Add plumbing for new tee_service_contexts This will be used to enable some VMs to issue custom vendor-defined SMCs. On the Android host side, the allow list of what VMs can access what SMC services via selinux. In short the implementation will look like these: * new tee_service_contexts defines all SMC services available to VMs and their mapping to selinux labels * sepolicy defines what VMs can access what SMC services. The access control is defined at the "VM owner process" (i.e. process using AVF APIs to start a VM). * virtmngr will enforce the access control by reading the mapping from /system/ect/selinux_tee_service_contexts and the using selinux_check_access function from libselinux to check if the VM owner is allowed to access requested SMC services. Since SMC is an arm concept, we use a more generic "tee_service" name to define it. More information available at go/pkvm-pvm-allow-vendor-tz-services-access Follow up patch will define an example tee_service that can be used to test these feature end-to-end. Bug: 360102915 Test: build & flasg Test: adb shell ls -alZ /system/etc/selinux/tee_service_contexts Change-Id: I14976767ae1817688584f8f225dc8127647c13cc

commit: 48966b6105be61ea89f42310532582a2059f2b89 [log] [tgz]
author: Nikita Ioffe <ioffe@google.com> Tue Oct 22 14:01:17 2024 +0000
committer: Nikita Ioffe <ioffe@google.com> Tue Nov 12 15:37:53 2024 +0000
tree: ef50713f5289b84f5b838a589822972a371be8a9
parent: 292fc6fe12a64e02a101f3db5e4bb60032cb00b0 [diff]
diff --git a/private/access_vectors b/private/access_vectors
index 9d82ac8..f91c1a4 100644
--- a/private/access_vectors
+++ b/private/access_vectors

@@ -807,3 +807,8 @@
 {
 	create
 }
+
+class tee_service
+{
+	use
+}

diff --git a/private/attributes b/private/attributes
index 7e25e94..13479c9 100644
--- a/private/attributes
+++ b/private/attributes

@@ -27,3 +27,7 @@
 # WARNING: USING THE update_provider ATTRIBUTE WILL CAUSE CTS TO FAIL!
 attribute update_provider;
 expandattribute update_provider false;
+
+until_board_api(202504, `
+    attribute tee_service_type;
+')

diff --git a/private/file.te b/private/file.te
index 60aa5d5..df17906 100644
--- a/private/file.te
+++ b/private/file.te

@@ -244,5 +244,10 @@
     # boot otas for 16KB developer option
     type vendor_boot_ota_file, vendor_file_type, file_type;
 ')
+
+until_board_api(202504, `
+    type tee_service_contexts_file, system_file_type, file_type;
+')
+
 ## END Types added in 202504 in public/file.te
 

diff --git a/private/file_contexts b/private/file_contexts
index a957f24..20ef9b8 100644
--- a/private/file_contexts
+++ b/private/file_contexts

@@ -83,6 +83,7 @@
 /vendor_seapp_contexts      u:object_r:seapp_contexts_file:s0
 /plat_seapp_contexts     u:object_r:seapp_contexts_file:s0
 /sepolicy           u:object_r:sepolicy_file:s0
+/plat_tee_service_contexts   u:object_r:tee_service_contexts_file:s0
 /plat_service_contexts   u:object_r:service_contexts_file:s0
 /plat_hwservice_contexts   u:object_r:hwservice_contexts_file:s0
 /plat_keystore2_key_contexts u:object_r:keystore2_key_contexts_file:s0
@@ -377,6 +378,7 @@
 /system/etc/selinux/mapping/[0-9]+\.[0-9]+(\.compat)?\.cil       u:object_r:sepolicy_file:s0
 /system/etc/selinux/plat_mac_permissions\.xml u:object_r:mac_perms_file:s0
 /system/etc/selinux/plat_property_contexts  u:object_r:property_contexts_file:s0
+/system/etc/selinux/plat_tee_service_contexts  u:object_r:tee_service_contexts_file:s0
 /system/etc/selinux/plat_service_contexts  u:object_r:service_contexts_file:s0
 /system/etc/selinux/plat_hwservice_contexts  u:object_r:hwservice_contexts_file:s0
 /system/etc/selinux/plat_keystore2_key_contexts  u:object_r:keystore2_key_contexts_file:s0
@@ -493,6 +495,7 @@
 /(odm|vendor/odm)/etc/selinux/odm_hwservice_contexts            u:object_r:hwservice_contexts_file:s0
 /(odm|vendor/odm)/etc/selinux/odm_keystore2_key_contexts        u:object_r:keystore2_key_contexts_file:s0
 /(odm|vendor/odm)/etc/selinux/odm_mac_permissions\.xml          u:object_r:mac_perms_file:s0
+/(odm|vendor/odm)/etc/selinux/odm_tee_service_contexts          u:object_r:tee_service_contexts_file:s0
 
