Add crosvm domain and give virtmanager and crosvm necessary permissions.

Bug: 183583115
Test: make TARGET_KERNEL_USE=5.4 TARGET_VIM3L=true
Change-Id: I566436fa2d27597566014f2a63198a88d6d2dbd6
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index fe91fa2..4703eba 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -1,2 +1,3 @@
 (/.*)?                   u:object_r:system_file:s0
+/bin/crosvm              u:object_r:crosvm_exec:s0
 /bin/virtmanager         u:object_r:virtmanager_exec:s0
diff --git a/private/crosvm.te b/private/crosvm.te
new file mode 100644
index 0000000..5d7080a
--- /dev/null
+++ b/private/crosvm.te
@@ -0,0 +1,16 @@
+type crosvm, domain, coredomain;
+type crosvm_exec, system_file_type, exec_type, file_type;
+type crosvm_tmpfs, file_type;
+
+# Let crosvm create temporary files.
+tmpfs_domain(crosvm)
+
+# Let crosvm receive file descriptors from virtmanager.
+allow crosvm virtmanager:fd use;
+
+# Let crosvm open /dev/kvm.
+allow crosvm kvm_device:chr_file rw_file_perms;
+
+# Most other domains shouldn't access /dev/kvm.
+neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
+neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
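Review bot: The comment on line 30 undersells what line 31 grants: `kvm_device` also labels `/dev/vhost-vsock` in this same change (file_contexts hunk), and `rw_file_perms` in AOSP's global_macros includes `ioctl` with no `allowxperm` allowlist, so crosvm gets every ioctl on both devices. Restricting KVM ioctls may not be practical for a VMM, but the comment should state the real scope, e.g. `# Let crosvm open and ioctl /dev/kvm and /dev/vhost-vsock (both labelled kvm_device).` The getattr neverallow on line 34 carves out `shell` without saying why; presumably so that listing /dev (e.g. `ls -l`) keeps working, which deserves a one-liner such as `# shell is excluded so that stat()ing /dev entries does not trip this neverallow.` Separately, if `tmpfs_domain()` in this tree's te_macros already declares `$1_tmpfs` (as it does in AOSP), the explicit `type crosvm_tmpfs, file_type;` on line 22 is redundant — worth confirming against the macro before keeping both.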
diff --git a/private/file.te b/private/file.te
index 984a7b6..4d43c13 100644
--- a/private/file.te
+++ b/private/file.te
@@ -56,3 +56,6 @@
 
 # /data/system/environ
 type environ_system_data_file, file_type, data_file_type, core_data_file_type;
+
+# /dev/kvm
+type kvm_device, dev_type;
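Review bot: The comment on line 45 is already out of date within this patch: `kvm_device` is applied to `/dev/vhost-vsock` as well as `/dev/kvm` in file_contexts, and crosvm.te's neverallows are written against the type, so a reader of file.te will underestimate what the type gates. If the shared label is intended, say so here: `# /dev/kvm and /dev/vhost-vsock (deliberately share one type; see neverallows in crosvm.te)`.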
diff --git a/private/file_contexts b/private/file_contexts
index 3786147..8140606 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -125,6 +125,7 @@
 /dev/pvrsrvkm		u:object_r:gpu_device:s0
 /dev/kmsg		u:object_r:kmsg_device:s0
 /dev/kmsg_debug	u:object_r:kmsg_debug_device:s0
+/dev/kvm		u:object_r:kvm_device:s0
 /dev/null		u:object_r:null_device:s0
 /dev/nvhdcp1		u:object_r:video_device:s0
 /dev/random		u:object_r:random_device:s0
@@ -189,6 +190,7 @@
 /dev/urandom		u:object_r:random_device:s0
 /dev/usb_accessory	u:object_r:usbaccessory_device:s0
 /dev/v4l-touch[0-9]*	u:object_r:input_device:s0
+/dev/vhost-vsock	u:object_r:kvm_device:s0
 /dev/video[0-9]*	u:object_r:video_device:s0
 /dev/vndbinder		u:object_r:vndbinder_device:s0
 /dev/watchdog		u:object_r:watchdog_device:s0
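Review bot: Labelling `/dev/vhost-vsock` as `kvm_device` on line 63 couples the vsock host device to the hypervisor device's policy: any domain granted `kvm_device` (crosvm, via `rw_file_perms` in crosvm.te) automatically gets both, and the neverallows written for /dev/kvm now also gate vhost-vsock. If the two should ever be separately grantable (for instance a vsock-only client that must never reach KVM), a dedicated type is cheap now and awkward to split out later: `/dev/vhost-vsock	u:object_r:vhost_vsock_device:s0` together with `type vhost_vsock_device, dev_type;` in file.te and its own crosvm allow rule. If sharing the label is deliberate, a comment next to line 63 stating that would save the next reader the question.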
diff --git a/private/init.te b/private/init.te
index 2627add..3315a35 100644
--- a/private/init.te
+++ b/private/init.te
@@ -89,3 +89,12 @@
 
 # Allow accessing /sys/kernel/tracing/instances/bootreceiver to set up tracing.
 allow init debugfs_bootreceiver_tracing:file w_file_perms;
+
+# chown/chmod on devices.
+allow init {
+  dev_type
+  -hw_random_device
+  -keychord_device
+  -kvm_device
+  -port_device
+}:chr_file setattr;
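Review bot: The new `-kvm_device` exclusion on line 81 is load-bearing, not cosmetic — `setattr` falls under `~getattr` in the second neverallow in crosvm.te, and init is not one of that neverallow's exceptions, so the policy build's neverallow check would reject this rule without the exclusion — yet nothing in the hunk says so. A one-line comment would stop someone from "simplifying" it back to the public version: `# kvm_device is excluded because only crosvm and ueventd may touch it (see neverallow in crosvm.te).` The move from public/init.te to private/init.te also appears to be forced by `kvm_device` being declared in private/file.te rather than public, which is worth a short note in the commit message or above the rule so the relocation reads as intentional.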
diff --git a/private/vendor_init.te b/private/vendor_init.te
index 83f001d..2e616f3 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -8,3 +8,13 @@
 
 # Let vendor_init set service.adb.tcp.port.
 set_prop(vendor_init, adbd_config_prop)
+
+# chown/chmod on devices, e.g. /dev/ttyHS0
+allow vendor_init {
+  dev_type
+  -keychord_device
+  -kvm_device
+  -port_device
+  -lowpan_device
+  -hw_random_device
+}:chr_file setattr;
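Review bot: The exclusion list on lines 95-100 now duplicates the one in private/init.te with a different ordering and one extra entry (`-lowpan_device`), and neither copy records why `-kvm_device` must be present in both (the `~getattr` neverallow in crosvm.te, which neither init nor vendor_init is exempt from). Ordering the entries the same way in both files and adding `# kvm_device: reserved for crosvm/ueventd, enforced by neverallow in crosvm.te` here would make the shared intent visible and keep the two lists easy to diff. If `lowpan_device` being vendor_init-only is deliberate (it was already so in the public version), a word to that effect would help too.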
diff --git a/private/virtmanager.te b/private/virtmanager.te
index b2331d4..467f7d4 100644
--- a/private/virtmanager.te
+++ b/private/virtmanager.te
@@ -1,8 +1,17 @@
 type virtmanager, domain, coredomain;
 type virtmanager_exec, system_file_type, exec_type, file_type;
 
+# When init runs a file labelled with virtmanager_exec, run it in the virtmanager domain.
 init_daemon_domain(virtmanager)
 
+# Let the virtmanager domain use Binder.
 binder_use(virtmanager)
 
+# Let the virtmanager domain register the virtualization_service with ServiceManager.
 add_service(virtmanager, virtualization_service)
+
+# When virtmanager execs a file with the crosvm_exec label, run it in the crosvm domain.
+domain_auto_trans(virtmanager, crosvm_exec, crosvm)
+
+# Let virtmanager kill crosvm.
+allow virtmanager crosvm:process sigkill;
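Review bot: Line 123 grants `sigkill` only, so virtmanager can force-terminate crosvm but cannot send SIGTERM/SIGINT for an orderly VM shutdown; if that is the intended contract the comment should say so, e.g. `# Let virtmanager forcibly kill crosvm (SIGKILL only; no graceful-shutdown signal is granted).`, and if a graceful path is planned it will need `signal` as well. Note also that `domain_auto_trans` on line 120 already covers the reverse direction (crosvm sending sigchld to virtmanager), so a reader checking for the child-exit notification need not look further. The fd-passing rule lives in crosvm.te rather than here, but crosvm will still need allow rules on the file types behind those descriptors — presumably covered elsewhere or in a follow-up; worth confirming.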
diff --git a/public/init.te b/public/init.te
index 1287ca3..893573e 100644
--- a/public/init.te
+++ b/public/init.te
@@ -320,14 +320,6 @@
   zero_device
 }:chr_file { read open };
 
-# chown/chmod on devices.
-allow init {
-  dev_type
-  -hw_random_device
-  -keychord_device
-  -port_device
-}:chr_file setattr;
-
 # Unlabeled file access for upgrades from 4.2.
 allow init unlabeled:dir { create_dir_perms relabelfrom };
 allow init unlabeled:notdevfile_class_set { create_file_perms relabelfrom };
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 25d0dcb..2aa61b7 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -155,15 +155,6 @@
   -proc_uid_concurrent_policy_time
 }:dir  { open read setattr search };
 
-# chown/chmod on devices, e.g. /dev/ttyHS0
-allow vendor_init {
-  dev_type
-  -keychord_device
-  -port_device
-  -lowpan_device
-  -hw_random_device
-}:chr_file setattr;
-
 allow vendor_init dev_type:blk_file getattr;
 
 # Write to /proc/sys/net/ping_group_range and other /proc/sys/net files.