Add permission for VFIO device binding

vfio_handler will bind platform devices to VFIO driver, and then return a file descriptor containing DTBO. This change adds permissions needed for that. Bug: 278008182 Bug: 308058980 Test: adb shell /apex/com.android.virt/bin/vm run-microdroid \ --devices /sys/bus/platform/devices/16d00000.eh --protected Change-Id: Ie947adff00d138426d4703cbb8e7a8cd429c2272 Merged-In: Ie947adff00d138426d4703cbb8e7a8cd429c2272 (cherry picked from commit 825056de9ab6c5d8231cd0039e12280eb5b0ea10)
author: Inseob Kim <inseob@google.com> 2023-08-01 11:00:49 +0900
committer: Inseob Kim <inseob@google.com> 2023-11-14 01:56:24 +0000
commit: 901385f711bf6d92a8cb42c6f4ef646f7a4f3ea2 (patch)
tree: 0787670629ed54a16cde83f699c031eb64f2737d
parent: 6dcc5f787e61841375f4c991e143fef50551bcc0 (diff)
download: sepolicy-901385f711bf6d92a8cb42c6f4ef646f7a4f3ea2.tar.gz
20 files changed, 119 insertions, 0 deletions
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts
index 9c13bd5cb..afe9f51c4 100644
--- a/apex/com.android.virt-file_contexts
+++ b/apex/com.android.virt-file_contexts
@@ -3,3 +3,4 @@
 /bin/fd_server             u:object_r:fd_server_exec:s0
 /bin/virtmgr               u:object_r:virtualizationmanager_exec:s0
 /bin/virtualizationservice u:object_r:virtualizationservice_exec:s0
+/bin/vfio_handler          u:object_r:vfio_handler_exec:s0
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 0d0fa76f8..269233ad5 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -167,7 +167,9 @@ var (
 		"android.security.metrics":                                        EXCEPTION_NO_FUZZER,
 		"android.service.gatekeeper.IGateKeeperService":                   EXCEPTION_NO_FUZZER,
 		"android.system.composd":                                          EXCEPTION_NO_FUZZER,
+		// TODO(b/294158658): add fuzzer
 		"android.system.virtualizationservice":                            EXCEPTION_NO_FUZZER,
+		"android.system.virtualizationservice_internal.IVfioHandler":      EXCEPTION_NO_FUZZER,
 		"ambient_context":                                                 EXCEPTION_NO_FUZZER,
 		"app_binding":                                                     EXCEPTION_NO_FUZZER,
 		"app_hibernation":                                                 EXCEPTION_NO_FUZZER,
diff --git a/prebuilts/api/34.0/private/coredomain.te b/prebuilts/api/34.0/private/coredomain.te
index 83930a50a..f9b47dfb8 100644
--- a/prebuilts/api/34.0/private/coredomain.te
+++ b/prebuilts/api/34.0/private/coredomain.te
@@ -150,6 +150,7 @@ full_treble_only(`
     -apexd
     -init
     -ueventd
+    -vfio_handler
     -vold
   } sysfs:file no_rw_file_perms;
 
diff --git a/prebuilts/api/34.0/private/crosvm.te b/prebuilts/api/34.0/private/crosvm.te
index f1012b79b..31d6c1992 100644
--- a/prebuilts/api/34.0/private/crosvm.te
+++ b/prebuilts/api/34.0/private/crosvm.te
@@ -91,6 +91,14 @@ allow crosvm port:tcp_socket name_bind;
 allow crosvm adbd:unix_stream_socket ioctl;
 allow crosvm node:tcp_socket node_bind;
 
