Blame - private/virtualizationservice.te - android_system_sepolicy

blob: 4d8ac6bb36ed788f303eb5e866bf1b7e24ee5d18 [file] [log] [blame]

Andrew Walbran	4b80a3f	2021-05-21 13:21:43 +0000	[diff] [blame]	1	type virtualizationservice, domain, coredomain;
				2	type virtualizationservice_exec, system_file_type, exec_type, file_type;
				3
David Brazdil	55d808c	2022-12-15 13:38:42 +0000	[diff] [blame]	4	# The domain needs to be a 'mlstrustedsubject' to change the memlock rlimit of
				5	# the virtualizationmanager domain running at a more constrained MLS level.
				6	typeattribute virtualizationservice mlstrustedsubject;
				7
Andrew Walbran	4b80a3f	2021-05-21 13:21:43 +0000	[diff] [blame]	8	# When init runs a file labelled with virtualizationservice_exec, run it in the
				9	# virtualizationservice domain.
				10	init_daemon_domain(virtualizationservice)
				11
				12	# Let the virtualizationservice domain use Binder.
				13	binder_use(virtualizationservice)
				14
				15	# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
				16	add_service(virtualizationservice, virtualization_service)
				17
Inseob Kim	094e8e8	2023-11-17 18:03:46 +0900	[diff] [blame]	18	is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
				19	# Let virtualizationservice find and communicate with vfio_handler.
				20	allow virtualizationservice vfio_handler_service:service_manager find;
				21	binder_call(virtualizationservice, vfio_handler)
				22	')
Inseob Kim	825056d	2023-08-01 11:00:49 +0900	[diff] [blame]	23
Alice Wang	e79bbf9	2023-11-14 07:38:18 +0000	[diff] [blame]	24	# Allow the virtualizationservice domain to serve a remotely provisioned component for
				25	# pVM remote attestation.
				26	hal_server_domain(virtualizationservice, hal_remotelyprovisionedcomponent_avf)
				27
David Brazdil	ccf9164	2023-01-12 21:10:33 +0000	[diff] [blame]	28	# Allow calling into the system server to find "permission_service".
				29	binder_call(virtualizationservice, system_server)
				30	allow virtualizationservice permission_service:service_manager find;
				31
David Brazdil	55d808c	2022-12-15 13:38:42 +0000	[diff] [blame]	32	# Let virtualizationservice remove memlock rlimit of virtualizationmanager. This is necessary
				33	# to mlock VM memory and page tables.
David Brazdil	88f98d9	2022-10-28 13:57:58 +0100	[diff] [blame]	34	allow virtualizationservice self:capability sys_resource;
David Brazdil	55d808c	2022-12-15 13:38:42 +0000	[diff] [blame]	35	allow virtualizationservice virtualizationmanager:process setrlimit;
David Brazdil	88f98d9	2022-10-28 13:57:58 +0100	[diff] [blame]	36
David Brazdil	55d808c	2022-12-15 13:38:42 +0000	[diff] [blame]	37	# Let virtualizationservice set the owner of a VM's temporary directory.
				38	allow virtualizationservice self:capability chown;
Andrew Walbran	4b80a3f	2021-05-21 13:21:43 +0000	[diff] [blame]	39
David Brazdil	55d808c	2022-12-15 13:38:42 +0000	[diff] [blame]	40	# Let virtualizationservice create and delete temporary directories of VMs. To remove old
				41	# directories, it needs the permission to unlink the files created by virtualizationmanager.
Andrew Walbran	4b80a3f	2021-05-21 13:21:43 +0000	[diff] [blame]	42	allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
Seungjae Yoo	f0aaa15	2023-09-07 15:37:40 +0900	[diff] [blame]	43	allow virtualizationservice virtualizationservice_data_file:sock_file unlink;
				44	allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
Keir Fraser	ad58b8d	2022-07-11 14:27:40 +0000	[diff] [blame]	45
Jiyong Park	5e20d83	2021-07-12 21:11:33 +0900	[diff] [blame]	46	# Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
				47	# crosvm to the console
				48	allow virtualizationservice adbd:fd use;
				49	allow virtualizationservice adbd:unix_stream_socket { read write };
Andrew Walbran	9b2fa1b	2021-07-01 15:58:26 +0000	[diff] [blame]	50
Alice Wang	40519f7	2023-08-31 11:37:30 +0000	[diff] [blame]	51	# Allow to connnect to and run VirtMgr to start the service VM for remote attestation.
