Don't prevent crosvm from accessing vendor-owned VM disk images

There can be VM disk images that are specific to the underlying SoC.
e.g. in case where SoC-specific hardware is dedicated to a VM and the VM
needs drivers (or HALs) for the hardware.

Don't prevent crosvm from reading such SoC-specific VM disk images.

Note that this doesn't actually allow crosvm to do that in AOSP. Such an
allow rule could be added in downstreams where such use cases exist.

Bug: 193605879
Test: m
Change-Id: If19c0b6adae4c91676b142324c2903879548a135
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 72994dd..6b89805 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -19,4 +19,6 @@
     untrusted_app_30
     proc_vendor_sched
     sysfs_vendor_sched
+    vendor_vm_file
+    vendor_vm_data_file
   ))
diff --git a/private/crosvm.te b/private/crosvm.te
index 7426ef9..70ab655 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -61,3 +61,17 @@
 # The console log can also be written to /data/local/tmp. This is not safe as the log then can be
 # visible to the processes which don't own the VM. Therefore, this is a debugging only feature.
 userdebug_or_eng(`allow crosvm shell_data_file:file w_file_perms;')
+
+# Don't allow crosvm to have access to ordinary vendor files that are not for VMs.
+full_treble_only(`
+  neverallow crosvm {
+    vendor_file_type
+    -vendor_vm_file
+    -vendor_vm_data_file
+    # These types are not required for crosvm, but the access is granted to globally in domain.te
+    # thus should be exempted here.
+    -vendor_configs_file
+    -vndk_sp_file
+    -vendor_task_profiles_file
+  }:file *;
+')
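Review bot: The new neverallow ending at `}:file *;` asserts only on the `file` object class, so it says nothing about crosvm's `dir`, `lnk_file` or `blk_file` access to `vendor_file_type`; if the intent is to confine crosvm to the two VM-image types, the comment should state why `file` alone is sufficient, or the rule should name the classes it means to cover. The exemptions for `vendor_configs_file`, `vndk_sp_file` and `vendor_task_profiles_file` mirror domain-wide grants that live in domain.te, so any future global grant of another `vendor_file_type` will fail this assertion at policy build time — the intended failure mode, but worth making explicit: `# Keep in sync with the domain-wide vendor grants in domain.te; a new global grant fails this assertion at build time.` As the description says, no allow rule for `vendor_vm_file`/`vendor_vm_data_file` is added here, so downstream policy is what actually decides what crosvm may open.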
diff --git a/private/domain.te b/private/domain.te
index 9eeee88..56e2ef0 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -476,6 +476,7 @@
     coredomain
     # TODO(b/37168747): clean up fwk access to /vendor
     -crash_dump
+    -crosvm # loads vendor-specific disk images
     -init # starts vendor executables
     -iorap_inode2filename
     -iorap_prefetcherd
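Review bot: The `-crosvm` exemption removes crosvm from a neverallow whose source and target sets start before this hunk, so from this file alone the policy now permits crosvm to be granted access to the whole of `vendor_file_type`, with the narrowing assertion living elsewhere; the inline comment should point to it so the two stay coupled, e.g. `-crosvm # loads vendor-specific disk images; see neverallow in crosvm.te`. The enclosing neverallow statement begins outside the hunk, so whether it also covers `dir`/`lnk_file` classes cannot be checked here.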
diff --git a/public/file.te b/public/file.te
index 9bb1ff9..251c418 100644
--- a/public/file.te
+++ b/public/file.te
@@ -246,6 +246,11 @@
 type vendor_keychars_file, vendor_file_type, file_type;
 type vendor_idc_file, vendor_file_type, file_type;
 
+# SoC-specific virtual machine disk files
+type vendor_vm_file, vendor_file_type, file_type;
+# SoC-specific virtual machine disk files that are mutable
+type vendor_vm_data_file, vendor_file_type, file_type;
+
 # /metadata partition itself
 type metadata_file, file_type;
 # Vold files within /metadata
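Review bot: The comments on the two new types do not say where files carrying these labels are expected to live or who is meant to label them, and this change adds no file_contexts entry or allow rule; since the commit description states both are left to downstream policy, recording that at the declaration helps the next reader, e.g. `# No file_contexts labels or allow rules in AOSP; downstream policy labels SoC-specific images and grants crosvm access.` The distinction between `vendor_vm_file` and `vendor_vm_data_file` rests on the single word "mutable", so the second comment could spell out that it is intended for images crosvm may write as well as read — assuming that is the intent, which the hunk does not show.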