Merge "Rename neverallow_test.go to sepolicy_neverallow"
diff --git a/Android.mk b/Android.mk
index dfaca5a..e235bde 100644
--- a/Android.mk
+++ b/Android.mk
@@ -527,31 +527,6 @@
include $(BUILD_PHONY_PACKAGE)
-#################################
-
-ifeq ($(mixed_sepolicy_build),true)
-ver := $(BOARD_SEPOLICY_VERS)
-reqd_policy_$(ver) := $(BOARD_REQD_MASK_POLICY)
-plat_public_policy_$(ver) := $(LOCAL_PATH)/prebuilts/api/$(ver)/public
-plat_private_policy_$(ver) := $(LOCAL_PATH)/prebuilts/api/$(ver)/private
-system_ext_public_policy_$(ver) := $(BOARD_SYSTEM_EXT_PUBLIC_PREBUILT_DIRS)
-system_ext_private_policy_$(ver) := $(BOARD_SYSTEM_EXT_PRIVATE_PREBUILT_DIRS)
-product_public_policy_$(ver) := $(BOARD_PRODUCT_PUBLIC_PREBUILT_DIRS)
-product_private_policy_$(ver) := $(BOARD_PRODUCT_PRIVATE_PREBUILT_DIRS)
-ver :=
-else
-reqd_policy_$(PLATFORM_SEPOLICY_VERSION) := $(REQD_MASK_POLICY)
-plat_public_policy_$(PLATFORM_SEPOLICY_VERSION) := $(LOCAL_PATH)/public
-plat_private_policy_$(PLATFORM_SEPOLICY_VERSION) := $(LOCAL_PATH)/private
-system_ext_public_policy_$(PLATFORM_SEPOLICY_VERSION) := $(SYSTEM_EXT_PUBLIC_POLICY)
-system_ext_private_policy_$(PLATFORM_SEPOLICY_VERSION) := $(SYSTEM_EXT_PRIVATE_POLICY)
-product_public_policy_$(PLATFORM_SEPOLICY_VERSION) := $(PRODUCT_PUBLIC_POLICY)
-product_private_policy_$(PLATFORM_SEPOLICY_VERSION) := $(PRODUCT_PRIVATE_POLICY)
-endif
-
-built_sepolicy_neverallows := $(call intermediates-dir-for,ETC,sepolicy_neverallows)/sepolicy_neverallows
-built_sepolicy_neverallows += $(call intermediates-dir-for,ETC,sepolicy_neverallows_vendor)/sepolicy_neverallows_vendor
-
##################################
# Policy files are now built with Android.bp. Grab them from intermediate.
# See Android.bp for details of policy files.
@@ -584,6 +559,8 @@
endif
built_sepolicy := $(call intermediates-dir-for,ETC,precompiled_sepolicy)/precompiled_sepolicy
+built_sepolicy_neverallows := $(call intermediates-dir-for,ETC,sepolicy_neverallows)/sepolicy_neverallows
+built_sepolicy_neverallows += $(call intermediates-dir-for,ETC,sepolicy_neverallows_vendor)/sepolicy_neverallows_vendor
#################################
# sepolicy is also built with Android.bp.
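Review bot: `built_sepolicy_neverallows` is now assigned with `:=` roughly thirty lines later in Android.mk than before this change, so any parse-time expansion of it in the unchanged stretch between the old and the new position would now see an empty value; I cannot see that stretch, so this needs confirming against the rest of the file. If every consumer sits below the new assignment the move is harmless. As a point of style, the two `intermediates-dir-for` lines repeat each module name as both the argument and the trailing path component, which a single `built_sepolicy_neverallows := $(foreach m,sepolicy_neverallows sepolicy_neverallows_vendor,$(call intermediates-dir-for,ETC,$(m))/$(m))` would keep in sync.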
diff --git a/private/clatd.te b/private/clatd.te
index 104121e..da6820c 100644
--- a/private/clatd.te
+++ b/private/clatd.te
@@ -18,5 +18,4 @@
allow clatd self:global_capability_class_set { net_admin net_raw setuid setgid };
allow clatd self:netlink_route_socket nlmsg_write;
-allow clatd self:{ packet_socket rawip_socket } create_socket_perms_no_ioctl;
allow clatd tun_device:chr_file rw_file_perms;
diff --git a/private/composd.te b/private/composd.te
index 5b8f586..dd61e39 100644
--- a/private/composd.te
+++ b/private/composd.te
@@ -16,6 +16,7 @@
# Prepare staging directory for odrefresh
allow composd apex_art_data_file:dir { create_dir_perms relabelfrom };
allow composd apex_art_staging_data_file:dir { create_dir_perms relabelto };
+allow composd apex_art_staging_data_file:file { getattr unlink };
# Delete files in the odrefresh target directory
allow composd apex_art_data_file:file unlink;
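Review bot: The new rule on the fourth hunk line gives composd `getattr unlink` on files inside the staging directory, but the comment above it ("Prepare staging directory for odrefresh") covers the directory-level rules and the comment below it refers to `apex_art_data_file`, so the reason composd must delete individual staging files is left undocumented. Suggest a one-line comment directly above the new rule, e.g. `# Remove leftover files in the staging directory before odrefresh populates it (presumably from an interrupted run — confirm)`. Not granting `write` on the files is consistent with the intent, since unlink only needs `unlink` on the file plus `remove_name` on the directory, which `create_dir_perms` already provides.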
diff --git a/private/crosvm.te b/private/crosvm.te
index 90addc8..5106f87 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -7,7 +7,8 @@
# Most other domains shouldn't access /dev/kvm.
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
-neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
+neverallow { domain -crosvm -ueventd -virtualizationservice } kvm_device:chr_file ~getattr;
+neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };
# Let crosvm create temporary files.
tmpfs_domain(crosvm)
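Review bot: The second hunk line now exempts virtualizationservice from the whole `~getattr` neverallow on kvm_device, which is wider than the `{ open read write }` plus single-ioctl grant the same change adds in private/virtualizationservice.te; after this, only the ioctl dimension remains bounded for that domain, via the new neverallowxperm on the third line. To keep the assertion meaningful, add `neverallow virtualizationservice kvm_device:chr_file ~{ getattr open read write ioctl };` so any future widening of the service's /dev/kvm access is rejected at policy build time. The comment on the first line ("Most other domains shouldn't access /dev/kvm") should also record that virtualizationservice is permitted only a KVM_CHECK_EXTENSION capability query. Note that the neverallowxperm excludes only crosvm, so ueventd, which the line above exempts, would also be rejected if it ever gained ioctl; presumably intentional, but worth stating in the comment.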
@@ -32,6 +33,10 @@
allow crosvm virtualizationservice_data_file:dir search;
# Don't allow crosvm to open files that it doesn't own.
+# This is important because a malicious application could try to start a VM with a composite disk
+# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
+# open them on its behalf. By preventing crosvm from opening any other files we prevent this
+# potential privilege escalation. See http://b/192453819 for more discussion.
neverallow crosvm {
virtualizationservice_data_file
staging_data_file
@@ -73,7 +78,7 @@
# app_data_file (and shell_data_file for debuggable builds) is the only
# app_data_file_type that is allowed for crosvm to read. Note that the use of
-# app_data_file is allowed only for the intance disk image. This is enforced
+# app_data_file is allowed only for the instance disk image. This is enforced
# inside the virtualizationservice by checking the file context of all disk
# image files.
neverallow crosvm {
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 1e00dcd..1418642 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -55,6 +55,10 @@
# Let virtualizationservice to accept vsock connection from the guest VMs
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+# Allow virtualization to ioctl on dev/kvm only to check if protected VM is supported or not.
+allow virtualizationservice kvm_device:chr_file { open read write };
+allowxperm virtualizationservice kvm_device:chr_file ioctl KVM_CHECK_EXTENSION;
+
# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
set_prop(virtualizationservice, virtualizationservice_prop)
neverallow {
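Review bot: The allow on the fourth hunk line grants `{ open read write }` but not `ioctl`, while the allowxperm on the following line can only narrow an ioctl permission that a plain allow has already granted; unless virtualizationservice obtains `ioctl` on kvm_device elsewhere (not visible here), the KVM_CHECK_EXTENSION call the comment describes would still be denied. If no such grant exists, the line should read `allow virtualizationservice kvm_device:chr_file { ioctl open read write };`. The comment above it also reads "Allow virtualization to ioctl on dev/kvm"; suggest `# Allow virtualizationservice to ioctl on /dev/kvm only to check whether protected VMs are supported.` The `neverallow {` on the last hunk line continues outside the hunk.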