Give microdroid_manager and the DICE HAL access to the AVF chosen node
properties that are used to indicate that the VM is booting in strict
more and that the current boot is provisioning a new VM instance.
Bug: 221051866
Bug: 217376291
Test: atest MicrodroidTests
Change-Id: Ie8451fc80671557086f8d825ad01600f9cb4557a
Because MLS isn't really used in microdroid, setting it to 1 may help
improve performance a bit.
Bug: 223596384
Test: atest MicrodroidTests
Change-Id: Iace4a45ccda98e34fbf82b16ff2096a53b543132
Bug: 209488862
Test: Follow instructions in b/209488862#comment12, compilation can
only succeed with this patch
Change-Id: I6475a1be0db635de96b9f8fdbf9dd3a76c3a759b
These domains already can't transition to crash_dump, but also need to
make sure crash_dump can't be run and pointed at them.
Bug: 218494522
Test: Builds
Change-Id: I76f88faf8ff4c88e85eaf6a8db546dc644a71928
CompOS no longer talks directly to DICE (compos_key_helper does). odsign
no longer promotes or deletes instance CompOS files, and the key files
don't exist any more.
Bug: 218494522
Test: Manual; trigger compilation, reboot & watch odsign
Change-Id: Ibc251180122e6e4789b4be5669da3da67517b49c
Make sure all the permissions are granted to let the HAL do its work
properly.
Bug: 214231981
Test: atest MicrodroidTestApp
Change-Id: I54c633b8163ea313c87856fb0513074a76ac86a1
Add the compos_key_helper domain for the process which has access to
the signing key, make sure it can't be crashdumped. Also extend that
protection to diced & its HAL.
Rename compos_verify_key to compos_verify, because it doesn't verify
keys any more.
Move exec types used by Microdroid to file.te in the host rather than
their own dedicated files.
Bug: 218494522
Test: atest CompOsSigningHostTest CompOsDenialHostTest
Change-Id: I942667355d8ce29b3a9eb093e0b9c4f6ee0df6c1
Bootloader properties are available to all domains so don't need special
policy rules for microdroid_manager.
Test: atest MicrodroidTests
Change-Id: I0ccf6b28467a47c0f3cf7715b9ff34d01e8ac970
This property is set in the bootconfig to reflect the debuggability of
the payload app. It is consumed microdroid_manager as a DICE input and
by compos to make choices based on the debuggability, e.g. not doing
test builds in non-debug states.
Bug: 219740340
Test: atest ComposHostTestCases
Test: atest MicrodroidTests
Change-Id: If84710f1fdbab957f5d19ce6ba3daad7e3e65935
MicrodroidHostTestCases will pull the VM's sepolicy and check it against
system/sepolicy/microdroid's neverallow rules, using sepolicy-analyze
tool.
Bug: 218461215
Test: atest MicrodroidHostTestCases
Change-Id: I62a69053996b71d69dd2bf6b7eabc8b701095477
Microdroid_manager uses the ioctl to flush data to the block device.
Bug: 208639280
Test: atest MicrodroidTestApp
Change-Id: Icd708702618850e1f003b16bdc8a1698c45f6442
Avoid divergence in the files that will eventually shared with the main
Android sepolicy and fix a style mistake.
Bug: 215747811
Test: atest MicrodroidTests
Change-Id: I40b0bebb432d73ab6ab847c117e72d8bc18fe873
With the keymint HAL removed from microdroid, there are no more legacy
HALs meaning no further need for hwservicemanager.
Bug: 215747811
Test: atest MicrodroidTests
Change-Id: I111f3456399ef91e51d1cfead67659601c23db9e
The keymint HAL has been removed from microdroid to remove the
corresponding sepolicy.
Bug: 215747811
Test: atest MicrodroidTests
Change-Id: I08aae50dd9a4575954db40ec974625e43bff2335
The keystore service has been removed from microdroid to remove the
corresponding sepolicy.
Bug: 215747811
Test: atest MicrodroidTests
Change-Id: I6600b47f8b8c6bba05b1f59b4d87713283805817
This property is read by microdroid_manager to check whether the VM is
in debug mode. Give it a context to satisfy the sepolicy.
