| Andrew Walbran | a995e84 | 2021-03-29 17:19:12 +0000 | [diff] [blame] | 1 | type crosvm, domain, coredomain; |
| 2 | type crosvm_exec, system_file_type, exec_type, file_type; |
| 3 | type crosvm_tmpfs, file_type; |
| 4 | |
| Andrew Walbran | a995e84 | 2021-03-29 17:19:12 +0000 | [diff] [blame] | 5 | # Let crosvm open /dev/kvm. |
| 6 | allow crosvm kvm_device:chr_file rw_file_perms; |
| 7 | |
| 8 | # Most other domains shouldn't access /dev/kvm. |
| 9 | neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr; |
| Andrew Walbran | 2f27f96 | 2022-01-28 15:42:48 +0000 | [diff] [blame] | 10 | neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr; |
| Jiyong Park | 2dd48d0 | 2021-12-28 21:26:03 +0900 | [diff] [blame] | 11 | neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION }; |
| Andrew Walbran | 9b2fa1b | 2021-07-01 15:58:26 +0000 | [diff] [blame] | 12 | |
| Jiyong Park | 5e20d83 | 2021-07-12 21:11:33 +0900 | [diff] [blame] | 13 | # Let crosvm create temporary files. |
| 14 | tmpfs_domain(crosvm) |
| 15 | |
| 16 | # Let crosvm receive file descriptors from VirtualizationService. |
| 17 | allow crosvm virtualizationservice:fd use; |
| 18 | |
| Alan Stokes | b02ac32 | 2022-03-09 14:05:18 +0000 | [diff] [blame] | 19 | # Allow sending VirtualizationService the failure reason from the VM via pipe. |
| 20 | allow crosvm virtualizationservice:fifo_file write; |
| 21 | |
| Jiyong Park | 5e20d83 | 2021-07-12 21:11:33 +0900 | [diff] [blame] | 22 | # Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes |
| 23 | # (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in |
| 24 | # /data/local/tmp), and instance.img (app_data_file). Note that the open permission is not given as |
| 25 | # the files are passed as file descriptors. |
| 26 | allow crosvm { |
| 27 | virtualizationservice_data_file |
| 28 | staging_data_file |
| 29 | apk_data_file |
| 30 | app_data_file |
| Alan Stokes | 3060852 | 2022-10-24 12:32:34 +0100 | [diff] [blame] | 31 | privapp_data_file |
| Alan Stokes | e2a002c | 2021-07-28 14:05:25 +0100 | [diff] [blame] | 32 | apex_compos_data_file |
| Jiyong Park | cdd5e07 | 2022-04-19 11:48:32 +0900 | [diff] [blame] | 33 | shell_data_file |
| Jiyong Park | 5e20d83 | 2021-07-12 21:11:33 +0900 | [diff] [blame] | 34 | }:file { getattr read ioctl lock }; |
| 35 | |
| 36 | # Allow searching the directory where the composite disk images are. |
| 37 | allow crosvm virtualizationservice_data_file:dir search; |
| 38 | |
| Keir Fraser | ad58b8d | 2022-07-11 14:27:40 +0000 | [diff] [blame] | 39 | # Let crosvm access its control socket as created by VS. |
| 40 | # read, write, getattr: listener socket polling |
| 41 | # accept: listener socket accepting new connection |
| 42 | # Note that the open permission is not given as the socket is passed by FD. |
| Steven Moreland | 34f6b26 | 2022-10-11 01:13:29 +0000 | [diff] [blame] | 43 | allow crosvm virtualizationservice:unix_stream_socket { accept read write getattr getopt }; |
| Keir Fraser | ad58b8d | 2022-07-11 14:27:40 +0000 | [diff] [blame] | 44 | |
| Jiyong Park | 5e20d83 | 2021-07-12 21:11:33 +0900 | [diff] [blame] | 45 | # The instance image and the composite image should be writable as well because they could represent |
| 46 | # mutable disks. |
| 47 | allow crosvm { |
| 48 | virtualizationservice_data_file |
| 49 | app_data_file |
| Alan Stokes | 3060852 | 2022-10-24 12:32:34 +0100 | [diff] [blame] | 50 | privapp_data_file |
| Alan Stokes | e2a002c | 2021-07-28 14:05:25 +0100 | [diff] [blame] | 51 | apex_compos_data_file |
| Jiyong Park | 5e20d83 | 2021-07-12 21:11:33 +0900 | [diff] [blame] | 52 | }:file write; |
| 53 | |
| 54 | # Allow crosvm to pipe console log to shell or app which could be the owner of a VM. |
