Add labels and permissions for /mnt/vm
It will be used as a storage for early boot virtmgr.
Bug: 354059281
Test: boot and check /early-vm
Change-Id: Ida44cdb3de3a42daf210cc2c4100615e6aab77e3
diff --git a/contexts/plat_file_contexts_test b/contexts/plat_file_contexts_test
index 4c8f9cb..29225ce 100644
--- a/contexts/plat_file_contexts_test
+++ b/contexts/plat_file_contexts_test
@@ -37,6 +37,7 @@
/sys sysfs
/apex apex_mnt_dir
/bootstrap-apex apex_mnt_dir
+/mnt/vm vm_data_file
/postinstall postinstall_mnt_dir
/postinstall/apex postinstall_apex_mnt_dir
diff --git a/private/crosvm.te b/private/crosvm.te
index 0c2acb9..6f07391 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -40,10 +40,14 @@
apex_virt_data_file
shell_data_file
vendor_microdroid_file
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
}:file { getattr read ioctl lock };
# Allow searching the directory where the composite disk images are.
-allow crosvm virtualizationservice_data_file:dir search;
+allow crosvm {
+ virtualizationservice_data_file
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
+}:dir search;
# When running a VM as root we get spurious capability denials.
# Suppress them.
@@ -74,6 +78,7 @@
privapp_data_file
apex_compos_data_file
apex_virt_data_file
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
}:file write;
# Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
@@ -153,6 +158,7 @@
app_data_file
privapp_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
+ is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
userdebug_or_eng(`-shell_data_file')
}:file open;
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 20341e4..13b7b9f 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -537,6 +537,7 @@
linkerconfig_file
mirror_data_file
mnt_user_file
+ vm_data_file
}:dir getattr;
# Allow dumpstate to talk to bufferhubd over binder
diff --git a/private/early_virtmgr.te b/private/early_virtmgr.te
index 4e332f6..484077c 100644
--- a/private/early_virtmgr.te
+++ b/private/early_virtmgr.te
@@ -5,4 +5,15 @@
type early_virtmgr_exec, system_file_type, exec_type, file_type;
use_bootstrap_libs(early_virtmgr)
+
+ allow early_virtmgr vm_data_file:dir create_dir_perms;
+ allow early_virtmgr vm_data_file:file create_file_perms;
+
+ ###
+ ### Neverallow rules
+ ###
+
+ # Only crosvm and early_virtmgr can access vm_data_file
+ neverallow { domain -crosvm -early_virtmgr -init } vm_data_file:dir no_w_dir_perms;
+ neverallow { domain -crosvm -early_virtmgr } vm_data_file:file no_rw_file_perms;
')
diff --git a/private/file.te b/private/file.te
index d30465b..038e899 100644
--- a/private/file.te
+++ b/private/file.te
@@ -117,6 +117,9 @@
# virtualizationmanager, which runs at a more constrained MLS level.
type virtualizationservice_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
+# /mnt/vm
+type vm_data_file, file_type, core_data_file_type;
+
# /data/system/environ
type environ_system_data_file, file_type, data_file_type, core_data_file_type;
diff --git a/private/file_contexts b/private/file_contexts
index ce5ed96..f5da4af 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -922,3 +922,7 @@
# dexopt_chroot_setup inside chroot, in addition to the files and directories
# matching the pattern below.
/mnt/pre_reboot_dexopt(/.*)? u:object_r:pre_reboot_dexopt_file:s0
+
+#############################
+# For early boot VM
+/mnt/vm u:object_r:vm_data_file:s0
diff --git a/private/init.te b/private/init.te
index e4bafd8..8ab1aab 100644
--- a/private/init.te
+++ b/private/init.te
@@ -115,6 +115,8 @@
userdebug_or_eng(`
allow init kmsg_debug_device:chr_file { open write relabelto };
')
+# /mnt/vm, also permissions to mkdir / mount / chmod / chown
+allow init vm_data_file:dir { add_name create search write getattr setattr relabelto mounton };
# allow init to mount and unmount debugfs in debug builds
userdebug_or_eng(`
@@ -305,6 +307,7 @@
-storage_area_app_dir
-storage_area_content_file
')
+ -vm_data_file
-bpffs_type
-exec_type
-misc_logd_file
@@ -324,6 +327,7 @@
-storage_area_app_dir
-storage_area_content_file
')
+ -vm_data_file
-bpffs_type
-credstore_data_file
-exec_type
@@ -351,6 +355,7 @@
-storage_area_app_dir
-storage_area_content_file
')
+ -vm_data_file
-bpffs_type
-exec_type
-gsi_data_file
@@ -383,6 +388,7 @@
-storage_area_app_dir
-storage_area_content_file
')
+ -vm_data_file
-bpffs_type
-exec_type
-gsi_data_file
@@ -408,6 +414,7 @@
-storage_area_app_dir
-storage_area_content_file
')
+ -vm_data_file
-bpffs_type
-exec_type
-gsi_data_file
@@ -439,6 +446,7 @@
-storage_area_app_dir
-storage_area_content_file
')
+ -vm_data_file
-privapp_data_file
}:dir_file_class_set relabelto;