Commit graph

280 commits

Author SHA1 Message Date
Andrew Scull
2dba72540c Define access to AVF chosen node properties
Give microdroid_manager and the DICE HAL access to the AVF chosen node
properties that are used to indicate that the VM is booting in strict
more and that the current boot is provisioning a new VM instance.

Bug: 221051866
Bug: 217376291
Test: atest MicrodroidTests
Change-Id: Ie8451fc80671557086f8d825ad01600f9cb4557a
2022-03-14 11:38:45 +00:00
Inseob Kim
35e87367b8 microdroid: Set mls_cats to 1
Because MLS isn't really used in microdroid, setting it to 1 may help
improve performance a bit.

Bug: 223596384
Test: atest MicrodroidTests
Change-Id: Iace4a45ccda98e34fbf82b16ff2096a53b543132
2022-03-10 13:16:13 +09:00
Victor Hsieh
2a017b61a6 Allow dex2oat to use userfaultfd in microdroid
Bug: 209488862
Test: Follow instructions in b/209488862#comment12, compilation can
      only succeed with this patch
Change-Id: I6475a1be0db635de96b9f8fdbf9dd3a76c3a759b
2022-03-08 22:29:43 +00:00
Alan Stokes
ff648192d9 Block crash_dump from no_crash_dump_domain
These domains already can't transition to crash_dump, but also need to
make sure crash_dump can't be run and pointed at them.

Bug: 218494522
Test: Builds
Change-Id: I76f88faf8ff4c88e85eaf6a8db546dc644a71928
2022-02-24 16:36:40 +00:00
Treehugger Robot
275836a9af Merge "Dontaudit property access by odrefresh in the VM" 2022-02-23 12:07:45 +00:00
Victor Hsieh
e2156d071e Dontaudit property access by odrefresh in the VM
Bug: 210030607
Test: composd_cmd test-compile, no more denials in vm.log
Change-Id: I728398f812680354b813d03e0d23eecca330c47e
2022-02-22 23:10:04 +00:00
Alan Stokes
0c5449b193 Remove now-unused permissions
CompOS no longer talks directly to DICE (compos_key_helper does). odsign
no longer promotes or deletes instance CompOS files, and the key files
don't exist any more.

Bug: 218494522
Test: Manual; trigger compilation, reboot & watch odsign
Change-Id: Ibc251180122e6e4789b4be5669da3da67517b49c
2022-02-22 17:40:05 +00:00
Treehugger Robot
5273f3a486 Merge "Modify sepolicy for compos key changes" 2022-02-18 09:03:30 +00:00
Treehugger Robot
92ec679578 Merge "Remove needless bootloader_prop rule" 2022-02-17 15:51:31 +00:00
Andrew Scull
9738638c03 Let the DICE HAL getattr the device node
Make sure all the permissions are granted to let the HAL do its work
properly.

Bug: 214231981
Test: atest MicrodroidTestApp
Change-Id: I54c633b8163ea313c87856fb0513074a76ac86a1
2022-02-17 12:35:22 +00:00
Alan Stokes
766caba5de Modify sepolicy for compos key changes
Add the compos_key_helper domain for the process which has access to
the signing key, make sure it can't be crashdumped. Also extend that
protection to diced & its HAL.

Rename compos_verify_key to compos_verify, because it doesn't verify
keys any more.

Move exec types used by Microdroid to file.te in the host rather than
their own dedicated files.

Bug: 218494522
Test: atest CompOsSigningHostTest CompOsDenialHostTest
Change-Id: I942667355d8ce29b3a9eb093e0b9c4f6ee0df6c1
2022-02-17 12:14:40 +00:00
Andrew Scull
12bd3d9d2e Remove needless bootloader_prop rule
Bootloader properties are available to all domains so don't need special
policy rules for microdroid_manager.

Test: atest MicrodroidTests
Change-Id: I0ccf6b28467a47c0f3cf7715b9ff34d01e8ac970
2022-02-16 09:40:29 +00:00
Andrew Scull
b13117f3ba Add ro.boot.microdroid.app_debuggable
This property is set in the bootconfig to reflect the debuggability of
the payload app. It is consumed microdroid_manager as a DICE input and
by compos to make choices based on the debuggability, e.g. not doing
test builds in non-debug states.

Bug: 219740340
Test: atest ComposHostTestCases
Test: atest MicrodroidTests
Change-Id: If84710f1fdbab957f5d19ce6ba3daad7e3e65935
2022-02-16 09:40:27 +00:00
Inseob Kim
74caef3591 Add microdroid sepolicy test support
MicrodroidHostTestCases will pull the VM's sepolicy and check it against
system/sepolicy/microdroid's neverallow rules, using sepolicy-analyze
tool.

Bug: 218461215
Test: atest MicrodroidHostTestCases
Change-Id: I62a69053996b71d69dd2bf6b7eabc8b701095477
2022-02-09 23:35:44 +09:00
Jiyong Park
30c416a4bd Allow microdroid_manager to BLKFLSBUF on the instance disk
Microdroid_manager uses the ioctl to flush data to the block device.

Bug: 208639280
Test: atest MicrodroidTestApp
Change-Id: Icd708702618850e1f003b16bdc8a1698c45f6442
2022-02-07 15:13:22 +09:00
Andrew Scull
248e8a998f Allow the microdroid app to use diced
Bug: 214231981
Test: atest MicrodroidTestApp
Change-Id: I9672d678c7b698d15a0efa8dab567dbc2696ca81
2022-01-30 22:42:38 +00:00
Andrew Scull
6f2529c01b Touch up microdroid sepolicy after removing keystore
Avoid divergence in the files that will eventually shared with the main
Android sepolicy and fix a style mistake.

Bug: 215747811
Test: atest MicrodroidTests
Change-Id: I40b0bebb432d73ab6ab847c117e72d8bc18fe873
2022-01-28 13:07:16 +00:00
Andrew Scull
6c288a2676 Remove hwservicemanager from microdroid sepolicy
With the keymint HAL removed from microdroid, there are no more legacy
HALs meaning no further need for hwservicemanager.

