# SELinux policy for the virtualizationservice daemon.
# This copy lives under prebuilts/api/34.0/ and so is presumably the frozen
# API-34 snapshot of private/virtualizationservice.te — NOTE(review): confirm
# before editing either file independently.
#
# virtualizationservice is a core system daemon (coredomain) whose executable is
# labelled virtualizationservice_exec, a system_file_type.
type virtualizationservice, domain, coredomain;
type virtualizationservice_exec, system_file_type, exec_type, file_type;

# The domain needs to be a 'mlstrustedsubject' to change the memlock rlimit of
# the virtualizationmanager domain running at a more constrained MLS level.
typeattribute virtualizationservice mlstrustedsubject;

# When init runs a file labelled with virtualizationservice_exec, run it in the
# virtualizationservice domain.
init_daemon_domain(virtualizationservice)

# Let the virtualizationservice domain use Binder.
binder_use(virtualizationservice)

# Let the virtualizationservice domain register the virtualization_service with ServiceManager.
add_service(virtualizationservice, virtualization_service)

# Allow calling into the system server to find "permission_service".
binder_call(virtualizationservice, system_server)
allow virtualizationservice permission_service:service_manager find;

# Let virtualizationservice remove the memlock rlimit of virtualizationmanager, which
# needs it to mlock VM memory and page tables. The sys_resource capability is what
# permits raising a hard rlimit; the process:setrlimit permission scopes which target
# domain the limit may be changed on (see the neverallow at the end of this file).
allow virtualizationservice self:capability sys_resource;
allow virtualizationservice virtualizationmanager:process setrlimit;

# Let virtualizationservice set the owner of a VM's temporary directory.
allow virtualizationservice self:capability chown;

# Let virtualizationservice create and delete temporary directories of VMs. Removing old
# directories requires unlinking the files and sockets created by virtualizationmanager.
allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
allow virtualizationservice virtualizationservice_data_file:{ file sock_file } unlink;

# Allow use of an fd (e.g. /dev/pts/0) inherited from adbd so that output from crosvm
# can be redirected to the console.
allow virtualizationservice adbd:fd use;
allow virtualizationservice adbd:unix_stream_socket { read write };

# Let virtualizationservice accept vsock connections from the guest VMs to singleton
# services such as the guest tombstone server. ioctl is deliberately not granted
# (create_socket_perms_no_ioctl).
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };

# Allow virtualizationservice to read/write its own sysprop (virtualizationservice_prop).
# The neverallow below ensures no domain other than init can set it.
set_prop(virtualizationservice, virtualizationservice_prop)

# Allow writing stats to statsd
unix_socket_send(virtualizationservice, statsdw, statsd)

# Allow virtualization service to talk to tombstoned to push guest tombstones
unix_socket_connect(virtualizationservice, tombstoned_crash, tombstoned)

# Append to tombstone files passed as fds from tombstoned
allow virtualizationservice tombstone_data_file:file { append getattr };
allow virtualizationservice tombstoned:fd use;

# Only init and virtualizationservice itself may set virtualizationservice_prop.
neverallow {
  domain
  -init
  -virtualizationservice
} virtualizationservice_prop:property_service set;

# Only init, virtualizationmanager and virtualizationservice may open or create files
# under the VM data directory (virtualizationservice_data_file).
neverallow {
  domain
  -init
  -virtualizationmanager
  -virtualizationservice
} virtualizationservice_data_file:file { open create };

# virtualizationservice may only change rlimits of itself and of virtualizationmanager;
# it must never be able to adjust the limits of any other domain.
neverallow virtualizationservice {
  domain
  -virtualizationmanager
  -virtualizationservice
}:process setrlimit;
75