| Andrew Walbran | 4b80a3f | 2021-05-21 13:21:43 +0000 | [diff] [blame] | 1 | type virtualizationservice, domain, coredomain; |
| 2 | type virtualizationservice_exec, system_file_type, exec_type, file_type; |
| 3 | |
| David Brazdil | 55d808c | 2022-12-15 13:38:42 +0000 | [diff] [blame] | 4 | # The domain needs to be a 'mlstrustedsubject' to change the memlock rlimit of |
| 5 | # the virtualizationmanager domain running at a more constrained MLS level. |
| 6 | typeattribute virtualizationservice mlstrustedsubject; |
| 7 | |
| Andrew Walbran | 4b80a3f | 2021-05-21 13:21:43 +0000 | [diff] [blame] | 8 | # When init runs a file labelled with virtualizationservice_exec, run it in the |
| 9 | # virtualizationservice domain. |
| 10 | init_daemon_domain(virtualizationservice) |
| 11 | |
| 12 | # Let the virtualizationservice domain use Binder. |
| 13 | binder_use(virtualizationservice) |
| 14 | |
| Alan Stokes | 38131e7 | 2024-02-20 11:06:37 +0000 | [diff] [blame] | 15 | # Register our services with ServiceManager. |
| Andrew Walbran | 4b80a3f | 2021-05-21 13:21:43 +0000 | [diff] [blame] | 16 | add_service(virtualizationservice, virtualization_service) |
| Alan Stokes | 38131e7 | 2024-02-20 11:06:37 +0000 | [diff] [blame] | 17 | is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, ` |
| 18 | add_service(virtualizationservice, virtualization_maintenance_service) |
| 19 | ') |
| Andrew Walbran | 4b80a3f | 2021-05-21 13:21:43 +0000 | [diff] [blame] | 20 | |
| Jeongik Cha | f09f43c | 2024-04-02 14:50:14 +0900 | [diff] [blame] | 21 | is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, ` |
| Inseob Kim | 094e8e8 | 2023-11-17 18:03:46 +0900 | [diff] [blame] | 22 | # Let virtualizationservice find and communicate with vfio_handler. |
| 23 | allow virtualizationservice vfio_handler_service:service_manager find; |
| 24 | binder_call(virtualizationservice, vfio_handler) |
| 25 | ') |
| Inseob Kim | 825056d | 2023-08-01 11:00:49 +0900 | [diff] [blame] | 26 | |
| Seungjae Yoo | f60a1e0 | 2024-05-20 14:15:22 +0900 | [diff] [blame] | 27 | is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, ` |
| 28 | # Let virtualizationservice find and communicate with vmnic. |
| 29 | allow virtualizationservice vmnic_service:service_manager find; |
| 30 | binder_call(virtualizationservice, vmnic) |
| Seungjae Yoo | c9df293 | 2024-06-17 00:38:19 +0000 | [diff] [blame] | 31 | allow virtualizationservice vm_tethering_service:service_manager find; |
| Seungjae Yoo | f60a1e0 | 2024-05-20 14:15:22 +0900 | [diff] [blame] | 32 | ') |
| 33 | |
| Alice Wang | e79bbf9 | 2023-11-14 07:38:18 +0000 | [diff] [blame] | 34 | # Allow the virtualizationservice domain to serve a remotely provisioned component for |
| 35 | # pVM remote attestation. |
| 36 | hal_server_domain(virtualizationservice, hal_remotelyprovisionedcomponent_avf) |
| 37 | |
| Alice Wang | 3d9ce1a | 2024-06-07 09:07:34 +0000 | [diff] [blame] | 38 | # Allow the virtualizationservice to inspect whether remote attestation is supported |
| 39 | # through the system property. |
| 40 | get_prop(virtualizationservice, avf_virtualizationservice_prop) |
| 41 | |
| David Brazdil | ccf9164 | 2023-01-12 21:10:33 +0000 | [diff] [blame] | 42 | # Allow calling into the system server to find "permission_service". |
| 43 | binder_call(virtualizationservice, system_server) |
| 44 | allow virtualizationservice permission_service:service_manager find; |
| 45 | |
| Alice Wang | 260daf5 | 2024-01-18 16:18:47 +0000 | [diff] [blame] | 46 | # Allow virtualizationservice to retrieve the remotely provisioned keys from rkpd. |
| Alice Wang | f7fc9f9 | 2024-05-15 14:33:36 +0000 | [diff] [blame] | 47 | binder_call(virtualizationservice, remote_provisioning_service_server) |
| Alice Wang | 260daf5 | 2024-01-18 16:18:47 +0000 | [diff] [blame] | 48 | allow virtualizationservice remote_provisioning_service:service_manager find; |
| 49 | |
| David Drysdale | 3242c6a | 2024-02-16 18:05:32 +0000 | [diff] [blame] | 50 | # Allow virtualizationservice to manage VM secrets via Secretkeeper. |
