diff options
author | Inseob Kim <inseob@google.com> | 2023-08-01 11:00:49 +0900 |
---|---|---|
committer | Inseob Kim <inseob@google.com> | 2023-11-14 01:56:24 +0000 |
commit | 901385f711bf6d92a8cb42c6f4ef646f7a4f3ea2 (patch) | |
tree | 0787670629ed54a16cde83f699c031eb64f2737d | |
parent | 6dcc5f787e61841375f4c991e143fef50551bcc0 (diff) | |
download | sepolicy-901385f711bf6d92a8cb42c6f4ef646f7a4f3ea2.tar.gz |
Add permission for VFIO device binding
vfio_handler will bind platform devices to VFIO driver, and then
return a file descriptor containing DTBO. This change adds
permissions needed for that.
Bug: 278008182
Bug: 308058980
Test: adb shell /apex/com.android.virt/bin/vm run-microdroid \
--devices /sys/bus/platform/devices/16d00000.eh --protected
Change-Id: Ie947adff00d138426d4703cbb8e7a8cd429c2272
Merged-In: Ie947adff00d138426d4703cbb8e7a8cd429c2272
(cherry picked from commit 825056de9ab6c5d8231cd0039e12280eb5b0ea10)
-rw-r--r-- | apex/com.android.virt-file_contexts | 1 | ||||
-rw-r--r-- | build/soong/service_fuzzer_bindings.go | 2 | ||||
-rw-r--r-- | prebuilts/api/34.0/private/coredomain.te | 1 | ||||
-rw-r--r-- | prebuilts/api/34.0/private/crosvm.te | 8 | ||||
-rw-r--r-- | prebuilts/api/34.0/private/file_contexts | 1 | ||||
-rw-r--r-- | prebuilts/api/34.0/private/service.te | 1 | ||||
-rw-r--r-- | prebuilts/api/34.0/private/service_contexts | 1 | ||||
-rw-r--r-- | prebuilts/api/34.0/private/vfio_handler.te | 24 | ||||
-rw-r--r-- | prebuilts/api/34.0/private/virtualizationmanager.te | 4 | ||||
-rw-r--r-- | prebuilts/api/34.0/private/virtualizationservice.te | 15 | ||||
-rw-r--r-- | prebuilts/api/34.0/public/device.te | 3 | ||||
-rw-r--r-- | private/coredomain.te | 1 | ||||
-rw-r--r-- | private/crosvm.te | 8 | ||||
-rw-r--r-- | private/file_contexts | 1 | ||||
-rw-r--r-- | private/service.te | 1 | ||||
-rw-r--r-- | private/service_contexts | 1 | ||||
-rw-r--r-- | private/vfio_handler.te | 24 | ||||
-rw-r--r-- | private/virtualizationmanager.te | 4 | ||||
-rw-r--r-- | private/virtualizationservice.te | 15 | ||||
-rw-r--r-- | public/device.te | 3 |
20 files changed, 119 insertions, 0 deletions
diff --git a/apex/com.android.virt-file_contexts b/apex/com.android.virt-file_contexts index 9c13bd5cb..afe9f51c4 100644 --- a/apex/com.android.virt-file_contexts +++ b/apex/com.android.virt-file_contexts @@ -3,3 +3,4 @@ /bin/fd_server u:object_r:fd_server_exec:s0 /bin/virtmgr u:object_r:virtualizationmanager_exec:s0 /bin/virtualizationservice u:object_r:virtualizationservice_exec:s0 +/bin/vfio_handler u:object_r:vfio_handler_exec:s0 diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go index 0d0fa76f8..269233ad5 100644 --- a/build/soong/service_fuzzer_bindings.go +++ b/build/soong/service_fuzzer_bindings.go @@ -167,7 +167,9 @@ var ( "android.security.metrics": EXCEPTION_NO_FUZZER, "android.service.gatekeeper.IGateKeeperService": EXCEPTION_NO_FUZZER, "android.system.composd": EXCEPTION_NO_FUZZER, + // TODO(b/294158658): add fuzzer "android.system.virtualizationservice": EXCEPTION_NO_FUZZER, + "android.system.virtualizationservice_internal.IVfioHandler": EXCEPTION_NO_FUZZER, "ambient_context": EXCEPTION_NO_FUZZER, "app_binding": EXCEPTION_NO_FUZZER, "app_hibernation": EXCEPTION_NO_FUZZER, diff --git a/prebuilts/api/34.0/private/coredomain.te b/prebuilts/api/34.0/private/coredomain.te index 83930a50a..f9b47dfb8 100644 --- a/prebuilts/api/34.0/private/coredomain.te +++ b/prebuilts/api/34.0/private/coredomain.te @@ -150,6 +150,7 @@ full_treble_only(` -apexd -init -ueventd + -vfio_handler -vold } sysfs:file no_rw_file_perms; diff --git a/prebuilts/api/34.0/private/crosvm.te b/prebuilts/api/34.0/private/crosvm.te index f1012b79b..31d6c1992 100644 --- a/prebuilts/api/34.0/private/crosvm.te +++ b/prebuilts/api/34.0/private/crosvm.te @@ -91,6 +91,14 @@ allow crosvm port:tcp_socket name_bind; allow crosvm adbd:unix_stream_socket ioctl; allow crosvm node:tcp_socket node_bind; +# Allow crosvm to interact to VFIO device +allow crosvm vfio_device:chr_file rw_file_perms; +allow crosvm vfio_device:dir r_dir_perms; + +# Allow crosvm to access VM DTBO via a pipe created by vfio handler. +allow crosvm vfio_handler:fd use; +allow crosvm vfio_handler:fifo_file r_file_perms; + # Don't allow crosvm to open files that it doesn't own. # This is important because a malicious application could try to start a VM with a composite disk # image referring by name to files which it doesn't have permission to open, trying to get crosvm to diff --git a/prebuilts/api/34.0/private/file_contexts b/prebuilts/api/34.0/private/file_contexts index 258c6b456..f18b6dd31 100644 --- a/prebuilts/api/34.0/private/file_contexts +++ b/prebuilts/api/34.0/private/file_contexts @@ -191,6 +191,7 @@ /dev/urandom u:object_r:random_device:s0 /dev/usb_accessory u:object_r:usbaccessory_device:s0 /dev/v4l-touch[0-9]* u:object_r:input_device:s0 +/dev/vfio(/.*)? u:object_r:vfio_device:s0 /dev/vhost-vsock u:object_r:kvm_device:s0 /dev/video[0-9]* u:object_r:video_device:s0 /dev/vndbinder u:object_r:vndbinder_device:s0 diff --git a/prebuilts/api/34.0/private/service.te b/prebuilts/api/34.0/private/service.te index 3717150de..06b03e091 100644 --- a/prebuilts/api/34.0/private/service.te +++ b/prebuilts/api/34.0/private/service.te @@ -20,5 +20,6 @@ type statscompanion_service, system_server_service, service_manager_type; type statsmanager_service, system_api_service, system_server_service, service_manager_type; type tracingproxy_service, system_server_service, service_manager_type; type transparency_service, system_server_service, service_manager_type; +type vfio_handler_service, service_manager_type; type uce_service, service_manager_type; type wearable_sensing_service, system_api_service, system_server_service, service_manager_type; diff --git a/prebuilts/api/34.0/private/service_contexts b/prebuilts/api/34.0/private/service_contexts index 3bb9c8502..0f63e3950 100644 --- a/prebuilts/api/34.0/private/service_contexts +++ b/prebuilts/api/34.0/private/service_contexts @@ -144,6 +144,7 @@ android.security.metrics u:object_r:keystore_metrics_service:s0 android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0 android.system.composd u:object_r:compos_service:s0 android.system.virtualizationservice u:object_r:virtualization_service:s0 +android.system.virtualizationservice_internal.IVfioHandler u:object_r:vfio_handler_service:s0 ambient_context u:object_r:ambient_context_service:s0 app_binding u:object_r:app_binding_service:s0 app_hibernation u:object_r:app_hibernation_service:s0 diff --git a/prebuilts/api/34.0/private/vfio_handler.te b/prebuilts/api/34.0/private/vfio_handler.te new file mode 100644 index 000000000..706a6ca22 --- /dev/null +++ b/prebuilts/api/34.0/private/vfio_handler.te @@ -0,0 +1,24 @@ +# vfio_handler is a helper service for VFIO tasks, like binding platform devices to VFIO driver. +# vfio_handler is separate from virtualizationservice as VFIO tasks require root. +type vfio_handler, domain, coredomain; +type