• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1type crosvm, domain, coredomain;
2type crosvm_exec, system_file_type, exec_type, file_type;
3type crosvm_tmpfs, file_type;
4
5# Let crosvm open VM manager devices such as /dev/kvm.
6allow crosvm vm_manager_device_type:chr_file rw_file_perms;
7
8# Most other domains shouldn't access /dev/kvm.
9neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
10neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
11neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };
12
13# Most other domains shouldn't access other vm managers either.
14# These restrictions need to be slightly looser than for kvm_device to allow
15# for different implementations.
16neverallow { coredomain appdomain -crosvm -ueventd -shell } vm_manager_device_type:chr_file getattr;
17neverallow { coredomain appdomain -crosvm -ueventd } vm_manager_device_type:chr_file ~getattr;
18
19# Let crosvm create temporary files.
20tmpfs_domain(crosvm)
21
22# Let crosvm receive file descriptors from VirtualizationService.
23allow crosvm virtualizationmanager:fd use;
24
25# Allow sending VirtualizationService the failure reason and console/log from the VM via pipe.
26allow crosvm virtualizationmanager:fifo_file write;
27
28# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
29# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in
30# /data/local/tmp), instance.img (app_data_file), and microdroid vendor image (vendor_microdroid_file).
31# Allow crosvm to read the instance image of the service VM saved in apex_virt_data_file.
32# Note that the open permission is not given as the files are passed as file descriptors.
33allow crosvm {
34  virtualizationservice_data_file
35  staging_data_file
36  apk_data_file
37  app_data_file
38  privapp_data_file
39  apex_compos_data_file
40  apex_virt_data_file
41  shell_data_file
42  vendor_microdroid_file
43}:file { getattr read ioctl lock };
44
45# Allow searching the directory where the composite disk images are.
46allow crosvm virtualizationservice_data_file:dir search;
47
48# When running a VM as root we get spurious capability denials.
49# Suppress them.
50userdebug_or_eng(`
51  dontaudit crosvm self:capability ipc_lock;
52')
53
54# Allow crosvm to tune for performance.
55allow crosvm self:global_capability_class_set sys_nice;
56
57# Let crosvm access its control socket as created by VS.
58#   read, write, getattr: listener socket polling
59#   accept: listener socket accepting new connection
60# Note that the open permission is not given as the socket is passed by FD.
61allow crosvm virtualizationmanager:unix_stream_socket { accept read write getattr getopt };
62
63# Let crosvm open test artifacts under /data/local/tmp with file path. (e.g. custom pvmfw.img)
64userdebug_or_eng(`
65  allow crosvm shell_data_file:dir search;
66  allow crosvm shell_data_file:file open;
67')
68
69# The instance image and the composite image should be writable as well because they could represent
70# mutable disks.
71allow crosvm {
72  virtualizationservice_data_file
73  app_data_file
74  privapp_data_file
75  apex_compos_data_file
76  apex_virt_data_file
77}:file write;
78
79# Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
80allow crosvm adbd:fd use;
81allow crosvm adbd:unix_stream_socket { read write };
82allow crosvm devpts:chr_file { read write getattr ioctl };
83
84# crosvm tries to use netlink sockets as part its APCI implementation, but we don't need it for AVF (b/228077254)
85dontaudit crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;
86
87# crosvm can write files in /data/local/tmp which are usually used for instance.img and logging by
88# compliance tests and demo apps. Write access to instance.img is particularily important because
89# the VM has to initialize the disk image on its first boot. Note that open access is still not
90# granted because the files are expected to be opened by the owner of the VM (apps or shell in case
91# when the vm is created by the `vm` tool) and handed over to crosvm as FD.
92allow crosvm shell_data_file:file write;
93
94# crosvm tries to read serial device, including the write-only pipe from virtualizationmanager (to
95# forward console/log to the host logcat).
96# crosvm only needs write permission, so dontaudit read
97dontaudit crosvm virtualizationmanager:fifo_file { read getattr };
98
99# Required for crosvm to start gdb-server to enable debugging of guest kernel.
100allow crosvm self:tcp_socket { bind create read setopt write accept listen };
101allow crosvm port:tcp_socket name_bind;
102allow crosvm adbd:unix_stream_socket ioctl;
103allow crosvm node:tcp_socket node_bind;
104
105# Allow crosvm to interact to VFIO device
106allow crosvm vfio_device:chr_file rw_file_perms;
107allow crosvm vfio_device:dir r_dir_perms;
108
109# Allow crosvm to access VM DTBO via a file created by virtualizationmanager.
110allow crosvm virtualizationmanager:fd use;
111allow crosvm virtualizationservice_data_file:file read;
112
113# Don't allow crosvm to open files that it doesn't own.
114# This is important because a malicious application could try to start a VM with a composite disk
115# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
116# open them on its behalf. By preventing crosvm from opening any other files we prevent this
117# potential privilege escalation. See http://b/192453819 for more discussion.
118neverallow crosvm {
119  virtualizationservice_data_file
120  staging_data_file
121  apk_data_file
122  app_data_file
123  privapp_data_file
124  userdebug_or_eng(`-shell_data_file')
125}:file open;
126
127# Don't allow crosvm to have access to ordinary vendor files that are not for VMs.
128full_treble_only(`
129  neverallow crosvm {
130    vendor_file_type
131    -vendor_vm_file
132    -vendor_vm_data_file
133    # These types are not required for crosvm, but the access is granted to globally in domain.te
134    # thus should be exempted here.
135    -vendor_configs_file
136    -vendor_microdroid_file
137    -vndk_sp_file
138    -vendor_task_profiles_file
139  }:file *;
140')
141
142# Only allow crosvm to read app data files for clients that can start
143# VMs. Note that the use of app data files is further restricted
144# inside the virtualizationservice by checking the label of all disk
145# image files.
146neverallow crosvm {
147  app_data_file_type
148  -app_data_file
149  -privapp_data_file
150  -shell_data_file
151}:file read;
152
153# Only virtualizationmanager can run crosvm
154neverallow {
155  domain
156  -crosvm
157  -virtualizationmanager
158} crosvm_exec:file no_x_file_perms;
159