| 51 | hal_client_domain(virtualizationservice, hal_secretkeeper) |
| 52 | |
| David Brazdil | 55d808c | 2022-12-15 13:38:42 +0000 | [diff] [blame] | 53 | # Let virtualizationservice remove memlock rlimit of virtualizationmanager. This is necessary |
| 54 | # to mlock VM memory and page tables. |
| David Brazdil | 88f98d9 | 2022-10-28 13:57:58 +0100 | [diff] [blame] | 55 | allow virtualizationservice self:capability sys_resource; |
| David Brazdil | 55d808c | 2022-12-15 13:38:42 +0000 | [diff] [blame] | 56 | allow virtualizationservice virtualizationmanager:process setrlimit; |
| David Brazdil | 88f98d9 | 2022-10-28 13:57:58 +0100 | [diff] [blame] | 57 | |
| Jeongik Cha | f09f43c | 2024-04-02 14:50:14 +0900 | [diff] [blame] | 58 | is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, ` |
| 59 | # To provide display service to an app to get surface. |
| 60 | # TODO(b/332677707): remove them when display service uses binder RPC. |
| Jeongik Cha | 77a3ca6 | 2024-04-09 15:02:28 +0900 | [diff] [blame] | 61 | allow virtualizationservice vmlauncher_app:binder transfer; |
| Jeongik Cha | f09f43c | 2024-04-02 14:50:14 +0900 | [diff] [blame] | 62 | ') |
| 63 | |
| David Brazdil | 55d808c | 2022-12-15 13:38:42 +0000 | [diff] [blame] | 64 | # Let virtualizationservice set the owner of a VM's temporary directory. |
| 65 | allow virtualizationservice self:capability chown; |
| Andrew Walbran | 4b80a3f | 2021-05-21 13:21:43 +0000 | [diff] [blame] | 66 | |
| David Brazdil | 55d808c | 2022-12-15 13:38:42 +0000 | [diff] [blame] | 67 | # Let virtualizationservice create and delete temporary directories of VMs. To remove old |
| 68 | # directories, it needs the permission to unlink the files created by virtualizationmanager. |
| Andrew Walbran | 4b80a3f | 2021-05-21 13:21:43 +0000 | [diff] [blame] | 69 | allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms; |
| Seungjae Yoo | f0aaa15 | 2023-09-07 15:37:40 +0900 | [diff] [blame] | 70 | allow virtualizationservice virtualizationservice_data_file:sock_file unlink; |
| 71 | allow virtualizationservice virtualizationservice_data_file:file create_file_perms; |
| Keir Fraser | ad58b8d | 2022-07-11 14:27:40 +0000 | [diff] [blame] | 72 | |
| Jiyong Park | 5e20d83 | 2021-07-12 21:11:33 +0900 | [diff] [blame] | 73 | # Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from |
| 74 | # crosvm to the console |
| 75 | allow virtualizationservice adbd:fd use; |
| 76 | allow virtualizationservice adbd:unix_stream_socket { read write }; |
| Andrew Walbran | 9b2fa1b | 2021-07-01 15:58:26 +0000 | [diff] [blame] | 77 | |
| Alice Wang | 40519f7 | 2023-08-31 11:37:30 +0000 | [diff] [blame] | 78 | # Allow to connnect to and run VirtMgr to start the service VM for remote attestation. |
| 79 | virtualizationservice_use(virtualizationservice) |
| 80 | |
| 81 | # Allow virtualizationservice to read and write in the apex data directory |
| David Drysdale | a9d70d7 | 2024-02-19 17:44:08 +0000 | [diff] [blame] | 82 | # /data/misc/apexdata/com.android.virt. Also allow checking of the parent directory |
| 83 | # (needed for SQLite database creation). |
| 84 | allow virtualizationservice apex_module_data_file:dir { search getattr }; |
| Alice Wang | 40519f7 | 2023-08-31 11:37:30 +0000 | [diff] [blame] | 85 | allow virtualizationservice apex_virt_data_file:dir create_dir_perms; |
| 86 | allow virtualizationservice apex_virt_data_file:file create_file_perms; |
| 87 | |
| Alan Stokes | 88207c4 | 2024-06-18 17:06:36 +0100 | [diff] [blame] | 88 | # Accept vsock connection from the guest VMs to singleton services |
| David Brazdil | 55d808c | 2022-12-15 13:38:42 +0000 | [diff] [blame] | 89 | # such as the guest tombstone server. |
| Alan Stokes | 88207c4 | 2024-06-18 17:06:36 +0100 | [diff] [blame] | 90 | allow virtualizationservice self:vsock_socket { create read getattr write setattr lock append bind getopt setopt shutdown map listen accept }; |
