This is an AIDL service exposed by Virtualization Service to system
server (VirtualizationSystemService).
The implementation is Rust so no fuzzer is required.
I've put this behind the flag on general principle.
Bug: 294177871
Test: atest MicrodroidTests
Change-Id: Ia867fe27fb2e76d9688e4ba650ebf7b3f51ee597
As virtualizationmanager holds references to IBoundDevice returned by
vfio_handler, virtualizationmanager should also have permission to
binder_call.
Bug: 278008519
Test: boot microdroid with assigned devices
Change-Id: I7b87de099b0731c386666cec215807dc39d8c89c
Revert submission 2829351-revert-2812456-revert-2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ-PAWNEHUQBT-WYENGHRTXK
Reason for revert: Relands the original topic:
https://r.android.com/q/topic:%22expose-avf-rkp-hal%22
Changes from the reverted cl aosp/2812455:
- The AIDL service type has been renamed from avf_* to hal_* to be
consistent with the others.
- The new AIDL service type, hal_remotelyprovisionedcomponent_avf_service,
for the IRPC/avf service, has been set up with the server/client model
for AIDL Hal. The virtualizationservice is declared as server and
RKPD is declared as client to access the service instead of raw
service permission setup as in the reverted cl. This is aligned
with the AIDL Hal configuration recommendation.
- Since the existing type for IRPC hal_remotelyprovisionedcomponent is
already associated with keymint server/client and has specific
permission requirements, and some of the keymint clients might not
need the AVF Hal. We decided to create a new AIDL service type
instead of reusing the exisiting keymint service type.
Reverted changes: /q/submissionid:2829351-revert-2812456-revert-2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ-PAWNEHUQBT-WYENGHRTXK
Bug: 312427637
Bug: 310744536
Bug: 299257581
Test: atest MicrodroidHostTests librkp_support_test
Change-Id: Id37764b5f98e3c30c0c63601560697cf1c02c0ad
vfio_handler will be active only if device assignment feature is turned
on.
Bug: 306563735
Test: microdroid tests with and without the flag
Change-Id: I5559dfca1a29852b65481c95f37edc9977ee9d7d
Revert submission 2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ
Reason for revert: This change relands the topic
https://r.android.com/q/topic:%22expose-avf-rkp-hal%22
The SELinux denial has been fixed in system/sepolicy
Reverted changes: /q/submissionid:2812435-revert-2778549-expose-avf-rkp-hal-GTFGLMUUKQ
Bug: 308596709
Bug: 274881098
Change-Id: Ib23ac4680b0f37b760bff043e1f42ce61a58c3e2
Split virtualizationservice policy into rules that should remain with
the global service and rules that now apply to virtmgr - a child process
of the client that runs the VM on its behalf.
The virtualizationservice domain remains responsible for:
* allocating CIDs (access to props)
* creating temporary VM directories (virtualization_data_file, chown)
* receiving tombstones from VMs
* pushing atoms to statsd
* removing memlock rlimit from virtmgr
The new virtualizationmanager domain becomes responsible for:
* executing crosvm
* creating vsock connections, handling callbacks
* preparing APEXes
* pushing ramdumps to tombstoned
* collecting stats for telemetry atoms
The `virtualizationservice_use` macro is changed to allow client domains
to transition to the virtmgr domain upon executing it as their child,
and to allow communication over UDS.
Clients are not allowed to communicate with virtualizationservice via
Binder, only virtmgr is now allowed to do that.
Bug: 250685929
Test: atest -p packages/modules/Virtualization:avf-presubmit
Change-Id: Iefdccd908fc28e5d8c6f4566290e79ed88ade70b
1. Allow them to be configured by vendor_init.
2. Introduce a new system property
hypervisor.memory_reclaim.supported, which is configured by
vendor_init and accessed only by virtualizationservice, and is not
as widely accessible as the existing hypervisor sysprops.
Bug: 235579465
Test: atest MicrodroidTests
Change-Id: I952432568a6ab351b5cc155ff5eb0cb0dcddf433
Instead of giving CAP_IPC_LOCK to crosvm, give virtualizationservice
CAP_SYS_RESOURCE so it can modify the rlimit_memlock of itself and its
children. This is done in preparation for running crosvm as a child
process of the requestor, in which case it will not have the option to
use CAP_IPC_LOCK anymore, but it also allows us to set an upper bound on
the amount of pinnable memory if necessary.
Bug: 204298056
Bug: 245727626
Test: atest MicrodroidTestApp
Change-Id: Ic7f161fe4232440a0dd9924d971f22fc053d973b
And allow VS and crosvm access to privapp_data_file, to the same
extent as app_data_file.
Update some comments, move a neverallow to the bottom of the file with
the others.
Bug: 255286871
Test: Install demo app to system/priv-app, see it work without explicit grant.
