| Andrew Walbran | a995e84 | 2021-03-29 17:19:12 +0000 | [diff] [blame] | 1 | type crosvm, domain, coredomain; |
| 2 | type crosvm_exec, system_file_type, exec_type, file_type; |
| 3 | type crosvm_tmpfs, file_type; |
| 4 | |
| Andrew Walbran | a995e84 | 2021-03-29 17:19:12 +0000 | [diff] [blame] | 5 | # Let crosvm open /dev/kvm. |
| 6 | allow crosvm kvm_device:chr_file rw_file_perms; |
| 7 | |
| 8 | # Most other domains shouldn't access /dev/kvm. |
| 9 | neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr; |
| 10 | neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr; |
| Andrew Walbran | 9b2fa1b | 2021-07-01 15:58:26 +0000 | [diff] [blame] | 11 | |
| Jiyong Park | 5e20d83 | 2021-07-12 21:11:33 +0900 | [diff] [blame] | 12 | # Let crosvm create temporary files. |
| 13 | tmpfs_domain(crosvm) |
| 14 | |
| 15 | # Let crosvm receive file descriptors from VirtualizationService. |
| 16 | allow crosvm virtualizationservice:fd use; |
| 17 | |
| 18 | # Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes |
| 19 | # (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in |
| 20 | # /data/local/tmp), and instance.img (app_data_file). Note that the open permission is not given as |
| 21 | # the files are passed as file descriptors. |
| 22 | allow crosvm { |
| 23 | virtualizationservice_data_file |
| 24 | staging_data_file |
| 25 | apk_data_file |
| 26 | app_data_file |
| Alan Stokes | e2a002c | 2021-07-28 14:05:25 +0100 | [diff] [blame] | 27 | apex_compos_data_file |
| Jiyong Park | 5e20d83 | 2021-07-12 21:11:33 +0900 | [diff] [blame] | 28 | userdebug_or_eng(`shell_data_file') |
| 29 | }:file { getattr read ioctl lock }; |
| 30 | |
| 31 | # Allow searching the directory where the composite disk images are. |
| 32 | allow crosvm virtualizationservice_data_file:dir search; |
| 33 | |
| 34 | # TODO(b/193402941) delete this. This for now is required because crosvm needs to open the files for |
| 35 | # the GPT headers of the composite disks. |
| 36 | allow crosvm virtualizationservice_data_file:file open; |
| 37 | |
| 38 | # Don't allow crosvm to open files that it doesn't own. |
| 39 | neverallow crosvm { |
| 40 | #TODO(b/193402941) uncomment the following line |
| 41 | #virtualizationservice_data_file |
| 42 | staging_data_file |
| 43 | apk_data_file |
| 44 | app_data_file |
| 45 | userdebug_or_eng(`-shell_data_file') |
| 46 | }:file open; |
| 47 | |
| 48 | # The instance image and the composite image should be writable as well because they could represent |
| 49 | # mutable disks. |
| 50 | allow crosvm { |
| 51 | virtualizationservice_data_file |
| 52 | app_data_file |
| Alan Stokes | e2a002c | 2021-07-28 14:05:25 +0100 | [diff] [blame] | 53 | apex_compos_data_file |
| Jiyong Park | 5e20d83 | 2021-07-12 21:11:33 +0900 | [diff] [blame] | 54 | }:file write; |
| 55 | |
| 56 | # Allow crosvm to pipe console log to shell or app which could be the owner of a VM. |
| 57 | allow crosvm { adbd appdomain }:fd use; |
| 58 | allow crosvm adbd:unix_stream_socket { read write }; |
| 59 | allow crosvm appdomain:fifo_file { read write }; |
| 60 | |
| 61 | # The console log can also be written to /data/local/tmp. This is not safe as the log then can be |
| 62 | # visible to the processes which don't own the VM. Therefore, this is a debugging only feature. |
| 63 | userdebug_or_eng(`allow crosvm shell_data_file:file w_file_perms;') |
| Jiyong Park | 3fee5a4 | 2021-08-09 09:24:45 +0900 | [diff] [blame^] | 64 | |
| 65 | # Don't allow crosvm to have access to ordinary vendor files that are not for VMs. |
| 66 | full_treble_only(` |
| 67 | neverallow crosvm { |
| 68 | vendor_file_type |
| 69 | -vendor_vm_file |
| 70 | -vendor_vm_data_file |
| 71 | # These types are not required for crosvm, but the access is granted to globally in domain.te |
| 72 | # thus should be exempted here. |
| 73 | -vendor_configs_file |
| 74 | -vndk_sp_file |
| 75 | -vendor_task_profiles_file |
| 76 | }:file *; |
| 77 | ') |