Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_modules_Virtualization / 13748d239e930e06fa2214cec9daaf6add8e6ff3^! / . / android / virtmgr / src / aidl.rs
commit13748d239e930e06fa2214cec9daaf6add8e6ff3[log] [tgz]
authorNikita Ioffe <ioffe@google.com>Wed Oct 23 15:10:39 2024 +0000
committerNikita Ioffe <ioffe@google.com>Tue Nov 12 01:40:16 2024 +0000
tree05bfce54b053e92876b98ed079c4e3874b977b91
parent6952187883e54296ab8a30d422d59b922ae5b16b [diff] [blame]
Implement permission check for VMs that request tee_services

VM can request to access SMC services via new tee_services field in
RawConfig and AppConfig.

The policy on what VMs can access what SMC services is defined in the
sepolicy by specifying allow rules for the processes that starts VMs
("VM owner" processes), e.g.:

```
allow shell test_pkvm_tee_service:tee_service use;
```

The virtmngr will use getprevcon to get the secontext of the VM owner,
and then use libselinux to lookup the mapping from the tee_services
to selinux labels. It then will use selinux_check_permission to check if
the VM owner is allowed the access.

Bug: 360102915
Test: atest MicrodroidTests
Test: AVF presubmit
Test: atest virtualizationmanager_device_test
Test: adb shell /apex/com.android.virt/bin/vm run-microdroid \
  --protected \
  --tee-services test_pkvm_tee_service

Change-Id: I4a94df5b897cd6a256d0958c73f57afa3d911b4f

diff --git a/android/virtmgr/src/aidl.rs b/android/virtmgr/src/aidl.rs
index cc7cf7c..e63af24 100644
--- a/android/virtmgr/src/aidl.rs
+++ b/android/virtmgr/src/aidl.rs

@@ -21,7 +21,7 @@
 use crate::debug_config::DebugConfig;
 use crate::dt_overlay::{create_device_tree_overlay, VM_DT_OVERLAY_MAX_SIZE, VM_DT_OVERLAY_PATH};
 use crate::payload::{add_microdroid_payload_images, add_microdroid_system_images, add_microdroid_vendor_image};
-use crate::selinux::{getfilecon, getprevcon, SeContext};
+use crate::selinux::{check_tee_service_permission, getfilecon, getprevcon, SeContext};
 use android_os_permissions_aidl::aidl::android::os::IPermissionController;
 use android_system_virtualizationcommon::aidl::android::system::virtualizationcommon::{
     Certificate::Certificate,
@@ -561,6 +561,10 @@
         let config = config.as_ref();
         *is_protected = config.protectedVm;
 
+        check_tee_service_permission(&caller_secontext, &config.teeServices)
+            .with_log()
+            .or_binder_exception(ExceptionCode::SECURITY)?;
+
         // Check if partition images are labeled incorrectly. This is to prevent random images
         // which are not protected by the Android Verified Boot (e.g. bits downloaded by apps) from
         // being loaded in a pVM. This applies to everything but the instance image in the raw