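# SELinux policy for the virtualizationservice daemon (AVF). This domain hosts the
# singleton virtualization services, brokers VM secrets/attestation, and manages the
# per-VM temporary directories created by virtualizationmanager.
type virtualizationservice, domain, coredomain;
type virtualizationservice_exec, system_file_type, exec_type, file_type;

# The domain needs to be a 'mlstrustedsubject' to change the memlock rlimit of
# the virtualizationmanager domain running at a more constrained MLS level.
typeattribute virtualizationservice mlstrustedsubject;

# When init runs a file labelled with virtualizationservice_exec, run it in the
# virtualizationservice domain.
init_daemon_domain(virtualizationservice)

# Let the virtualizationservice domain use Binder.
binder_use(virtualizationservice)

# Register our services with ServiceManager.
add_service(virtualizationservice, virtualization_service)
is_flag_enabled(RELEASE_AVF_ENABLE_LLPVM_CHANGES, `
    add_service(virtualizationservice, virtualization_maintenance_service)
')

# All rules gated on the same release flag are kept in one block so the
# flag's footprint can be reviewed in a single place.
is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
    # Let virtualizationservice find and communicate with vfio_handler.
    allow virtualizationservice vfio_handler_service:service_manager find;
    binder_call(virtualizationservice, vfio_handler)

    # To provide display service to an app to get surface.
    # TODO(b/332677707): remove them when display service uses binder RPC.
    allow virtualizationservice vmlauncher_app:binder transfer;
')

is_flag_enabled(RELEASE_AVF_ENABLE_NETWORK, `
    # Let virtualizationservice find and communicate with vmnic.
    allow virtualizationservice vmnic_service:service_manager find;
    binder_call(virtualizationservice, vmnic)
    allow virtualizationservice vm_tethering_service:service_manager find;

    # Allow virtualizationservice to deal with file descriptors of TAP interfaces.
    allow virtualizationservice tun_device:chr_file rw_file_perms;
    allow virtualizationservice vmnic:fd use;
')

# Allow the virtualizationservice domain to serve a remotely provisioned component for
# pVM remote attestation.
hal_server_domain(virtualizationservice, hal_remotelyprovisionedcomponent_avf)

# Allow the virtualizationservice to inspect whether remote attestation is supported
# through the system property.
get_prop(virtualizationservice, avf_virtualizationservice_prop)

# Allow calling into the system server to find "permission_service".
binder_call(virtualizationservice, system_server)
allow virtualizationservice permission_service:service_manager find;

# Allow virtualizationservice to retrieve the remotely provisioned keys from rkpd.
binder_call(virtualizationservice, remote_provisioning_service_server)
allow virtualizationservice remote_provisioning_service:service_manager find;

# Allow virtualizationservice to manage VM secrets via Secretkeeper.
hal_client_domain(virtualizationservice, hal_secretkeeper)

# Let virtualizationservice remove memlock rlimit of virtualizationmanager. This is necessary
# to mlock VM memory and page tables. The set of target processes is bounded by the
# setrlimit neverallow further below.
allow virtualizationservice self:capability sys_resource;
allow virtualizationservice virtualizationmanager:process setrlimit;

# Let virtualizationservice set the owner of a VM's temporary directory.
allow virtualizationservice self:capability chown;

# Let virtualizationservice create and delete temporary directories of VMs. To remove old
# directories, it needs the permission to unlink the files created by virtualizationmanager.
allow virtualizationservice virtualizationservice_data_file:dir create_dir_perms;
allow virtualizationservice virtualizationservice_data_file:sock_file unlink;
allow virtualizationservice virtualizationservice_data_file:file create_file_perms;

# Allow to use fd (e.g. /dev/pts/0) inherited from adbd so that we can redirect output from
# crosvm to the console
allow virtualizationservice adbd:fd use;
allow virtualizationservice adbd:unix_stream_socket { read write };

# Allow to connect to and run VirtMgr to start the service VM for remote attestation.
virtualizationservice_use(virtualizationservice)

# Allow virtualizationservice to read and write in the apex data directory
# /data/misc/apexdata/com.android.virt. Also allow checking of the parent directory
# (needed for SQLite database creation).
allow virtualizationservice apex_module_data_file:dir { search getattr };
allow virtualizationservice apex_virt_data_file:dir create_dir_perms;
allow virtualizationservice apex_virt_data_file:file create_file_perms;

# Accept vsock connection from the guest VMs to singleton services
# such as the guest tombstone server.
allow virtualizationservice self:vsock_socket { create read getattr write setattr lock append bind getopt setopt shutdown map listen accept };
# No other domain may touch these listening sockets. dumpstate is exempted;
# presumably so bugreports can inspect socket state -- confirm with its policy.
neverallow { domain -virtualizationservice -dumpstate } virtualizationservice:vsock_socket *;

# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
set_prop(virtualizationservice, virtualizationservice_prop)

# Allow writing stats to statsd
unix_socket_send(virtualizationservice, statsdw, statsd)

# Allow virtualization service to talk to tombstoned to push guest tombstones
unix_socket_connect(virtualizationservice, tombstoned_crash, tombstoned)

# Append to tombstone files passed as fds from tombstoned
allow virtualizationservice tombstone_data_file:file { append getattr };
allow virtualizationservice tombstoned:fd use;

# Allow virtualizationservice to check if VFIO is supported
allow virtualizationservice vfio_device:chr_file getattr;
allow virtualizationservice vfio_device:dir r_dir_perms;

# Allow virtualizationservice to access VM DTBO via a file created by virtualizationmanager.
allow virtualizationservice virtualizationmanager:fd use;

# Allow virtualizationservice to access vendor_configs_file to get the list of assignable devices.
r_dir_file(virtualizationservice, vendor_configs_file)

# Only init and virtualizationservice itself may set virtualizationservice_prop.
neverallow {
    domain
    -init
    -virtualizationservice
} virtualizationservice_prop:property_service set;

# Only the VM-management domains (and init) may open or create files in the
# per-VM data directories; other domains must not be able to plant files there.
neverallow {
    domain
    -init
    -virtualizationmanager
    -virtualizationservice
} virtualizationservice_data_file:file { open create };

# Bound the setrlimit grant above: virtualizationservice may only adjust rlimits of
# the VM-launching processes, never of arbitrary domains.
neverallow virtualizationservice {
    domain
    -virtualizationmanager
    -virtualizationservice
    # TODO(b/332677707): remove them when display service uses binder RPC.
    -crosvm
}:process setrlimit;

is_flag_enabled(RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT, `
    # Only virtualizationservice and virtualizationmanager can communicate to vfio_handler
    # NOTE(review): this neverallow is gated on RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT while
    # the matching vfio_handler allow rules above are gated on
    # RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES -- confirm the two flags
    # are meant to differ, otherwise the build-time check is skipped for one configuration.
    neverallow { domain -virtualizationmanager -virtualizationservice -servicemanager } vfio_handler:binder call;
')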