Introduce vendor_microdroid_file for microdroid vendor image
In AVF, virtualizationmanager checks the selinux label of given disk
image for proving whether the given image is edited maliciously.
Existing one(vendor_configs_file, /vendor/etc/*) was too wide to
use for this purpose.
Bug: 325709490
Bug: 285854379
Test: m
Merged-In: I6c966c92b238a2262d2eb7f41041ed4c359e9e0a
Change-Id: I6c966c92b238a2262d2eb7f41041ed4c359e9e0a
(cherry picked from commit d2a0892121ad6feff08fdf4b8ac373c524a1f8da)
diff --git a/prebuilts/api/34.0/private/crosvm.te b/prebuilts/api/34.0/private/crosvm.te
index 31d6c19..19f7c96 100644
--- a/prebuilts/api/34.0/private/crosvm.te
+++ b/prebuilts/api/34.0/private/crosvm.te
@@ -27,8 +27,9 @@
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
-# /data/local/tmp), and instance.img (app_data_file). Note that the open permission is not given as
-# the files are passed as file descriptors.
+# /data/local/tmp), instance.img (app_data_file), and microdroid vendor image (vendor_microdroid_file).
+# Allow crosvm to read the instance image of the service VM saved in apex_virt_data_file.
+# Note that the open permission is not given as the files are passed as file descriptors.
allow crosvm {
virtualizationservice_data_file
staging_data_file
@@ -37,6 +38,7 @@
privapp_data_file
apex_compos_data_file
shell_data_file
+ vendor_microdroid_file
}:file { getattr read ioctl lock };
# Allow searching the directory where the composite disk images are.
@@ -122,6 +124,7 @@
# These types are not required for crosvm, but the access is granted to globally in domain.te
# thus should be exempted here.
-vendor_configs_file
+ -vendor_microdroid_file
-vndk_sp_file
-vendor_task_profiles_file
}:file *;
diff --git a/prebuilts/api/34.0/private/domain.te b/prebuilts/api/34.0/private/domain.te
index 1b5af99..59d9d8a 100644
--- a/prebuilts/api/34.0/private/domain.te
+++ b/prebuilts/api/34.0/private/domain.te
@@ -611,6 +611,7 @@
-vendor_apex_file
-vendor_apex_metadata_file
-vendor_configs_file
+ -vendor_microdroid_file
-vendor_service_contexts_file
-vendor_framework_file
-vendor_idc_file
diff --git a/prebuilts/api/34.0/private/file_contexts b/prebuilts/api/34.0/private/file_contexts
index 3612b67..7e0c34f 100644
--- a/prebuilts/api/34.0/private/file_contexts
+++ b/prebuilts/api/34.0/private/file_contexts
@@ -399,6 +399,7 @@
/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
/(vendor|system/vendor)/etc/cgroups\.json u:object_r:vendor_cgroup_desc_file:s0
/(vendor|system/vendor)/etc/task_profiles\.json u:object_r:vendor_task_profiles_file:s0
+/(vendor|system/vendor)/etc/avf/microdroid(/.*)? u:object_r:vendor_microdroid_file:s0
/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
diff --git a/prebuilts/api/34.0/private/shell.te b/prebuilts/api/34.0/private/shell.te
index 181963c..db35b2d 100644
--- a/prebuilts/api/34.0/private/shell.te
+++ b/prebuilts/api/34.0/private/shell.te
@@ -132,6 +132,9 @@
allow shell self:perf_event { open read write kernel };
neverallow shell self:perf_event ~{ open read write kernel };
+# Allow shell to read microdroid vendor image
+r_dir_file(shell, vendor_microdroid_file)
+
# Allow shell to read /apex/apex-info-list.xml and the vendor apexes
allow shell apex_info_file:file r_file_perms;
allow shell vendor_apex_file:file r_file_perms;
diff --git a/prebuilts/api/34.0/private/virtualizationmanager.te b/prebuilts/api/34.0/private/virtualizationmanager.te
index 70338ff..145a83d 100644
--- a/prebuilts/api/34.0/private/virtualizationmanager.te
+++ b/prebuilts/api/34.0/private/virtualizationmanager.te
@@ -80,6 +80,9 @@
allow virtualizationmanager shell_data_file:file open;
')
+# Allow virtualizationmanager to read microdroid related files in vendor partition
+r_dir_file(virtualizationmanager, vendor_microdroid_file)
+
# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
r_dir_file(virtualizationmanager, crosvm);
diff --git a/prebuilts/api/34.0/public/file.te b/prebuilts/api/34.0/public/file.te
index 9d43ccb..e19628b 100644
--- a/prebuilts/api/34.0/public/file.te
+++ b/prebuilts/api/34.0/public/file.te
@@ -251,6 +251,8 @@
# Type for all vendor public libraries for system. These libs should only be exposed to
# system. ABI stability of these libs is vendor's responsibility.
type vendor_public_framework_file, vendor_file_type, file_type;
+# Type for all microdroid related files in the vendor partition.