+# Allow crosvm to interact to VFIO device
+allow crosvm vfio_device:chr_file rw_file_perms;
+allow crosvm vfio_device:dir r_dir_perms;
+
+# Allow crosvm to access VM DTBO via a pipe created by vfio handler.
+allow crosvm vfio_handler:fd use;
+allow crosvm vfio_handler:fifo_file r_file_perms;
+
 # Don't allow crosvm to open files that it doesn't own.
 # This is important because a malicious application could try to start a VM with a composite disk
 # image referring by name to files which it doesn't have permission to open, trying to get crosvm to
diff --git a/prebuilts/api/34.0/private/file_contexts b/prebuilts/api/34.0/private/file_contexts
index 258c6b456..f18b6dd31 100644
--- a/prebuilts/api/34.0/private/file_contexts
+++ b/prebuilts/api/34.0/private/file_contexts
@@ -191,6 +191,7 @@
 /dev/urandom		u:object_r:random_device:s0
 /dev/usb_accessory	u:object_r:usbaccessory_device:s0
 /dev/v4l-touch[0-9]*	u:object_r:input_device:s0
+/dev/vfio(/.*)?		u:object_r:vfio_device:s0
 /dev/vhost-vsock	u:object_r:kvm_device:s0
 /dev/video[0-9]*	u:object_r:video_device:s0
 /dev/vndbinder		u:object_r:vndbinder_device:s0
diff --git a/prebuilts/api/34.0/private/service.te b/prebuilts/api/34.0/private/service.te
index 3717150de..06b03e091 100644
--- a/prebuilts/api/34.0/private/service.te
+++ b/prebuilts/api/34.0/private/service.te
@@ -20,5 +20,6 @@ type statscompanion_service,        system_server_service, service_manager_type;
 type statsmanager_service,          system_api_service, system_server_service, service_manager_type;
 type tracingproxy_service,          system_server_service, service_manager_type;
 type transparency_service,          system_server_service, service_manager_type;
+type vfio_handler_service,          service_manager_type;
 type uce_service,                   service_manager_type;
 type wearable_sensing_service,      system_api_service, system_server_service, service_manager_type;
diff --git a/prebuilts/api/34.0/private/service_contexts b/prebuilts/api/34.0/private/service_contexts
index 3bb9c8502..0f63e3950 100644
--- a/prebuilts/api/34.0/private/service_contexts
+++ b/prebuilts/api/34.0/private/service_contexts
@@ -144,6 +144,7 @@ android.security.metrics                  u:object_r:keystore_metrics_service:s0
 android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0
 android.system.composd                    u:object_r:compos_service:s0
 android.system.virtualizationservice      u:object_r:virtualization_service:s0
+android.system.virtualizationservice_internal.IVfioHandler u:object_r:vfio_handler_service:s0
 ambient_context                           u:object_r:ambient_context_service:s0
 app_binding                               u:object_r:app_binding_service:s0
 app_hibernation                           u:object_r:app_hibernation_service:s0
diff --git a/prebuilts/api/34.0/private/vfio_handler.te b/prebuilts/api/34.0/private/vfio_handler.te
new file mode 100644
index 000000000..706a6ca22
--- /dev/null
+++ b/prebuilts/api/34.0/private/vfio_handler.te
@@ -0,0 +1,24 @@
+# vfio_handler is a helper service for VFIO tasks, like binding platform devices to VFIO driver.
+# vfio_handler is separate from virtualizationservice as VFIO tasks require root.
+type vfio_handler, domain, coredomain;
+type vfio_handler_exec, system_file_type, exec_type, file_type;
+
+# When init runs a file labelled with vfio_handler_exec, run it in the vfio_handler domain.
+init_daemon_domain(vfio_handler)
+
+# Let the vfio_handler domain register the vfio_handler_service with ServiceManager.
+add_service(vfio_handler, vfio_handler_service)
+
+# Let the vfio_handler domain use Binder.
+binder_use(vfio_handler)
+
+# Allow vfio_handler to check if VFIO is supported
+allow vfio_handler vfio_device:chr_file getattr;
+allow vfio_handler vfio_device:dir r_dir_perms;
+
+# Allow vfio_handler to bind/unbind platform devices
+allow vfio_handler sysfs:dir r_dir_perms;
+allow vfio_handler sysfs:file rw_file_perms;
+
+# Only vfio_handler can add vfio_handler_service
+neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;
diff --git a/prebuilts/api/34.0/private/virtualizationmanager.te b/prebuilts/api/34.0/private/virtualizationmanager.te
index bfad8e71f..70338ff1a 100644
--- a/prebuilts/api/34.0/private/virtualizationmanager.te
+++ b/prebuilts/api/34.0/private/virtualizationmanager.te
@@ -86,3 +86,7 @@ r_dir_file(virtualizationmanager, crosvm);
 # For debug purposes we try to get the canonical path from /proc/self/fd/N. That triggers
 # a harmless denial for CompOS log files, so ignore that.
 dontaudit virtualizationmanager apex_module_data_file:dir search;
+
+# Allow virtualizationmanager to access VM DTBO via a pipe created by vfio handler.
+allow virtualizationmanager vfio_handler:fd use;
+allow virtualizationmanager vfio_handler:fifo_file r_file_perms;
diff --git a/prebuilts/api/34.0/private/virtualizationservice.te b/prebuilts/api/34.0/private/virtualizationservice.te
index 561e7788d..a4588dc9f 100644
--- a/prebuilts/api/34.0/private/virtualizationservice.te
+++ b/prebuilts/api/34.0/private/virtualizationservice.te
@@ -15,6 +15,10 @@ binder_use(virtualizationservice)
 # Let the virtualizationservice domain register the virtualization_service with ServiceManager.
 add_service(virtualizationservice, virtualization_service)
 