| Alan Stokes | 39f4970 | 2021-09-02 11:10:59 +0100 | [diff] [blame] | 55 | allow crosvm adbd:fd use; |
| Jiyong Park | 5e20d83 | 2021-07-12 21:11:33 +0900 | [diff] [blame] | 56 | allow crosvm adbd:unix_stream_socket { read write }; |
| Jiyong Park | 5e20d83 | 2021-07-12 21:11:33 +0900 | [diff] [blame] | 57 | |
| Steven Moreland | fd59a2d | 2022-04-04 20:20:24 +0000 | [diff] [blame] | 58 | # crosvm tries to use netlink sockets as part its APCI implementation, but we don't need it for AVF (b/228077254) |
| 59 | dontaudit crosvm self:netlink_generic_socket create_socket_perms_no_ioctl; |
| 60 | |
| Jiyong Park | 2eab15e | 2022-05-02 13:23:50 +0900 | [diff] [blame] | 61 | # crosvm can write files in /data/local/tmp which are usually used for instance.img and logging by |
| 62 | # compliance tests and demo apps. Write access to instance.img is particularily important because |
| 63 | # the VM has to initialize the disk image on its first boot. Note that open access is still not |
| 64 | # granted because the files are expected to be opened by the owner of the VM (apps or shell in case |
| 65 | # when the vm is created by the `vm` tool) and handed over to crosvm as FD. |
| 66 | allow crosvm shell_data_file:file write; |
| Jiyong Park | 3fee5a4 | 2021-08-09 09:24:45 +0900 | [diff] [blame] | 67 | |
| Alan Stokes | 3060852 | 2022-10-24 12:32:34 +0100 | [diff] [blame] | 68 | # Don't allow crosvm to open files that it doesn't own. |
| 69 | # This is important because a malicious application could try to start a VM with a composite disk |
| 70 | # image referring by name to files which it doesn't have permission to open, trying to get crosvm to |
| 71 | # open them on its behalf. By preventing crosvm from opening any other files we prevent this |
| 72 | # potential privilege escalation. See http://b/192453819 for more discussion. |
| 73 | neverallow crosvm { |
| 74 | virtualizationservice_data_file |
| 75 | staging_data_file |
| 76 | apk_data_file |
| 77 | app_data_file |
| 78 | privapp_data_file |
| 79 | userdebug_or_eng(`-shell_data_file') |
| 80 | }:file open; |
| 81 | |
| Jiyong Park | 3fee5a4 | 2021-08-09 09:24:45 +0900 | [diff] [blame] | 82 | # Don't allow crosvm to have access to ordinary vendor files that are not for VMs. |
| 83 | full_treble_only(` |
| 84 | neverallow crosvm { |
| 85 | vendor_file_type |
| 86 | -vendor_vm_file |
| 87 | -vendor_vm_data_file |
| 88 | # These types are not required for crosvm, but the access is granted to globally in domain.te |
| 89 | # thus should be exempted here. |
| 90 | -vendor_configs_file |
| 91 | -vndk_sp_file |
| 92 | -vendor_task_profiles_file |
| 93 | }:file *; |
| 94 | ') |
| Jiyong Park | 028e722 | 2021-11-26 00:59:07 +0900 | [diff] [blame] | 95 | |
| Alan Stokes | 3060852 | 2022-10-24 12:32:34 +0100 | [diff] [blame] | 96 | # Only allow crosvm to read app data files for clients that can start |
| 97 | # VMs. Note that the use of app data files is further restricted |
| 98 | # inside the virtualizationservice by checking the label of all disk |
| 99 | # image files. |
| Jiyong Park | 028e722 | 2021-11-26 00:59:07 +0900 | [diff] [blame] | 100 | neverallow crosvm { |
| 101 | app_data_file_type |
| 102 | -app_data_file |
| Alan Stokes | 3060852 | 2022-10-24 12:32:34 +0100 | [diff] [blame] | 103 | -privapp_data_file |
| Jiyong Park | cdd5e07 | 2022-04-19 11:48:32 +0900 | [diff] [blame] | 104 | -shell_data_file |
| Jiyong Park | 028e722 | 2021-11-26 00:59:07 +0900 | [diff] [blame] | 105 | }:file read; |
| Inseob Kim | b20cb78 | 2022-02-03 15:30:26 +0900 | [diff] [blame] | 106 | |
| 107 | # Only virtualizationservice can run crosvm |
| 108 | neverallow { |
| 109 | domain |
| 110 | -crosvm |
| 111 | -virtualizationservice |
| 112 | } crosvm_exec:file no_x_file_perms; |