen::selinux_callback { func_log: Some(selinux_bindgen::selinux_log_callback) };
+ // SAFETY: `selinux_set_callback` assigns the static lifetime function pointer
+ // `selinux_log_callback` to a static lifetime variable.
+ unsafe {
+ selinux_bindgen::selinux_set_callback(selinux_bindgen::SELINUX_CB_LOG as c_int, cb);
+ }
+}
+
+fn init_logger_once() {
+ SELINUX_LOG_INIT.call_once(redirect_selinux_logs_to_logcat)
+}
// Partially copied from system/security/keystore2/selinux/src/lib.rs
/// SeContext represents an SELinux context string. It can take ownership of a raw
@@ -101,6 +118,56 @@
}
}
+/// Takes ownership of context handle returned by `selinux_android_tee_service_context_handle`
+/// and closes it via `selabel_close` when dropped.
+struct TeeServiceSelinuxBackend {
+ handle: *mut selinux_bindgen::selabel_handle,
+}
+
+impl TeeServiceSelinuxBackend {
+ const BACKEND_ID: i32 = selinux_bindgen::SELABEL_CTX_ANDROID_SERVICE as i32;
+
+ /// Creates a new instance representing selinux context handle returned from
+ /// `selinux_android_tee_service_context_handle`.
+ fn new() -> Result<Self> {
+ // SAFETY: selinux_android_tee_service_context_handle is always safe to call. The returned
+ // handle is valid until `selabel_close` is called on it (see the safety comment on the drop
+ // trait).
+ let handle = unsafe { selinux_bindgen::selinux_android_tee_service_context_handle() };
+ if handle.is_null() {
+ Err(anyhow!("selinux_android_tee_service_context_handle returned a NULL context"))
+ } else {
+ Ok(TeeServiceSelinuxBackend { handle })
+ }
+ }
+
+ fn lookup(&self, tee_service: &str) -> Result<SeContext> {
+ let mut con: *mut c_char = ptr::null_mut();
+ let c_key = CString::new(tee_service).context("failed to convert to CString")?;
+ // SAFETY: the returned pointer `con` is valid until `freecon` is called on it.
+ match unsafe {
+ selinux_bindgen::selabel_lookup(self.handle, &mut con, c_key.as_ptr(), Self::BACKEND_ID)
+ } {
+ 0 => {
+ if !con.is_null() {
+ Ok(SeContext::Raw(con))
+ } else {
+ Err(anyhow!("selabel_lookup returned a NULL context"))
+ }
+ }
+ _ => Err(anyhow!(io::Error::last_os_error())).context("selabel_lookup failed"),
+ }
+ }
+}
+
+impl Drop for TeeServiceSelinuxBackend {
+ fn drop(&mut self) {
+ // SAFETY: the TeeServiceSelinuxBackend is created only with a pointer is set by
+ // libselinux and has to be freed with `selabel_close`.
+ unsafe { selinux_bindgen::selabel_close(self.handle) };
+ }
+}
+
pub fn getfilecon<F: AsRawFd>(file: &F) -> Result<SeContext> {
let fd = file.as_raw_fd();
let mut con: *mut c_char = ptr::null_mut();
@@ -133,3 +200,74 @@
_ => Err(anyhow!(io::Error::last_os_error())).context("getprevcon failed"),
}
}
+
+// Wrapper around selinux_check_access
+fn check_access(source: &CStr, target: &CStr, tclass: &str, perm: &str) -> Result<()> {
+ let c_tclass = CString::new(tclass).context("failed to convert tclass to CString")?;
+ let c_perm = CString::new(perm).context("failed to convert perm to CString")?;
+
+ // SAFETY: lifecycle of pointers passed to the selinux_check_access outlive the duration of the
+ // call.
+ match unsafe {
+ selinux_bindgen::selinux_check_access(
+ source.as_ptr(),
+ target.as_ptr(),
+ c_tclass.as_ptr(),
+ c_perm.as_ptr(),
+ ptr::null_mut(),
+ )
+ } {
+ 0 => Ok(()),
+ _ => Err(anyhow!(io::Error::last_os_error())).with_context(|| {
+ format!(
+ "check_access: Failed with sctx: {:?} tctx: {:?} tclass: {:?} perm {:?}",
+ source, target, tclass, perm
+ )
+ }),
+ }
+}
+
+pub fn check_tee_service_permission(caller_ctx: &SeContext, tee_services: &[String]) -> Result<()> {
+ init_logger_once();
+
+ let backend = TeeServiceSelinuxBackend::new()?;
+
+ for tee_service in tee_services {
+ let tee_service_ctx = backend.lookup(tee_service)?;
+ check_access(caller_ctx, &tee_service_ctx, "tee_service", "use")
+ .with_context(|| format!("permission denied for {:?}", tee_service))?;
+ }
+
+ Ok(())
+}
+
+#[cfg(test)]
+mod tests {
+ use super::*;
+
+ #[test]
+ fn test_check_tee_service_permission_has_permission() -> Result<()> {
+ if cfg!(not(tee_services_allowlist)) {
+ // Skip test on release configurations without tee_services_allowlist feature enabled.
+ return Ok(());
+ }
+
+ let caller_ctx = SeContext::new("u:r:shell:s0")?;
+ let tee_services = [String::from("test_pkvm_tee_service")];
+ check_tee_service_permission(&caller_ctx, &tee_services)
+ }
+
+ #[test]
+ fn test_check_tee_service_permission_invalid_tee_service() -> Result<()> {
+ if cfg!(not(tee_services_allowlist)) {
+ // Skip test on release configurations without tee_services_allowlist feature enabled.
+ return Ok(());
+ }
+
+ let caller_ctx = SeContext::new("u:r:shell:s0")?;
+ let tee_services = [String::from("test_tee_service_does_not_exist")];
+ let ret = check_tee_service_permission(&caller_ctx, &tee_services);
+ assert!(ret.is_err());
+ Ok(())
+ }
+}