# virtualizationmanager: a child process that manages virtual machines on behalf of the
# parent that spawned it.

type virtualizationmanager, domain, coredomain;
type virtualizationmanager_exec, system_file_type, exec_type, file_type;

# Binder: general client use, plus the ability to look up and call virtualizationservice.
binder_use(virtualizationmanager)
allow virtualizationmanager virtualization_service:service_manager find;
binder_call(virtualizationmanager, virtualizationservice)

# system_server lookups: permission_service for permission checks, package_native_service for
# staged APEX information. Only `find` is granted on the service_manager side.
binder_call(virtualizationmanager, system_server)
allow virtualizationmanager { package_native_service permission_service }:service_manager find;

# adb: use adbd-owned fds and read/write adbd's unix stream socket. This file grants no
# connectto, so the socket has to arrive as an already-open fd.
allow virtualizationmanager adbd:fd use;
allow virtualizationmanager adbd:unix_stream_socket { read write };

# Guest lifecycle: exec of a crosvm_exec-labelled binary transitions into the crosvm domain,
# and the only signal this file grants towards crosvm is SIGKILL (tear-down, nothing finer).
domain_auto_trans(virtualizationmanager, crosvm_exec, crosvm)
allow virtualizationmanager crosvm:process sigkill;

# Scratch space: create and use regular files and sockets inside virtualizationservice's
# temporary directories (labelled virtualizationservice_data_file).
allow virtualizationmanager virtualizationservice_data_file:dir rw_dir_perms;
allow virtualizationmanager virtualizationservice_data_file:{ file sock_file } create_file_perms;

# Client-supplied files (APKs, app data, ...): read/write the fds the client passes over
# Binder, but never `open` them by path ourselves, so the caller's own access decides which
# files reach us.
allow virtualizationmanager apk_data_file:file { getattr read };

# App, CompOS and priv-app data files also need `write`: some are mutable VM images
# (e.g. instance.img). Still no `open` -- the fd must come from the client.
allow virtualizationmanager { app_data_file apex_compos_data_file privapp_data_file }:file { getattr read write };

# /data/local/tmp files used by automated tests and manual debugging. Same fd-only model on
# user builds: `open` on shell_data_file is granted in this file only under userdebug_or_eng.
allow virtualizationmanager shell_data_file:file { getattr read write };

# APEX discovery: read apex-info-list.xml, then reach the APEX files it lists in the active
# and staging directories (directory access is `search` only, no listing).
allow virtualizationmanager { apex_info_file staging_data_file }:file r_file_perms;
allow virtualizationmanager { apex_data_file staging_data_file }:dir search;

# derive_classpath is executed without a domain transition, so it runs under these rules.
allow virtualizationmanager derive_classpath_exec:file rx_file_perms;
allow virtualizationmanager apex_mnt_dir:dir r_dir_perms;

# Silence, do not grant: the `write` denial on a self-labelled dir comes from /proc/self/fd
# probing and is harmless. Note this hides every self:dir write denial, not just that one.
dontaudit virtualizationmanager self:dir write;

# Server side of guest vsock connections: create the socket, listen and accept; no ioctl.
allow virtualizationmanager self:vsock_socket { create_socket_perms_no_ioctl listen accept };

# Hypervisor capabilities: both the public and the restricted property sets.
get_prop(virtualizationmanager, hypervisor_prop)
get_prop(virtualizationmanager, hypervisor_restricted_prop)

# AVF debug policy exposed via sysfs device tree: search the directory, open and read nodes.
allow virtualizationmanager sysfs_dt_avf:dir search;
allow virtualizationmanager sysfs_dt_avf:file { open read };

# Read /proc/<crosvm pid>/ to sample the VM's CPU and memory usage.
r_dir_file(virtualizationmanager, crosvm)

# Guest ramdumps: connect to tombstoned's crash socket, then append to the tombstone file fd
# tombstoned passes back. Append only -- no `write`, so existing content cannot be rewritten.
unix_socket_connect(virtualizationmanager, tombstoned_crash, tombstoned)
allow virtualizationmanager tombstoned:fd use;
allow virtualizationmanager tombstone_data_file:file { append getattr };

# Debug builds only: open test artifacts (e.g. a custom debug policy) under /data/local/tmp
# by path. User builds keep the fd-passing-only model for shell_data_file.
userdebug_or_eng(`
  allow virtualizationmanager shell_data_file:dir search;
  allow virtualizationmanager shell_data_file:file open;
')

# Silence, do not grant: resolving /proc/self/fd/N back to a canonical path for debug output
# trips a `search` denial on the CompOS log file directory. Harmless, so do not log it.
dontaudit virtualizationmanager apex_module_data_file:dir search;