Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / e2a002cd8c92cea3bd9268d9344710fb8e9cf5a8^! / . / private
commite2a002cd8c92cea3bd9268d9344710fb8e9cf5a8[log] [tgz]
authorAlan Stokes <alanstokes@google.com>Wed Jul 28 14:05:25 2021 +0100
committerAlan Stokes <alanstokes@google.com>Wed Jul 28 14:17:20 2021 +0100
tree5fad4bbf1e34a3a598a7253ed737411b11be51f7
parent1f87fbd9fa1bdfb7183cc8da83d6058b84ef5861 [diff]
Allow CompOS to start a VM with its instance image.

The image will be stored under
/data/misc/apexdata/com.android.compos. Grant crosvm & virtualization
service read/write but not open access.

This fixes these denials:

avc: denied { read } for comm="Binder:3283_2" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:virtualizationservice:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1
avc: denied { getattr } for comm="virtualizations" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:virtualizationservice:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1

avc: denied { read } for comm="crosvm" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:crosvm:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1
avc: denied { getattr } for comm="crosvm" path="/data/misc/apexdata/com.android.compos/instance.img" dev="dm-34" ino=5548 scontext=u:r:crosvm:s0 tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=1

Test: compos_key_cmd --start /data/misc/apexdata/com.android.compos/instance.img
Test: Works in enforcing mode, no denials seen.
Bug: 193603140
Change-Id: I1137fddd02e84388af873f0e51dd080b1d803ad6

diff --git a/private/crosvm.te b/private/crosvm.te
index 42e5181..7426ef9 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te

@@ -24,6 +24,7 @@
   staging_data_file
   apk_data_file
   app_data_file
+  apex_compos_data_file
   userdebug_or_eng(`shell_data_file')
 }:file { getattr read ioctl lock };
 
@@ -49,6 +50,7 @@
 allow crosvm {
   virtualizationservice_data_file
   app_data_file
+  apex_compos_data_file
 }:file write;
 
 # Allow crosvm to pipe console log to shell or app which could be the owner of a VM.

diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 837fc59..f92c94f 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te

@@ -54,7 +54,11 @@
 # directly as they must be passed over Binder by the client.
 allow virtualizationservice apk_data_file:file { getattr read };
 # Write access is needed for mutable partitions like instance.img
-allow virtualizationservice app_data_file:file { getattr read write };
+allow virtualizationservice {
+  app_data_file
+  apex_compos_data_file
+}:file { getattr read write };
+
 # shell_data_file is used for automated tests and manual debugging.
 allow virtualizationservice shell_data_file:file { getattr read write };