Introduce vm_manager_device_type for crosvm
Introduce a hypervisor-generic attribute for VM manager devices:
vm_manager_device_type.
Bug: 274758531
Change-Id: I0937e2c717ff973eeb61543bd05a7dcc2e5dc19c
Suggested-by: Steven Moreland <smoreland@google.com>
Signed-off-by: Elliot Berman <quic_eberman@quicinc.com>
diff --git a/private/crosvm.te b/private/crosvm.te
index df97235..f1012b7 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -2,14 +2,20 @@
type crosvm_exec, system_file_type, exec_type, file_type;
type crosvm_tmpfs, file_type;
-# Let crosvm open /dev/kvm.
-allow crosvm kvm_device:chr_file rw_file_perms;
+# Let crosvm open VM manager devices such as /dev/kvm.
+allow crosvm vm_manager_device_type:chr_file rw_file_perms;
# Most other domains shouldn't access /dev/kvm.
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };
+# Most other domains shouldn't access other vm managers either.
+# These restrictions need to be slightly looser than for kvm_device to allow
+# for different implementations.
+neverallow { coredomain appdomain -crosvm -ueventd -shell } vm_manager_device_type:chr_file getattr;
+neverallow { coredomain appdomain -crosvm -ueventd } vm_manager_device_type:chr_file ~getattr;
+
# Let crosvm create temporary files.
tmpfs_domain(crosvm)
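Review bot: The two new `neverallow { coredomain appdomain ... }` rules only cover core and app domains and have no `neverallowxperm` counterpart, so a vendor domain can be granted unrestricted ioctl access to any type carrying vm_manager_device_type; kvm_device stays ioctl-restricted only because its own rules above are retained. The comment says the restrictions are "slightly looser ... to allow for different implementations" but does not say which domains are intended to be let in, which is what a later reviewer of a vendor allow rule needs to know. I would make the intent explicit, e.g. `# Vendor domains (outside coredomain/appdomain) are deliberately not covered so vendor policy can grant its own VMM access; that access should be scoped to the VMM domain only.` The `allow crosvm vm_manager_device_type:chr_file rw_file_perms;` line also grants crosvm every device that carries the attribute, so its comment could say `# Let crosvm open VM manager devices such as /dev/kvm (any chr_file type attributed vm_manager_device_type).` to make that reach visible.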
diff --git a/private/file.te b/private/file.te
index 539e63e..f6781b0 100644
--- a/private/file.te
+++ b/private/file.te
@@ -104,7 +104,7 @@
# /dev/kvm
# The type needs to be mlstrustedobject to allow for being accessed from
# crosvm, which runs at a more constrained MLS level.
-type kvm_device, dev_type, mlstrustedobject;
+type kvm_device, dev_type, mlstrustedobject, vm_manager_device_type;
# /apex/com.android.virt/bin/fd_server
type fd_server_exec, system_file_type, exec_type, file_type;
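Review bot: The comment above kvm_device explains that mlstrustedobject is needed because crosvm runs at a constrained MLS level, but after this change that requirement applies to every type that carries vm_manager_device_type, and nothing in the patch documents or enforces it. A vendor type given the attribute without mlstrustedobject would presumably still be blocked by the MLS constraints despite the new allow rule in crosvm.te — confirm against the mls constraint file. I would extend the comment here: `# Any other type attributed vm_manager_device_type must also be mlstrustedobject for the same reason.`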
diff --git a/private/init.te b/private/init.te
index 72dedd2..9d3a2c3 100644
--- a/private/init.te
+++ b/private/init.te
@@ -120,6 +120,6 @@
dev_type
-hw_random_device
-keychord_device
- -kvm_device
+ -vm_manager_device_type
-port_device
}:chr_file setattr;
diff --git a/private/vendor_init.te b/private/vendor_init.te
index acbd84e..1680f96 100644
--- a/private/vendor_init.te
+++ b/private/vendor_init.te
@@ -19,7 +19,7 @@
allow vendor_init {
dev_type
-keychord_device
- -kvm_device
+ -vm_manager_device_type
-port_device
-lowpan_device
-hw_random_device
diff --git a/public/attributes b/public/attributes
index 0b5f596..7f27c18 100644
--- a/public/attributes
+++ b/public/attributes
@@ -417,6 +417,9 @@
attribute dmabuf_heap_device_type;
expandattribute dmabuf_heap_device_type false;
+# Types for VM managers
+attribute vm_manager_device_type;
+
# All types used for DSU metadata files.
attribute gsi_metadata_file_type;
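Review bot: The new attribute has no `expandattribute vm_manager_device_type false;` line, unlike the neighbouring dmabuf_heap_device_type; with only kvm_device attached today the attribute may be expanded away at policy build time, and since it lives in public/attributes for vendor types to join, it may need to be kept unexpanded — confirm against how the other *_device_type attributes in this file are declared. The comment `# Types for VM managers` also does not state the contract that attaching the attribute grants crosvm rw_file_perms on the device and subjects it to the coredomain/appdomain neverallows in crosvm.te. I would write `# Types for VM manager devices (e.g. /dev/kvm). crosvm is allowed rw access to every chr_file type carrying this attribute, so attach it only to the hypervisor control device.`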