From 8b4d612fd737038e463ec2f76829f0bf302ff71c Mon Sep 17 00:00:00 2001
From: Alan Stokes
Date: Wed, 20 Dec 2023 12:36:18 +0000
Subject: [PATCH] Allow su to access virtualization

Use our standard macro for granting all the necessary permissions instead of copying a part of it.
Add ioctl access for all clients for Unix stream sockets & pipes; this allows them to be used for stdin/stdout without triggering denials. (Only unpriv_sock_ioctls can be used.)
Together this allows a root shell to use `vm run` without getting spurious denials such as:
avc: denied { ioctl } for comm="crosvm" path="socket:[835168]" dev="sockfs" ino=835168 ioctlcmd=0x5401 scontext=u:r:crosvm:s0 tcontext=u:r:su:s0 tclass=unix_stream_socket permissive=0
Bug: 316048644
Test: adb root, adb shell /apex/com.android.virt/bin/vm run-microdroid
Test: atest MicrodroidTests
Change-Id: Ib5186c70714e295a770896cf8b628384f410b94d
---
 private/su.te | 5 +++--
 public/te_macros | 4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/private/su.te b/private/su.te
index cc00e103b..2e0d10ae8 100644
--- a/private/su.te
+++ b/private/su.te
@@ -19,8 +19,9 @@ userdebug_or_eng(`
 # Put the perfetto command into its domain so it is the same on user, userdebug and eng.
 domain_auto_trans(su, perfetto_exec, perfetto)
- # Put the virtmgr command into its domain.
- domain_auto_trans(su, virtualizationmanager_exec, virtualizationmanager)
+ # Allow accessing virtualization (e.g. via the vm command) - ensures virtmgr runs in its
+ # own domain.
+ virtualizationservice_use(su)
 # su is also permissive to permit setenforce.
 permissive su;
diff --git a/public/te_macros b/public/te_macros
index d2f440600..6d7533afa 100644
--- a/public/te_macros
+++ b/public/te_macros
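Review bot: The replacement comment explains only the domain transition, but virtualizationservice_use(su) also pulls in the fd-use, UDS/fifo and vsock rules between su and virtualizationmanager/crosvm, which is the actual widening relative to the removed domain_auto_trans line. Because `permissive su;` sits two lines below, the practical effect of those extra rules is fewer audit denials rather than new enforcement, and saying so saves the next reader from hunting for a security rationale that isn't there; e.g. `# Allow accessing virtualization (e.g. via the vm command). The macro also grants the` / `# fd/socket/vsock rules a VM client needs; su is permissive anyway, so this mostly silences denials.` The enclosing userdebug_or_eng block starts and ends outside the hunk.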
@@ -186,13 +186,13 @@ define(`virtualizationservice_use', `
 # Transition to virtualizationmanager when the client executes it.
 domain_auto_trans($1, virtualizationmanager_exec, virtualizationmanager)
 # Allow virtualizationmanager to communicate over UDS with the client.
-allow { virtualizationmanager crosvm } $1:unix_stream_socket { getattr read write };
+allow { virtualizationmanager crosvm } $1:unix_stream_socket { ioctl getattr read write };
 # Let the client pass file descriptors to virtualizationmanager and on to crosvm.
 allow { virtualizationmanager crosvm } $1:fd use;
 # Let the client use file descriptors created by virtualizationmanager.
 allow $1 virtualizationmanager:fd use;
 # Allow piping console log to the client
-allow { virtualizationmanager crosvm } $1:fifo_file { getattr read write };
+allow { virtualizationmanager crosvm } $1:fifo_file { ioctl getattr read write };
 # Allow client to read/write vsock created by virtualizationmanager to communicate with the VM
 # that it created. Notice that we do not grant permission to create a vsock;
 # the client can only connect to VMs that it owns.
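Review bot: The ioctl permission added on `$1:unix_stream_socket` and `$1:fifo_file` comes with no allowxperm in this hunk, so the commit message's statement that only unpriv_sock_ioctls can be used is not expressed here; presumably it relies on an existing domain-wide xperm rule for sockets, which is worth confirming, and fifo_file has no xperm mechanism at all, so that line grants every ioctl on the pipe for every macro user. A comment should record why both are needed and where the socket bound comes from, e.g. `# ioctl is needed because clients may hand these over as crosvm's stdio (the ioctlcmd=0x5401 probe` / `# seen in denials); socket ioctls stay bounded by the domain-wide unpriv_sock_ioctls xperm rule.` The virtualizationservice_use macro opens before and closes after this hunk.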