Bug: 214231981
Test: atest MicrodroidTestApp
Change-Id: I9d4bda5e487324c95229c7978e8fe0a53fa9f616
The driver facilitates the handover of values from the bootloader so
needs to be accessible by the HAL.
Bug: 214231981
Test: run microdroid with a "google,open-dice" DT node
Change-Id: Ib5317e6a42befe22d8f1dbefeb9803f5ec92b061
This HAL starts before APEXs are activated so needs access to the
bootstrap bionic libraries.
Bug: 214231981
Test: run microdroid
Change-Id: If82729eb2eff812916f257d24ce206e371be0c56
microdroid_manager needs to give the measurements to diced and get
per-VM secret from it for encrypting/decrypting the instance disk.
Bug: 214231981
Test: run microdroid
Change-Id: Ia4cab3f40263619e554466433cbb065e70ae0f07
We no longer use keystore, nor do we run dex2oat directly.
But we do now use IDiceNode::derive() to get our CDI_seal for key
derivation.
Bug: 214233409
Bug: 210998077
Test: atest ComposKeyTestCase
Change-Id: Id8ba882e7c250ad0365a7f493801e02cb5a0b700
The two are now started before APEXes are activated. Therefore they need
access to the bootstrap bionic libraries.
file_contexts is also updated because their file names are changed to
avoid the conflict with their non-bootstrap variants.
Bug: 214231981
Test: m
Change-Id: I30fb1422f228b71251d6618dd7f6e4e5422717f8
This reverts commit eee72d6cb3d9f5c6001192247861b28cb0787827.
REASON: not needed. See the other CL in the same topic.
Bug: 197358423
Test: m
Change-Id: Ice0813ed9e349e37c83b163e2c21f17bb1105013
Add diced to security_class and access_vectors so it can check its
permissions in side Microdroid.
This was part of commit 2b6c6063ae
outside the VM.
Bug: 214231981
Test: composd_cmd dice
Change-Id: Ia503db183d16a4efcb975f654bb4483df44f51ad
Previously, all dalvik.vm.* properties were not used / ignored in
Microdroid. However this change makes use of
dalvik.vm.boot-dex2oat-threads which controls the concurrency level of
dex2oat.
Specifically, on the host-side, the number of vCPUs in the compos VM is
configured from the system property having the same name. Then inside
the compos VM, compsvc which runs in the compos domain, sets the system
property to be the number of vCPUs in the VM. In other words, the system
properties get the same value both in the host and the guest VMs. Then
finally, the dex2oat process running inside the VM reads the system
property and configures its concurrency level accordingly.
Bug: 197358423
Test: run compos
Change-Id: I8d2394a7192a7b55a910f317e12e2b1f60b89636
We run it in the compos domain, since it doesn't require very much
additional access.
Bug: 189164487
Test: composd_cmd test-compile
Change-Id: I9ef26dd60225505086e45185289e3e03d0a8de8e
CompOS needs to read the artifacts on authfs that odrefresh has
created and write signature files for them.
(But it no longer needs to create any directories, so removed that.)
Fixes:
avc: denied { open } for comm="compsvc"
path="/data/misc/authfs/1/11/test-artifacts/...art" dev="fuse" ino=81
scontext=u:r:compos:s0 tcontext=u:object_r:authfs_fuse:s0 tclass=file
permissive=0
avc: denied { create } for comm="compsvc" name="compos.info"
scontext=u:r:compos:s0 tcontext=u:object_r:authfs_fuse:s0 tclass=file
permissive=0
Bug: 161471326
Test: composd_cmd async_odrefresh (with microdroid selinux enforced)
Change-Id: Ie02dedf1f18926cdbbd39e4a950c5aec80adee32
This should be read-only and corresponds to apexd.payload_metadata.path
Bug: 191097666
Test: android-sh -c 'setprop apexd.payload_metadata.path'
See permission denied
atest MicrodroidHostTestCases
Change-Id: Ifcb7da1266769895974d4fef86139bad5891a4ec
If FD use is not allowed, execve(2) returns EACCESS and the process is
killed by SIGSEGV.
Minijail closes any FDs by default and open /dev/null for FD 0-2. For
now, odrefresh doesn't use any FD. But until we could tell minijail to
not create FD 0-2 (which could be arguable), allow the permission.
