From 2df19cba08dcc6070508142e6eec66494946e8d2 Mon Sep 17 00:00:00 2001
From: Inseob Kim
Date: Thu, 25 Nov 2021 11:25:44 +0900
Subject: [PATCH] microdroid: Run apk mount utils from MM

For now, the command for apkdmverity and zipfuse is hard-coded in the init script file. To support passing extra APKs, microdroid_manager needs to parse the vm config, and then manually run apkdmverity and zipfuse with appropriate parameters.

Bug: 205224817
Test: atest MicrodroidHostTestCases ComposHostTestCases
Change-Id: I482b548b2a414f3b5136cea199d551cc88402caf
---
 microdroid/system/private/apkdmverity.te | 13 ++++++++++---
 microdroid/system/private/microdroid_manager.te | 4 ++++
 microdroid/system/private/microdroid_payload.te | 4 ++--
 microdroid/system/private/zipfuse.te | 13 ++++++++++---
 4 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/microdroid/system/private/apkdmverity.te b/microdroid/system/private/apkdmverity.te
index 0c0ef41c3..c3f718bc0 100644
--- a/microdroid/system/private/apkdmverity.te
+++ b/microdroid/system/private/apkdmverity.te
@@ -3,9 +3,6 @@ type apkdmverity, domain, coredomain;
 type apkdmverity_exec, exec_type, file_type, system_file_type;
-# allow domain transition from init
-init_daemon_domain(apkdmverity)
-
 # apkdmverity is using bootstrap bionic
 allow apkdmverity system_bootstrap_lib_file:dir r_dir_perms;
 allow apkdmverity system_bootstrap_lib_file:file { execute read open getattr map };
@@ -34,3 +31,13 @@ allowxperm apkdmverity loop_device:blk_file ioctl {
 LOOP_SET_FD
 LOOP_SET_DIRECT_IO
 };
+
+# allow apkdmverity to log to the kernel
+allow apkdmverity kmsg_device:chr_file w_file_perms;
+
+# apkdmverity is forked from microdroid_manager
+# TODO(inseob): remove this
+allow apkdmverity microdroid_manager:fd use;
+
+# Only microdroid_manager can run apkdmverity
+neverallow { domain -microdroid_manager } apkdmverity:process { transition dyntransition };
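Review bot: The `allow apkdmverity microdroid_manager:fd use;` line in the second hunk grants use of every descriptor apkdmverity inherits across the fork/exec from microdroid_manager, not only stdio, and the `# TODO(inseob): remove this` above it does not say what has to be true before the rule can go. The microdroid_manager.te and microdroid_payload.te hunks in this same patch show the parent holding `dm_device:blk_file` read access and a vsock socket to the payload, so any such fd that is still open at exec time stays usable in the child for as long as this rule exists. State the exit condition in the comment, e.g. `# TODO(inseob): remove once microdroid_manager closes (or marks O_CLOEXEC) every fd other than stdio before exec`, so the widening is visibly temporary and a later reviewer can check it. The same rule and TODO are added for zipfuse in the second hunk of zipfuse.te and should carry the same wording.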
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 3aa14ca6a..38fabcd93 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -18,6 +18,10 @@ allow microdroid_manager dm_device:blk_file r_file_perms;
 domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app)
 domain_auto_trans(microdroid_manager, compos_exec, compos)
+# Allow microdroid_manager to start apk verity binaries
+domain_auto_trans(microdroid_manager, apkdmverity_exec, apkdmverity)
+domain_auto_trans(microdroid_manager, zipfuse_exec, zipfuse)
+
 # Let microdroid_manager kernel-log.
 allow microdroid_manager kmsg_device:chr_file w_file_perms;
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 0b0d20102..7c50db72d 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -27,8 +27,8 @@ allow microdroid_payload microdroid_manager:vsock_socket { read write };
 # Write to /dev/kmsg.
 allow microdroid_payload kmsg_device:chr_file rw_file_perms;
-# Only microdroid_payload can be run by microdroid_manager
-neverallow microdroid_manager { domain -crash_dump -microdroid_payload }:process transition;
+# Only microdroid_payload and apk verity binaries can be run by microdroid_manager
+neverallow microdroid_manager { domain -crash_dump -microdroid_payload -apkdmverity -zipfuse }:process transition;
 # Allow microdroid_payload to open binder servers via vsock.
 allow microdroid_payload self:vsock_socket { create_socket_perms listen accept };
diff --git a/microdroid/system/private/zipfuse.te b/microdroid/system/private/zipfuse.te
index 351e89e65..04cdadf79 100644
--- a/microdroid/system/private/zipfuse.te
+++ b/microdroid/system/private/zipfuse.te
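Review bot: The new comment `# Allow microdroid_manager to start apk verity binaries` in the microdroid_manager.te hunk misdescribes the second rule beneath it: zipfuse mounts the APK contents rather than verifying them, and the commit subject itself calls the pair "apk mount utils". Since these two `domain_auto_trans` lines are now the only permitted way into the apkdmverity and zipfuse domains (the `init_daemon_domain` macros are removed in apkdmverity.te and zipfuse.te), the comment is what a later reader will rely on, so name both roles: `# Allow microdroid_manager to start the apk mount helpers (apkdmverity verifies, zipfuse mounts)`. The same phrase "apk verity binaries" is used in the replacement neverallow comment in the microdroid_payload.te hunk and should be corrected there too.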
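Review bot: The rewritten neverallow in the microdroid_payload.te hunk still constrains only `process transition`, while the new per-domain neverallows this patch adds in apkdmverity.te and zipfuse.te deny `{ transition dyntransition }`; the two sides of the same invariant now differ. Whether anything in microdroid_manager legitimately uses dyntransition is not visible in this hunk, but nothing in the patch grants it, so the payload-side rule could be brought into line as `neverallow microdroid_manager { domain -crash_dump -microdroid_payload -apkdmverity -zipfuse }:process { transition dyntransition };`. If dyntransition is deliberately left open, a one-line comment saying why would stop the next reader from treating the asymmetry as an oversight.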
@@ -6,9 +6,6 @@ type zipfuse, domain, coredomain;
 type zipfuse_exec, exec_type, file_type, system_file_type;
-# allow domain transition from init
-init_daemon_domain(zipfuse)
-
 # zipfuse is using bootstrap bionic
 allow zipfuse system_bootstrap_lib_file:dir r_dir_perms;
 allow zipfuse system_bootstrap_lib_file:file { execute read open getattr map };
@@ -36,3 +33,13 @@ allow zipfuse zipfusefs:filesystem { mount relabelfrom relabelto };
 # allow mounting with context=u:object_r:system_file:s0 so that files provided
 # by zipfuse are treated the same as the other files in /system or /apex
 allow system_file zipfusefs:filesystem associate;
+
+# allow zipfuse to log to the kernel
+allow zipfuse kmsg_device:chr_file w_file_perms;
+
+# zipfuse is forked from microdroid_manager
+# TODO(inseob): remove this
+allow zipfuse microdroid_manager:fd use;
+
+# Only microdroid_manager can run zipfuse
+neverallow { domain -microdroid_manager } zipfuse:process { transition dyntransition };