Fix virtualizationservice denials
Allow logging to statsd - see commit 3ffa832c6325bc9640baea66192e4e2c64349bc8. Allow ioctl on /dev/kvm (allowxperm isn't enough) - see commit 2dd48d0400.
Ignore spurious errors on /proc/fd/1 when running derive_classpath - see commit 3fad86bb8a.
This fixes these denials: avc: denied { write } for name="statsdw" dev="tmpfs" ino=984 scontext=u:r:virtualizationservice:s0 tcontext=u:object_r:statsdw_socket:s0 tclass=sock_file permissive=0 avc: denied { ioctl } for path="/dev/kvm" dev="tmpfs" ino=766 ioctlcmd=0xae03 scontext=u:r:virtualizationservice:s0 tcontext=u:object_r:kvm_device:s0 tclass=chr_file permissive=0 avc: denied { write } for name="fd" dev="proc" ino=63285 scontext=u:r:virtualizationservice:s0 tcontext=u:r:virtualizationservice:s0 tclass=dir permissive=0 Bug: 209008347 Bug: 210472252 Bug: 210803811 Test: Start VM, don't see denials. Change-Id: I4c67746c1312553ee1155098ac27fc0d46c6f521
This commit is contained in:
parent
001b47c547
commit
8a881c14bf
@ -55,17 +55,22 @@ allow virtualizationservice staging_data_file:dir search;
|
||||
# Run derive_classpath in our domain
|
||||
allow virtualizationservice derive_classpath_exec:file rx_file_perms;
|
||||
allow virtualizationservice apex_mnt_dir:dir r_dir_perms;
|
||||
# Ignore harmless denials on /proc/self/fd
|
||||
dontaudit virtualizationservice self:dir write;
|
||||
|
||||
# Let virtualizationservice to accept vsock connection from the guest VMs
|
||||
allow virtualizationservice self:vsock_socket { create_socket_perms_no_ioctl listen accept };
|
||||
|
||||
# Allow virtualization to ioctl on dev/kvm only to check if protected VM is supported or not.
|
||||
allow virtualizationservice kvm_device:chr_file { open read write };
|
||||
allow virtualizationservice kvm_device:chr_file { open read write ioctl };
|
||||
allowxperm virtualizationservice kvm_device:chr_file ioctl KVM_CHECK_EXTENSION;
|
||||
|
||||
# Allow virtualizationservice to read/write its own sysprop. Only the process can do so.
|
||||
set_prop(virtualizationservice, virtualizationservice_prop)
|
||||
|
||||
# Allow writing stats to statsd
|
||||
unix_socket_send(virtualizationservice, statsdw, statsd)
|
||||
|
||||
neverallow {
|
||||
domain
|
||||
-init
|
||||
|
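Review bot: `dontaudit virtualizationservice self:dir write;` is wider than the comment above it says: the target is `self` with class `dir`, so it silences write denials on every directory carrying the process's own label — the /proc/<pid>/fd directory from the quoted denial and, presumably, the rest of its own /proc/<pid> tree — and a dontaudit cannot be narrowed to one path. Since it grants nothing this is acceptable, but a genuine write denial under /proc/self would no longer show up in logs while debugging, so the comment should state the real scope, e.g. `# Ignore harmless write denials on our own /proc/<pid> dirs (derive_classpath writes to /proc/self/fd); dontaudit grants nothing`. The kvm_device change is correctly paired with the existing `allowxperm ... ioctl KVM_CHECK_EXTENSION;`, so the new `ioctl` base permission stays limited to that single command (0xae03 in the reported denial). The `neverallow {` statement at the end of the hunk continues outside it.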