xref: /aosp_15_r20/system/sepolicy/microdroid/system/private/microdroid_manager.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290)
# microdroid_manager is the daemon that runs inside a Microdroid guest VM: it
# verifies and mounts the VM payload, derives the DICE chain and launches the
# payload. It therefore holds secrets and is kept tightly confined below.
2
type microdroid_manager, domain, coredomain;
type microdroid_manager_exec, exec_type, file_type, system_file_type;

# Started by init as a daemon (init -> microdroid_manager domain transition).
init_daemon_domain(microdroid_manager)

# Linked against the bootstrap bionic rather than the APEX-provided one.
use_bootstrap_libs(microdroid_manager)

# No crash dumps: this process handles DICE secrets that must never end up in a
# tombstone.
typeattribute microdroid_manager no_crash_dump_domain;

###
### Capabilities
###
# sys_admin: required by the BLKFLSBUF ioctl on the instance disk (allowxperm
#   below). NOTE(review): CAP_SYS_ADMIN is a very broad capability; the tmpfs
#   unmount and zram swap setup granted further down presumably rely on it too,
#   so it cannot simply be dropped once the ioctl is done.
# setpcap: lets microdroid_manager remove capabilities from its own bounding set.
# setuid/setgid: lets it start payload tasks under a different uid/gid.
allow microdroid_manager self:global_capability_class_set {
  sys_admin
  setpcap
  setuid
  setgid
};

###
### Block devices
###
# Enumerate /dev/block and follow its symlinks to locate the virtual disks.
allow microdroid_manager block_device:dir r_dir_perms;
allow microdroid_manager block_device:lnk_file r_file_perms;
# The VM payload is read from a virtual disk; the instance image on it is also
# updated, hence read-write.
allow microdroid_manager vd_device:blk_file rw_file_perms;
# BLKFLSBUF on the instance disk image (needs sys_admin, granted above).
allowxperm microdroid_manager vd_device:blk_file ioctl BLKFLSBUF;
# Read-only access to the dm-verity device backing the mounted APK payload, used
# to verify it.
allow microdroid_manager dm_device:blk_file r_file_perms;
# zram-backed swap: read/write the zram sysfs knobs (disksize) and the zram block
# device itself (mkswap / swapon).
allow microdroid_manager sysfs_zram:dir search;
allow microdroid_manager sysfs_zram:file rw_file_perms;
allow microdroid_manager ram_device:blk_file rw_file_perms;

###
### DICE
###
# Read config from the open-dice driver.
allow microdroid_manager open_dice_device:chr_file rw_file_perms;
# When the VM boots with a microdroid vendor partition, first_stage_init derives
# the vendor DICE node and writes the resulting chain to a file on
# /microdroid_resources. microdroid_manager reads that file to derive the next
# chain and then deletes it.
allow microdroid_manager microdroid_resources_file:file { rw_file_perms unlink };
allow microdroid_manager microdroid_resources_file:dir { remove_name search write };
# Defence in depth: /microdroid_resources (a tmpfs) is unmounted before the
# payload starts, so the payload cannot read
# /microdroid_resources/dice_chain.raw.
allow microdroid_manager tmpfs:filesystem unmount;

###
### Device tree / procfs reads
###
# AVF flags exported through the device tree.
r_dir_file(microdroid_manager, proc_dt_avf)
r_dir_file(microdroid_manager, sysfs_dt_avf)
# proc_bootconfig: compared against the bootconfig recorded in instance.img so a
#   differing bootconfig can be rejected.
# proc_cmdline: checked for crashkernel=; when set, kexec is run to load the
#   crash kernel.
# proc_meminfo / proc_stat: CPU and memory usage for AVF telemetry atoms.
allow microdroid_manager {
  proc_bootconfig
  proc_cmdline
  proc_meminfo
  proc_stat
}:file r_file_perms;

###
### Process transitions
###
# Payload tasks run in their own domains (and uid/gid, see setuid/setgid above).
domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app)
domain_auto_trans(microdroid_manager, compos_exec, compos)
# Helpers for verifying and mounting the APK payload.
domain_auto_trans(microdroid_manager, apkdmverity_exec, apkdmverity)
domain_auto_trans(microdroid_manager, zipfuse_exec, zipfuse)
# Encrypted storage helper.
domain_auto_trans(microdroid_manager, encryptedstore_exec, encryptedstore)
# kexec, used to load the crashkernel (see proc_cmdline above).
domain_auto_trans(microdroid_manager, kexec_exec, kexec)

# Read-only directory access needed when syncing the encrypted storage fs.
allow microdroid_manager encryptedstore_file:dir r_dir_perms;

###
### Logging and host communication
###
# Kernel logging: the main kmsg device and kmsg_debug (stdio_to_kmsg).
allow microdroid_manager { kmsg_device kmsg_debug_device }:chr_file w_file_perms;
# Failure reporting over the serial device; tcdrain needs ioctl.
allow microdroid_manager serial_device:chr_file { w_file_perms ioctl };
# vsock connection back to the host.
allow microdroid_manager self:vsock_socket create_socket_perms_no_ioctl;
# Reading the VM's own CID.
allow microdroid_manager vsock_device:chr_file { ioctl open read };

###
### Files created for other components
###
# /apex/vm-payload-metadata is created here for apexd.
# TODO(b/199371341): give the file its own label so that only microdroid_manager
# can create it, instead of granting write access to the whole apex_mnt_dir.
allow microdroid_manager apex_mnt_dir:dir w_dir_perms;
allow microdroid_manager apex_mnt_dir:file create_file_perms;
# Directories holding extra APKs.
allow microdroid_manager extra_apk_file:dir create_dir_perms;

###
### System properties
###
# Boot status.
set_prop(microdroid_manager, boot_status_prop)
# Starting services through ctl.* properties.
set_prop(microdroid_manager, ctl_apexd_vm_prop)
set_prop(microdroid_manager, ctl_apkdmverity_prop)
set_prop(microdroid_manager, ctl_authfs_prop)
set_prop(microdroid_manager, ctl_seriallogging_prop)
set_prop(microdroid_manager, ctl_zipfuse_prop)
# Waiting for linkerconfig and zipfuse to become ready.
get_prop(microdroid_manager, apex_config_prop)
get_prop(microdroid_manager, microdroid_manager_zipfuse_prop)
# Passing the roothash to apkdmverity.
set_prop(microdroid_manager, microdroid_manager_roothash_prop)
# Properties computed from the payload config.
set_prop(microdroid_manager, microdroid_config_prop)
# Lifecycle properties (e.g. init_done).
set_prop(microdroid_manager, microdroid_lifecycle_prop)
# Shutting the VM down when verification fails.
set_prop(microdroid_manager, powerctl_prop)

###
### neverallow rules
###
# Only microdroid_manager (plus init and vendor_init) may write extra APK files
# or directories.
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:file no_w_file_perms;
neverallow { domain -microdroid_manager -init -vendor_init } extra_apk_file:dir no_w_dir_perms;

# microdroid_manager never executes anything in its own domain, and may only
# transition to the payload domains and the few helper domains listed here.
# NOTE(review): compos and microdroid_app are not named explicitly; the
# domain_auto_trans rules above can only coexist with this neverallow if those
# domains carry the microdroid_payload attribute — confirm in their .te files.
neverallow microdroid_manager { file_type fs_type }:file execute_no_trans;
neverallow microdroid_manager {
  domain
  -crash_dump
  -microdroid_payload
  -apkdmverity
  -encryptedstore
  -zipfuse
  -kexec
}:process transition;
157