Change-Id: Ic763c3fbfdfe9b7a7ee6f1fe76d2a74281b69f4f
...and crosvm to access a listener socket when passed to it by file
descriptor from virtualizationservice.
Bug: 235579465
Test: Start a VM
Change-Id: I7e89cfb4fb8a1ce845eaea64a33dbaad6bff9969
For Guest: tombstone_tranmit needs permissions for:
1. keeping track of files being written on /data/tombstones.
2. creating vsock socket to talk to virtualizationservice (to forward
these tombstones)
These permissions will be similar to tombstone_tarnsmit on cuttlefish
(device/google/cuttlefish/guest/monitoring/tombstone_transmit/tombstone_transmit.cpp)
For Host (virtualizationservice) needs:
1. permission to connect to tombstoned.
2. permission to use fd belonging to tombstoned.
3. append and related permissions on tombstone_data file.
Test: Tested by crashing a process in guest (started using microdroid
demo)
Change-Id: Ifd0728d792bda98ba139f18fa9406494a714879d
VirtualizationService uses the properties to discover hypervisor
capabilities. Allow it access for this purpose.
Bug: 216639283
Test: build
Change-Id: I82f0c2ef30c8fb2eefcac1adf83531dd3917fdb8
This was fixed in https://r.android.com/1963701, as it never worked.
This partially reverts commit 2dd48d0400.
Change-Id: I6e7096e20fd594465fb1574b11d6fecc82f5d82f
We run it in our domain since it requires fairly minimal access.
Bug: 210472252
Test: atest virtualizationservice_device_test
Test: composd_cmd test-compile
Change-Id: Ia770cd38bda67f79f56549331d3a36d7979a5d5b
Virtualizationservice queries "package_native" service to get staged
apex info and then reads staged apexes to VM.
Bug: 199146189
Test: MicrodroidHostTestCases
Change-Id: Icbfe5b9a05abc08d3e0270d15969f632b3f57c66
It is a system property that keeps the last CID used by the
virtualizationservice. Although the information is local to the
process, a new system property is justified because the information has
to be kept across multiple runs of the process. A file however is not
desirable because the information shouldn't be persisted.
Bug: 196015427
Test: atest MicrodroidHostTestCases
Change-Id: If8ca4b6ad8d9c8cb3bb33dc9ef45de0ae6481d15
Remove some allow rules for odsign, since it no longer directly
modifies CompOs files. Instead allow it to run compos_verify_key in
its own domain.
Grant compos_verify_key what it needs to access the CompOs files and
start up the VM.
Currently we directly connect to the CompOs VM; that will change once
some in-flight CLs have landed.
As part of this I moved the virtualizationservice_use macro to
te_macros so I can use it here. I also expanded it to include
additional grants needed by any VM client that were previously done
for individual domains (and then deleted those rules as now
redundant).
I also removed the grant of VM access to all apps; instead we allow it
for untrusted apps, on userdebug or eng builds only. (Temporarily at
least.)
Bug: 193603140
Test: Manual - odsign successfully runs the VM at boot when needed.
Change-Id: I62f9ad8c7ea2fb9ef2d468331e26822d08e3c828
The test for the services has been running with selinux disabled. To
turn selinux on, required rules are allowed.
Below is the summary of the added rules.
* crosvm can read the composite disk files and other files (APKs,
APEXes) that serve as backing store of the composite disks.
* virtualizationservice has access to several binder services
- permission_service: to check Android permission
- apexd: to get apex files list (this will be removed eventually)
* Both have read access to shell_data_file (/data/local/tmp/...) for
testing purpose. This is not allowed for the user build.
* virtualizationservice has access to the pseudo terminal opened by adbd
so that it can write output to the terminal when the 'vm' tool is
invoked in shell.
Bug: 168588769
Test: /apex/com.android.virt/bin/vm run-app --log /dev/null
/data/local/tmp/virt/MicrodroidDemoApp.apk
/data/local/tmp/virt/MicrodroidDemoApp.apk.idsig
/data/local/tmp/virt/instance.img
assets/vm_config.json
without disabling selinux.
Change-Id: I54ca7c255ef301232c6e8e828517bd92c1fd8a04
Virtualizationservice should be able to read
* /apex/apex-info-list.xml: apex_info_file
* /data/apex/{active, uncompressed}: staging_data_file,
apex_data_file
and pass them to guest OS.
Bug: n/a
Test: atest MicrodroidHostTestCases
(see logcat for denials)
Change-Id: Ia9dab957a6f912aa193d58e2817a00d4a39b4536
... to connect to the programs running in the guest VM
Bug: 192904048
Test: atest MicrodroidHostTestCases
Change-Id: Iccb48c14ace11cc940bb9ab1e07cc4926182e06e
This is necessary to run tests or run VMs manually with SELinux
enforcement enabled.
Bug: 192256642
Test: atest VirtualizationTestCases
Change-Id: I03b12fefa4e79644bd2f3410cc255f923834aca4
