Add rules for virtualizationservice and crosvm

The test for the services has been running with selinux disabled. To
turn selinux on, required rules are allowed.

Below is the summary of the added rules.

* crosvm can read the composite disk files and other files (APKs,
APEXes) that serve as backing store of the composite disks.
* virtualizationservice has access to several binder services
  - permission_service: to check Android permission
  - apexd: to get apex files list (this will be removed eventually)
* Both have read access to shell_data_file (/data/local/tmp/...) for
testing purposes. This is not allowed for the user build.
* virtualizationservice has access to the pseudo terminal opened by adbd
so that it can write output to the terminal when the 'vm' tool is
invoked in shell.

Bug: 168588769
Test: /apex/com.android.virt/bin/vm run-app --log /dev/null
/data/local/tmp/virt/MicrodroidDemoApp.apk
/data/local/tmp/virt/MicrodroidDemoApp.apk.idsig
/data/local/tmp/virt/instance.img
assets/vm_config.json

without disabling selinux.

Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 5c41b02..eb93529 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -114,9 +114,13 @@
   ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
   atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
   bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
-  alg_socket nfc_socket vsock_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
+  alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
 } *;
 
+# Apps can read/write vsock created by virtualizationservice to communicate with the VM that they own,
+# but nothing more than that (e.g. creating a new vsock, etc.)
+neverallow all_untrusted_apps virtualizationservice:vsock_socket ~{ getattr read write };
+
 # Disallow sending RTM_GETLINK messages on netlink sockets.
 neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
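
Review bot: The new neverallow at "virtualizationservice:vsock_socket" only constrains vsock sockets labelled with the virtualizationservice type, so removing vsock_socket from the blanket class list above leaves every other target type unguarded. That includes the case the comment names: a socket an app creates itself is labelled with the app's own domain, not virtualizationservice, so "creating a new vsock" is no longer caught by any neverallow visible in this hunk. Consider widening the target so the restriction holds regardless of who created the socket, for example: neverallow all_untrusted_apps *:vsock_socket ~{ getattr read write }; and adjust the comment to say the rule applies to any already-open vsock handed to the app. It is also worth confirming that getattr, read and write are the full set the app-side client needs on the inherited socket, since any other permission it uses will now trip this rule at build time.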