Flag-guard vfio_handler policies
vfio_handler will be active only if device assignment feature is turned
on.
Bug: 306563735
Test: microdroid tests with and without the flag
Change-Id: I5559dfca1a29852b65481c95f37edc9977ee9d7d
diff --git a/apex/Android.bp b/apex/Android.bp
index 21054fc..04fd5f6 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -205,11 +205,10 @@
],
}
-filegroup {
+file_contexts {
name: "com.android.virt-file_contexts",
- srcs: [
- "com.android.virt-file_contexts",
- ],
+ defaults: ["contexts_flags_defaults"],
+ srcs: ["com.android.virt-file_contexts"],
}
filegroup {
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index afe9f51..78720aa 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -3,4 +3,6 @@
/bin/fd_server u:object_r:fd_server_exec:s0
/bin/virtmgr u:object_r:virtualizationmanager_exec:s0
/bin/virtualizationservice u:object_r:virtualizationservice_exec:s0
-/bin/vfio_handler u:object_r:vfio_handler_exec:s0
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+ /bin/vfio_handler u:object_r:vfio_handler_exec:s0
+')
diff --git a/flagging/Android.bp b/flagging/Android.bp
index babd034..b61b41d 100644
--- a/flagging/Android.bp
+++ b/flagging/Android.bp
@@ -16,14 +16,14 @@
se_policy_conf_defaults {
name: "se_policy_conf_flags_defaults",
srcs: [":sepolicy_flagging_macros"],
- flags: [],
+ flags: ["RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT"],
}
contexts_defaults {
name: "contexts_flags_defaults",
srcs: [":sepolicy_flagging_macros"],
neverallow_files: [":sepolicy_flagging_macros"], // for seapp_contexts
- flags: [],
+ flags: ["RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT"],
}
filegroup {
diff --git a/private/coredomain.te b/private/coredomain.te
index f9b47df..289e15f 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -150,7 +150,7 @@
-apexd
-init
-ueventd
- -vfio_handler
+ is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `-vfio_handler')
-vold
} sysfs:file no_rw_file_perms;
diff --git a/private/service.te b/private/service.te
index 861afb3..b52aec4 100644
--- a/private/service.te
+++ b/private/service.te
@@ -21,6 +21,10 @@
type statsmanager_service, system_api_service, system_server_service, service_manager_type;
type tracingproxy_service, system_server_service, service_manager_type;
type transparency_service, system_server_service, service_manager_type;
-type vfio_handler_service, service_manager_type;
+
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+ type vfio_handler_service, service_manager_type;
+')
+
type uce_service, service_manager_type;
type wearable_sensing_service, system_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 898cb14..6d0851c 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -152,7 +152,9 @@
android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
android.system.composd u:object_r:compos_service:s0
android.system.virtualizationservice u:object_r:virtualization_service:s0
-android.system.virtualizationservice_internal.IVfioHandler u:object_r:vfio_handler_service:s0
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+ android.system.virtualizationservice_internal.IVfioHandler u:object_r:vfio_handler_service:s0
+')
ambient_context u:object_r:ambient_context_service:s0
app_binding u:object_r:app_binding_service:s0
app_hibernation u:object_r:app_hibernation_service:s0
diff --git a/private/vfio_handler.te b/private/vfio_handler.te
index 1b553e9..963809e 100644
--- a/private/vfio_handler.te
+++ b/private/vfio_handler.te
@@ -1,35 +1,37 @@
-# vfio_handler is a helper service for VFIO tasks, like binding platform devices to VFIO driver.
-# vfio_handler is separate from virtualizationservice as VFIO tasks require root.
-type vfio_handler, domain, coredomain;
-type vfio_handler_exec, system_file_type, exec_type, file_type;
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+ # vfio_handler is a helper service for VFIO tasks, like binding platform devices to VFIO driver.
+ # vfio_handler is separate from virtualizationservice as VFIO tasks require root.