Bug: 215747811
Test: atest MicrodroidTests
Change-Id: I111f3456399ef91e51d1cfead67659601c23db9e
2022-01-27 21:48:37 +00:00
Andrew Scull
af2c894f2c Remove keymint from microdroid sepolicy
The keymint HAL has been removed from microdroid to remove the
corresponding sepolicy.

Bug: 215747811
Test: atest MicrodroidTests
Change-Id: I08aae50dd9a4575954db40ec974625e43bff2335
2022-01-27 21:48:37 +00:00
Andrew Scull
f75d5cde48 Remove keystore from microdroid sepolicy
The keystore service has been removed from microdroid to remove the
corresponding sepolicy.

Bug: 215747811
Test: atest MicrodroidTests
Change-Id: I6600b47f8b8c6bba05b1f59b4d87713283805817
2022-01-27 21:48:37 +00:00
Treehugger Robot
fabaac131a Merge "Delete more unused policies by CompOS" 2022-01-25 20:54:41 +00:00
Treehugger Robot
c8ff1677ed Merge "Add context for ro.boot.microdroid.debuggable property" 2022-01-25 20:41:07 +00:00
Victor Hsieh
ea38d6925d Delete more unused policies by CompOS
Bug: 205750213
Test: TH
Change-Id: Ie08465e8801a74d61f85715e85a856293c4232d5
2022-01-25 08:40:46 -08:00
Andrew Scull
30373f3015 Add context for ro.boot.microdroid.debuggable property
This property is read by microdroid_manager to check whether the VM is
in debug mode. Give it a context to satisfy the sepolicy.

Bug: 214231981
Test: atest MicrodroidTestApp
Change-Id: I9d4bda5e487324c95229c7978e8fe0a53fa9f616
2022-01-25 16:07:21 +00:00
Andrew Scull
f451a1407f Give DICE HAL access to driver
The driver facilitates the handover of values from the bootloader so
needs to be accessible by the HAL.

Bug: 214231981
Test: run microdroid with a "google,open-dice" DT node
Change-Id: Ib5317e6a42befe22d8f1dbefeb9803f5ec92b061
2022-01-25 15:22:42 +00:00
Jiyong Park
16c1ae3a3d Add use_bionic_libs macro
... to dedupe rules for allowing access to bootstrap bionic libraries.

Bug: N/A
Test: m
Change-Id: I575487416a356c22f5f06f1713032f11d979d7d4
2022-01-25 09:47:56 +09:00
Treehugger Robot
db8d838e5a Merge "Update compos permissions" 2022-01-24 17:01:52 +00:00
Andrew Scull
f94a381585 Make the DICE HAL a bootstrap process
This HAL starts before APEXs are activated so needs access to the
bootstrap bionic libraries.

Bug: 214231981
Test: run microdroid
Change-Id: If82729eb2eff812916f257d24ce206e371be0c56
2022-01-21 18:19:21 +00:00
Jiyong Park
f252d81ec9 Allow microdroid_manager to talk to diced
microdroid_manager needs to give the measurements to diced and get
per-VM secret from it for encrypting/decrypting the instance disk.

Bug: 214231981
Test: run microdroid
Change-Id: Ia4cab3f40263619e554466433cbb065e70ae0f07
2022-01-21 18:19:03 +00:00
Alan Stokes
7409470917 Update compos permissions
We no longer use keystore, nor do we run dex2oat directly.

But we do now use IDiceNode::derive() to get our CDI_seal for key
derivation.

Bug: 214233409
Bug: 210998077
Test: atest ComposKeyTestCase
Change-Id: Id8ba882e7c250ad0365a7f493801e02cb5a0b700
2022-01-21 15:15:19 +00:00
Jiyong Park
92382fe69f Make servicemanager and diced bootstrap processes
The two are now started before APEXes are activated. Therefore they need
access to the bootstrap bionic libraries.

file_contexts is also updated because their file names are changed to
avoid the conflict with their non-bootstrap variants.

Bug: 214231981
Test: m
Change-Id: I30fb1422f228b71251d6618dd7f6e4e5422717f8
2022-01-21 13:41:26 +00:00
Jiyong Park
c9a7de49ea Revert "use dalvik.vm.boot-dex2oat-threads inside microdroid"
This reverts commit eee72d6cb3d9f5c6001192247861b28cb0787827.

REASON: not needed. See the other CL in the same topic.
Bug: 197358423
Test: m
Change-Id: Ice0813ed9e349e37c83b163e2c21f17bb1105013
2022-01-19 01:37:18 +09:00
Treehugger Robot
4da68c0fe4 Merge "use dalvik.vm.boot-dex2oat-threads inside microdroid" 2022-01-18 13:40:30 +00:00
Alan Stokes
50d2195cab Allow compos to use diced
Bug: 214233409
Test: composd_cmd dice
Change-Id: I82b4bd87db879f378d2fafb6e2db7e2544fef5de
2022-01-17 15:48:00 +00:00
Alan Stokes
f3ec0742ed Add diced security class
Add diced to security_class and access_vectors so it can check its
permissions in side Microdroid.

This was part of commit 2b6c6063ae
outside the VM.

Bug: 214231981
Test: composd_cmd dice
Change-Id: Ia503db183d16a4efcb975f654bb4483df44f51ad
2022-01-17 15:42:32 +00:00
Jiyong Park
2832f957e7 Merge "Add policies for diced and hal_dice in microdroid" 2022-01-17 13:29:34 +00:00
Jiyong Park
1d9c9ba231 use dalvik.vm.boot-dex2oat-threads inside microdroid
Previously, all dalvik.vm.* properties were not used / ignored in
Microdroid. However this change makes use of
dalvik.vm.boot-dex2oat-threads which controls the concurrency level of
dex2oat.

