type virtualizationservice, domain, coredomain;
type virtualizationservice_exec, system_file_type, exec_type, file_type;

# When init runs a file labelled with virtualizationservice_exec, run it in the
# virtualizationservice domain.
init_daemon_domain(virtualizationservice)

# Let the virtualizationservice domain use Binder.
binder_use(virtualizationservice)
# ... and host a binder service
binder_service(virtualizationservice)

# Allow calling into the system server so that it can check permissions.
binder_call(virtualizationservice, system_server)
allow virtualizationservice permission_service:service_manager find;
# Allow virtualizationservice to access "package_native" service for staged apex info.
allow virtualizationservice package_native_service:service_manager find;

# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
add_service(virtualizationservice, virtualization_service)

# When virtualizationservice execs a file with the crosvm_exec label, run it in the crosvm domain.
domain_auto_trans(virtualizationservice, crosvm_exec, crosvm)

# Let virtualizationservice kill crosvm.
allow virtualizationservice crosvm:process sigkill;

# Let virtualizationservice access its data directory.
allow virtualizationservice virtualizationservice_data_file:file create_file_perms;
allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;

# Allow use of fds (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
# crosvm to the console.
allow virtualizationservice adbd:fd use;
allow virtualizationservice adbd:unix_stream_socket { read write };

# Let virtualizationservice read and write files from its various clients, but not open them
# directly as they must be passed over Binder by the client.
allow virtualizationservice apk_data_file:file { getattr read };
# Write access is needed for mutable partitions like instance.img
allow virtualizationservice {
  app_data_file
  apex_compos_data_file
}:file { getattr read write };

# shell_data_file is used for automated tests and manual debugging.
allow virtualizationservice shell_data_file:file { getattr read write };

# Allow virtualizationservice to read apex-info-list.xml and access the APEX files listed there.
allow virtualizationservice apex_info_file:file r_file_perms;
allow virtualizationservice apex_data_file:dir search;
allow virtualizationservice staging_data_file:file r_file_perms;
allow virtualizationservice staging_data_file:dir search;

# Run derive_classpath in our domain
allow virtualizationservice derive_classpath_exec:file rx_file_perms;
allow virtualizationservice apex_mnt_dir:dir r_dir_perms;
# Ignore harmless denials on /proc/self/fd
dontaudit virtualizationservice self:dir write;

# Let virtualizationservice accept vsock connections from the guest VMs.
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };

# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
set_prop(virtualizationservice, virtualizationservice_prop)

# Allow virtualizationservice to inspect hypervisor capabilities.
get_prop(virtualizationservice, hypervisor_prop)

# Allow writing stats to statsd
unix_socket_send(virtualizationservice, statsdw, statsd)

# Allow virtualizationservice to talk to tombstoned to push guest tombstones
unix_socket_connect(virtualizationservice, tombstoned_crash, tombstoned)

# Append to tombstone files passed as fds from tombstoned
allow virtualizationservice tombstone_data_file:file { append getattr };
allow virtualizationservice tombstoned:fd use;

# Only init and virtualizationservice may set virtualizationservice_prop.
neverallow {
  domain
  -init
  -virtualizationservice
} virtualizationservice_prop:property_service set;
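
# Added example (not part of the AOSP policy source): a small Python lint for the rule stated
# above that client files are used through fds passed over Binder and never opened directly.
# The sample policy is constructed from the rules on this page; bad_example_file and all
# function names are hypothetical.

```python
import re

# Constructed sample: the client-file rules from this policy, plus one
# deliberately bad rule (bad_example_file is hypothetical) to show a finding.
POLICY = """
allow virtualizationservice apk_data_file:file { getattr read };
allow virtualizationservice {
  app_data_file
  apex_compos_data_file
}:file { getattr read write };
allow virtualizationservice shell_data_file:file { getattr read write };
allow virtualizationservice bad_example_file:file { getattr open read };
allow virtualizationservice apex_info_file:file r_file_perms;
"""

# Types whose files must arrive as fds over Binder (from the policy comments).
CLIENT_TYPES = {"apk_data_file", "app_data_file", "apex_compos_data_file",
                "shell_data_file", "bad_example_file"}

RULE = re.compile(
    r"\ballow\s+(\S+)\s+(\{[^}]*\}|\S+?)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;")

def _names(tok):
    """Turn 'a' or '{ a b }' into a set of names."""
    return set(tok.strip("{}").split())

def parse_allow(text):
    """Yield (source, target_type, class, perms) for each allow rule."""
    text = re.sub(r"#.*", "", text)  # drop comments
    for src, tgts, cls, perms in RULE.findall(text):
        for tgt in _names(tgts):
            yield src, tgt, cls, _names(perms)

def open_violations(text, domain="virtualizationservice"):
    """Return the client types that the domain could open directly.

    Permission macros (names ending in _perms) are not expanded here, so a
    macro is conservatively treated as possibly containing 'open'.
    """
    bad = set()
    for src, tgt, cls, perms in parse_allow(text):
        if src != domain or cls != "file" or tgt not in CLIENT_TYPES:
            continue
        if "open" in perms or any(p.endswith("_perms") for p in perms):
            bad.add(tgt)
    return sorted(bad)
```

# The parser handles only plain and brace-set allow rules as written in this file; type
# attributes and negated sets are outside its scope.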