Bug: 210909688
Test: composd_cmd async-odrefresh # exit 80 in enforced mode
Change-Id: I8643d8bfc8da03439a04491fba5ba6de663760eb
dex2oat checks $ANDROID_ROOT exist, which is a directory in an authfs
mount. Give it permission to search along the path.
Strictly speaking, this isn't change how dex2oat execute in this
particular case, for now. Functions like LocationIsOnSystemFramework
make sure getenv(ANDROID_ROOT) exists. But either way, for those kind of
location checks, it won't match the mount path in /data/misc/authfs
anyway.
Bug: 205750213
Test: no more SELinux denials from dex2oat
Change-Id: I1b52dfdeb057443304f02784b6aa180d7db28bd8
dex2oat currently uses some properties as flags (see
art/libartbase/base/flags.cc). For CompOS, we don't really need such
properties, and actually should avoid global state. So dontaudit
explicitly.
Bug: 210030607
Test: no more default_prop denials for dex2oat
Change-Id: I10852f2a7df4dac7a9389eab3f53f91328104f96
The two properties are not just prefixes. See __android_log_level in
system/logging/liblog/properties.cpp.
Bug: 210030607
Test: no longer seeing denials with default_prop in odrefresh
Change-Id: If2c9cba7aa65802e81c79c7d3d9735cbf14a6efa
The `__builtin_available` macro is used in used in several libraries in
microdroid, including liblog. The macro internally uses
ro.build.version.{codename,sdk}[1]. This change defines the context for
these properties.
[1] https://reviews.llvm.org/rG516a01b5f36d4188778a34202cd11856d70ac808
Bug: 210030607
Test: No longer seeing denied access of default_prop from odrefresh
Change-Id: I51bc52f679a174daccc05a1e2d6c9fda9e6b12cb
This reverts commit a0e49cea04.
Reason for revert: I don't think this was the culprit after all
Bug: 204853211
Change-Id: Iadc1c8df5ec2affcdbbf9e7bdc3eac54c47f4ebf
This reverts commit 72c0134384.
Reason for revert: Looks like this may have broken ComposHostTestCases
Bug: 204853211
Change-Id: I83816a49d3be056e4c9a718ea02911ca022cb984
This is copied from dex2oat.te. By using minijail, the child process
currently requires to communicate with the parent by a pipe, before
actually exec'ing the executable.
Bug: 205750213
Test: no longer see the avc error
Change-Id: I4d59fc8d32150d9e08abba06203eb5164ecd3c75
When we cut down microdroid policy we removed a whole lot of
neverallow rules that were in public/domain.te. Many of these are
irrelevant, but there are some that look quite important. So this CL
restores many of them. This makes no immediate difference (none of
these rules are currently violated, except as mentioned below), but it
might catch mistakes, or at least make us stop and think before
introducing potentially risky policy changes.
Process:
- Paste in all the neverallow rules from public/domain.te in Android
policy.
- Delete all references to non-existent labels.
- Delete everything makred full-trebly-only,
I also deleted some attributes we clearly don't need, and hence
associated neverallows. (I suspect there are more attributes we could
remove.)
And then I fixed a neverallow violation for microdroid_payload - we
were allowing it unrestricted ioctl access.
Bug: 204853211
Test: Policy builds without error
Test: No denials running composd_cmd forced-compile-test
Change-Id: I21035dee93a881b34941338cc7ce82503cc65e59
extra_apk_file is a new label only for APK files passed to microdroid.
microdroid_manager will create directories under /mnt/extra-apk/, and
zipfuse will mount APK block devices to the directories.
Currently only payload can read the files.
Bug: 205224817
Test: manually edit vm config and see APK files mounted
Change-Id: Ie5afb3156f22bb18979ec70904be675e8ff285a7
Bug: 205750213
Test: /apex/com.android.compos/bin/composd_cmd forced-odrefresh
# With SELinux enforced in the VM, plus some hacks in ART,
# observed odrefresh exited 80.
Change-Id: I81ab0a73314fdcea69c69350c792ff7acab5aab8
... so that it can ensure that the bootconfig hasn't changed since the
last boot.
Bug: 208639280
Test: m
Change-Id: I2310a0df0ebbef9d6fe47dbad2538ecbe7bc84e6
For now, the command for apkdmverity and zipfuse is hard-coded in the
init script file. To support passing extra APKs, microdroid_manager
needs to parse the vm config, and then manually run apkdmverity and
zipfuse with appropriate parameters.