| 91 | neverallow { domain -virtualizationservice -dumpstate } virtualizationservice:vsock_socket *; |
| Jiyong Park | b804de2 | 2021-09-16 21:06:20 +0900 | [diff] [blame] | 92 | |
| 93 | # Allow virtualizationservice to read/write its own sysprop. Only the process can do so. |
| 94 | set_prop(virtualizationservice, virtualizationservice_prop) |
| Alan Stokes | 3fad86b | 2022-01-04 17:34:53 +0000 | [diff] [blame] | 95 | |
| Alan Stokes | 8a881c1 | 2022-01-21 12:18:08 +0000 | [diff] [blame] | 96 | # Allow writing stats to statsd |
| 97 | unix_socket_send(virtualizationservice, statsdw, statsd) |
| 98 | |
| Shikha Panwar | a9f1dc9 | 2022-03-24 09:05:59 +0000 | [diff] [blame] | 99 | # Allow virtualization service to talk to tombstoned to push guest tombstones |
| 100 | unix_socket_connect(virtualizationservice, tombstoned_crash, tombstoned) |
| 101 | |
| 102 | # Append to tombstone files passed as fds from tombstoned |
| 103 | allow virtualizationservice tombstone_data_file:file { append getattr }; |
| 104 | allow virtualizationservice tombstoned:fd use; |
| 105 | |
| Inseob Kim | 825056d | 2023-08-01 11:00:49 +0900 | [diff] [blame] | 106 | # Allow virtualizationservice to check if VFIO is supported |
| 107 | allow virtualizationservice vfio_device:chr_file getattr; |
| 108 | allow virtualizationservice vfio_device:dir r_dir_perms; |
| 109 | |
| Inseob Kim | bbe514d | 2023-08-03 12:53:48 +0900 | [diff] [blame] | 110 | # Allow virtualizationservice to access VM DTBO via a file created by virtualizationmanager. |
| 111 | allow virtualizationservice virtualizationmanager:fd use; |
| Inseob Kim | 825056d | 2023-08-01 11:00:49 +0900 | [diff] [blame] | 112 | |
| Inseob Kim | d61618b | 2023-08-30 14:04:24 +0900 | [diff] [blame] | 113 | # Allow virtualizationservice to access vendor_configs_file to get the list of assignable devices. |
| 114 | r_dir_file(virtualizationservice, vendor_configs_file) |
| 115 | |
| Jiyong Park | b804de2 | 2021-09-16 21:06:20 +0900 | [diff] [blame] | 116 | neverallow { |
| 117 | domain |
| 118 | -init |
| 119 | -virtualizationservice |
| 120 | } virtualizationservice_prop:property_service set; |
| Alan Stokes | 991087c | 2022-08-31 16:09:44 +0100 | [diff] [blame] | 121 | |
| 122 | neverallow { |
| 123 | domain |
| 124 | -init |
| David Brazdil | 55d808c | 2022-12-15 13:38:42 +0000 | [diff] [blame] | 125 | -virtualizationmanager |
| Alan Stokes | 991087c | 2022-08-31 16:09:44 +0100 | [diff] [blame] | 126 | -virtualizationservice |
| 127 | } virtualizationservice_data_file:file { open create }; |
| David Brazdil | 55d808c | 2022-12-15 13:38:42 +0000 | [diff] [blame] | 128 | |
| 129 | neverallow virtualizationservice { |
| 130 | domain |
| 131 | -virtualizationmanager |
| 132 | -virtualizationservice |
| Jeongik Cha | f09f43c | 2024-04-02 14:50:14 +0900 | [diff] [blame] | 133 | # TODO(b/332677707): remove them when display service uses binder RPC. |
| 134 | is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `-crosvm') |
| David Brazdil | 55d808c | 2022-12-15 13:38:42 +0000 | [diff] [blame] | 135 | }:process setrlimit; |
| Inseob Kim | 825056d | 2023-08-01 11:00:49 +0900 | [diff] [blame] | 136 | |
| Seungjae Yoo | 80fd618 | 2024-05-20 16:59:02 +0900 | [diff] [blame] | 137 | is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, ` |
| 138 | # Allow virtualizationservice to deal with file descriptors of TAP interfaces. |
| 139 | allow virtualizationservice tun_device:chr_file rw_file_perms; |
| 140 | allow virtualizationservice vmnic:fd use; |
| 141 | ') |
| 142 | |
| Inseob Kim | 094e8e8 | 2023-11-17 18:03:46 +0900 | [diff] [blame] | 143 | is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, ` |
| Inseob Kim | fb0ed7f | 2024-01-03 09:32:18 +0900 | [diff] [blame] | 144 | # Only virtualizationservice and virtualizationmanager can communicate to vfio_handler |
| 145 | neverallow { domain -virtualizationmanager -virtualizationservice -servicemanager } vfio_handler:binder call; |
| Inseob Kim | 094e8e8 | 2023-11-17 18:03:46 +0900 | [diff] [blame] | 146 | ') |