# crosvm: the VMM process that runs guest VMs on behalf of VirtualizationService (AVF).
# On boards below API level 202504 the domain is declared here; newer boards presumably
# pick up the declaration from elsewhere in the policy (see until_board_api).
until_board_api(202504, `
  type crosvm, domain, coredomain;
')

type crosvm_exec, system_file_type, exec_type, file_type;
type crosvm_tmpfs, file_type;

# VM manager devices such as /dev/kvm. rw_file_perms includes ioctl, and no allowxperm rule
# narrows it for crosvm in this file, so crosvm may issue any ioctl on these devices. The
# neverallowxperm below constrains other domains only.
allow crosvm vm_manager_device_type:chr_file rw_file_perms;

# /dev/kvm is private to crosvm. ueventd needs it to create the node and shell may only stat
# it; no other domain may touch it. Any domain other than crosvm may be granted at most the
# KVM_CHECK_EXTENSION ioctl, and together with the ~getattr assertion that can only ever apply
# to ueventd.
neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr;
neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr;
neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION };

# The same restriction for other VM manager devices, asserted only over coredomain and
# appdomain so that a vendor domain implementing a different VM manager is not ruled out.
neverallow { coredomain appdomain -crosvm -ueventd -shell } vm_manager_device_type:chr_file getattr;
neverallow { coredomain appdomain -crosvm -ueventd } vm_manager_device_type:chr_file ~getattr;

# Temporary files (crosvm_tmpfs).
tmpfs_domain(crosvm)

# crosvm inherits its inputs (disk images, control socket, log pipe) as file descriptors from
# the VirtualizationService process that spawned it, and reports the failure reason and the
# console/log of the VM back to that process over a pipe.
allow crosvm virtualizationmanager:fd use;
allow crosvm virtualizationmanager:fifo_file write;
is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `
  # Early VMs are spawned by early_virtmgr instead of virtualizationmanager.
  allow crosvm early_virtmgr:fd use;
  allow crosvm early_virtmgr:fifo_file write;
')

# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes
# (staging_data_file), APKs (apk_data_file, and shell_data_file for test APKs in /data/local/tmp),
# instance.img (app_data_file) and the microdroid vendor image (vendor_microdroid_file), plus the
# instance image of the service VM saved in apex_virt_data_file.
# The open permission is not given: the files are handed over as file descriptors.
# Disk images and other VM inputs are opened by the VM owner (VirtualizationService, an app or
# shell) and handed to crosvm as file descriptors, so only per-descriptor operations are granted
# here and open is deliberately withheld (asserted by a neverallow near the end of this file).
# NOTE(review): ioctl is granted without an allowxperm filter, so any ioctl is accepted on these
# descriptors; confirm that is intended, or narrow it the way the network rules below do.

# Images that may represent mutable disks also get write: the composite disk and instance images
# in virtualizationservice_data_file, app-owned instance.img (app_data_file, privapp_data_file),
# apex_compos_data_file, apex_virt_data_file (instance image of the service VM) and, with early
# VMs enabled, vm_data_file.
allow crosvm {
  virtualizationservice_data_file
  app_data_file
  privapp_data_file
  apex_compos_data_file
  apex_virt_data_file
  is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
}:file { getattr read ioctl lock write };

# Inputs that only need read access here: staged APEXes (staging_data_file), APKs (apk_data_file,
# plus shell_data_file for test APKs in /data/local/tmp; shell_data_file receives write separately
# further down) and the microdroid vendor image (vendor_microdroid_file).
allow crosvm {
  staging_data_file
  apk_data_file
  shell_data_file
  vendor_microdroid_file
}:file { getattr read ioctl lock };

# The directory holding the composite disk images must be searchable.
allow crosvm virtualizationservice_data_file:dir search;
is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `
  allow crosvm vm_data_file:dir search;
')

# Running a VM as root on debug builds produces spurious ipc_lock denials. Silence them rather
# than grant the capability.
userdebug_or_eng(`
  dontaudit crosvm self:capability ipc_lock;
')

# Performance tuning (scheduler priority).
allow crosvm self:global_capability_class_set sys_nice;

# The control socket is created by VirtualizationService and passed in by FD, hence no open.
# read/write/getattr: polling the listener; accept: taking new connections; getopt as granted
# by the original rule.
allow crosvm virtualizationmanager:unix_stream_socket { accept read write getattr getopt };
is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `
  allow crosvm early_virtmgr:unix_stream_socket { accept read write getattr getopt };
')

# Debug builds only: open test artifacts under /data/local/tmp by path (e.g. a custom pvmfw.img).
# This is the one place crosvm may open a data file itself; the open neverallow near the end of
# the file carries a matching userdebug_or_eng exclusion for shell_data_file.
userdebug_or_eng(`
  allow crosvm shell_data_file:dir search;
  allow crosvm shell_data_file:file open;
')

# Allow crosvm to pipe console log to shell or app which could be the owner of a VM.
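# Console log is piped to shell (over adbd) or to the app that owns the VM.
# The ioctl on the adbd socket was previously a separate rule next to the gdb-server rules
# below; allow rules are additive, so it is folded into the socket rule here.
allow crosvm adbd:fd use;
allow crosvm adbd:unix_stream_socket { read write ioctl };
allow crosvm devpts:chr_file { read write getattr ioctl };

is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
  # Allow crosvm to draw screen in the surface.
  allow crosvm device:dir { read open };
  allow crosvm same_process_hal_file:file { read open getattr map execute };
  # The original permission set listed open twice; the set below is the same set.
  allow crosvm gpu_device:chr_file { read write open ioctl map getattr };
  allow crosvm hal_graphics_allocator:fd use;
  allow crosvm hal_graphics_allocator_server:binder call;
  allow crosvm surfaceflinger:fd use;
  # NOTE(review): hal_client_domain may already cover some of the two hal_graphics_allocator
  # rules above; the overlap is harmless.
  hal_client_domain(crosvm, hal_graphics_allocator)

  # To provide display service to an app to get surface.
  # TODO(b/332677707): remove them when display service uses binder RPC.
  allow crosvm vmlauncher_app:binder { transfer call };
  allow crosvm servicemanager:binder { call transfer };
  allow crosvm virtualization_service:service_manager find;
  allow crosvm virtualizationservice:binder { call transfer };

  # Allow crosvm to play sound.
  binder_call(crosvm, audioserver)
  allow crosvm audioserver_service:service_manager find;

  # Allow crosvm to mount fuse path in guest VM through virtiofs. This is create/write access
  # to FUSE-backed user storage and exists only behind this flag.
  allow crosvm fuse:file create_file_perms;
  allow crosvm fuse:dir create_dir_perms;
  allow crosvm mnt_user_file:dir search;

  # Allow crosvm to create the unix socket for vhost-user-fs. Only sock_file creation is
  # granted in this directory, not regular file creation, so the fd-only handling of disk
  # images asserted later in this file is unaffected.
  allow crosvm virtualizationservice_data_file:dir { add_name write remove_name };
  allow crosvm virtualizationservice_data_file:sock_file { create write unlink };
')

# crosvm tries to use netlink sockets as part of its ACPI implementation, but we don't need it
# for AVF (b/228077254). Silence the denials instead of granting the access.
dontaudit crosvm self:netlink_generic_socket create_socket_perms_no_ioctl;

# crosvm can write files in /data/local/tmp which are usually used for instance.img and logging by
# compliance tests and demo apps. Write access to instance.img is particularly important because
# the VM has to initialize the disk image on its first boot. Note that open access is still not
# granted because the files are expected to be opened by the owner of the VM (apps or shell in case
# when the vm is created by the `vm` tool) and handed over to crosvm as FD.
allow crosvm shell_data_file:file write;

# crosvm tries to read serial device, including the write-only pipe from virtualizationmanager (to
# forward console/log to the host logcat).
# crosvm only needs write permission, so dontaudit read.
dontaudit crosvm {
  virtualizationmanager
  is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `early_virtmgr')
}:fifo_file { read getattr };

# Required for crosvm to start gdb-server to enable debugging of guest kernel.
# NOTE(review): these rules are not wrapped in userdebug_or_eng or a release flag, so on user
# builds crosvm may still create a listening TCP socket bound to ports labeled port on nodes
# labeled node. If guest debugging is a debug-only feature, consider gating this like the other
# debug-only grants in this file.
allow crosvm self:tcp_socket { bind create read setopt write accept listen };
allow crosvm port:tcp_socket name_bind;
allow crosvm node:tcp_socket node_bind;

# Allow crosvm to interact with a VFIO device.
allow crosvm vfio_device:chr_file rw_file_perms;
allow crosvm vfio_device:dir r_dir_perms;

# Allow crosvm to access the VM DTBO via a file created by virtualizationmanager.
# (read on virtualizationservice_data_file is already granted with the disk image rules above;
# the rule is kept so the DTBO dependency stays documented.)
allow crosvm virtualizationservice_data_file:file read;

is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
  # Allow crosvm to deal with file descriptors of TAP interfaces. The TAP ioctls are narrowed
  # by allowxperm to the three the device model needs.
  allow crosvm tun_device:chr_file rw_file_perms;
  allowxperm crosvm tun_device:chr_file ioctl { TUNGETIFF TUNSETOFFLOAD TUNSETVNETHDRSZ };
  allow crosvm self:udp_socket create_socket_perms;
  allowxperm crosvm self:udp_socket ioctl SIOCGIFMTU;
  allow crosvm vmnic:fd use;
')

# Early VMs may print messages to kmsg_debug_device.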
allow crosvm kmsg_debug_device:chr_file w_file_perms;
# NOTE(review): unlike the other early-VM rules in this file, the rule above is not wrapped in
# is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, ...), so every crosvm instance may write to
# kmsg_debug_device. Confirm that is intended.

# Allow crosvm to read /data/nativetest for VTS.
# NOTE(review): not limited to userdebug_or_eng builds, unlike the other test-only grants above.
r_dir_file(crosvm, nativetest_data_file)

# Don't allow crosvm to open files that it doesn't own.
# This is important because a malicious application could try to start a VM with a composite disk
# image referring by name to files which it doesn't have permission to open, trying to get crosvm to
# open them on its behalf. By preventing crosvm from opening any other files we prevent this
# potential privilege escalation. See http://b/192453819 for more discussion.
# NOTE(review): the assertion covers only the types listed below. Types crosvm may read or write
# elsewhere in this file but which are absent here include apex_compos_data_file,
# apex_virt_data_file, vendor_microdroid_file and, on user builds, shell_data_file; add them if
# they must also stay fd-only. The userdebug_or_eng exclusion of shell_data_file appears to be a
# no-op, since shell_data_file is not in the positive set; it does mirror the debug-only
# shell_data_file open grant above.
neverallow crosvm {
  virtualizationservice_data_file
  staging_data_file
  apk_data_file
  app_data_file
  privapp_data_file
  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_content_file')
  is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `vm_data_file')
  userdebug_or_eng(`-shell_data_file')
}:file open;

# Don't allow crosvm to have access to ordinary vendor files that are not for VMs.
# vendor_vm_file and vendor_vm_data_file are presumably the VM-specific vendor types and stay
# reachable; the remaining exemptions are types every domain already gets in domain.te.
full_treble_only(`
  neverallow crosvm {
    vendor_file_type
    -vendor_vm_file
    -vendor_vm_data_file
    # These types are not required for crosvm, but the access is granted globally in domain.te
    # and thus must be exempted here.
    -vendor_cgroup_desc_file
    -vendor_configs_file
    -vendor_microdroid_file
    -vndk_sp_file
    -vendor_task_profiles_file
    -same_process_hal_file
  }:file *;
')

# Only allow crosvm to read app data files for clients that can start
# VMs. Note that the use of app data files is further restricted
# inside the virtualizationservice by checking the label of all disk
# image files.
# The three exemptions are exactly the app-owned types granted read in the disk image rules
# above; any new app_data_file_type that crosvm must read has to be added here as well.
neverallow crosvm {
  app_data_file_type
  -app_data_file
  -privapp_data_file
  -shell_data_file
}:file read;

# Only virtualizationmanager can run crosvm.
# Allow vmlauncher app to launch crosvm for virtiofs.
# Further exemptions: crosvm itself (presumably so it can re-exec its own binary), overlay_remounter
# on userdebug/eng builds and, when early VMs are enabled, early_virtmgr. no_x_file_perms denies
# the execute-type permissions on crosvm_exec to every other domain.
neverallow {
  domain
  -crosvm
  -virtualizationmanager
  -vmlauncher_app
  userdebug_or_eng(`-overlay_remounter')

  is_flag_enabled(RELEASE_AVF_ENABLE_EARLY_VM, `-early_virtmgr')
} crosvm_exec:file no_x_file_perms;