Set sepolicy for vmnic in AVF

Bug: 340376951
Test: Presubmit
Change-Id: I5f48ff4a459805de2f74d160c1b61473c6de0466
diff --git a/private/service.te b/private/service.te
index d777e53..1fb4d1d 100644
--- a/private/service.te
+++ b/private/service.te
@@ -30,6 +30,9 @@
 is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, `
     type virtualization_maintenance_service, service_manager_type;
 ')
+is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
+    type vmnic_service, service_manager_type;
+')
 
 type uce_service,                   service_manager_type;
 type wearable_sensing_service,      app_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index f4b331e..c7917f1 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -170,6 +170,9 @@
 is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, `
     android.system.virtualizationmaintenance u:object_r:virtualization_maintenance_service:s0
 ')
+is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
+    android.system.virtualizationservice_internal.IVmnic u:object_r:vmnic_service:s0
+')
 ambient_context                           u:object_r:ambient_context_service:s0
 app_binding                               u:object_r:app_binding_service:s0
 app_hibernation                           u:object_r:app_hibernation_service:s0
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 99c2a3b..a72f30f 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -24,6 +24,12 @@
     binder_call(virtualizationservice, vfio_handler)
 ')
 
+is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
+    # Let virtualizationservice find and communicate with vmnic.
+    allow virtualizationservice vmnic_service:service_manager find;
+    binder_call(virtualizationservice, vmnic)
+')
+
 # Allow the virtualizationservice domain to serve a remotely provisioned component for
 # pVM remote attestation.
 hal_server_domain(virtualizationservice, hal_remotelyprovisionedcomponent_avf)
diff --git a/private/vmnic.te b/private/vmnic.te
new file mode 100644
index 0000000..bd4991d
--- /dev/null
+++ b/private/vmnic.te
@@ -0,0 +1,18 @@
+is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
+    # vmnic is a helper service for network tasks, like creating TAP network interface.
+    # vmnic is separated from virtualizationservice as vmnic requires more permission to do network related tasks.
+    type vmnic, domain, coredomain;
+    type vmnic_exec, system_file_type, exec_type, file_type;
+
+    # When init runs a file labelled with vmnic_exec, run it in the vmnic domain.
+    init_daemon_domain(vmnic)
+
+    # Let the vmnic domain register the vmnic_service with ServiceManager.
+    add_service(vmnic, vmnic_service)
+
+    # Let the vmnic domain use Binder.
+    binder_use(vmnic)
+
+    # Only virtualizationservice can communicate to vmnic
+    neverallow { domain -virtualizationservice -servicemanager } vmnic:binder call;
+') # is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK)
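Review bot: The domain as written cannot do the job its header comment (the "creating TAP network interface" line) describes: nothing here grants the net_admin capability, access to the tun device node, or tun_socket permissions, so a TAP create from the vmnic domain will be denied unless a later change adds them. If that follow-up is intended, say so in the comment, e.g. `# TODO: network permissions (net_admin, tun_device, tun_socket) are added in a follow-up`; otherwise the grants belong here, along the lines of `allow vmnic self:global_capability_class_set net_admin;`, `allow vmnic tun_device:chr_file rw_file_perms;` and `allow vmnic self:tun_socket create_socket_perms;` (exact macro names to be confirmed against this tree's global_macros). Separately, the neverallow on the last allow line only fences off `binder call`; other domains can still `find` vmnic_service and obtain a handle, which the "Only virtualizationservice can communicate to vmnic" comment does not promise but a reader may assume. Consider adding `neverallow { domain -virtualizationservice } vmnic_service:service_manager find;` next to it so the comment and the enforced boundary match.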