+ type vfio_handler, domain, coredomain;
+ type vfio_handler_exec, system_file_type, exec_type, file_type;
-# When init runs a file labelled with vfio_handler_exec, run it in the vfio_handler domain.
-init_daemon_domain(vfio_handler)
+ # When init runs a file labelled with vfio_handler_exec, run it in the vfio_handler domain.
+ init_daemon_domain(vfio_handler)
-# Let the vfio_handler domain register the vfio_handler_service with ServiceManager.
-add_service(vfio_handler, vfio_handler_service)
+ # Let the vfio_handler domain register the vfio_handler_service with ServiceManager.
+ add_service(vfio_handler, vfio_handler_service)
-# Let the vfio_handler domain use Binder.
-binder_use(vfio_handler)
+ # Let the vfio_handler domain use Binder.
+ binder_use(vfio_handler)
-# Allow vfio_handler to check if VFIO is supported
-allow vfio_handler vfio_device:chr_file getattr;
-allow vfio_handler vfio_device:dir r_dir_perms;
+ # Allow vfio_handler to check if VFIO is supported
+ allow vfio_handler vfio_device:chr_file getattr;
+ allow vfio_handler vfio_device:dir r_dir_perms;
-# Allow vfio_handler to bind/unbind platform devices
-allow vfio_handler sysfs:dir r_dir_perms;
-allow vfio_handler sysfs:file rw_file_perms;
+ # Allow vfio_handler to bind/unbind platform devices
+ allow vfio_handler sysfs:dir r_dir_perms;
+ allow vfio_handler sysfs:file rw_file_perms;
-# Allow vfio_handler to write to VM DTBO via a file created by virtualizationservice.
-allow vfio_handler virtualizationservice:fd use;
-allow vfio_handler virtualizationservice_data_file:file write;
+ # Allow vfio_handler to write to VM DTBO via a file created by virtualizationservice.
+ allow vfio_handler virtualizationservice:fd use;
+ allow vfio_handler virtualizationservice_data_file:file write;
-# vfio_handler can only use fd from virtualizationservice, and can't open files itself
-neverallow vfio_handler virtualizationservice_data_file:file { open create };
+ # vfio_handler can only use fd from virtualizationservice, and cannot open files itself
+ neverallow vfio_handler virtualizationservice_data_file:file { open create };
-# Allow vfio_handler to search /dev/block for accessing dtbo.img
-allow vfio_handler block_device:dir search;
-allow vfio_handler dtbo_block_device:blk_file r_file_perms;
+ # Allow vfio_handler to search /dev/block for accessing dtbo.img
+ allow vfio_handler block_device:dir search;
+ allow vfio_handler dtbo_block_device:blk_file r_file_perms;
-# Only vfio_handler can add vfio_handler_service
-neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;
+ # Only vfio_handler can add vfio_handler_service
+ neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;
+') # is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT)
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 93cd04c..21d77b0 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -15,9 +15,11 @@
# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
add_service(virtualizationservice, virtualization_service)
-# Let virtualizationservice find and communicate with vfio_handler.
-allow virtualizationservice vfio_handler_service:service_manager find;
-binder_call(virtualizationservice, vfio_handler)
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+ # Let virtualizationservice find and communicate with vfio_handler.
+ allow virtualizationservice vfio_handler_service:service_manager find;
+ binder_call(virtualizationservice, vfio_handler)
+')
# Allow calling into the system server to find "permission_service".
binder_call(virtualizationservice, system_server)
@@ -97,5 +99,7 @@
-virtualizationservice
}:process setrlimit;
-# Only virtualizationservice can communicate to vfio_handler
-neverallow { domain -virtualizationservice -servicemanager } vfio_handler:binder call;
+is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
+ # Only virtualizationservice can communicate to vfio_handler
+ neverallow { domain -virtualizationservice -servicemanager } vfio_handler:binder call;
+')