Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / a9f1dc970879c38efd922ccb79a7f5b4d508ee5e^! / . / private / virtualizationservice.te
commita9f1dc970879c38efd922ccb79a7f5b4d508ee5e[log] [tgz]
authorShikha Panwar <shikhapanwar@google.com>Thu Mar 24 09:05:59 2022 +0000
committerShikha Panwar <shikhapanwar@google.com>Tue Apr 05 13:09:04 2022 +0000
treee94d4b1a2a9ea9e77ea984bc76d4e2c27ec68fe6
parent45b594f5efdd45154d0e2cebdf1be6fbc4d61c2f [diff] [blame]
Selinux configs for enabling tombstones be passed to host

For Guest: tombstone_tranmit needs permissions for:
1. keeping track of files being written on /data/tombstones.
2. creating vsock socket to talk to virtualizationservice (to forward
   these tombstones)

These permissions will be similar to tombstone_tarnsmit on cuttlefish
(device/google/cuttlefish/guest/monitoring/tombstone_transmit/tombstone_transmit.cpp)

For Host (virtualizationservice) needs:
1. permission to  connect to tombstoned.
2. permission to use fd belonging to tombstoned.
3. append and related permissions on tombstone_data file.

Test: Tested by crashing a process in guest (started using microdroid
demo)

Change-Id: Ifd0728d792bda98ba139f18fa9406494a714879d

diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 05e1664..c369a90 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te

@@ -70,6 +70,13 @@
 # Allow writing stats to statsd
 unix_socket_send(virtualizationservice, statsdw, statsd)
 
+# Allow virtualization service to talk to tombstoned to push guest tombstones
+unix_socket_connect(virtualizationservice, tombstoned_crash, tombstoned)
+
+# Append to tombstone files passed as fds from tombstoned
+allow virtualizationservice tombstone_data_file:file { append getattr };
+allow virtualizationservice tombstoned:fd use;
+
 neverallow {
   domain
   -init