Introduce vendor_microdroid_file for microdroid vendor image
In AVF, virtualizationmanager checks the selinux label of given disk
image for proving whether the given image is edited maliciously.
Existing one(vendor_configs_file, /vendor/etc/*) was too wide to use for this purpose.
Bug: 285854379
Test: m
Change-Id: I6c966c92b238a2262d2eb7f41041ed4c359e9e0a
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index ddaa7e2..83e3b3d 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -27,4 +27,5 @@
binderfs_logs_stats
drm_forcel3_prop
proc_percpu_pagelist_high_fraction
+ vendor_microdroid_file
))
diff --git a/private/crosvm.te b/private/crosvm.te
index afcaa3d..ed89b87 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -27,7 +27,7 @@
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
-# /data/local/tmp), and instance.img (app_data_file).
+# /data/local/tmp), instance.img (app_data_file), and microdroid vendor image (vendor_microdroid_file).
# Allow crosvm to read the instance image of the service VM saved in apex_virt_data_file.
# Note that the open permission is not given as the files are passed as file descriptors.
allow crosvm {
@@ -39,6 +39,7 @@
apex_compos_data_file
apex_virt_data_file
shell_data_file
+ vendor_microdroid_file
}:file { getattr read ioctl lock };
# Allow searching the directory where the composite disk images are.
@@ -126,6 +127,7 @@
# These types are not required for crosvm, but the access is granted to globally in domain.te
# thus should be exempted here.
-vendor_configs_file
+ -vendor_microdroid_file
-vndk_sp_file
-vendor_task_profiles_file
}:file *;
diff --git a/private/domain.te b/private/domain.te
index 0861fa5..2f107dd 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -610,6 +610,7 @@
-vendor_apex_file
-vendor_apex_metadata_file
-vendor_configs_file
+ -vendor_microdroid_file
-vendor_service_contexts_file
-vendor_framework_file
-vendor_idc_file
diff --git a/private/file_contexts b/private/file_contexts
index b7f1a34..32092da 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -412,6 +412,7 @@
/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
/(vendor|system/vendor)/etc/cgroups\.json u:object_r:vendor_cgroup_desc_file:s0
/(vendor|system/vendor)/etc/task_profiles\.json u:object_r:vendor_task_profiles_file:s0
+/(vendor|system/vendor)/etc/avf/microdroid(/.*)? u:object_r:vendor_microdroid_file:s0
/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
diff --git a/private/shell.te b/private/shell.te
index aa6bef8..e410862 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -132,6 +132,9 @@
allow shell self:perf_event { open read write kernel };
neverallow shell self:perf_event ~{ open read write kernel };
+# Allow shell to read microdroid vendor image
+r_dir_file(shell, vendor_microdroid_file)
+
# Allow shell to read /apex/apex-info-list.xml and the vendor apexes
allow shell apex_info_file:file r_file_perms;
allow shell vendor_apex_file:file r_file_perms;
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index d6f0e19..871d3f2 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -94,6 +94,9 @@
allow virtualizationmanager shell_data_file:file open;
')
+# Allow virtualizationmanager to read microdroid related files in vendor partition
+r_dir_file(virtualizationmanager, vendor_microdroid_file)
+
# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
r_dir_file(virtualizationmanager, crosvm);