From 5b178328a3f4a479566e507469f9b2f86ba9776f Mon Sep 17 00:00:00 2001
From: Jiyong Park
Date: Fri, 1 Apr 2022 13:06:50 +0900
Subject: [PATCH 1/2] /dev/[kvm|vhost-vsock] are owned by system
/dev/kvm and /dev/vhost-vsock are used by crosvm. Previously, it ran as a custom UID `virtualizationservice`. However, this prevented us from applying task profiles to the crosvm process because joining a process to a cgroup requires system UID. Now, crosvm (and its parent virtualizationservice as well) runs in system UID. Therefore, the ownership of two device files are also updated accorgly.
BUG=b:216788146
BUG=b:223790172
Test: watch TH
Change-Id: I1f63a12532d3a2cb5724291dbbb40210bd7c9203
---
 rootdir/ueventd.rc | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/rootdir/ueventd.rc b/rootdir/ueventd.rc
index 3101974a2..a140c8c51 100644
--- a/rootdir/ueventd.rc
+++ b/rootdir/ueventd.rc
@@ -67,9 +67,8 @@ subsystem dma_heap
 # CDMA radio interface MUX
 /dev/ppp 0660 radio vpn
-# Virtualization is managed by VirtualizationService.
-/dev/kvm 0600 virtualizationservice root
-/dev/vhost-vsock 0600 virtualizationservice root
+/dev/kvm 0600 system system
+/dev/vhost-vsock 0600 system system
 # sysfs properties
 /sys/devices/platform/trusty.* trusty_version 0440 root log
From 93c66bbd89316de41af598b84c702843bb52aaa2 Mon Sep 17 00:00:00 2001
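Review bot: The new `/dev/kvm 0600 system system` and `/dev/vhost-vsock 0600 system system` entries move DAC access on the hypervisor and vsock nodes from a dedicated UID to the `system` UID, which many other daemons share, so the SELinux labels on these nodes (plus whatever sepolicy change accompanies this series) presumably become the only thing keeping other system-UID processes away from them; the commit message does not mention that counterpart, and it would help to state it. The deleted `# Virtualization is managed by VirtualizationService.` line is not replaced, so the file no longer says who these nodes are for or why they are owned by system; suggest `# /dev/kvm and /dev/vhost-vsock are used by crosvm, spawned by VirtualizationService, which runs as system so task profiles can be applied (b/223790172).` above the two entries. Changing the group from root to system is a no-op under mode 0600 and could be left as root to avoid implying group access. The same widening applies to the `/data/misc/virtualizationservice` directory in the second patch's init.rc hunk.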
From: Jiyong Park
Date: Fri, 1 Apr 2022 13:26:52 +0900
Subject: [PATCH 2/2] Virtualizationservice is owned by the system UID
Previously, virtualizationservice had its own UID `virtualizationservice`. As a result, crosvm, which is spawed by virtualizationservice`, also run as the UID. However, that prevented us from applying task profiles to the crosvm process because joining a process to a cgroup requires system UID. To fix that, virtualizationservice now runs as system UID. As a result, this directory that virtualizationservice accesses has to change its owner and group to system.
Bug: 223790172
Bug: 216788146
Test: watch TH
Change-Id: I2bdf49e99f1841bf77ff046b0c2455064b174e0a
---
 rootdir/init.rc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 5fbe75629..d39a21ca1 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -829,7 +829,7 @@ on post-fs-data
 mkdir /data/misc/odsign/metrics 0770 root system
 # Directory for VirtualizationService temporary image files.
- mkdir /data/misc/virtualizationservice 0700 virtualizationservice virtualizationservice
+ mkdir /data/misc/virtualizationservice 0700 system system
 mkdir /data/preloads 0775 system system encryption=None