				52	virtualizationservice_use(virtualizationservice)
				53
				54	# Allow virtualizationservice to read and write in the apex data directory
				55	# /data/misc/apexdata/com.android.virt
				56	allow virtualizationservice apex_module_data_file:dir search;
				57	allow virtualizationservice apex_virt_data_file:dir create_dir_perms;
				58	allow virtualizationservice apex_virt_data_file:file create_file_perms;
				59
David Brazdil	55d808c	2022-12-15 13:38:42 +0000	[diff] [blame]	60	# Let virtualizationservice to accept vsock connection from the guest VMs to singleton services
				61	# such as the guest tombstone server.
Jiyong Park	f408371	2021-07-10 14:35:06 +0900	[diff] [blame]	62	allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
Jiyong Park	b804de2	2021-09-16 21:06:20 +0900	[diff] [blame]	63
				64	# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
				65	set_prop(virtualizationservice, virtualizationservice_prop)
Alan Stokes	3fad86b	2022-01-04 17:34:53 +0000	[diff] [blame]	66
Alan Stokes	8a881c1	2022-01-21 12:18:08 +0000	[diff] [blame]	67	# Allow writing stats to statsd
				68	unix_socket_send(virtualizationservice, statsdw, statsd)
				69
Shikha Panwar	a9f1dc9	2022-03-24 09:05:59 +0000	[diff] [blame]	70	# Allow virtualization service to talk to tombstoned to push guest tombstones
				71	unix_socket_connect(virtualizationservice, tombstoned_crash, tombstoned)
				72
				73	# Append to tombstone files passed as fds from tombstoned
				74	allow virtualizationservice tombstone_data_file:file { append getattr };
				75	allow virtualizationservice tombstoned:fd use;
				76
Inseob Kim	825056d	2023-08-01 11:00:49 +0900	[diff] [blame]	77	# Allow virtualizationservice to check if VFIO is supported
				78	allow virtualizationservice vfio_device:chr_file getattr;
				79	allow virtualizationservice vfio_device:dir r_dir_perms;
				80
Inseob Kim	bbe514d	2023-08-03 12:53:48 +0900	[diff] [blame]	81	# Allow virtualizationservice to access VM DTBO via a file created by virtualizationmanager.
				82	allow virtualizationservice virtualizationmanager:fd use;
Inseob Kim	825056d	2023-08-01 11:00:49 +0900	[diff] [blame]	83
Inseob Kim	d61618b	2023-08-30 14:04:24 +0900	[diff] [blame]	84	# Allow virtualizationservice to access vendor_configs_file to get the list of assignable devices.
				85	r_dir_file(virtualizationservice, vendor_configs_file)
				86
Jiyong Park	b804de2	2021-09-16 21:06:20 +0900	[diff] [blame]	87	neverallow {
				88	domain
				89	-init
				90	-virtualizationservice
				91	} virtualizationservice_prop:property_service set;
Alan Stokes	991087c	2022-08-31 16:09:44 +0100	[diff] [blame]	92
				93	neverallow {
				94	domain
				95	-init
David Brazdil	55d808c	2022-12-15 13:38:42 +0000	[diff] [blame]	96	-virtualizationmanager
Alan Stokes	991087c	2022-08-31 16:09:44 +0100	[diff] [blame]	97	-virtualizationservice
				98	} virtualizationservice_data_file:file { open create };
David Brazdil	55d808c	2022-12-15 13:38:42 +0000	[diff] [blame]	99
				100	neverallow virtualizationservice {
				101	domain
				102	-virtualizationmanager
				103	-virtualizationservice
				104	}:process setrlimit;
Inseob Kim	825056d	2023-08-01 11:00:49 +0900	[diff] [blame]	105
Inseob Kim	094e8e8	2023-11-17 18:03:46 +0900	[diff] [blame]	106	is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
Inseob Kim	fb0ed7f	2024-01-03 09:32:18 +0900	[diff] [blame^]	107	# Only virtualizationservice and virtualizationmanager can communicate to vfio_handler
				108	neverallow { domain -virtualizationmanager -virtualizationservice -servicemanager } vfio_handler:binder call;
Inseob Kim	094e8e8	2023-11-17 18:03:46 +0900	[diff] [blame]	109	')