vfio_handler_exec, system_file_type, exec_type, file_type; + +# When init runs a file labelled with vfio_handler_exec, run it in the vfio_handler domain. +init_daemon_domain(vfio_handler) + +# Let the vfio_handler domain register the vfio_handler_service with ServiceManager. +add_service(vfio_handler, vfio_handler_service) + +# Let the vfio_handler domain use Binder. +binder_use(vfio_handler) + +# Allow vfio_handler to check if VFIO is supported +allow vfio_handler vfio_device:chr_file getattr; +allow vfio_handler vfio_device:dir r_dir_perms; + +# Allow vfio_handler to bind/unbind platform devices +allow vfio_handler sysfs:dir r_dir_perms; +allow vfio_handler sysfs:file rw_file_perms; + +# Only vfio_handler can add vfio_handler_service +neverallow { domain -vfio_handler } vfio_handler_service:service_manager add; diff --git a/prebuilts/api/34.0/private/virtualizationmanager.te b/prebuilts/api/34.0/private/virtualizationmanager.te index bfad8e71f..70338ff1a 100644 --- a/prebuilts/api/34.0/private/virtualizationmanager.te +++ b/prebuilts/api/34.0/private/virtualizationmanager.te @@ -86,3 +86,7 @@ r_dir_file(virtualizationmanager, crosvm); # For debug purposes we try to get the canonical path from /proc/self/fd/N. That triggers # a harmless denial for CompOS log files, so ignore that. dontaudit virtualizationmanager apex_module_data_file:dir search; + +# Allow virtualizationmanager to access VM DTBO via a pipe created by vfio handler. +allow virtualizationmanager vfio_handler:fd use; +allow virtualizationmanager vfio_handler:fifo_file r_file_perms; diff --git a/prebuilts/api/34.0/private/virtualizationservice.te b/prebuilts/api/34.0/private/virtualizationservice.te index 561e7788d..a4588dc9f 100644 --- a/prebuilts/api/34.0/private/virtualizationservice.te +++ b/prebuilts/api/34.0/private/virtualizationservice.te @@ -15,6 +15,10 @@ binder_use(virtualizationservice) # Let the virtualizationservice domain register the virtualization_service with ServiceManager. add_service(virtualizationservice, virtualization_service) +# Let virtualizationservice find and communicate with vfio_handler. +allow virtualizationservice vfio_handler_service:service_manager find; +binder_call(virtualizationservice, vfio_handler) + # Allow calling into the system server to find "permission_service". binder_call(virtualizationservice, system_server) allow virtualizationservice permission_service:service_manager find; @@ -54,6 +58,14 @@ unix_socket_connect(virtualizationservice, tombstoned_crash, tombstoned) allow virtualizationservice tombstone_data_file:file { append getattr }; allow virtualizationservice tombstoned:fd use; +# Allow virtualizationservice to check if VFIO is supported +allow virtualizationservice vfio_device:chr_file getattr; +allow virtualizationservice vfio_device:dir r_dir_perms; + +# Allow virtualizationservice to access VM DTBO via a pipe created by vfio handler. +allow virtualizationservice vfio_handler:fd use; +allow virtualizationservice vfio_handler:fifo_file r_file_perms; + neverallow { domain -init @@ -72,3 +84,6 @@ neverallow virtualizationservice { -virtualizationmanager -virtualizationservice }:process setrlimit; + +# Only virtualizationservice can communicate to vfio_handler +neverallow { domain -virtualizationservice -servicemanager } vfio_handler:binder call; diff --git a/prebuilts/api/34.0/public/device.te b/prebuilts/api/34.0/public/device.te index fa292565e..36299d38c 100644 --- a/prebuilts/api/34.0/public/device.te +++ b/prebuilts/api/34.0/public/device.te @@ -129,3 +129,6 @@ type userdata_sysdev, dev_type; # Root disk file for disk tunables type rootdisk_sysdev, dev_type; + +# vfio device +type vfio_device, dev_type; diff --git a/private/coredomain.te b/private/coredomain.te index 83930a50a..f9b47dfb8 100644 --- a/private/coredomain.te +++ b/private/coredomain.te @@ -150,6 +150,7 @@ full_treble_only(` -apexd -init -ueventd + -vfio_handler -vold } sysfs:file no_rw_file_perms; diff --git a/private/crosvm.te b/private/crosvm.te index f1012b79b..31d6c1992 100644 --- a/private/crosvm.te +++ b/private/crosvm.te @@ -91,6 +91,14 @@ allow crosvm port:tcp_socket name_bind; allow crosvm adbd:unix_stream_socket ioctl; allow crosvm node:tcp_socket node_bind; +# Allow crosvm to interact to VFIO device +allow crosvm vfio_device:chr_file rw_file_perms; +allow crosvm vfio_device:dir r_dir_perms; + +# Allow crosvm to access VM DTBO via a pipe created by vfio handler. +allow crosvm vfio_handler:fd use; +allow crosvm vfio_handler:fifo_file r_file_perms; + # Don't allow crosvm to open files that it doesn't own. # This is important because a malicious application could try to start a VM with a composite disk # image referring by name to files which it doesn't have permission to open, trying to get crosvm to diff --git a/private/file_contexts b/private/file_contexts index 258c6b456..f18b6dd31 100644 --- a/private/file_contexts +++ b/private/file_contexts @@ -191,6 +191,7 @@ /dev/urandom u:object_r:random_device:s0 /dev/usb_accessory u:object_r:usbaccessory_device:s0 /dev/v4l-touch[0-9]* u:object_r:input_device:s0 +/dev/vfio(/.*)? u:object_r:vfio_device:s0 /dev/vhost-vsock u:object_r:kvm_device:s0 /dev/video[0-9]* u:object_r:video_device:s0 /dev/vndbinder u:object_r:vndbinder_device:s0 diff --git a/private/service.te b/private/service.te index 3717150de..06b03e091 100644 --- a/private/service.te +++ b/private/service.te @@ -20,5 +20,6 @@ type statscompanion_service, system_server_service, service_manager_type; type statsmanager_service, system_api_service, system_server_service, service_manager_type; type tracingproxy_service, system_server_service, service_manager_type; type transparency_service, system_server_service, service_manager_type; +type vfio_handler_service, service_manager_type; type uce_service, service_manager_type; type wearable_sensing_service, system_api_service, system_server_service, service_manager_type; diff --git a/private/service_contexts b/private/service_contexts index 3bb9c8502..0f63e3950 100644 --- a/private/service_contexts +++ b/private/service_contexts @@ -144,6 +144,7 @@ android.security.metrics u:object_r:keystore_metrics_service:s0 android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0 android.system.composd u:object_r:compos_service:s0 android.system.virtualizationservice u:object_r:virtualization_service:s0 +android.system.virtualizationservice_internal.IVfioHandler u:object_r:vfio_handler_service:s0 ambient_context u:object_r:ambient_context_service:s0 app_binding u:object_r:app_binding_service:s0 app_hibernation u:object_r:app_hibernation_service:s0 diff --git a/private/vfio_handler.te b/private/vfio_handler.te new file mode 100644 index 000000000..706a6ca22 --- /dev/null +++ b/private/vfio_handler.te @@ -0,0 +1,24 @@ +# vfio_handler is a helper service for VFIO tasks, like binding platform devices to VFIO driver. +# vfio_handler is separate from virtualizationservice as VFIO tasks require root. +type