1type crosvm, domain, coredomain; 2type crosvm_exec, system_file_type, exec_type, file_type; 3type crosvm_tmpfs, file_type; 4 5# Let crosvm open /dev/kvm. 6allow crosvm kvm_device:chr_file rw_file_perms; 7 8# Most other domains shouldn't access /dev/kvm. 9neverallow { domain -crosvm -ueventd -shell } kvm_device:chr_file getattr; 10neverallow { domain -crosvm -ueventd } kvm_device:chr_file ~getattr; 11neverallowxperm { domain -crosvm } kvm_device:chr_file ioctl ~{ KVM_CHECK_EXTENSION }; 12 13# Let crosvm mlock VM memory and page tables. 14allow crosvm self:capability ipc_lock; 15 16# Let crosvm create temporary files. 17tmpfs_domain(crosvm) 18 19# Let crosvm receive file descriptors from VirtualizationService. 20allow crosvm virtualizationservice:fd use; 21 22# Allow sending VirtualizationService the failure reason from the VM via pipe. 23allow crosvm virtualizationservice:fifo_file write; 24 25# Let crosvm read the composite disk images (virtualizationservice_data_file), APEXes 26# (staging_data_file), APKs (apk_data_file and shell_data_file where the latter is for test apks in 27# /data/local/tmp), and instance.img (app_data_file). Note that the open permission is not given as 28# the files are passed as file descriptors. 29allow crosvm { 30 virtualizationservice_data_file 31 staging_data_file 32 apk_data_file 33 app_data_file 34 apex_compos_data_file 35 shell_data_file 36}:file { getattr read ioctl lock }; 37 38# Allow searching the directory where the composite disk images are. 39allow crosvm virtualizationservice_data_file:dir search; 40 41# Don't allow crosvm to open files that it doesn't own. 42# This is important because a malicious application could try to start a VM with a composite disk 43# image referring by name to files which it doesn't have permission to open, trying to get crosvm to 44# open them on its behalf. By preventing crosvm from opening any other files we prevent this 45# potential privilege escalation. See http://b/192453819 for more discussion. 46neverallow crosvm { 47 virtualizationservice_data_file 48 staging_data_file 49 apk_data_file 50 app_data_file 51 userdebug_or_eng(`-shell_data_file') 52}:file open; 53 54# The instance image and the composite image should be writable as well because they could represent 55# mutable disks. 56allow crosvm { 57 virtualizationservice_data_file 58 app_data_file 59 apex_compos_data_file 60}:file write; 61 62# Allow crosvm to pipe console log to shell or app which could be the owner of a VM. 63allow crosvm adbd:fd use; 64allow crosvm adbd:unix_stream_socket { read write }; 65 66# For ACPI 67allow crosvm self:netlink_generic_socket create_socket_perms_no_ioctl; 68 69# The console log can also be written to /data/local/tmp. This is not safe as the log then can be 70# visible to the processes which don't own the VM. Therefore, this is a debugging only feature. 71userdebug_or_eng(`allow crosvm shell_data_file:file w_file_perms;') 72 73# Don't allow crosvm to have access to ordinary vendor files that are not for VMs. 74full_treble_only(` 75 neverallow crosvm { 76 vendor_file_type 77 -vendor_vm_file 78 -vendor_vm_data_file 79 # These types are not required for crosvm, but the access is granted to globally in domain.te 80 # thus should be exempted here. 81 -vendor_configs_file 82 -vndk_sp_file 83 -vendor_task_profiles_file 84 }:file *; 85') 86 87# app_data_file and shell_data_file is the only app_data_file_type that is 88# allowed for crosvm to read. Note that the use of app_data_file is allowed 89# only for the instance disk image. This is enforced inside the 90# virtualizationservice by checking the file context of all disk image files. 91neverallow crosvm { 92 app_data_file_type 93 -app_data_file 94 -shell_data_file 95}:file read; 96 97# Only virtualizationservice can run crosvm 98neverallow { 99 domain 100 -crosvm 101 -virtualizationservice 102} crosvm_exec:file no_x_file_perms; 103