 #############################
 # Product files
@@ -509,6 +512,7 @@
 /(product|system/product)/etc/selinux/product_seapp_contexts     u:object_r:seapp_contexts_file:s0
 /(product|system/product)/etc/selinux/product_service_contexts   u:object_r:service_contexts_file:s0
 /(product|system/product)/etc/selinux/product_mac_permissions\.xml u:object_r:mac_perms_file:s0
+/(product|system/product)/etc/selinux/product_tee_service_contexts  u:object_r:tee_service_contexts_file:s0
 
 /(product|system/product)/lib(64)?(/.*)?                         u:object_r:system_lib_file:s0
 
@@ -545,6 +549,7 @@
 /(system_ext|system/system_ext)/lib(64)?(/.*)?      u:object_r:system_lib_file:s0
 
 /(system_ext|system/system_ext)/etc/aconfig(/.*)?                u:object_r:system_aconfig_storage_file:s0
+/(system_ext|system/system_ext)/etc/selinux/system_ext_tee_service_contexts  u:object_r:tee_service_contexts_file:s0
 
 #############################
 # VendorDlkm files

diff --git a/private/security_classes b/private/security_classes
index 1d13d9f..0537214 100644
--- a/private/security_classes
+++ b/private/security_classes

@@ -172,3 +172,6 @@
 
 class drmservice                # userspace
 # FLASK
+
+# Permissions for VMs to access SMC services
+class tee_service            		# userspace

diff --git a/private/shell.te b/private/shell.te
index 38c5ac8..31bf506 100644
--- a/private/shell.te
+++ b/private/shell.te

@@ -483,6 +483,8 @@
   allow shell linux_vm_setup_exec:file { entrypoint r_file_perms };
 ')
 
+allow shell tee_service_contexts_file:file r_file_perms;
+
 # Everything is labeled as rootfs in recovery mode. Allow shell to
 # execute them.
 recovery_only(`

diff --git a/private/tee_service_contexts b/private/tee_service_contexts
new file mode 100644
index 0000000..3791876
--- /dev/null
+++ b/private/tee_service_contexts

@@ -0,0 +1,9 @@
+# Tee services contexts.
+#
+# This file defines all tee services available to VMs.
+# This file is read by virtmngr.
+#
+# Format:
+# <tee_service_name> <label>
+#
+# <tee_service_name> must be a string

diff --git a/private/tee_services.te b/private/tee_services.te
new file mode 100644
index 0000000..c6fdb5c
--- /dev/null
+++ b/private/tee_services.te

@@ -0,0 +1,3 @@
+# Specify tee_services in this file.
+# Please keep the names in the alphabetical order and comment each new entry.
+

diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index 023e3e9..ca72279 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te

@@ -135,3 +135,10 @@
     allow virtualizationmanager tun_device:chr_file rw_file_perms;
     allow virtualizationmanager vmnic:fd use;
 ')
+
+# virtualizationmanager reads tee_service_contexts_file to determine if VM is allowed
+# to access requested tee services
+allow virtualizationmanager tee_service_contexts_file:file r_file_perms;
+# virtualizationmanager uses libselinux to check if VM is allowed to access requested
+# tee services.
+selinux_check_access(virtualizationmanager)
commit	48966b6105be61ea89f42310532582a2059f2b89	[log] [tgz]
author	Nikita Ioffe <ioffe@google.com>	Tue Oct 22 14:01:17 2024 +0000
committer	Nikita Ioffe <ioffe@google.com>	Tue Nov 12 15:37:53 2024 +0000
tree	ef50713f5289b84f5b838a589822972a371be8a9
parent	292fc6fe12a64e02a101f3db5e4bb60032cb00b0 [diff]