SEPolicy for compos_verify_key.

Remove some allow rules for odsign, since it no longer directly
modifies CompOs files. Instead allow it to run compos_verify_key in
its own domain.

Grant compos_verify_key what it needs to access the CompOs files and
start up the VM.

Currently we directly connect to the CompOs VM; that will change once
some in-flight CLs have landed.

As part of this I moved the virtualizationservice_use macro to
te_macros so I can use it here. I also expanded it to include
additional grants needed by any VM client that were previously done
for individual domains (and then deleted those rules as now
redundant).

I also removed the grant of VM access to all apps; instead we allow it
for untrusted apps, on userdebug or eng builds only. (Temporarily at
least.)

Bug: 193603140
Test: Manual - odsign successfully runs the VM at boot when needed.
Change-Id: I62f9ad8c7ea2fb9ef2d468331e26822d08e3c828
diff --git a/apex/com.android.compos-file_contexts b/apex/com.android.compos-file_contexts
index 35d20c0..ecec6b5 100644
--- a/apex/com.android.compos-file_contexts
+++ b/apex/com.android.compos-file_contexts
@@ -1,2 +1,3 @@
 (/.*)?                   u:object_r:system_file:s0
 /bin/compsvc             u:object_r:compos_exec:s0
+/bin/compos_verify_key   u:object_r:compos_verify_key_exec:s0
diff --git a/private/app.te b/private/app.te
index a33b6a0..2b3554f 100644
--- a/private/app.te
+++ b/private/app.te
@@ -103,8 +103,3 @@
   -system_data_file # shared libs in apks
   -apk_data_file
 }:file no_x_file_perms;
-
-# Allow apps to read/write vsock created by virtualizationservice to communicate with
-# the VM that the app created. Notice that the app doesn't have permission to create
-# a vsock by itself; it can't connect to other VMs that it doesn't own.
-allow appdomain virtualizationservice:vsock_socket { getattr read write };
diff --git a/private/compos_verify_key.te b/private/compos_verify_key.te
new file mode 100644
index 0000000..5601f64
--- /dev/null
+++ b/private/compos_verify_key.te
@@ -0,0 +1,23 @@
+# Run by odsign to verify a CompOs instance's keys.
+type compos_verify_key, domain, coredomain;
+
+type compos_verify_key_exec, exec_type, file_type, system_file_type;
+
+binder_use(compos_verify_key);
+virtualizationservice_use(compos_verify_key);
+
+# Access the image & key files, delete on failure, rename pending to current
+allow compos_verify_key apex_module_data_file:dir search;
+allow compos_verify_key apex_compos_data_file:dir create_dir_perms;
+allow compos_verify_key apex_compos_data_file:file create_file_perms;
+
+# Allow odsign to redirect our stdout/stderr to log
+allow compos_verify_key odsign:fd use;
+allow compos_verify_key odsign_devpts:chr_file { read write };
+
+# TODO: Remove this!
+allow compos_verify_key self:vsock_socket create_socket_perms_no_ioctl;
+
+# Only odsign can enter the domain via exec
+neverallow { domain -odsign } compos_verify_key:process transition;
+neverallow * compos_verify_key:process dyntransition;
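Review bot: The `# TODO: Remove this!` above the self:vsock_socket rule gives neither a reason nor a tracking reference, so the temporary grant the commit description says will disappear once the in-flight CLs land cannot be traced from the policy file itself; suggest `# TODO(b/193603140): temporary - we still connect directly to the CompOs VM; remove once the connection goes through virtualizationservice.` The comment on the apex_compos_data_file rules lists only "delete on failure, rename pending to current", while create_dir_perms and create_file_perms also grant creation of new directories and files; if compos_verify_key never creates anything, a narrower permission set would match the comment, otherwise the comment should say that creation is needed too. Note also that this same domain is a client of the new virtualizationservice_use macro, whose comment states clients are not granted vsock creation, which the self:vsock_socket rule here deliberately contradicts until the TODO is resolved.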
diff --git a/private/crosvm.te b/private/crosvm.te
index 6f3ab3d..5ec50b5 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -49,7 +49,7 @@
 }:file write;
 
 # Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
-allow crosvm { adbd appdomain }:fd use;
+allow crosvm adbd:fd use;
 allow crosvm adbd:unix_stream_socket { read write };
 allow crosvm appdomain:fifo_file { read write };
 
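Review bot: `allow crosvm appdomain:fifo_file { read write };` on the line after the edited one still covers every app domain, even though the fd-use half of the same console-piping comment was narrowed to whatever domains invoke virtualizationservice_use (after this commit, untrusted_app_all on userdebug/eng builds only). If the fifo rule exists for the same VM-owner case, it would presumably follow the clients better inside the macro (`allow crosvm $1:fifo_file { read write };`); if it must stay broad, the comment should say why it is not tied to VM ownership.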
diff --git a/private/odsign.te b/private/odsign.te
index 3297af7..bf097d7 100644
--- a/private/odsign.te
+++ b/private/odsign.te
@@ -45,8 +45,8 @@
 allow odsign apex_art_data_file:file { rw_file_perms unlink };
 
 # For CompOS instance & key files
-allow odsign apex_compos_data_file:dir rw_dir_perms;
-allow odsign apex_compos_data_file:file { r_file_perms unlink rename };
+allow odsign apex_compos_data_file:dir { getattr search };
+allow odsign apex_compos_data_file:file r_file_perms;
 
 # Run odrefresh to refresh ART artifacts
 domain_auto_trans(odsign, odrefresh_exec, odrefresh)
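Review bot: The unchanged comment `# For CompOS instance & key files` no longer describes the narrowed rules beneath it, which now grant odsign only `{ getattr search }` on the directory and r_file_perms on the files; a reader will not see that mutation was deliberately moved elsewhere. Suggest `# Read-only access to CompOS instance & key files; modifying them is delegated to compos_verify_key`, which also points at the domain_auto_trans added later in this file.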
@@ -54,6 +54,9 @@
 # Run fsverity_init to add key to fsverity keyring
 domain_auto_trans(odsign, fsverity_init_exec, fsverity_init)
 
+# Run compos_verify_key to verify CompOs instances
+domain_auto_trans(odsign, compos_verify_key_exec, compos_verify_key)
+
 # only odsign can set odsign sysprop
 set_prop(odsign, odsign_prop)
 neverallow { domain -odsign -init } odsign_prop:property_service set;
diff --git a/private/shell.te b/private/shell.te
index 08cf8ff..709e0b7 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -217,6 +217,6 @@
 # Allow shell read access to /apex/apex-info-list.xml for CTS.
 allow shell apex_info_file:file r_file_perms;
 
-# Allow shell (the vm tool) the access to vsock created by virtualization
-# service
-allow shell virtualizationservice:vsock_socket { read write };
+# Let the shell user call virtualizationservice (and
+# virtualizationservice call back to shell) for debugging.
+virtualizationservice_use(shell)
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index f7dfdeb..b4561fa 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -170,3 +170,8 @@
   # according to the heuristic of lockdown.
   allow untrusted_app_all self:lockdown integrity;
 ')
+
+# Allow running a VM for test/demo purposes
+userdebug_or_eng(`
+  virtualizationservice_use(untrusted_app_all)
+')
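Review bot: The comment `# Allow running a VM for test/demo purposes` does not record that this grant is intended to be temporary, which the commit description states, nor the bug it is tracked under, so it is likely to outlive its purpose unnoticed. Suggest `# TODO(b/193603140): temporary - allow running a VM for test/demo purposes on userdebug/eng builds only`, so the userdebug_or_eng gating and the reason for it are both visible at the rule.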
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index c51b995..0c09509 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -30,23 +30,6 @@
 allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
 allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
 
-# virtualizationservice_use(client)
-define(`virtualizationservice_use', `
-# Let the client call virtualizationservice.
-binder_call($1, virtualizationservice)
-# Let virtualizationservice call back to the client.
-binder_call(virtualizationservice, $1)
-# Let the client pass file descriptors to virtualizationservice.
-allow virtualizationservice $1:fd use;
-')
-
-# Let the shell user call virtualizationservice (and virtualizationservice call back to shell) for
-# debugging.
-virtualizationservice_use(shell)
-
-# Let apps use virtualizationservice.
-virtualizationservice_use(appdomain)
-
 # Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
 # crosvm to the console
 allow virtualizationservice adbd:fd use;
diff --git a/public/te_macros b/public/te_macros
index 1bdf039..4cd7e53 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -178,6 +178,26 @@
 neverallow $1 ~$1_userfaultfd:anon_inode *;
 ')
 
+####################################
+# virtualizationservice_use(domain)
+# Allow domain to create and communicate with a virtual machine using
+# virtualizationservice.
+define(`virtualizationservice_use', `
+allow $1 virtualization_service:service_manager find;
+# Let the client call virtualizationservice.
+binder_call($1, virtualizationservice)
+# Let virtualizationservice call back to the client.
+binder_call(virtualizationservice, $1)
+# Let the client pass file descriptors to virtualizationservice and on
+# to crosvm
+allow { virtualizationservice crosvm } $1:fd use;
+# Allow client to read/write vsock created by virtualizationservice to
+# communicate with the VM that it created. Notice that we do not grant
+# permission to create a vsock; the client can only connect to VMs
+# that it owns.
+allow $1 virtualizationservice:vsock_socket { getattr read write };
+')
+
 #####################################
 # app_domain(domain)
 # Allow a base set of permissions required for all apps.
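Review bot: The macro header says only "create and communicate with a virtual machine using virtualizationservice", but the body also grants the client `virtualization_service:service_manager find` and lets crosvm, not just virtualizationservice, use the client's file descriptors, which is wider than the macro this commit removes from virtualizationservice.te. Since this macro now decides the permission set for every VM client (shell, untrusted_app_all, compos_verify_key in this commit), the header should list what it grants; suggest `# Allow domain to find and call virtualizationservice, create and communicate with a VM it owns, and pass file descriptors through to crosvm.` The restriction described in the vsock comment (no vsock creation) holds only if callers do not add their own self:vsock_socket rules, as compos_verify_key.te temporarily does.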