vfio_handler, domain, coredomain; +type vfio_handler_exec, system_file_type, exec_type, file_type; + +# When init runs a file labelled with vfio_handler_exec, run it in the vfio_handler domain. +init_daemon_domain(vfio_handler) + +# Let the vfio_handler domain register the vfio_handler_service with ServiceManager. +add_service(vfio_handler, vfio_handler_service) + +# Let the vfio_handler domain use Binder. +binder_use(vfio_handler) + +# Allow vfio_handler to check if VFIO is supported +allow vfio_handler vfio_device:chr_file getattr; +allow vfio_handler vfio_device:dir r_dir_perms; + +# Allow vfio_handler to bind/unbind platform devices +allow vfio_handler sysfs:dir r_dir_perms; +allow vfio_handler sysfs:file rw_file_perms; + +# Only vfio_handler can add vfio_handler_service +neverallow { domain -vfio_handler } vfio_handler_service:service_manager add; diff --git a/private/virtualizationmanager.te b/private/virtualizationmanager.te index bfad8e71f..70338ff1a 100644 --- a/private/virtualizationmanager.te +++ b/private/virtualizationmanager.te @@ -86,3 +86,7 @@ r_dir_file(virtualizationmanager, crosvm); # For debug purposes we try to get the canonical path from /proc/self/fd/N. That triggers # a harmless denial for CompOS log files, so ignore that. dontaudit virtualizationmanager apex_module_data_file:dir search; + +# Allow virtualizationmanager to access VM DTBO via a pipe created by vfio handler. +allow virtualizationmanager vfio_handler:fd use; +allow virtualizationmanager vfio_handler:fifo_file r_file_perms; diff --git a/private/virtualizationservice.te b/private/virtualizationservice.te index 561e7788d..a4588dc9f 100644 --- a/private/virtualizationservice.te +++ b/private/virtualizationservice.te @@ -15,6 +15,10 @@ binder_use(virtualizationservice) # Let the virtualizationservice domain register the virtualization_service with ServiceManager. add_service(virtualizationservice, virtualization_service) +# Let virtualizationservice find and communicate with vfio_handler. +allow virtualizationservice vfio_handler_service:service_manager find; +binder_call(virtualizationservice, vfio_handler) + # Allow calling into the system server to find "permission_service". binder_call(virtualizationservice, system_server) allow virtualizationservice permission_service:service_manager find; @@ -54,6 +58,14 @@ unix_socket_connect(virtualizationservice, tombstoned_crash, tombstoned) allow virtualizationservice tombstone_data_file:file { append getattr }; allow virtualizationservice tombstoned:fd use; +# Allow virtualizationservice to check if VFIO is supported +allow virtualizationservice vfio_device:chr_file getattr; +allow virtualizationservice vfio_device:dir r_dir_perms; + +# Allow virtualizationservice to access VM DTBO via a pipe created by vfio handler. +allow virtualizationservice vfio_handler:fd use; +allow virtualizationservice vfio_handler:fifo_file r_file_perms; + neverallow { domain -init @@ -72,3 +84,6 @@ neverallow virtualizationservice { -virtualizationmanager -virtualizationservice }:process setrlimit; + +# Only virtualizationservice can communicate to vfio_handler +neverallow { domain -virtualizationservice -servicemanager } vfio_handler:binder call; diff --git a/public/device.te b/public/device.te index fa292565e..36299d38c 100644 --- a/public/device.te +++ b/public/device.te @@ -129,3 +129,6 @@ type userdata_sysdev, dev_type; # Root disk file for disk tunables type rootdisk_sysdev, dev_type; + +# vfio device +type vfio_device, dev_type; |