Specifically, on the host-side, the number of vCPUs in the compos VM is
configured from the system property having the same name. Then inside
the compos VM, compsvc which runs in the compos domain, sets the system
property to be the number of vCPUs in the VM. In other words, the system
properties get the same value both in the host and the guest VMs. Then
finally, the dex2oat process running inside the VM reads the system
property and configures its concurrency level accordingly.

Bug: 197358423
Test: run compos

Change-Id: I8d2394a7192a7b55a910f317e12e2b1f60b89636
2022-01-14 00:40:49 +09:00
Treehugger Robot
70cd2da646 Merge "Allow authfs to read extra APK mount" 2022-01-13 01:06:01 +00:00
Jiyong Park
8948c1ce4b Add policies for diced and hal_dice in microdroid
Bug: 214231981
Test: run microdroid and check diced is up and running
Change-Id: I605d7d6a790b8a14e575e67e1dcf02eaf7a5eafc
2022-01-13 01:37:00 +09:00
Alan Stokes
67a8605deb Remove obsolete ioctl allow
No longer used, so remove the allow.

Bug: 199259751
Test: Presubmits
Change-Id: Iea61d29d14b13de86f7fbd6b6e416eea745b615e
2022-01-07 10:42:17 +00:00
Victor Hsieh
a59b030341 Allow authfs to read extra APK mount
Bug: 206869687
Test: Add debug log to compos.  See correct content from the proto.
Change-Id: I4f2b4096808efc1b15c218a225b451731f37e43d
2022-01-05 15:21:51 -08:00
Alan Stokes
d313282433 Allow compos to run derive_classpath
We run it in the compos domain, since it doesn't require very much
additional access.

Bug: 189164487
Test: composd_cmd test-compile
Change-Id: I9ef26dd60225505086e45185289e3e03d0a8de8e
2022-01-05 18:06:27 +00:00
Treehugger Robot
76867eabd1 Merge "Remove inaccurate comment" 2021-12-20 10:59:29 +00:00
Victor Hsieh
048866ca7d Remove inaccurate comment
... from 14f188718a

Bug: None
Test: None
Change-Id: I133bc96f4cf7ae4092fef8ee4eac9533524a71b1
2021-12-16 13:56:48 -08:00
Treehugger Robot
a6d6b6aee8 Merge "Add apexd_payload_metadata_prop" 2021-12-16 19:18:43 +00:00
Victor Hsieh
6e5eb7cb11 Merge "Allow dex2oat to search in authfs directories" 2021-12-16 16:23:49 +00:00
Alan Stokes
14f188718a Grant compos permissions for signing
CompOS needs to read the artifacts on authfs that odrefresh has
created and write signature files for them.

(But it no longer needs to create any directories, so removed that.)

Fixes:
avc: denied { open } for comm="compsvc"
path="/data/misc/authfs/1/11/test-artifacts/...art" dev="fuse" ino=81
scontext=u:r:compos:s0 tcontext=u:object_r:authfs_fuse:s0 tclass=file
permissive=0
avc: denied { create } for comm="compsvc" name="compos.info"
scontext=u:r:compos:s0 tcontext=u:object_r:authfs_fuse:s0 tclass=file
permissive=0

Bug: 161471326
Test: composd_cmd async_odrefresh (with microdroid selinux enforced)
Change-Id: Ie02dedf1f18926cdbbd39e4a950c5aec80adee32
2021-12-16 13:40:38 +00:00
Richard Fung
0c7c2679b0 Add apexd_payload_metadata_prop
This should be read-only and corresponds to apexd.payload_metadata.path

Bug: 191097666
Test: android-sh -c 'setprop apexd.payload_metadata.path'
See permission denied
atest MicrodroidHostTestCases

Change-Id: Ifcb7da1266769895974d4fef86139bad5891a4ec
2021-12-16 03:00:06 +00:00
Victor Hsieh
a341025f87 Allow odrefresh to use FD inherited from compsvc
If FD use is not allowed, execve(2) returns EACCESS and the process is
killed by SIGSEGV.

Minijail closes any FDs by default and open /dev/null for FD 0-2. For
now, odrefresh doesn't use any FD. But until we could tell minijail to
not create FD 0-2 (which could be arguable), allow the permission.

Bug: 210909688
Test: composd_cmd async-odrefresh # exit 80 in enforced mode
Change-Id: I8643d8bfc8da03439a04491fba5ba6de663760eb
2021-12-15 16:54:28 -08:00
Victor Hsieh
e2a4d0c918 Allow dex2oat to search in authfs directories
dex2oat checks $ANDROID_ROOT exist, which is a directory in an authfs
mount. Give it permission to search along the path.

Strictly speaking, this isn't change how dex2oat execute in this
particular case, for now. Functions like LocationIsOnSystemFramework
make sure getenv(ANDROID_ROOT) exists. But either way, for those kind of
location checks, it won't match the mount path in /data/misc/authfs
anyway.

Bug: 205750213
Test: no more SELinux denials from dex2oat
Change-Id: I1b52dfdeb057443304f02784b6aa180d7db28bd8
2021-12-15 13:37:34 -08:00
Victor Hsieh
b415c7388f Declare dalvik.vm. property and dontaudit explicitly
dex2oat currently uses some properties as flags (see
art/libartbase/base/flags.cc). For CompOS, we don't really need such
properties, and actually should avoid global state. So dontaudit
explicitly.

Bug: 210030607
Test: no more default_prop denials for dex2oat
Change-Id: I10852f2a7df4dac7a9389eab3f53f91328104f96
2021-12-15 09:30:22 -08:00
Victor Hsieh
3ea775e483 Include log.tag and persist.log.tag in log_tag_prop
The two properties are not just prefixes. See __android_log_level in
system/logging/liblog/properties.cpp.

Bug: 210030607
Test: no longer seeing denials with default_prop in odrefresh
Change-Id: If2c9cba7aa65802e81c79c7d3d9735cbf14a6efa
2021-12-15 09:21:23 -08:00
Victor Hsieh
fe95b5b318 Define ro.build.version.{codename,sdk} in microdroid
The `__builtin_available` macro is used in used in several libraries in
microdroid, including liblog. The macro internally uses
ro.build.version.{codename,sdk}[1]. This change defines the context for
these properties.

