private/crosvm.te

type crosvm, domain, coredomain;
type crosvm_exec, system_file_type, exec_type, file_type;
type crosvm_tmpfs, file_type;

# Let crosvm open VM manager devices such as /dev/kvm.
allow crosvm vm_manager_device_type:chr_file rw_file_perms;

# TODO(b/357025924): This is a temporary workaround to allow the KeyMint VM to use crosvm
# directly. It should be removed once the KeyMint VM can be started with early_virtmgr
is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, init_daemon_domain(crosvm))

# Most other domains shouldn't access /dev/kvm.
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };

# Most other domains shouldn't access other vm managers either.
# These restrictions need to be slightly looser than for kvm_device to allow
# for different implementations.
neverallow { coredomain appdomain -crosvm -ueventd -shell } vm_manager_device_type:chr_file getattr;
neverallow { coredomain appdomain -crosvm -ueventd } vm_manager_device_type:chr_file ~getattr;

# Let crosvm create temporary files.
tmpfs_domain(crosvm)

# Let crosvm receive file descriptors from VirtualizationService.
allow crosvm virtualizationmanager:fd use;

# Allow sending VirtualizationService the failure reason and console/log from the VM via pipe.
allow crosvm virtualizationmanager:fifo_file write;

# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
# /data/local/tmp), instance.img (app_data_file), and microdroid vendor image (vendor_microdroid_file).
# Allow crosvm to read the instance image of the service VM saved in apex_virt_data_file.
# Note that the open permission is not given as the files are passed as file descriptors.
allow crosvm {
  virtualizationservice_data_file
  staging_data_file
  apk_data_file
  app_data_file
  privapp_data_file
  apex_compos_data_file
  apex_virt_data_file
  shell_data_file
  vendor_microdroid_file
}:file { getattr read ioctl lock };

# Allow searching the directory where the composite disk images are.
allow crosvm virtualizationservice_data_file:dir search;

# When running a VM as root we get spurious capability denials.
# Suppress them.
userdebug_or_eng(`
  dontaudit crosvm self:capability ipc_lock;
')

# Allow crosvm to tune for performance.
allow crosvm self:global_capability_class_set sys_nice;

# Let crosvm access its control socket as created by VS.
#   read, write, getattr: listener socket polling
#   accept: listener socket accepting new connection
# Note that the open permission is not given as the socket is passed by FD.
allow crosvm virtualizationmanager:unix_stream_socket { accept read write getattr getopt };

# Let crosvm open test artifacts under /data/local/tmp with file path. (e.g. custom pvmfw.img)
userdebug_or_eng(`
  allow crosvm shell_data_file:dir search;
  allow crosvm shell_data_file:file open;
')

# The instance image and the composite image should be writable as well because they could represent
# mutable disks.
allow crosvm {
  virtualizationservice_data_file
  app_data_file
  privapp_data_file
  apex_compos_data_file
  apex_virt_data_file
}:file write;

# Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
allow crosvm adbd:fd use;
allow crosvm adbd:unix_stream_socket { read write };
allow crosvm devpts:chr_file { read write getattr ioctl };

is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
  # Allow crosvm to draw screen in the surface
  allow crosvm device:dir { read open };
  allow crosvm same_process_hal_file:file { read open getattr map execute };
  allow crosvm gpu_device:chr_file { read write open ioctl map open getattr };
  allow crosvm hal_graphics_allocator:fd use;
  allow crosvm hal_graphics_allocator_server:binder call;
  allow crosvm surfaceflinger:fd use;
  hal_client_domain(crosvm, hal_graphics_allocator)

  # To provide display service to an app to get surface.
  # TODO(b/332677707): remove them when display service uses binder RPC.
  allow crosvm vmlauncher_app:binder { transfer call };
  allow crosvm servicemanager:binder { call transfer };
  allow crosvm virtualization_service:service_manager find;
  allow crosvm virtualizationservice:binder { call transfer };

  # Allow crosvm to play sound.
  binder_call(crosvm, audioserver)
  allow crosvm audioserver_service:service_manager find;
')

# crosvm tries to use netlink sockets as part its APCI implementation, but we don't need it for AVF (b/228077254)
dontaudit crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;

# crosvm can write files in /data/local/tmp which are usually used for instance.img and logging by
# compliance tests and demo apps. Write access to instance.img is particularily important because
# the VM has to initialize the disk image on its first boot. Note that open access is still not
# granted because the files are expected to be opened by the owner of the VM (apps or shell in case
# when the vm is created by the `vm` tool) and handed over to crosvm as FD.
allow crosvm shell_data_file:file write;

# crosvm tries to read serial device, including the write-only pipe from virtualizationmanager (to
# forward console/log to the host logcat).
# crosvm only needs write permission, so dontaudit read
dontaudit crosvm virtualizationmanager:fifo_file { read getattr };

# Required for crosvm to start gdb-server to enable debugging of guest kernel.
allow crosvm self:tcp_socket { bind create read setopt write accept listen };
allow crosvm port:tcp_socket name_bind;
allow crosvm adbd:unix_stream_socket ioctl;
allow crosvm node:tcp_socket node_bind;

# Allow crosvm to interact to VFIO device
allow crosvm vfio_device:chr_file rw_file_perms;
allow crosvm vfio_device:dir r_dir_perms;

# Allow crosvm to access VM DTBO via a file created by virtualizationmanager.
allow crosvm virtualizationmanager:fd use;
allow crosvm virtualizationservice_data_file:file read;

is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
    # Allow crosvm to deal with file descriptors of TAP interfaces.
    allow crosvm tun_device:chr_file rw_file_perms;
    allowxperm crosvm tun_device:chr_file ioctl { TUNGETIFF TUNSETOFFLOAD TUNSETVNETHDRSZ };
    allow crosvm self:udp_socket create_socket_perms;
    allowxperm crosvm self:udp_socket ioctl SIOCGIFMTU;
    allow crosvm vmnic:fd use;
')

# Don't allow crosvm to open files that it doesn't own.
# This is important because a malicious application could try to start a VM with a composite disk
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
# open them on its behalf. By preventing crosvm from opening any other files we prevent this
# potential privilege escalation. See http://b/192453819 for more discussion.
neverallow crosvm {
  virtualizationservice_data_file
  staging_data_file
  apk_data_file
  app_data_file
  privapp_data_file
  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
  userdebug_or_eng(`-shell_data_file')
}:file open;

# Don't allow crosvm to have access to ordinary vendor files that are not for VMs.
full_treble_only(`
  neverallow crosvm {
    vendor_file_type
    -vendor_vm_file
    -vendor_vm_data_file
    # These types are not required for crosvm, but the access is granted to globally in domain.te
    # thus should be exempted here.
    -vendor_configs_file
    -vendor_microdroid_file
    -vndk_sp_file
    -vendor_task_profiles_file
    is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `-same_process_hal_file')
  }:file *;
')

# Only allow crosvm to read app data files for clients that can start
# VMs. Note that the use of app data files is further restricted
# inside the virtualizationservice by checking the label of all disk
# image files.
neverallow crosvm {
  app_data_file_type
  -app_data_file
  -privapp_data_file
  -shell_data_file
}:file read;

# Only virtualizationmanager can run crosvm
neverallow {
  domain
  -crosvm
  -virtualizationmanager
  # TODO(b/357025924): This is a temporary workaround to allow the KeyMint VM to use crosvm
  # directly. It should be removed once the KeyMint VM can be started with early_virtmgr
  is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-init')
} crosvm_exec:file no_x_file_perms;