Allow priv apps to use virtualizationservice
And allow virtualizationservice and crosvm access to privapp_data_file, to the same
extent as app_data_file.
Update some comments, move a neverallow to the bottom of the file with
the others.
Bug: 255286871
Test: Install demo app to system/priv-app, see it work without explicit grant.
Change-Id: Ic763c3fbfdfe9b7a7ee6f1fe76d2a74281b69f4f
diff --git a/private/crosvm.te b/private/crosvm.te
index c750b50..5971b91 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -31,6 +31,7 @@
staging_data_file
apk_data_file
app_data_file
+ privapp_data_file
apex_compos_data_file
shell_data_file
}:file { getattr read ioctl lock };
@@ -44,24 +45,12 @@
# Note that the open permission is not given as the socket is passed by FD.
allow crosvm virtualizationservice:unix_stream_socket { accept read write getattr getopt };
-# Don't allow crosvm to open files that it doesn't own.
-# This is important because a malicious application could try to start a VM with a composite disk
-# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
-# open them on its behalf. By preventing crosvm from opening any other files we prevent this
-# potential privilege escalation. See http://b/192453819 for more discussion.
-neverallow crosvm {
- virtualizationservice_data_file
- staging_data_file
- apk_data_file
- app_data_file
- userdebug_or_eng(`-shell_data_file')
-}:file open;
-
# The instance image and the composite image should be writable as well because they could represent
# mutable disks.
allow crosvm {
virtualizationservice_data_file
app_data_file
+ privapp_data_file
apex_compos_data_file
}:file write;
@@ -79,6 +68,20 @@
# when the vm is created by the `vm` tool) and handed over to crosvm as FD.
allow crosvm shell_data_file:file write;
+# Don't allow crosvm to open files that it doesn't own.
+# This is important because a malicious application could try to start a VM with a composite disk
+# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
+# open them on its behalf. By preventing crosvm from opening any other files we prevent this
+# potential privilege escalation. See http://b/192453819 for more discussion.
+neverallow crosvm {
+ virtualizationservice_data_file
+ staging_data_file
+ apk_data_file
+ app_data_file
+ privapp_data_file
+ userdebug_or_eng(`-shell_data_file')
+}:file open;
+
# Don't allow crosvm to have access to ordinary vendor files that are not for VMs.
full_treble_only(`
neverallow crosvm {
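Review bot: The open neverallow on lines 53-60 is now the third hand-maintained copy of the set of types crosvm may touch (the read allow on lines 14-19 and the write allow on lines 39-44 are the others), and it only protects types that are listed; a type added to one of the allow rules but forgotten here silently loses the protection the comment describes, exactly the kind of slip this change had to avoid for privapp_data_file. A one-line reminder above the rule would make the coupling explicit: `# Keep this list in sync with the file allow rules above: every type crosvm may read or write must also be denied open here.` The moved block itself is complete within the hunk; the full_treble_only neverallow that begins on line 64 continues past the end of the hunk.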
@@ -93,13 +96,14 @@
}:file *;
')
-# app_data_file and shell_data_file is the only app_data_file_type that is
-# allowed for crosvm to read. Note that the use of app_data_file is allowed
-# only for the instance disk image. This is enforced inside the
-# virtualizationservice by checking the file context of all disk image files.
+# Only allow crosvm to read app data files for clients that can start
+# VMs. Note that the use of app data files is further restricted
+# inside the virtualizationservice by checking the label of all disk
+# image files.
neverallow crosvm {
app_data_file_type
-app_data_file
+ -privapp_data_file
-shell_data_file
}:file read;
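Review bot: The rewritten comment on lines 72-75 no longer says which labels the virtualizationservice disk-image check accepts, at the very point where privapp_data_file joins the exemptions on line 79; that check lives outside this policy, so this change presumably needs a matching update there to accept privapp_data_file, and if it does not, privileged apps pass policy but are still refused, while a check looser than the policy would leave this neverallow as the only remaining guard. Naming the dependency keeps the two in step: `# The exempted types below must match the labels accepted by the disk-image label check in virtualizationservice.` The same consideration applies to the virtualizationservice.te hunk (lines 122-128), which grants the service getattr/read/write on privapp_data_file.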
diff --git a/private/priv_app.te b/private/priv_app.te
index 9d7a0f6..4dcd1fb 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -201,6 +201,11 @@
# created by things like renderscript or via other mechanisms.
allow priv_app app_exec_data_file:file { r_file_perms execute unlink };
+# Allow privileged apps to create a VM. Note that access is still
+# guarded with the `android.permission.MANAGE_VIRTUAL_MACHINE`
+# permission.
+virtualizationservice_use(priv_app)
+
###
### neverallow rules
###
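Review bot: The comment on lines 89-91 says access is still guarded by `android.permission.MANAGE_VIRTUAL_MACHINE` but, unlike the parallel comment in untrusted_app_all.te (lines 109-115), does not say why a privileged app can hold that permission; for priv_app the relevant fact is the `privileged` protection flag, which is what makes the grant implicit in the Test line of the description. Suggest extending the comment, e.g. `# permission; its protection level includes "privileged", so priv apps receive it without an explicit grant.` Whether the neverallow section beginning on line 94 carves out virtualizationservice for priv_app cannot be seen from this hunk.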
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 26077f3..0b4b919 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -171,11 +171,13 @@
allow untrusted_app_all self:lockdown integrity;
')
-# Allow running a VM for test/demo purposes. Note that access the service is
-# still guarded with the `android.permission.MANAGE_VIRTUAL_MACHINE`
-# permission. The protection level of the permission is `signature|development`
-# so that it can only be granted to either platform-key signed apps or
-# test-only apps having `android:testOnly="true"` in its manifest.
+# Allow running a VM for test/demo purposes. Note that access to the
+# service is still guarded with the
+# `android.permission.MANAGE_VIRTUAL_MACHINE` permission. The
+# protection level of the permission is
+# `signature|privileged|development` so that it can only be granted to
+# either platform-key signed apps, privileged apps, or test-only apps
+# having `android:testOnly="true"` in their manifest.
virtualizationservice_use(untrusted_app_all)
with_native_coverage(`
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 6e6b459..3e057fe 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -44,6 +44,7 @@
allow virtualizationservice {
app_data_file
apex_compos_data_file
+ privapp_data_file
}:file { getattr read write };
# shell_data_file is used for automated tests and manual debugging.