[1] https://reviews.llvm.org/rG516a01b5f36d4188778a34202cd11856d70ac808

Bug: 210030607
Test: No longer seeing denied access of default_prop from odrefresh
Change-Id: I51bc52f679a174daccc05a1e2d6c9fda9e6b12cb
2021-12-15 08:11:13 -08:00
Jeff Vander Stoep
bc0fa66cbe Policy for using Apex sepolicy
Bug: 199914227
Test: aosp/1910032
Change-Id: I0726facbf0c28c486ef6501718a6013a040e4b0e
2021-12-14 13:54:03 +01:00
Alan Stokes
6e48ea981a Merge "Revert "Revert "More neverallow rules""" 2021-12-10 10:27:13 +00:00
Alan Stokes
9c2e162e87 Revert "Revert "More neverallow rules""
This reverts commit a0e49cea04.

Reason for revert: I don't think this was the culprit after all
Bug: 204853211

Change-Id: Iadc1c8df5ec2affcdbbf9e7bdc3eac54c47f4ebf
2021-12-10 09:06:08 +00:00
Alan Stokes
c6c31eb7b3 Merge "Revert "More neverallow rules"" 2021-12-09 14:06:35 +00:00
Treehugger Robot
c9d812e359 Merge "Run Virtualization tests when we change microdroid policy" 2021-12-09 13:12:55 +00:00
Treehugger Robot
8a564d32b7 Merge "Remove obsolete TODO" 2021-12-09 11:53:29 +00:00
Alan Stokes
fe9cfa610e Run Virtualization tests when we change microdroid policy
Bug: 204853211
Test: N/A
Change-Id: Ic5c921ad4980fb01e20a5765e5049812f6664dfb
2021-12-09 11:35:36 +00:00
Alan Stokes
a0e49cea04 Revert "More neverallow rules"
This reverts commit 72c0134384.

Reason for revert: Looks like this may have broken ComposHostTestCases
Bug: 204853211

Change-Id: I83816a49d3be056e4c9a718ea02911ca022cb984
2021-12-09 11:19:52 +00:00
Inseob Kim
28d0530c35 Remove obsolete TODO
Bug: 208722875
Test: N/A
Change-Id: I7ac440164140d7b95a1a7674e219bf9c2b1b83bd
2021-12-09 19:05:54 +09:00
Treehugger Robot
3e664a0e6d Merge "Allow odrefresh to read from a pipe from compos" 2021-12-09 09:45:30 +00:00
Victor Hsieh
1494f6b9a5 Allow odrefresh to read from a pipe from compos
This is copied from dex2oat.te. By using minijail, the child process
currently requires to communicate with the parent by a pipe, before
actually exec'ing the executable.

Bug: 205750213
Test: no longer see the avc error
Change-Id: I4d59fc8d32150d9e08abba06203eb5164ecd3c75
2021-12-08 15:00:22 -08:00
Alan Stokes
72c0134384 More neverallow rules
When we cut down microdroid policy we removed a whole lot of
neverallow rules that were in public/domain.te. Many of these are
irrelevant, but there are some that look quite important. So this CL
restores many of them. This makes no immediate difference (none of
these rules are currently violated, except as mentioned below), but it
might catch mistakes, or at least make us stop and think before
introducing potentially risky policy changes.

Process:
- Paste in all the neverallow rules from public/domain.te in Android
  policy.
- Delete all references to non-existent labels.
- Delete everything makred full-trebly-only,

I also deleted some attributes we clearly don't need, and hence
associated neverallows. (I suspect there are more attributes we could
remove.)

And then I fixed a neverallow violation for microdroid_payload - we
were allowing it unrestricted ioctl access.

Bug: 204853211
Test: Policy builds without error
Test: No denials running composd_cmd forced-compile-test
Change-Id: I21035dee93a881b34941338cc7ce82503cc65e59
2021-12-08 14:56:45 +00:00
Alan Stokes
26239da92b Restrict making memory executable
All code must reside in files.

Bug: 204853211
Test: Builds, no neverallow violations
Change-Id: I124a4c567fff76e143582e189b8cb9feeae5d7d0
2021-12-08 12:36:05 +00:00
Inseob Kim
8565b96a3a microdroid: Add support for extra apk files
extra_apk_file is a new label only for APK files passed to microdroid.
microdroid_manager will create directories under /mnt/extra-apk/, and
zipfuse will mount APK block devices to the directories.

Currently only payload can read the files.

Bug: 205224817
Test: manually edit vm config and see APK files mounted
Change-Id: Ie5afb3156f22bb18979ec70904be675e8ff285a7
2021-12-08 14:10:28 +09:00
Treehugger Robot
9a93d79a92 Merge changes I81ab0a73,Ia66015b7
* changes:
  Allow compsvc to execute odrefresh
  Allow composd to run fd_server
2021-12-08 00:28:52 +00:00
Victor Hsieh
f97cc1fd26 Allow compsvc to execute odrefresh
Bug: 205750213
Test: /apex/com.android.compos/bin/composd_cmd forced-odrefresh
      # With SELinux enforced in the VM, plus some hacks in ART,
      # observed odrefresh exited 80.
Change-Id: I81ab0a73314fdcea69c69350c792ff7acab5aab8
2021-12-07 08:08:00 -08:00
Jiyong Park
3db645b83d Allow microdroid_manager to read /proc/bootconfig
... so that it can ensure that the bootconfig hasn't changed since the
last boot.

Bug: 208639280
Test: m
Change-Id: I2310a0df0ebbef9d6fe47dbad2538ecbe7bc84e6
2021-12-06 21:16:09 +09:00
Treehugger Robot
f5646ff42b Merge "Add logd.ready" 2021-12-02 03:34:00 +00:00
Inseob Kim
2df19cba08 microdroid: Run apk mount utils from MM
For now, the command for apkdmverity and zipfuse is hard-coded in the
init script file. To support passing extra APKs, microdroid_manager
needs to parse the vm config, and then manually run apkdmverity and
zipfuse with appropriate parameters.

