Restrict VM usage to platform_app.

Remove access from untrusted apps and instead grant it to platform_app
(but on user builds as well as debug).

Also restrict any app from creating a vsock_socket; using an already
created one is fine.

Bug: 193373841
Test: Microdroid demo app now gets a denial
Test: Rebuild demo with certificate: platform, adb install, no denial
Change-Id: I7be011e05244767a42d4c56e26de792db4fe599d
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index eb93529..f33cff9 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -117,9 +117,10 @@
   alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
 } *;
 
-# Apps can read/write vsock created by virtualizationservice to communicate with the VM that they own,
-# but nothing more than that (e.g. creating a new vsock, etc.)
-neverallow all_untrusted_apps virtualizationservice:vsock_socket ~{ getattr read write };
+# Apps can read/write an already open vsock (e.g. created by
+# virtualizationservice) but nothing more than that (e.g. creating a
+# new vsock, etc.)
+neverallow all_untrusted_apps *:vsock_socket ~{ getattr read write };
 
 # Disallow sending RTM_GETLINK messages on netlink sockets.
 neverallow all_untrusted_apps domain:netlink_route_socket { bind nlmsg_readpriv };
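Review bot: The rewritten comment on the added lines says what untrusted apps may still do with a vsock but not why the target changed from `virtualizationservice` to `*`, which is the security-relevant part of the hunk: a vsock_socket an app creates itself carries the app's own domain label, so the old rule scoped to `virtualizationservice` did not actually block `create`. Suggest stating that explicitly, e.g. `# Target is '*' (not just virtualizationservice): a vsock an app creates itself is labelled with the app's own domain, and this rule must deny that too.` Note also that the neverallow is scoped to `all_untrusted_apps`, so the commit message's "restrict any app from creating a vsock_socket" is broader than what the rule enforces; platform_app is governed by the separate `virtualizationservice_use` grant rather than by this line.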
diff --git a/private/platform_app.te b/private/platform_app.te
index 55ccbde..a69c45e 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -108,6 +108,9 @@
 # Allow platform apps to act as Perfetto producers.
 perfetto_producer(platform_app)
 
+# Allow platform apps to create VMs
+virtualizationservice_use(platform_app)
+
 ###
 ### Neverallow rules
 ###
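Review bot: The new `virtualizationservice_use(platform_app)` grant is unconditional, whereas the rule it replaces in untrusted_app_all.te was wrapped in `userdebug_or_eng`, and the one-line comment does not record that exposing VM creation on user builds is deliberate. A future reader is likely to read the missing gate as an oversight and "fix" it, so the intent should be in the policy file rather than only in the commit message, e.g. `# Allow platform apps to create VMs. Intentionally not gated on userdebug_or_eng: platform-signed apps need this on user builds too (b/193373841).` Since the Neverallow section starts right after this grant, it is also worth confirming that no existing neverallow in that section covers platform_app and vsock_socket, which would make this grant unbuildable.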
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index 0128dfe..98d83af 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -176,11 +176,6 @@
 # the profiler (which would be profiling the app that is sending the signal).
 allow untrusted_app_all simpleperf:process signal;
 
-# Allow running a VM for test/demo purposes
-userdebug_or_eng(`
-  virtualizationservice_use(untrusted_app_all)
-')
-
 with_native_coverage(`
   # Allow writing coverage information to /data/misc/trace
   allow domain method_trace_data_file:dir create_dir_perms;