private/crosvm.te

type crosvm, domain, coredomain;
type crosvm_exec, system_file_type, exec_type, file_type;
type crosvm_tmpfs, file_type;

# Let crosvm open /dev/kvm.
allow crosvm kvm_device:chr_file rw_file_perms;

# Most other domains shouldn't access /dev/kvm.
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };

# Let crosvm mlock VM memory and page tables.
allow crosvm self:capability ipc_lock;

# Let crosvm create temporary files.
tmpfs_domain(crosvm)

# Let crosvm receive file descriptors from VirtualizationService.
allow crosvm virtualizationservice:fd use;

# Allow sending VirtualizationService the failure reason from the VM via pipe.
allow crosvm virtualizationservice:fifo_file write;

# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
# /data/local/tmp), and instance.img (app_data_file). Note that the open permission is not given as
# the files are passed as file descriptors.
allow crosvm {
  virtualizationservice_data_file
  staging_data_file
  apk_data_file
  app_data_file
  apex_compos_data_file
  userdebug_or_eng(`shell_data_file')
}:file { getattr read ioctl lock };

# Allow searching the directory where the composite disk images are.
allow crosvm virtualizationservice_data_file:dir search;

# Don't allow crosvm to open files that it doesn't own.
# This is important because a malicious application could try to start a VM with a composite disk
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
# open them on its behalf. By preventing crosvm from opening any other files we prevent this
# potential privilege escalation. See http://b/192453819 for more discussion.
neverallow crosvm {
  virtualizationservice_data_file
  staging_data_file
  apk_data_file
  app_data_file
  userdebug_or_eng(`-shell_data_file')
}:file open;

# The instance image and the composite image should be writable as well because they could represent
# mutable disks.
allow crosvm {
  virtualizationservice_data_file
  app_data_file
  apex_compos_data_file
}:file write;

# Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
allow crosvm adbd:fd use;
allow crosvm adbd:unix_stream_socket { read write };

# For ACPI
allow crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;

# The console log can also be written to /data/local/tmp. This is not safe as the log then can be
# visible to the processes which don't own the VM. Therefore, this is a debugging only feature.
userdebug_or_eng(`allow crosvm shell_data_file:file w_file_perms;')

# Don't allow crosvm to have access to ordinary vendor files that are not for VMs.
full_treble_only(`
  neverallow crosvm {
    vendor_file_type
    -vendor_vm_file
    -vendor_vm_data_file
    # These types are not required for crosvm, but the access is granted to globally in domain.te
    # thus should be exempted here.
    -vendor_configs_file
    -vndk_sp_file
    -vendor_task_profiles_file
  }:file *;
')

# app_data_file (and shell_data_file for debuggable builds) is the only
# app_data_file_type that is allowed for crosvm to read.  Note that the use of
# app_data_file is allowed only for the instance disk image.  This is enforced
# inside the virtualizationservice by checking the file context of all disk
# image files.
neverallow crosvm {
  app_data_file_type
  -app_data_file
  userdebug_or_eng(`-shell_data_file')
}:file read;

# Only virtualizationservice can run crosvm
neverallow {
  domain
  -crosvm
  -virtualizationservice
} crosvm_exec:file no_x_file_perms;