sepolicy for crosvm to support virtiofs
sepolicy settings to mount the Terminal app's internal
storage "/data/data/com.google.android.virtualization.terminal/files"
inside the guest VM. Currently the policy only grants the
permissions needed for read-only mounts.
Audits:
avc: denied { search } for comm="v_fs:android:1"
name="com.google.android.virtualization.terminal" dev="dm-57" ino=7989
scontext=u:r:crosvm:s0:c37,c257,c512,c768
tcontext=u:object_r:privapp_data_file:s0:c37,c257,c512,c768 tclass=dir
permissive=0 app=com.google.android.virtualization.terminal
avc: denied { read } for comm="v_fs:android:1"
name="files" dev="dm-57" ino=13404 scontext=u:r:crosvm:s0:c37,c257,c512,c768
tcontext=u:object_r:privapp_data_file:s0:c37,c257,c512,c768 tclass=dir
permissive=0 app=com.google.android.virtualization.terminal
avc: denied { open } for comm="v_fs:android:1"
path="/data/data/com.google.android.virtualization.terminal/files"
dev="dm-57" ino=13404 scontext=u:r:crosvm:s0:c37,c257,c512,c768
tcontext=u:object_r:privapp_data_file:s0:c37,c257,c512,c768
tclass=dir permissive=0 app=com.google.android.virtualization.terminal
avc: denied { getattr } for comm="v_fs:android:1"
path="/data/data/com.google.android.virtualization.terminal/files"
dev="dm-57" ino=13404 scontext=u:r:crosvm:s0:c37,c257,c512,c768
tcontext=u:object_r:privapp_data_file:s0:c37,c257,c512,c768
tclass=dir permissive=0 app=com.google.android.virtualization.terminal
avc: denied { open } for comm="v_fs:android:1"
path="/data/data/com.google.android.virtualization.terminal/files/debian.log"
dev="dm-57" ino=32576 scontext=u:r:crosvm:s0:c37,c257,c512,c768
tcontext=u:object_r:privapp_data_file:s0:c37,c257,c512,c768
tclass=file permissive=0 app=com.google.android.virtualization.terminal
Bug: 372171883
Test: Mount
"/data/data/com.google.android.virtualization.terminal/files" inside
guest VM. Read debian.log - verify no selinux audits
Change-Id: Ia1c71612d6e3ecaf89654e50fb95993276884706
Signed-off-by: Akilesh Kailash <akailash@google.com>
diff --git a/private/crosvm.te b/private/crosvm.te
index f64690f..71a35d9 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -112,6 +112,11 @@
allow crosvm virtualization_service:service_manager find;
allow crosvm virtualizationservice:binder { call transfer };
+ # Allow crosvm to mount Terminal app internal storage directory
+ # to guest VM over virtiofs
+ allow crosvm privapp_data_file:dir { getattr open read search };
+ allow crosvm privapp_data_file:file { open };
+
# Allow crosvm to play sound.
binder_call(crosvm, audioserver)
allow crosvm audioserver_service:service_manager find;
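Review bot: The new allow rules on lines 46–47 are keyed on the whole `privapp_data_file` type, so they grant crosvm read access to the internal storage of every privileged app, not only the Terminal app named in the comment; from the audits, the only thing narrowing this to the launching app appears to be the matching MLS categories (c37,c257,c512,c768) on crosvm's own context, and that should be stated rather than left implicit. Suggest extending the comment to `# Type-wide: crosvm can reach any privapp_data_file dir that the MLS categories of its own context permit. Deliberately read-only: no write/create/setattr.`, and consider a dedicated file type for the Terminal app's files directory so the rule can be scoped to that app instead of the whole priv-app class. Also, `file { open }` without `read` on line 47 looks incomplete for a read-only mount unless crosvm already holds `read` on this type elsewhere in crosvm.te — the audit shows only `open` denied, so confirm which it is before relying on it.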
@@ -174,12 +179,14 @@
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
# open them on its behalf. By preventing crosvm from opening any other files we prevent this
# potential privilege escalation. See http://b/192453819 for more discussion.
+#
+# crosvm requires access to terminal app internal storage; the directory
+# is passed as a mount point to guest VM over virtiofs.
neverallow crosvm {
virtualizationservice_data_file
staging_data_file
apk_data_file
app_data_file
- privapp_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
userdebug_or_eng(`-shell_data_file')
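Review bot: The comment added on lines 56–58 says what crosvm needs but not why the threat described just above it (a malicious VM image naming files it cannot open itself, to have crosvm open them) is now acceptable for `privapp_data_file`, which is the type being dropped from the neverallow on line 64. A reader of this block should not have to find the allow rules to learn that the carve-out is read-only and MLS-scoped; suggest replacing the added comment with `# privapp_data_file is exempted so crosvm can export the Terminal app's files directory to the guest over virtiofs. The matching allow rules are read-only (dir search/read/open/getattr, file open) and crosvm's MLS categories limit which app's directory it can reach; a guest can at most read data of the app that launched it. See b/372171883.` The neverallow's class and permission list continue past the end of the hunk, so the exact permissions it still forbids on the remaining types cannot be confirmed here.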
diff --git a/private/domain.te b/private/domain.te
index 53e1060..38dab17 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -1658,6 +1658,7 @@
-runas
-system_server
-zygote
+ -crosvm # required to access terminal app internal storage
} {
privapp_data_file
app_data_file
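Review bot: The `-crosvm` exemption on line 76 removes crosvm from the enclosing neverallow for every type in its target list — `app_data_file` on line 79 as well as `privapp_data_file` — although the accompanying allow rules are only needed for `privapp_data_file`; the practical guard against crosvm ever being granted `app_data_file` access is now only the neverallow in crosvm.te, which is worth recording here. Suggest `-crosvm # virtiofs: read-only privapp_data_file only; crosvm.te still neverallows app_data_file`. The enclosing neverallow starts before this hunk and its target-type list continues past it, so the full scope of the exemption is not visible from the hunk.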
@@ -1723,6 +1724,7 @@
-artd # compile secondary dex files
-installd
-rs # spawned by appdomain, so carryover the exception above
+ -crosvm # required to access terminal app internal storage
} {
privapp_data_file
app_data_file