Bug: 205224817
Test: atest MicrodroidHostTestCases ComposHostTestCases
Change-Id: I482b548b2a414f3b5136cea199d551cc88402caf
2021-12-01 19:46:33 +09:00
Jiyong Park
ff3048349a Add logd.ready
logd.ready is a system property that logd sets when it is ready to
serve incoming socket requests for reading and writing logs. Clients of
logd (e.g. logcat) can use this to synchronize with logd, otherwise they
may experience a crash due to the refused socket connection to logd when
they are started before logd is ready.

Bug: 206826522
Test: run microdroid. see logcat logs are shown immediately
Change-Id: Iee13485b0f4c2beda9bc8434f514c4e32e119492
2021-11-30 15:10:53 +09:00
Bart Van Assche
5e016c1721 Merge "Stop using the bdev_type and sysfs_block_type SELinux attributes" 2021-11-05 20:36:02 +00:00
Jiyong Park
2f3e4c0bec microdroid: add /dev/hvc2
Similar to Cuttlefish, Microdroid now has three virtio-console devices.

Bug: 200914564
Test: run MidrodroidDemoApp
Change-Id: I86f9e6298ca0fdccfc2186989126cdd18812caef
2021-11-01 18:41:46 +09:00
Bart Van Assche
4374a1fd83 Stop using the bdev_type and sysfs_block_type SELinux attributes
Stop using these SELinux attributes since the apexd and init SELinux
policies no longer rely on these attributes.

The difference between the previous versions of this patch and the
current patch is that the current patch does not remove any SELinux
attributes. See also
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1850656.
See also
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1862919.

This patch includes a revert of commit 8b2b951349 ("Restore permission
for shell to list /sys/class/block").  That commit is no longer necessary
since it was a bug fix for the introduction of the sysfs_block type.

Bug: 202520796
Test: source build/envsetup.sh && lunch aosp_x86_64 && m && launch_cvd
Change-Id: I73e1133af8146c154af95d4b96132e49dbec730c
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2021-10-29 15:22:09 -07:00
Jooyung Han
c75eca682e microdroid: add sys.powerctl property
And microdroid_manager can set it to shut down when verification fails.

Bug: 204073443
Test: MicrodroidHostTestCases
Change-Id: I12ec7c8b832f5d1e382961ce7866502c2cc8a9b8
2021-10-28 11:09:48 +09:00
Jiyong Park
bd35627371 microdroid: introduce logcat domain
In Microdroid, logcat is started as a daemon process (whose service name
is seriallogging) whose job is to read logs from logd and sends them to
the host side via a virtual console.

The daemon process is controlled by microdroid_manager, so the process
is given write access to ctl.start$seriallogging and also to some
sysprops originated from bootconfig so that it can know if the VM is
configured as debuggable or not.

Bug: 200914564
Test: start microdroid using the vm tool. logcat logs are shown in
stdout.

Change-Id: I79bc6486ae1f84515ad31a09e24d8368fb54bc6d
2021-10-25 20:29:28 +09:00
Treehugger Robot
c0cd637049 Merge "Label /dev/hvcN paths" 2021-10-20 08:17:15 +00:00
Treehugger Robot
028e88f578 Merge "microdroid: Remove microdroid_app dontaudit" 2021-10-20 07:10:32 +00:00
Jiyong Park
f264d79bf8 Label /dev/hvcN paths
They are virtual console devices. Label them as serial_devices.

Bug: 200914564
Test: m
Change-Id: I6a178360fa9977e9b50b0c07da2a506114369189
2021-10-19 22:43:45 +09:00
Michał Brzeziński
e8739ba23a Revert "Remove the bdev_type and sysfs_block_type SELinux attributes"
Revert "Remove the bdev_type and sysfs_block_type SELinux attributes"

Revert "Remove the bdev_type and sysfs_block_type SELinux attributes"

Revert submission 1850578-remove-selinux-bdev-type

Reason for revert: DroidMonitor-triggered revert due to breakage, bug b/203480787

BUG: 203480787

Reverted Changes:
I263bce9c4:Remove the bdev_type and sysfs_block_type SELinux ...
Ibc9039f96:Revert "Add the 'bdev_type' attribute to all block...
Ic6ae83576:Remove the bdev_type and sysfs_block_type SELinux ...
Ie493022a8:Remove the bdev_type and sysfs_block_type SELinux ...
I1f1ca439b:Revert "Add the 'bdev_type' attribute to all block...
I283f8676b:Revert "Add the 'bdev_type' attribute to all block...
I7c5c242c5:Revert "Add the 'bdev_type' attribute to all block...
Id78d8f7dc:Remove the bdev_type and sysfs_block_type SELinux ...
I9c4b2c48b:Remove the bdev_type and sysfs_block_type SELinux ...
I51e9d384a:Remove the bdev_type and sysfs_block_type SELinux ...
I2c414de3b:Remove the sysfs_block_type SELinux attribute

Change-Id: I55609803d530772d507d9dca8ba202a96daf24b7
2021-10-19 10:57:42 +00:00
Inseob Kim
e4ef85e65a microdroid: Remove microdroid_app dontaudit
Some permissions used to make denials, but it seems that it's not the
case anymore.

Bug: 195751698
Test: atest MicrodroidHostTestCases
Change-Id: I3329bb9a6d4d17dc49a2469bae2cf17e6f0e49a9
2021-10-19 10:46:17 +00:00
Bart Van Assche
c50f66900f Remove the bdev_type and sysfs_block_type SELinux attributes
Remove these SELinux attributes since adding these attributes introduces
a depencency from vendor SELinux policies on the generic SELinux policy,
something that is not allowed. This patch includes a revert of commit
8b2b951349 ("Restore permission for shell to list /sys/class/block").
That commit is no longer necessary since it was a bug fix for the
introduction of the sysfs_block type.