+type vendor_microdroid_file, vendor_file_type, file_type;
# Input configuration
type vendor_keylayout_file, vendor_file_type, file_type;
diff --git a/private/crosvm.te b/private/crosvm.te
index 31d6c19..19f7c96 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -27,8 +27,9 @@
# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
-# /data/local/tmp), and instance.img (app_data_file). Note that the open permission is not given as
-# the files are passed as file descriptors.
+# /data/local/tmp), instance.img (app_data_file), and microdroid vendor image (vendor_microdroid_file).
+# Allow crosvm to read the instance image of the service VM saved in apex_virt_data_file.
+# Note that the open permission is not given as the files are passed as file descriptors.
allow crosvm {
virtualizationservice_data_file
staging_data_file
@@ -37,6 +38,7 @@
privapp_data_file
apex_compos_data_file
shell_data_file
+ vendor_microdroid_file
}:file { getattr read ioctl lock };
# Allow searching the directory where the composite disk images are.
@@ -122,6 +124,7 @@
# These types are not required for crosvm, but the access is granted to globally in domain.te
# thus should be exempted here.
-vendor_configs_file
+ -vendor_microdroid_file
-vndk_sp_file
-vendor_task_profiles_file
}:file *;
diff --git a/private/domain.te b/private/domain.te
index 1b5af99..59d9d8a 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -611,6 +611,7 @@
-vendor_apex_file
-vendor_apex_metadata_file
-vendor_configs_file
+ -vendor_microdroid_file
-vendor_service_contexts_file
-vendor_framework_file
-vendor_idc_file
diff --git a/private/file_contexts b/private/file_contexts
index 3612b67..7e0c34f 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -399,6 +399,7 @@
/(vendor|system/vendor)/etc(/.*)? u:object_r:vendor_configs_file:s0
/(vendor|system/vendor)/etc/cgroups\.json u:object_r:vendor_cgroup_desc_file:s0
/(vendor|system/vendor)/etc/task_profiles\.json u:object_r:vendor_task_profiles_file:s0
+/(vendor|system/vendor)/etc/avf/microdroid(/.*)? u:object_r:vendor_microdroid_file:s0
/(vendor|system/vendor)/lib(64)?/egl(/.*)? u:object_r:same_process_hal_file:s0
diff --git a/private/shell.te b/private/shell.te
index 181963c..db35b2d 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -132,6 +132,9 @@
allow shell self:perf_event { open read write kernel };
neverallow shell self:perf_event ~{ open read write kernel };
+# Allow shell to read microdroid vendor image
+r_dir_file(shell, vendor_microdroid_file)
+
# Allow shell to read /apex/apex-info-list.xml and the vendor apexes
allow shell apex_info_file:file r_file_perms;
allow shell vendor_apex_file:file r_file_perms;
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index 70338ff..145a83d 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -80,6 +80,9 @@
allow virtualizationmanager shell_data_file:file open;
')
+# Allow virtualizationmanager to read microdroid related files in vendor partition
+r_dir_file(virtualizationmanager, vendor_microdroid_file)
+
# Allow reading files under /proc/[crosvm pid]/, for collecting CPU & memory usage inside VM.
r_dir_file(virtualizationmanager, crosvm);
diff --git a/public/file.te b/public/file.te
index 9d43ccb..e19628b 100644
--- a/public/file.te
+++ b/public/file.te
@@ -251,6 +251,8 @@
# Type for all vendor public libraries for system. These libs should only be exposed to
# system. ABI stability of these libs is vendor's responsibility.
type vendor_public_framework_file, vendor_file_type, file_type;
+# Type for all microdroid related files in the vendor partition.
+type vendor_microdroid_file, vendor_file_type, file_type;
# Input configuration
type vendor_keylayout_file, vendor_file_type, file_type;