+# Let virtualizationservice find and communicate with vfio_handler.
+allow virtualizationservice vfio_handler_service:service_manager find;
+binder_call(virtualizationservice, vfio_handler)
+
 # Allow calling into the system server to find "permission_service".
 binder_call(virtualizationservice, system_server)
 allow virtualizationservice permission_service:service_manager find;
@@ -54,6 +58,14 @@ unix_socket_connect(virtualizationservice, tombstoned_crash, tombstoned)
 allow virtualizationservice tombstone_data_file:file { append getattr };
 allow virtualizationservice tombstoned:fd use;
 
+# Allow virtualizationservice to check if VFIO is supported
+allow virtualizationservice vfio_device:chr_file getattr;
+allow virtualizationservice vfio_device:dir r_dir_perms;
+
+# Allow virtualizationservice to access VM DTBO via a pipe created by vfio handler.
+allow virtualizationservice vfio_handler:fd use;
+allow virtualizationservice vfio_handler:fifo_file r_file_perms;
+
 neverallow {
   domain
   -init
@@ -72,3 +84,6 @@ neverallow virtualizationservice {
   -virtualizationmanager
   -virtualizationservice
 }:process setrlimit;
+
+# Only virtualizationservice can communicate to vfio_handler
+neverallow { domain -virtualizationservice -servicemanager } vfio_handler:binder call;
diff --git a/prebuilts/api/34.0/public/device.te b/prebuilts/api/34.0/public/device.te
index fa292565e..36299d38c 100644
--- a/prebuilts/api/34.0/public/device.te
+++ b/prebuilts/api/34.0/public/device.te
@@ -129,3 +129,6 @@ type userdata_sysdev, dev_type;
 
 # Root disk file for disk tunables
 type rootdisk_sysdev, dev_type;
+
+# vfio device
+type vfio_device, dev_type;
diff --git a/private/coredomain.te b/private/coredomain.te
index 83930a50a..f9b47dfb8 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -150,6 +150,7 @@ full_treble_only(`
     -apexd
     -init
     -ueventd
+    -vfio_handler
     -vold
   } sysfs:file no_rw_file_perms;
 
diff --git a/private/crosvm.te b/private/crosvm.te
index f1012b79b..31d6c1992 100644
--- a/private/crosvm.te
+++ b/private/crosvm.te
@@ -91,6 +91,14 @@ allow crosvm port:tcp_socket name_bind;
 allow crosvm adbd:unix_stream_socket ioctl;
 allow crosvm node:tcp_socket node_bind;
 
