From cb2c533d8311356aca626263f264a231bba344cc Mon Sep 17 00:00:00 2001
From: Inseob Kim
Date: Wed, 16 Nov 2022 19:59:07 +0900
Subject: [PATCH 1/2] Grant kmsg_debug permission to kexec

microdroid_manager has stdio_to_kmsg, so it's good to have the same permission to microdroid_manager's children for better debuggability.

Bug: 259241719
Test: atest MicrodroidHostTestCases MicrodroidTestApp
Change-Id: Ibaaed365e970e6b9f2d458ccae4d128fd3b84f38
---
 microdroid/system/private/kexec.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/microdroid/system/private/kexec.te b/microdroid/system/private/kexec.te
index c0ab7357a..8d40986c8 100644
--- a/microdroid/system/private/kexec.te
+++ b/microdroid/system/private/kexec.te
@@ -10,3 +10,6 @@ allow kexec microdroid_manager:fd use;
 
 # allow kexec to have SYS_BOOT
 allow kexec self:capability sys_boot;
+
+# allow kexec to write kmsg_debug
+allow kexec kmsg_debug_device:chr_file w_file_perms;

From 5df428bea8d11419e26b5652c7900b6df04c9166 Mon Sep 17 00:00:00 2001
From: Inseob Kim
Date: Wed, 16 Nov 2022 20:13:29 +0900
Subject: [PATCH 2/2] Add listen/accept permission to MM's vsock

Bug: 259241719
Test: atest MicrodroidHostTestCases MicrodroidTestApp
Change-Id: I7403b2ae777fd72bb056b5cb260e693ef0793cff
---
 microdroid/system/private/microdroid_manager.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 399330f13..5996b5541 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
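Review bot: In kexec.te the new `allow kexec kmsg_debug_device:chr_file w_file_perms;` is granted unconditionally, while the commit message justifies it only as a debuggability aid, so it is worth confirming that write access to kmsg_debug is intended for every Microdroid configuration and not just debuggable ones. The added comment only restates the rule; recording the reason would help the next policy reviewer, for example `# kexec inherits microdroid_manager's stdio, which stdio_to_kmsg redirects to kmsg_debug`. That wording is inferred from the commit message and should be checked against microdroid_manager's own kmsg_debug rule, which is not visible in this hunk.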
@@ -48,6 +48,9 @@ allow microdroid_manager kmsg_device:chr_file w_file_perms;
 # Let microdroid_manager to create a vsock connection back to the host VM
 allow microdroid_manager self:vsock_socket { create_socket_perms_no_ioctl };
 
+# Let microdroid_manager listen/accept from the host for stdio proxy
+allow microdroid_manager self:vsock_socket { listen accept };
+
 # microdroid_manager is using bootstrap bionic
 use_bootstrap_libs(microdroid_manager)
 
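Review bot: The new comment says the listen/accept is "from the host", but `allow microdroid_manager self:vsock_socket { listen accept };` cannot express that restriction. A rule on `self` only lets the domain listen and accept on its own vsock socket and says nothing about which peer connects. Whether only the host can reach the stdio proxy therefore depends on microdroid_manager validating the peer CID after accept, which is outside this diff and should be confirmed. I would reword the comment to make that explicit, e.g. `# Let microdroid_manager listen/accept on its vsock for the stdio proxy; the peer is not restricted by this rule and must be checked in microdroid_manager`.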