# SELinux policy for the virtualizationservice daemon (Android Virtualization
# Framework). It is started by init and registers the virtualization_service
# Binder service. The allow rules below grant only what the daemon needs; the
# neverallow rules at the end pin down which other domains may set its property,
# touch its data files, or be the target of its setrlimit.
type virtualizationservice, domain, coredomain;
type virtualizationservice_exec, system_file_type, exec_type, file_type;

# The domain needs to be a 'mlstrustedsubject' to change the memlock rlimit of
# the virtualizationmanager domain running at a more constrained MLS level.
typeattribute virtualizationservice mlstrustedsubject;

# When init runs a file labelled with virtualizationservice_exec, run it in the
# virtualizationservice domain.
init_daemon_domain(virtualizationservice)

# Let the virtualizationservice domain use Binder.
binder_use(virtualizationservice)

# Register our services with ServiceManager.
add_service(virtualizationservice, virtualization_service)
# The maintenance service is registered only when this build flag is enabled.
is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, `
    add_service(virtualizationservice, virtualization_maintenance_service)
')

# Device-assignment rules exist only when this build flag is enabled.
is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
    # Let virtualizationservice find and communicate with vfio_handler.
    allow virtualizationservice vfio_handler_service:service_manager find;
    binder_call(virtualizationservice, vfio_handler)
')

# Allow the virtualizationservice domain to serve a remotely provisioned component for
# pVM remote attestation.
hal_server_domain(virtualizationservice, hal_remotelyprovisionedcomponent_avf)

# Allow calling into the system server to find "permission_service".
binder_call(virtualizationservice, system_server)
allow virtualizationservice permission_service:service_manager find;

# Allow virtualizationservice to retrieve the remotely provisioned keys from rkpd.
binder_call(virtualizationservice, remote_provisioning_service)
allow virtualizationservice remote_provisioning_service:service_manager find;

# Allow virtualizationservice to manage VM secrets via Secretkeeper.
hal_client_domain(virtualizationservice, hal_secretkeeper)

# Let virtualizationservice remove the memlock rlimit of virtualizationmanager. This is
# necessary to mlock VM memory and page tables. sys_resource is the capability needed to
# raise a limit; the process:setrlimit rule names virtualizationmanager as the only
# target (enforced by the matching neverallow below).
allow virtualizationservice self:capability sys_resource;
allow virtualizationservice virtualizationmanager:process setrlimit;

# Let virtualizationservice set the owner of a VM's temporary directory.
allow virtualizationservice self:capability chown;

# Let virtualizationservice create and delete temporary directories of VMs. To remove old
# directories, it needs the permission to unlink the files created by virtualizationmanager.
allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
allow virtualizationservice virtualizationservice_data_file:sock_file unlink;
allow virtualizationservice virtualizationservice_data_file:file create_file_perms;

# Allow use of an fd (e.g. /dev/pts/0) inherited from adbd so that output from crosvm
# can be redirected to the console. Only use of fds adbd already holds, plus read/write
# on its unix stream socket, is granted here.
allow virtualizationservice adbd:fd use;
allow virtualizationservice adbd:unix_stream_socket { read write };

# Allow connecting to and running VirtMgr to start the service VM for remote attestation.
virtualizationservice_use(virtualizationservice)

# Allow virtualizationservice to read and write in the apex data directory
# /data/misc/apexdata/com.android.virt. Also allow checking of the parent directory
# (needed for SQLite database creation).
allow virtualizationservice apex_module_data_file:dir { search getattr };
allow virtualizationservice apex_virt_data_file:dir create_dir_perms;
allow virtualizationservice apex_virt_data_file:file create_file_perms;

# Let virtualizationservice accept vsock connections from the guest VMs to singleton services
# such as the guest tombstone server.
# NOTE(review): data on these sockets originates in the guest; the host side should treat
# it as untrusted input.
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };

# Allow virtualizationservice to read/write its own sysprop. Only this process (and init,
# see the neverallow below) may set it.
set_prop(virtualizationservice, virtualizationservice_prop)

# Allow writing stats to statsd.
unix_socket_send(virtualizationservice, statsdw, statsd)

# Allow virtualization service to talk to tombstoned to push guest tombstones.
unix_socket_connect(virtualizationservice, tombstoned_crash, tombstoned)

# Append to tombstone files passed as fds from tombstoned. Only append and getattr are
# granted; write is deliberately absent, so existing tombstone content cannot be rewritten.
allow virtualizationservice tombstone_data_file:file { append getattr };
allow virtualizationservice tombstoned:fd use;

# Allow virtualizationservice to check if VFIO is supported (read-only probe of the device
# node and directory).
allow virtualizationservice vfio_device:chr_file getattr;
allow virtualizationservice vfio_device:dir r_dir_perms;

# Allow virtualizationservice to access VM DTBO via a file created by virtualizationmanager.
allow virtualizationservice virtualizationmanager:fd use;

# Allow virtualizationservice to access vendor_configs_file to get the list of assignable devices.
r_dir_file(virtualizationservice, vendor_configs_file)

# Only init and virtualizationservice itself may set virtualizationservice_prop; a policy
# granting this to any other domain fails to build.
neverallow {
    domain
    -init
    -virtualizationservice
} virtualizationservice_prop:property_service set;

# Only init, virtualizationmanager and virtualizationservice may open or create files
# labelled virtualizationservice_data_file (the VMs' temporary directories).
neverallow {
    domain
    -init
    -virtualizationmanager
    -virtualizationservice
} virtualizationservice_data_file:file { open create };

# Keep the setrlimit grant above scoped: virtualizationservice may adjust rlimits only of
# virtualizationmanager and of itself, never of arbitrary processes.
neverallow virtualizationservice {
    domain
    -virtualizationmanager
    -virtualizationservice
}:process setrlimit;

is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
    # Only virtualizationservice and virtualizationmanager (plus servicemanager) can
    # communicate with vfio_handler over Binder.
    neverallow { domain -virtualizationmanager -virtualizationservice -servicemanager } vfio_handler:binder call;
')