+# Allow crosvm to interact to VFIO device
+allow crosvm vfio_device:chr_file rw_file_perms;
+allow crosvm vfio_device:dir r_dir_perms;
+
+# Allow crosvm to access VM DTBO via a pipe created by vfio handler.
+allow crosvm vfio_handler:fd use;
+allow crosvm vfio_handler:fifo_file r_file_perms;
+
 # Don't allow crosvm to open files that it doesn't own.
 # This is important because a malicious application could try to start a VM with a composite disk
 # image referring by name to files which it doesn't have permission to open, trying to get crosvm to
diff --git a/private/file_contexts b/private/file_contexts
index 258c6b456..f18b6dd31 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -191,6 +191,7 @@
 /dev/urandom		u:object_r:random_device:s0
 /dev/usb_accessory	u:object_r:usbaccessory_device:s0
 /dev/v4l-touch[0-9]*	u:object_r:input_device:s0
+/dev/vfio(/.*)?		u:object_r:vfio_device:s0
 /dev/vhost-vsock	u:object_r:kvm_device:s0
 /dev/video[0-9]*	u:object_r:video_device:s0
 /dev/vndbinder		u:object_r:vndbinder_device:s0
diff --git a/private/service.te b/private/service.te
index 3717150de..06b03e091 100644
--- a/private/service.te
+++ b/private/service.te
@@ -20,5 +20,6 @@ type statscompanion_service,        system_server_service, service_manager_type;
 type statsmanager_service,          system_api_service, system_server_service, service_manager_type;
 type tracingproxy_service,          system_server_service, service_manager_type;
 type transparency_service,          system_server_service, service_manager_type;
+type vfio_handler_service,          service_manager_type;
 type uce_service,                   service_manager_type;
 type wearable_sensing_service,      system_api_service, system_server_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index 3bb9c8502..0f63e3950 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -144,6 +144,7 @@ android.security.metrics                  u:object_r:keystore_metrics_service:s0
 android.service.gatekeeper.IGateKeeperService    u:object_r:gatekeeper_service:s0
 android.system.composd                    u:object_r:compos_service:s0
 android.system.virtualizationservice      u:object_r:virtualization_service:s0
+android.system.virtualizationservice_internal.IVfioHandler u:object_r:vfio_handler_service:s0
 ambient_context                           u:object_r:ambient_context_service:s0
 app_binding                               u:object_r:app_binding_service:s0
 app_hibernation                           u:object_r:app_hibernation_service:s0
diff --git a/private/vfio_handler.te b/private/vfio_handler.te
new file mode 100644
index 000000000..706a6ca22
--- /dev/null
+++ b/private/vfio_handler.te
@@ -0,0 +1,24 @@
+# vfio_handler is a helper service for VFIO tasks, like binding platform devices to VFIO driver.
+# vfio_handler is separate from virtualizationservice as VFIO tasks require root.
+type vfio_handler, domain, coredomain;
+type vfio_handler_exec, system_file_type, exec_type, file_type;
+
+# When init runs a file labelled with vfio_handler_exec, run it in the vfio_handler domain.
+init_daemon_domain(vfio_handler)
+
+# Let the vfio_handler domain register the vfio_handler_service with ServiceManager.
+add_service(vfio_handler, vfio_handler_service)
+
+# Let the vfio_handler domain use Binder.
+binder_use(vfio_handler)
+
+# Allow vfio_handler to check if VFIO is supported
+allow vfio_handler vfio_device:chr_file getattr;
+allow vfio_handler vfio_device:dir r_dir_perms;
+
+# Allow vfio_handler to bind/unbind platform devices
+allow vfio_handler sysfs:dir r_dir_perms;
+allow vfio_handler sysfs:file rw_file_perms;
+
+# Only vfio_handler can add vfio_handler_service
+neverallow { domain -vfio_handler } vfio_handler_service:service_manager add;
diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te
index bfad8e71f..70338ff1a 100644
--- a/private/virtualizationmanager.te
+++ b/private/virtualizationmanager.te
@@ -86,3 +86,7 @@ r_dir_file(virtualizationmanager, crosvm);
 # For debug purposes we try to get the canonical path from /proc/self/fd/N. That triggers
 # a harmless denial for CompOS log files, so ignore that.
 dontaudit virtualizationmanager apex_module_data_file:dir search;
+
+# Allow virtualizationmanager to access VM DTBO via a pipe created by vfio handler.
+allow virtualizationmanager vfio_handler:fd use;
+allow virtualizationmanager vfio_handler:fifo_file r_file_perms;
diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te
index 561e7788d..a4588dc9f 100644
--- a/private/virtualizationservice.te
+++ b/private/virtualizationservice.te
@@ -15,6 +15,10 @@ binder_use(virtualizationservice)
 # Let the virtualizationservice domain register the virtualization_service with ServiceManager.
 add_service(virtualizationservice, virtualization_service)
 
+# Let virtualizationservice find and communicate with vfio_handler.
+allow virtualizationservice vfio_handler_service:service_manager find;
+binder_call(virtualizationservice, vfio_handler)
+
 # Allow calling into the system server to find "permission_service".
 binder_call(virtualizationservice, system_server)
 allow virtualizationservice permission_service:service_manager find;
@@ -54,6 +58,14 @@ unix_socket_connect(virtualizationservice, tombstoned_crash, tombstoned)
 allow virtualizationservice tombstone_data_file:file { append getattr };
 allow virtualizationservice tombstoned:fd use;
 
+# Allow virtualizationservice to check if VFIO is supported
+allow virtualizationservice vfio_device:chr_file getattr;
+allow virtualizationservice vfio_device:dir r_dir_perms;
+
+# Allow virtualizationservice to access VM DTBO via a pipe created by vfio handler.
+allow virtualizationservice vfio_handler:fd use;
+allow virtualizationservice vfio_handler:fifo_file r_file_perms;
+
 neverallow {
   domain
   -init
@@ -72,3 +84,6 @@ neverallow virtualizationservice {
   -virtualizationmanager
   -virtualizationservice
 }:process setrlimit;
+
+# Only virtualizationservice can communicate to vfio_handler
+neverallow { domain -virtualizationservice -servicemanager } vfio_handler:binder call;
diff --git a/public/device.te b/public/device.te
index fa292565e..36299d38c 100644
--- a/public/device.te
+++ b/public/device.te
@@ -129,3 +129,6 @@ type userdata_sysdev, dev_type;
 
 # Root disk file for disk tunables
 type rootdisk_sysdev, dev_type;
+
+# vfio device
+type vfio_device, dev_type;
author	Inseob Kim <inseob@google.com>	2023-08-01 11:00:49 +0900
committer	Inseob Kim <inseob@google.com>	2023-11-14 01:56:24 +0000
commit	901385f711bf6d92a8cb42c6f4ef646f7a4f3ea2 (patch)
tree	0787670629ed54a16cde83f699c031eb64f2737d
parent	6dcc5f787e61841375f4c991e143fef50551bcc0 (diff)
download	sepolicy-901385f711bf6d92a8cb42c6f4ef646f7a4f3ea2.tar.gz