Add rules for virtualizationservice and crosvm
The tests for these services have been running with SELinux disabled. This
change adds the rules required to run them with SELinux enabled.
Below is the summary of the added rules.
* crosvm can read the composite disk files and other files (APKs,
APEXes) that serve as backing store of the composite disks.
* virtualizationservice has access to several binder services
- permission_service: to check Android permission
- apexd: to get apex files list (this will be removed eventually)
* Both have read access to shell_data_file (/data/local/tmp/...) for
testing purpose. This is not allowed for the user build.
* virtualizationservice has access to the pseudo terminal opened by adbd
so that it can write output to the terminal when the 'vm' tool is
invoked in shell.
Bug: 168588769
Test: /apex/com.android.virt/bin/vm run-app --log /dev/null
/data/local/tmp/virt/MicrodroidDemoApp.apk
/data/local/tmp/virt/MicrodroidDemoApp.apk.idsig
/data/local/tmp/virt/instance.img
assets/vm_config.json
without disabling selinux.
Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
diff --git a/private/app.te b/private/app.te
index 2b3554f..a33b6a0 100644
--- a/private/app.te
+++ b/private/app.te
@@ -103,3 +103,8 @@
-system_data_file # shared libs in apks
-apk_data_file
}:file no_x_file_perms;
+
+# Allow apps to read/write vsock created by virtualizationservice to communicate with
+# the VM that the app created. Notice that the app doesn't have permission to create
+# a vsock by itself; it can't connect to other VMs that it doesn't own.
+allow appdomain virtualizationservice:vsock_socket { getattr read write };
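Review bot: The comment on the new allow rule claims an app cannot create a vsock of its own, but nothing in this hunk enforces that; the rule only grants `getattr read write` on sockets labeled `virtualizationservice`, and the neverallow that backs the claim (in app_neverallows.te) is scoped to `all_untrusted_apps`, whereas this rule targets the whole `appdomain` attribute. Platform, system and priv apps are therefore outside the neverallow and rely only on the absence of an allow rule. Suggest narrowing the claim, e.g. `# Untrusted apps are prevented from doing anything else (including creating their own vsock) by a neverallow in app_neverallows.te; other app domains are not neverallow-constrained here.`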
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 5c41b02..eb93529 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -114,9 +114,13 @@
ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
- alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
+ alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
} *;
+# Apps can read/write vsock created by virtualizationservice to communicate with the VM that they own,
+# but nothing more than that (e.g. creating a new vsock, etc.)
+neverallow all_untrusted_apps virtualizationservice:vsock_socket ~{ getattr read write };
+
# Disallow sending RTM_GETLINK messages on netlink sockets.
neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
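Review bot: Dropping `vsock_socket` from the blanket socket neverallow removes the restriction for every target, but the replacement rule only constrains sockets labeled `virtualizationservice`, so the comment's claim that untrusted apps can do "nothing more than that (e.g. creating a new vsock)" is no longer enforced at policy-compile time: a future `allow untrusted_app self:vsock_socket create` or access to another domain's vsock would pass. Keep the blanket restriction for all other targets alongside the new rule, `neverallow all_untrusted_apps { domain -virtualizationservice }:vsock_socket *;`, so the exception is exactly the getattr/read/write case the comment describes.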
diff --git a/private/crosvm.te b/private/crosvm.te
index b139286..42e5181 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -2,12 +2,6 @@
type crosvm_exec, system_file_type, exec_type, file_type;
type crosvm_tmpfs, file_type;
-# Let crosvm create temporary files.
-tmpfs_domain(crosvm)
-
-# Let crosvm receive file descriptors from VirtualizationService.
-allow crosvm virtualizationservice:fd use;
-
# Let crosvm open /dev/kvm.
allow crosvm kvm_device:chr_file rw_file_perms;
@@ -15,9 +9,53 @@
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
-# Let crosvm read and write files from clients of virtualizationservice, but not open them directly
-# as they must be passed via virtualizationservice.
-allow crosvm apk_data_file:file { getattr read };
-allow crosvm app_data_file:file { getattr read write };
-# shell_data_file is used for automated tests and manual debugging.
-allow crosvm shell_data_file:file { getattr read write };
+# Let crosvm create temporary files.
+tmpfs_domain(crosvm)
+
+# Let crosvm receive file descriptors from VirtualizationService.
+allow crosvm virtualizationservice:fd use;
+
+# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
+# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
+# /data/local/tmp), and instance.img (app_data_file). Note that the open permission is not given as
+# the files are passed as file descriptors.
+allow crosvm {
+ virtualizationservice_data_file
+ staging_data_file
+ apk_data_file
+ app_data_file
+ userdebug_or_eng(`shell_data_file')
+}:file { getattr read ioctl lock };
+
+# Allow searching the directory where the composite disk images are.
+allow crosvm virtualizationservice_data_file:dir search;
+
+# TODO(b/193402941) delete this. This for now is required because crosvm needs to open the files for
+# the GPT headers of the composite disks.
+allow crosvm virtualizationservice_data_file:file open;
+
+# Don't allow crosvm to open files that it doesn't own.
+neverallow crosvm {
+ #TODO(b/193402941) uncomment the following line
+ #virtualizationservice_data_file
+ staging_data_file
+ apk_data_file
+ app_data_file
+ userdebug_or_eng(`-shell_data_file')
+}:file open;
+
+# The instance image and the composite image should be writable as well because they could represent
+# mutable disks.
+allow crosvm {
+ virtualizationservice_data_file
+ app_data_file
+}:file write;
+
+# Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
+allow crosvm { adbd appdomain }:fd use;
+allow crosvm adbd:unix_stream_socket { read write };
+allow crosvm appdomain:fifo_file { read write };
+
+# The console log can also be written to /data/local/tmp. This is not safe as the log then can be
+# visible to the processes which don't own the VM. Therefore, this is a debugging only feature.
+userdebug_or_eng(`allow crosvm shell_data_file:file w_file_perms;')
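Review bot: The rule `allow crosvm { virtualizationservice_data_file ... }:file { getattr read ioctl lock };` grants unrestricted `ioctl` on descriptors that originate from apps (`app_data_file`, `apk_data_file`), which the rules it replaces did not; if crosvm needs one specific ioctl for its disk backend, bound it with `allowxperm crosvm { ... }:file ioctl { <cmd> };` and a comment naming the command, otherwise document why arbitrary ioctls are required. Separately, `userdebug_or_eng(`-shell_data_file')` inside the `neverallow crosvm { ... }:file open;` set appears to be a no-op: the set lists positive types only and `shell_data_file` is never a member, so as far as I can tell nothing is subtracted on userdebug builds and nothing is forbidden on user builds — the user-build restriction is carried solely by the neverallow in domain.te. Either drop that line or list the type positively for user builds, e.g. `userdebug_or_eng(`', `shell_data_file')`.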
diff --git a/private/domain.te b/private/domain.te
index 7f4401d..9eeee88 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -216,6 +216,7 @@
-iorap_inode2filename
-priv_app
-virtualizationservice
+ -crosvm
} staging_data_file:file *;
neverallow { domain -init -system_server -installd} staging_data_file:dir no_w_dir_perms;
# apexd needs the link and unlink permissions, so list every `no_w_file_perms`
@@ -553,3 +554,18 @@
-tracefs_type
}:file no_rw_file_perms;
')
+
+# Restrict write access to shell owned files. The /data/local/tmp directory is
+# untrustworthy, and non-allowed domains should not be trusting any content in
+# those directories. We allow shell files to be passed around by file
+# descriptor, but not directly opened.
+neverallow {
+ domain
+ -adbd
+ -appdomain
+ -dumpstate
+ -installd
+ userdebug_or_eng(`-uncrypt')
+ userdebug_or_eng(`-virtualizationservice')
+ userdebug_or_eng(`-crosvm')
+} shell_data_file:file open;
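Review bot: The `userdebug_or_eng(`-virtualizationservice')` exemption from the shell_data_file `open` neverallow has no matching allow anywhere in this change: virtualizationservice.te still grants only `{ getattr read write }` on `shell_data_file`, and the commit message says the files arrive as descriptors from the shell client. Unless an open rule exists outside this diff, the exemption only widens what a future allow could grant; drop it, or if virtualizationservice does open the log file itself, add that allow under `userdebug_or_eng` and say so here. The crosvm exemption is consistent with the `w_file_perms` (which includes `open`) granted in crosvm.te, so the comment above the set should say that the VM domains may open `/data/local/tmp` only for the console-log debugging feature, e.g. `# virtualizationservice/crosvm (userdebug/eng only) may open files here to write the VM console log for debugging.`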
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 4efe355..837fc59 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -7,6 +7,14 @@
# Let the virtualizationservice domain use Binder.
binder_use(virtualizationservice)
+# ... and host a binder service
+binder_service(virtualizationservice)
+# It needs to call back to app
+binder_call(virtualizationservice, appdomain)
+
+# Allow calling into the system server so that it can check permissions.
+binder_call(virtualizationservice, system_server)
+allow virtualizationservice permission_service:service_manager find;
# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
add_service(virtualizationservice, virtualization_service)
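Review bot: The comment `# Allow calling into the system server so that it can check permissions.` should name which Android permission is checked and what it gates, because with `virtualization_service` becoming an `app_api_service` in this same change that permission check is the only access control between an arbitrary app and VM creation — SELinux no longer restricts who can find or call the service. Suggest something like `# virtualizationservice is reachable by apps (app_api_service); the <PERMISSION> check it performs via permission_service is the only gate on VM creation.` with the real permission name filled in. The `binder_call(virtualizationservice, appdomain)` line would likewise benefit from saying what is called back, so a future reader does not widen it.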
@@ -32,22 +40,28 @@
allow virtualizationservice $1:fd use;
')
-# Let the shell user call virtualizationservice for debugging.
+# Let the shell user call virtualizationservice (and virtualizationservice call back to shell) for
+# debugging.
virtualizationservice_use(shell)
+binder_call(virtualizationservice, shell)
+
+# Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
+# crosvm to the console
+allow virtualizationservice adbd:fd use;
+allow virtualizationservice adbd:unix_stream_socket { read write };
# Let virtualizationservice read and write files from its various clients, but not open them
# directly as they must be passed over Binder by the client.
allow virtualizationservice apk_data_file:file { getattr read };
+# Write access is needed for mutable partitions like instance.img
allow virtualizationservice app_data_file:file { getattr read write };
# shell_data_file is used for automated tests and manual debugging.
allow virtualizationservice shell_data_file:file { getattr read write };
-# Allow virtualizationservice to access apex files in /data/apex/{active,decompressed}
+# Allow virtualizationservice to read apex-info-list.xml and access the APEX files listed there.
+allow virtualizationservice apex_info_file:file r_file_perms;
allow virtualizationservice apex_data_file:dir search;
allow virtualizationservice staging_data_file:file r_file_perms;
-# Allow virtualizationservice to read apex-info-list.xml
-allow virtualizationservice apex_info_file:file r_file_perms;
-
# Let virtualizationservice to accept vsock connection from the guest VMs
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
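Review bot: The commit message says shell_data_file access for both domains is not allowed on user builds, but the context line `allow virtualizationservice shell_data_file:file { getattr read write };` remains unconditional, while the matching crosvm rule in crosvm.te is wrapped in `userdebug_or_eng`; wrap it the same way, `userdebug_or_eng(`allow virtualizationservice shell_data_file:file { getattr read write };')`, or correct the description. The new comment also says the inherited fd is e.g. `/dev/pts/0`, but the class granted is `adbd:unix_stream_socket`; a pty is a `devpts` `chr_file`, so as written the redirect only covers a non-tty adb shell unless a devpts rule exists elsewhere — either add that rule or reword the comment to say the adb shell's socket. The `virtualizationservice_use` macro whose closing `')` opens this hunk is defined above the hunk.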
diff --git a/public/domain.te b/public/domain.te
index 799a2f1..3643d8c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1227,17 +1227,6 @@
userdebug_or_eng(`-uncrypt')
} shell_data_file:dir { open search };
-# Same as above for /data/local/tmp files. We allow shell files
-# to be passed around by file descriptor, but not directly opened.
-neverallow {
- domain
- -adbd
- -appdomain
- -dumpstate
- -installd
- userdebug_or_eng(`-uncrypt')
-} shell_data_file:file open;
-
# servicemanager and vndservicemanager are the only processes which handle the
# service_manager list request
neverallow * ~{
diff --git a/public/service.te b/public/service.te
index 5e94477..6a80c8d 100644
--- a/public/service.te
+++ b/public/service.te
@@ -43,7 +43,7 @@
type system_suspend_control_service, service_manager_type;
type update_engine_service, service_manager_type;
type update_engine_stable_service, service_manager_type;
-type virtualization_service, service_manager_type;
+type virtualization_service, app_api_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;
type vold_service, service_manager_type;
type vr_hwc_service, service_manager_type;
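Review bot: Adding `app_api_service` to `virtualization_service` makes the service discoverable by every domain that may find `app_api_service` (in AOSP that is, as far as I recall, `appdomain` minus isolated apps), so the SELinux layer no longer restricts which apps can reach virtualizationservice; VM creation is then gated solely by the in-service permission check that this commit wires up through `permission_service`. That is a deliberate trust shift and deserves a comment on the type line, e.g. `# Exposed to apps: callers are gated by an Android permission check inside virtualizationservice, not by SELinux.` If the intent is to keep the service away from ephemeral or other lower-trust app domains, consider whether a narrower attribute than `app_api_service` fits.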