Sepolicy setting for crosvm virtiofs mounts
With this change, crosvm won't be accessing priv_app internal storage
from crosvm domain. crosvm will be run from app domain.
Bug: 378451265
Test: Launch terminal app - verify virtiofs mount points
Change-Id: Id7801a79651a80b5482ad52694047fa0ea32ebd4
Signed-off-by: Akilesh Kailash <akailash@google.com>
diff --git a/private/crosvm.te b/private/crosvm.te
index 71a35d9..750df24 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -112,11 +112,6 @@
allow crosvm virtualization_service:service_manager find;
allow crosvm virtualizationservice:binder { call transfer };
- # Allow crosvm to mount Terminal app internal storage directory
- # to guest VM over virtiofs
- allow crosvm privapp_data_file:dir { getattr open read search };
- allow crosvm privapp_data_file:file { open };
-
# Allow crosvm to play sound.
binder_call(crosvm, audioserver)
allow crosvm audioserver_service:service_manager find;
@@ -179,14 +174,12 @@
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
# open them on its behalf. By preventing crosvm from opening any other files we prevent this
# potential privilege escalation. See http://b/192453819 for more discussion.
-#
-# crosvm requires access to terminal app internal storage; the directory
-# is passed as a mount point to guest VM over virtiofs.
neverallow crosvm {
virtualizationservice_data_file
staging_data_file
apk_data_file
app_data_file
+ privapp_data_file
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
userdebug_or_eng(`-shell_data_file')
@@ -221,10 +214,12 @@
}:file read;
# Only virtualizationmanager can run crosvm
+# Allow vmlauncher app to launch crosvm for virtiofs
neverallow {
domain
-crosvm
-virtualizationmanager
+ -vmlauncher_app
is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr')
} crosvm_exec:file no_x_file_perms;