Start using virtmgr for running VMs
Split virtualizationservice policy into rules that should remain with
the global service and rules that now apply to virtmgr - a child process
of the client that runs the VM on its behalf.
The virtualizationservice domain remains responsible for:
* allocating CIDs (access to props)
* creating temporary VM directories (virtualization_data_file, chown)
* receiving tombstones from VMs
* pushing atoms to statsd
* removing memlock rlimit from virtmgr
The new virtualizationmanager domain becomes responsible for:
* executing crosvm
* creating vsock connections, handling callbacks
* preparing APEXes
* pushing ramdumps to tombstoned
* collecting stats for telemetry atoms
The `virtualizationservice_use` macro is changed to allow client domains
to transition to the virtmgr domain upon executing it as their child,
and to allow communication over UDS.
Clients are not allowed to communicate with virtualizationservice via
Binder; only virtmgr is now allowed to do that.
Bug: 250685929
Test: atest -p packages/modules/Virtualization:avf-presubmit
Change-Id: Iefdccd908fc28e5d8c6f4566290e79ed88ade70b
diff --git a/private/crosvm.te b/private/crosvm.te
index d4d29b0..c682bb5 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -14,10 +14,10 @@
tmpfs_domain(crosvm)
# Let crosvm receive file descriptors from VirtualizationService.
-allow crosvm virtualizationservice:fd use;
+allow crosvm virtualizationmanager:fd use;
# Allow sending VirtualizationService the failure reason from the VM via pipe.
-allow crosvm virtualizationservice:fifo_file write;
+allow crosvm virtualizationmanager:fifo_file write;
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
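Review bot: the comments on both rules in this hunk still name VirtualizationService as the peer, while the rules themselves now grant `fd use` and `fifo_file write` against `virtualizationmanager`; update them so the policy documents the actual source of the descriptors and the reader of the pipe, e.g. `# Let crosvm receive file descriptors from virtualizationmanager (virtmgr).` and `# Allow sending virtualizationmanager the failure reason from the VM via pipe.` Since virtmgr runs as a child of the client process (per the commit message), the comment is the only place a reader of crosvm.te learns that the descriptors now originate from a per-client process rather than the global service.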
@@ -36,11 +36,14 @@
# Allow searching the directory where the composite disk images are.
allow crosvm virtualizationservice_data_file:dir search;
+# Allow crosvm to mlock guest memory.
+allow crosvm self:capability ipc_lock;
+
# Let crosvm access its control socket as created by VS.
# read, write, getattr: listener socket polling
# accept: listener socket accepting new connection
# Note that the open permission is not given as the socket is passed by FD.
-allow crosvm virtualizationservice:unix_stream_socket { accept read write getattr getopt };
+allow crosvm virtualizationmanager:unix_stream_socket { accept read write getattr getopt };
# Let crosvm open test artifacts under /data/local/tmp with file path. (e.g. custom pvmfw.img)
userdebug_or_eng(`
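Review bot: the new `allow crosvm self:capability ipc_lock;` grants crosvm CAP_IPC_LOCK, a privilege increase that is unrelated to the virtualizationservice-to-virtualizationmanager rename and is not mentioned in the commit message (which only describes removing the memlock rlimit from virtmgr); either split it into its own change or add a sentence to the description explaining why crosvm needs to mlock guest memory and why the rlimit adjustment on virtmgr is not sufficient on its own. Also, the comment `# Let crosvm access its control socket as created by VS.` should now refer to virtmgr/virtualizationmanager, matching the rewritten `unix_stream_socket` rule directly below it.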
@@ -110,9 +113,9 @@
-shell_data_file
}:file read;
-# Only virtualizationservice can run crosvm
+# Only virtualizationmanager can run crosvm
neverallow {
domain
-crosvm
- -virtualizationservice
+ -virtualizationmanager
} crosvm_exec:file no_x_file_perms;
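Review bot: the updated neverallow narrows execution of `crosvm_exec` to `virtualizationmanager`, which means the global `virtualizationservice` domain is now itself subject to the neverallow and must not retain any `crosvm_exec:file` execute rule in its own .te file; please confirm those rules were removed there, since a leftover allow would fail policy compilation against this neverallow. The comment `# Only virtualizationmanager can run crosvm` matches the rule; it would help to add that virtmgr is spawned per client (as the commit message says), because this neverallow is the guard that keeps client domains from exec'ing crosvm directly.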