Bug: 202520796
Test: source build/envsetup.sh && lunch aosp_x86_64 && m && launch_cvd
Change-Id: Ic6ae835768212648ca09fd5c83c39180103c3b1b
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2021-10-18 11:37:09 -07:00
Bart Van Assche
e475c8f1b5 Microdroid: Allow apexd again to access block device information
This patch is the Microdroid equivalent of
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1850655

Bug: 202520796
Tests: Treehugger
Change-Id: I3428934115a62f64390738b144fbb801fc595561
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2021-10-14 15:38:28 -07:00
Steven Moreland
2868112dff authfs - remove getattr perm for fd pass
We are no longer reading the ashmem size on every transaction.

Fixes: 195752513
Test: atest ComposHostTestCases (no denial logs)
Change-Id: If27c2b1d0efdccf30bc8c09e1004feb789e2425d
2021-10-12 21:54:42 +00:00
Inseob Kim
4d90b7e78b Migrate system sepolicy binaries to Soong
Bug: 33691272
Test: m selinux_policy
Test: boot microdroid
Change-Id: I9210be15b06e0dba01677d5bfe7b27a0ec21eb11
2021-09-28 01:21:39 +00:00
Inseob Kim
5530ab0269 microdroid: Add vsock_device & restrict dev access
microdroid_manager and microdroid_payload have been accessing /dev/vsock
to get the local cid. But it's labeled as device, so microdroid_manager
and microdroid_payload have had too permissive access. This adds
vsock_device to relax the access.

Test: run demo app
Test: atest MicrodroidHostTestCases ComposHostTestCases
Change-Id: I1a5955ad28817124f250f206b90c8d4e344ea865
2021-09-24 09:49:59 +09:00
Inseob Kim
5ee61a7628 microdroid: Narrow property permissions
microdroid's domains have been able to read/write any properties. That's
just for convenience while bringing up microdroid. This cleans up such
global permission and grants minimal access.

Bug: 194447534
Test: atest MicrodroidHostTestCases ComposHostTestCases
Test: run microdroid demo app
Change-Id: I09ce1174d4af9c228b788a522a6ab845cafd4505
2021-09-23 17:23:28 +09:00
Inseob Kim
e17b985e1c microdroid: Remove default_prop access
This adds properties necessary to run microdroid to property_contexts,
and then removes default_prop access to all domains except for init, as
init should be able to write all properties.

Bug: 194447534
Test: atest MicrodroidHostTestCases ComposHostTestCases
Change-Id: I2f80c71ce257613b3c3b019a3e988a5a0653d879
2021-09-15 05:26:03 +00:00
Treehugger Robot
855f16dd87 Merge "Bundle proc_bootconfig permission into read_fstab" 2021-09-15 03:36:24 +00:00
Kelvin Zhang
2b5f108143 Bundle proc_bootconfig permission into read_fstab
fs_mgr::ReadDefaultFstab calls fs_mgr:ReadFstabFromDt() which eventually
calls fs_mgr_get_boot_config_from_bootconfig_source to read boot config.
Therefore bundle permission to read proc_bootconfig. This resolves some
selinux denials for update_engine

Test: th
Change-Id: Ia8bd94eb33a38ccd939577b54910645fec4ccda8
2021-09-14 18:44:42 -07:00
Jooyung Han
6e60287a1f Allow microdroid_manager to create a /apex/* file
Microdroid_manager needs to pass APEX pubkeys to APEXd. Since the data
is too big for a system property, it creates a file
/apex/vm-payload-metadata so that APEXd reads/uses it.

Bug: 199371341
Test: MicrodroidHostTestCases
Change-Id: Iaf2b4fc08b36610032d9c339f787e5e34994448b
2021-09-10 17:35:26 +09:00
Jooyung Han
f19cd64a0e Merge "make zipfuse a bootstrap process" 2021-09-10 08:16:31 +00:00
Treehugger Robot
68e5958902 Merge "Add the 'bdev_type' attribute to all block device types" 2021-09-10 01:27:48 +00:00
Jooyung Han
53c773a3fd make zipfuse a bootstrap process
Bug: n/a
Test: MicrodroidHostTestCases
Change-Id: Ia2ad615e919f4fcb0452d8458e505ecfbdd5818f
2021-09-10 08:56:08 +09:00
Inseob Kim
2f7600920d Add vsock permissions to microdroid_payload
microdroid_payload needs to open a vsock server, so this change grants
permissions for that. This change also temporarily grants permissions to
get local CID, which should be removed once the RPC binder API supports
getting CID.

Bug: 195381416
Test: atest MicrodroidHostTestCases
Change-Id: I57a603e74d7552e13a83fa4934621e09e13015fd
2021-09-09 02:30:59 +00:00
Bart Van Assche
8a6f8e51bc Add the 'bdev_type' attribute to all block device types
The following patch iterates over all block devices:
https://android-review.googlesource.com/c/platform/system/core/+/1783847/9

The following patch grants 'init' and 'apexd' permission to iterate over
all block devices:
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1783947

The above SELinux policy change requires to add the 'bdev_type'
attribute to all block devices. Hence this patch.

Bug: 194450129
Test: Untested.
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Change-Id: Iee1c984f176eb2752194493999921cb1aa24ac64
2021-09-08 16:13:25 -07:00
Jooyung Han
6f3b5e2edc microdroid: rename property to "apk_root_hash"
Bug: 193504400
Test: atest MicrodroidHostTestCases
Change-Id: I3bd0fd337d85b29e5dfdfba49ee5328e48f5be89
2021-09-08 16:05:29 +09:00
Jiyong Park
27bb6c6608 Microdroid boot process is controlled by microdroid_manager
Previously, the boot process of microdroid was mostly implemented in the
init.rc file. microdroid_manager was started first in the background,
then apexd, apkdmverity, and zipfuse were executed in sequence. However,
in order to correctly implement the app payload verification scheme,
most of the early boot process has to be controlled by
microdroid_manager. Specifically, apkdmverity should be started "after"
the apk roothash is read from the instance disk by microdroid_manager.

