Allow priv apps to use virtualizationservice

And allow VS and crosvm access to privapp_data_file, to the same
extent as app_data_file.

Update some comments, move a neverallow to the bottom of the file with
the others.

Bug: 255286871
Test: Install demo app to system/priv-app, see it work without explicit grant.
Change-Id: Ic763c3fbfdfe9b7a7ee6f1fe76d2a74281b69f4f
diff --git a/private/crosvm.te b/private/crosvm.te
index c750b50..5971b91 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -31,6 +31,7 @@
   staging_data_file
   apk_data_file
   app_data_file
+  privapp_data_file
   apex_compos_data_file
   shell_data_file
 }:file { getattr read ioctl lock };
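Review bot: The read/getattr list that privapp_data_file joins here is not documented as being paired with the `neverallow crosvm { ... }:file open` set that this commit moves further down the file, even though the privilege-escalation argument in that neverallow's comment only holds while every type readable here is also listed there. The two lists agree after this change, but the pairing is enforced only by convention, so a maintainer adding the next type to this allow could silently reopen the hole. A one-line comment above the list, `# Every type added here must also be added to the "file open" neverallow below; crosvm must only reach these files via FDs it is handed, never by path.`, would make the invariant visible where the next change is made. The `allow crosvm {` statement this hunk extends begins above the hunk, so the comment would go on its opening line outside this hunk; the same pairing applies to the write list in the following hunk.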
@@ -44,24 +45,12 @@
 # Note that the open permission is not given as the socket is passed by FD.
 allow crosvm virtualizationservice:unix_stream_socket { accept read write getattr getopt };
 
-# Don't allow crosvm to open files that it doesn't own.
-# This is important because a malicious application could try to start a VM with a composite disk
-# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
-# open them on its behalf. By preventing crosvm from opening any other files we prevent this
-# potential privilege escalation. See http://b/192453819 for more discussion.
-neverallow crosvm {
-  virtualizationservice_data_file
-  staging_data_file
-  apk_data_file
-  app_data_file
-  userdebug_or_eng(`-shell_data_file')
-}:file open;
-
 # The instance image and the composite image should be writable as well because they could represent
 # mutable disks.
 allow crosvm {
   virtualizationservice_data_file
   app_data_file
+  privapp_data_file
   apex_compos_data_file
 }:file write;
 
@@ -79,6 +68,20 @@
 # when the vm is created by the `vm` tool) and handed over to crosvm as FD.
 allow crosvm shell_data_file:file write;
 
+# Don't allow crosvm to open files that it doesn't own.
+# This is important because a malicious application could try to start a VM with a composite disk
+# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
+# open them on its behalf. By preventing crosvm from opening any other files we prevent this
+# potential privilege escalation. See http://b/192453819 for more discussion.
+neverallow crosvm {
+  virtualizationservice_data_file
+  staging_data_file
+  apk_data_file
+  app_data_file
+  privapp_data_file
+  userdebug_or_eng(`-shell_data_file')
+}:file open;
+
 # Don't allow crosvm to have access to ordinary vendor files that are not for VMs.
 full_treble_only(`
   neverallow crosvm {
@@ -93,13 +96,14 @@
   }:file *;
 ')
 
-# app_data_file and shell_data_file is the only app_data_file_type that is
-# allowed for crosvm to read.  Note that the use of app_data_file is allowed
-# only for the instance disk image.  This is enforced inside the
-# virtualizationservice by checking the file context of all disk image files.
+# Only allow crosvm to read app data files for clients that can start
+# VMs. Note that the use of app data files is further restricted
+# inside the virtualizationservice by checking the label of all disk
+# image files.
 neverallow crosvm {
   app_data_file_type
   -app_data_file
+  -privapp_data_file
   -shell_data_file
 }:file read;