Don't prevent crosvm from accessing vendor-owned VM disk images

There can be VM disk images that are specific to the underlying SoC.
e.g. in case where SoC-specific hardware is dedicated to a VM and the VM
needs drivers (or HALs) for the hardware.

Don't prevent crosvm from reading such SoC-specific VM disk images.

Note that this doesn't actually allow crosvm to do that in AOSP. Such an
allow rule could be added in downstreams where such use cases exist.

Bug: 193605879
Test: m
Change-Id: If19c0b6adae4c91676b142324c2903879548a135
diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 72994dd..6b89805 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -19,4 +19,6 @@
     untrusted_app_30
     proc_vendor_sched
     sysfs_vendor_sched
+    vendor_vm_file
+    vendor_vm_data_file
   ))
diff --git a/private/crosvm.te b/private/crosvm.te
index 7426ef9..70ab655 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -61,3 +61,17 @@
 # The console log can also be written to /data/local/tmp. This is not safe as the log then can be
 # visible to the processes which don't own the VM. Therefore, this is a debugging only feature.
 userdebug_or_eng(`allow crosvm shell_data_file:file w_file_perms;')
+
+# Don't allow crosvm to have access to ordinary vendor files that are not for VMs.
+full_treble_only(`
+  neverallow crosvm {
+    vendor_file_type
+    -vendor_vm_file
+    -vendor_vm_data_file
+    # These types are not required for crosvm, but the access is granted to globally in domain.te
+    # thus should be exempted here.
+    -vendor_configs_file
+    -vndk_sp_file
+    -vendor_task_profiles_file
+  }:file *;
+')
diff --git a/private/domain.te b/private/domain.te
index 9eeee88..56e2ef0 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -476,6 +476,7 @@
     coredomain
     # TODO(b/37168747): clean up fwk access to /vendor
     -crash_dump
+    -crosvm # loads vendor-specific disk images
     -init # starts vendor executables
     -iorap_inode2filename
     -iorap_prefetcherd
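Review bot: The `-crosvm` exemption at line 56 removes crosvm from the entire neverallow set rather than just for disk images, and a reader of domain.te gets no pointer to the compensating restriction; I would extend the comment to `-crosvm # loads vendor-specific disk images; re-restricted by a neverallow in crosvm.te`. The neverallow statement this list belongs to starts and ends outside the hunk, so the object classes it covers cannot be confirmed from here.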