Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 8a881c14bfffa4f7ffc02bd4552b8ea4f7b2d2b8^! / . / private
commit8a881c14bfffa4f7ffc02bd4552b8ea4f7b2d2b8[log] [tgz]
authorAlan Stokes <alanstokes@google.com>Fri Jan 21 12:18:08 2022 +0000
committerAlan Stokes <alanstokes@google.com>Fri Jan 21 13:44:38 2022 +0000
tree444f3e1a7d6ec20505d06a95f37060f0b0efbdfa
parent001b47c5478434cfa5210e7e5842d16e4197c57f [diff]
Fix virtualizationservice denials

Allow logging to statsd - see
commit 3ffa832c6325bc9640baea66192e4e2c64349bc8.

Allow ioctl on /dev/kvm (allowxperm isn't enough) - see
commit 2dd48d0400ad214948d7d5863e5d90b18a07dcb1.

Ignore spurious errors on /proc/fd/1 when running derive_classpath - see
commit 3fad86bb8a055f06123fce561531f64c6429572c.

This fixes these denials:
avc: denied { write } for name="statsdw" dev="tmpfs" ino=984 scontext=u:r:virtualizationservice:s0 tcontext=u:object_r:statsdw_socket:s0 tclass=sock_file permissive=0
avc: denied { ioctl } for path="/dev/kvm" dev="tmpfs" ino=766 ioctlcmd=0xae03 scontext=u:r:virtualizationservice:s0 tcontext=u:object_r:kvm_device:s0 tclass=chr_file permissive=0
avc: denied { write } for name="fd" dev="proc" ino=63285 scontext=u:r:virtualizationservice:s0 tcontext=u:r:virtualizationservice:s0 tclass=dir permissive=0

Bug: 209008347
Bug: 210472252
Bug: 210803811
Test: Start VM, don't see denials.
Change-Id: I4c67746c1312553ee1155098ac27fc0d46c6f521

diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index d304ae6..c4f2cd9 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te

@@ -55,17 +55,22 @@
 # Run derive_classpath in our domain
 allow virtualizationservice derive_classpath_exec:file rx_file_perms;
 allow virtualizationservice apex_mnt_dir:dir r_dir_perms;
+# Ignore harmless denials on /proc/self/fd
+dontaudit virtualizationservice self:dir write;
 
 # Let virtualizationservice to accept vsock connection from the guest VMs
 allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
 
 # Allow virtualization to ioctl on dev/kvm only to check if protected VM is supported or not.
-allow virtualizationservice kvm_device:chr_file { open read write };
+allow virtualizationservice kvm_device:chr_file { open read write ioctl };
 allowxperm virtualizationservice kvm_device:chr_file ioctl KVM_CHECK_EXTENSION;
 
 # Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
 set_prop(virtualizationservice, virtualizationservice_prop)
 
+# Allow writing stats to statsd
+unix_socket_send(virtualizationservice, statsdw, statsd)
+
 neverallow {
   domain
   -init