As an alternative, we could let apkdmverity the read instance disk by
itself. However, this is undesirable because doing so requires multiple
processes - microdroid_manager and apkdmverity - have access to the
instance disk and more seriously the secret key to decrypt it.

Another alternative is to let microdroid_manager do the dm-verity
configuration which apkdmverity does. This also is considered
undesirable because then we would give the permissions for configuring
dm-verity devices to microdroid_manager which is a long-running daemon
process. Note that apkdmverity is not a daemon process.

This CL introduces a few number of changes which are required to let
microdroid_manager directly control the early boot process:

1) microdroid_manager is allowed to start the services apkdmverity and
zipfuse by using the `ctl.start` sysprop.

2) apkdmverity is allowed to use bootstrap bionic libraries as it is now
executed before APEXd activates the APEXes.

3) A new sysprop `microdroid_manager.apk_roothash` is added. It is
written by microdroid_manager and read by apkdmverity. It contains the
roothash read from the instance disk. This value is not a secret.

4) Another new sysprop `apex_config.done` is added. It is set by init
just after `perform_apex_config` and read by microdroid_manager.
Microdroid_manager uses this to wait until linker configuration is ready
so that it can execute app payloads with the config.

Bug: 193504400
Test: atest MicrodroidHostTestCases
Change-Id: If29ce17d7a6cb4859e8ceeffb321724e7f11bf82
2021-09-07 17:13:43 +09:00
Jiyong Park
ee3661ef2b Allow microdroid_manager to write instance.img
Bug: 193504400
Test: atest MicrodroidHostTestCases
Change-Id: Icac8aa7e1badc90d2725c81e3c0f9594b7e18608
2021-08-31 17:14:09 +09:00
Treehugger Robot
037a21ba15 Merge "Add /dev/vsock permissions to microdroid" 2021-08-24 23:35:34 +00:00
Inseob Kim
2e0fb00f22 Add /dev/vsock permissions to microdroid
microdroid_manager needs to know its own CID until the full RPC binder
support is landed.

Bug: 191845268
Test: run MicrodroidDemoApp
Test: atest MicrodroidHostTestCases
Change-Id: I8f6c667f0827d1089baa21417c2b0ba382d94d26
2021-08-24 14:23:18 +09:00
Victor Hsieh
dedb4909c3 Remove unnecessary privileges from dex2oat in VM
With a change in dex2oat to avoid opening /proc/self/fd, this change
removes open and a few other privileges from dex2oat.

Bug: 196404749
Test: ComposHostTestCases
Change-Id: I822c7ef3886a1cde8601e71afa2eb79973cd573c
2021-08-19 14:01:59 -07:00
Bart Van Assche
4dcefe8898 Merge "Add the 'bdev_type' attribute to all block devices" 2021-08-16 16:39:24 +00:00
Victor Hsieh
5f6e4324b3 Allow compos to getattr on authfs
Bug: 161471326
Bug: 196635431
Test: ComposTestCase
Change-Id: I3a4073726d31686c8eb945ba9417cb2afe238d79
2021-08-13 15:48:21 -07:00
Bart Van Assche
27ecd60a79 Add the 'bdev_type' attribute to all block devices
The following patch iterates over all block devices:
https://android-review.googlesource.com/c/platform/system/core/+/1783847/9

The following patch grants 'init' and 'apexd' permission to iterate over
all block devices:
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1783947

The above SELinux policy change requires to add the 'bdev_type'
attribute to all block devices. Hence this patch.

Bug: 194450129
Test: Untested.
Change-Id: I959bae6f9590b1867905d46e194c45b0ea4248df
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2021-08-13 13:54:02 -07:00
Treehugger Robot
1ca4b5c045 Merge "Define sepolicy for compos and dex2oat" 2021-08-12 14:27:09 +00:00
Victor Hsieh
aa987aaa2d Define sepolicy for compos and dex2oat
Bug: 194474784
Test: ComposTestCase # with debug disabled
Change-Id: I2a53df337356fc8e299837358da2a5a88c9c20d3
2021-08-11 10:42:19 -07:00
Victor Hsieh
5f7c02328c Grant authfs_service and authfs CAP_SYS_ADMIN
CAP_SYS_ADMIN is required to mount a filesystem (currently in authfs, a
child process of authfs_service). It seems the parent also needs to be
allowed.

Bug: 194474784
Test: Use the service (from compsvc), no longer seeing the denials
Change-Id: I122734ee9f11899af4d7b647bc3049e4dbdad09e
2021-08-11 15:48:14 +00:00
Victor Hsieh
a70e6052c2 Allow authfs_service to add itself to service manager
Fixes: 196018177
Test: atest MicrodroidHostTestCases
Change-Id: Ib47b8bf5d5d683e7f163e8f69d8a06ffe8f2675b
2021-08-10 10:55:54 -07:00
Jooyung Han
996da475a1 Merge "microdroid_manager: allow to read dm_device" 2021-08-09 17:49:16 +00:00
Victor Hsieh
14aad3711d Merge "SELinux policy for authfs_service and authfs" 2021-08-09 17:12:22 +00:00
Jooyung Han
797acf9072 Don't audit microdroid_app getattr vsock_socket
Microdroid_manager creates a vsock socket and app's output is redirected
to it.

Bug: 195751698
Test: MicrodroidHostTestCases
Change-Id: I66759067169cc97a6c1fc084395761e06c6e20f6
2021-08-09 12:50:41 +00:00
Victor Hsieh
49c0ec7a67 SELinux policy for authfs_service and authfs
authfs_service is a binder service on microdroid. Upon a request by the
client, the service will create the mount directory, execute authfs to
mount the FUSE, and finally unmount and delete the mount directory.

authfs currently requires more privileges than it should, but it's ok
because the client owns the VM, and all input will be verified by
signatures. But there is plan to keep the privileges isoated in the
service (b/195554831).

Bug: 194717985
Bug: 195554831
Test: Start the service from init, use a test executable to call the
      service API. Only observed denial from the test executable.
Change-Id: Ie53aa9e2796433fc3182357039d0b7ba1c0848ef
2021-08-06 09:16:48 -07:00
Jooyung Han
2ac60775e0 microdroid_manager: allow to read dm_device
Microdroid_manager should verify payloads(APK/APEXes). APK is mounted to
dm_device first and then verified. So, microdroid_manager needs to read
it.

Bug: 190343842
Test: MicrodroidHostTestCases
Change-Id: I530fb8d2394952486f0bad7fb3bed770611cd311
2021-08-07 00:52:00 +09:00
Inseob Kim
7687600c50 Suppress power_supply access inside microdroid
Bug: 193118220
Test: atest MicrodroidHostTestCases
Change-Id: I3dbdcb831c61e9bd24cfdaa10beba9e856e605af
2021-08-05 02:05:16 +00:00
Inseob Kim
2f4b03654a Add servicemanager's service to microdroid policy
Bug: 193118220
Test: atest MicrodroidHostTestCases
Change-Id: I0e57fa913fe857626634f94502b1ad5a0989bdc8
2021-08-04 11:35:57 +00:00
Inseob Kim
0abc4fdf2b Temporarily dontaudit ueventd->tmpfs access
This is the only blocker for SELinux denial test on microdroid. Rather
than consuming more time, this temporarily suppresses the audit message
to turn on the test.

Bug: 193118220
Test: atest MicrodroidHostTestCases -c
Change-Id: Id703107cbaae42352bebe34d0a6373f0701c0f6f
2021-08-04 10:58:22 +00:00
Inseob Kim
ebc11f6a99 Merge "Suppress keystore F2FS related audit" 2021-08-03 02:19:15 +00:00
Inseob Kim
6b5eafedf9 Suppress keystore F2FS related audit
keystore uses sqlite3. sqlite3 calls F2FS_IOC_GET_FEATURES. As
microdroid has nothing to do with that, we just suppress the audit.

Bug: 193118220
Test: atest MicrodroidHostTestCases
Change-Id: I1da00d1fd4b7e208e80a1d9bc5f49c21af684516
2021-07-29 12:18:31 +00:00
Jooyung Han
f9a7dab645 Microdroid_manager is a bootstrap process
Bug: 190343842
Test: MicrodroidHostTestCases
Change-Id: Iaec029726a34f46fd9123d34765a20a1c5dd254a
2021-07-29 17:40:05 +09:00
Alan Stokes
80bb558584 Remove compos_key_cmd from policy
It's a test tool which is generally run as root, and will be deleted
eventually. It doesn't need its own label; system_file works fine.

We never actually allowed it anything, nor defined a transition into
the domain.

Bug: 194474784
Test: Device boots, no denials
Test: compos_key_cmd run from root works
Change-Id: If118798086dae2faadeda658bc02b6eb6e6bf606
2021-07-28 14:36:50 +01:00
Inseob Kim
1f87fbd9fa Add microdroid_payload attribute
microdroid_payload attribute is for processes meant to be run by
microdroid_manager as a payload. Other than microdroid_payload and
crash_dump, transition from microdroid_manager will not be permitted.

Bug: 191263171
Test: atest MicrodroidHostTestCases
Test: atest ComposHostTestCases
Change-Id: I959a8ad8ed83c8de254d7af61fd30bcbffe6b070
2021-07-27 08:30:22 +00:00
Alan Stokes
72cac09097 Add rules for dex2oat.
This is necessary (but not sufficient) to allow CompOsTestCase to
run. Without it we have problems because
system/sepolicy/apex/com.android.art-file_contexts references
dex2oat_exec, and we get an error:

SELinux : Context u:object_r:dex2oat_exec:s0 is not valid (left unmapped).

Bug: 194474784
Test: atest CompOsTestCase (with memory fix patched in)
Change-Id: If229b9891c8fb1acce8d0502675c1712bfed180c
2021-07-23 12:26:26 +01:00
Treehugger Robot
6a4bc81a2b Merge changes I43bf09d8,I1fd35d0e
* changes:
  Disallow microdroid from running arbitrary domains
  Add domain for compos binaries
2021-07-23 09:29:53 +00:00
Inseob Kim
a89d6aa301 Disallow microdroid from running arbitrary domains
Test: atest MicrodroidHostTestCases
Test: atest ComposHostTestCases
Change-Id: I43bf09d85efa4276e929babd854c49ccedfd8058
2021-07-23 06:58:52 +00:00
Jiyong Park
f326072b40 Add more rules around cgroup files in microdroid
The added rules are copied from Android.

Bug: 193118995
Bug: 193118220
Test: adb shell /apex/com.android.virt/bin/vm run-app
/data/local/tmp/virt/MicrodroidDemoApp.apk
/data/local/tmp/virt/MicrodroidDemoApp.apk.idsig
/data/local/tmp/virt/instance.img assets/vm_config.json doesn't show
a selinux denial like the below:
avc:  denied  { create } for  pid=1 comm="init" name="cpus"
scontext=u:r:init:s0 tcontext=u:object_r:cgroup:s0 tclass=file
permissive=0

Change-Id: I3d958e4788fdee5993ff1048e86b81cd93b72b03
2021-07-23 15:48:17 +09:00
Inseob Kim
7560aed40a Add domain for compos binaries
Bug: 191263171
Test: atest MicrodroidHostTestCases
Test: atest ComposHostTestCases
Change-Id: I1fd35d0efe83d2cecaa41580e6d1d0b8f6242b3f
2021-07-23 06:01:39 +00:00
Inseob Kim
e1389977e0 Move microdroid sepolicy to system/sepolicy
Bug: 190511750
Test: boot microdroid
Change-Id: I4aa4a56e9be5103d70469c3508110a973f3e4f12
2021-07-19 07:48:34 +00:00