Bug: 205224817
Test: atest MicrodroidHostTestCases ComposHostTestCases
Change-Id: I482b548b2a414f3b5136cea199d551cc88402caf
logd.ready is a system property that logd sets when it is ready to
serve incoming socket requests for reading and writing logs. Clients of
logd (e.g. logcat) can use this to synchronize with logd, otherwise they
may experience a crash due to the refused socket connection to logd when
they are started before logd is ready.
Bug: 206826522
Test: run microdroid. see logcat logs are shown immediately
Change-Id: Iee13485b0f4c2beda9bc8434f514c4e32e119492
Similar to Cuttlefish, Microdroid now has three virtio-console devices.
Bug: 200914564
Test: run MidrodroidDemoApp
Change-Id: I86f9e6298ca0fdccfc2186989126cdd18812caef
Stop using these SELinux attributes since the apexd and init SELinux
policies no longer rely on these attributes.
The difference between the previous versions of this patch and the
current patch is that the current patch does not remove any SELinux
attributes. See also
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1850656.
See also
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1862919.
This patch includes a revert of commit 8b2b951349 ("Restore permission
for shell to list /sys/class/block"). That commit is no longer necessary
since it was a bug fix for the introduction of the sysfs_block type.
Bug: 202520796
Test: source build/envsetup.sh && lunch aosp_x86_64 && m && launch_cvd
Change-Id: I73e1133af8146c154af95d4b96132e49dbec730c
Signed-off-by: Bart Van Assche <bvanassche@google.com>
And microdroid_manager can set it to shut down when verification fails.
Bug: 204073443
Test: MicrodroidHostTestCases
Change-Id: I12ec7c8b832f5d1e382961ce7866502c2cc8a9b8
In Microdroid, logcat is started as a daemon process (whose service name
is seriallogging) whose job is to read logs from logd and sends them to
the host side via a virtual console.
The daemon process is controlled by microdroid_manager, so the process
is given write access to ctl.start$seriallogging and also to some
sysprops originated from bootconfig so that it can know if the VM is
configured as debuggable or not.
Bug: 200914564
Test: start microdroid using the vm tool. logcat logs are shown in
stdout.
Change-Id: I79bc6486ae1f84515ad31a09e24d8368fb54bc6d
Revert "Remove the bdev_type and sysfs_block_type SELinux attributes"
Revert "Remove the bdev_type and sysfs_block_type SELinux attributes"
Revert submission 1850578-remove-selinux-bdev-type
Reason for revert: DroidMonitor-triggered revert due to breakage, bug b/203480787
BUG: 203480787
Reverted Changes:
I263bce9c4:Remove the bdev_type and sysfs_block_type SELinux ...
Ibc9039f96:Revert "Add the 'bdev_type' attribute to all block...
Ic6ae83576:Remove the bdev_type and sysfs_block_type SELinux ...
Ie493022a8:Remove the bdev_type and sysfs_block_type SELinux ...
I1f1ca439b:Revert "Add the 'bdev_type' attribute to all block...
I283f8676b:Revert "Add the 'bdev_type' attribute to all block...
I7c5c242c5:Revert "Add the 'bdev_type' attribute to all block...
Id78d8f7dc:Remove the bdev_type and sysfs_block_type SELinux ...
I9c4b2c48b:Remove the bdev_type and sysfs_block_type SELinux ...
I51e9d384a:Remove the bdev_type and sysfs_block_type SELinux ...
I2c414de3b:Remove the sysfs_block_type SELinux attribute
Change-Id: I55609803d530772d507d9dca8ba202a96daf24b7
Some permissions used to make denials, but it seems that it's not the
case anymore.
Bug: 195751698
Test: atest MicrodroidHostTestCases
Change-Id: I3329bb9a6d4d17dc49a2469bae2cf17e6f0e49a9
Remove these SELinux attributes since adding these attributes introduces
a depencency from vendor SELinux policies on the generic SELinux policy,
something that is not allowed. This patch includes a revert of commit
8b2b951349 ("Restore permission for shell to list /sys/class/block").
That commit is no longer necessary since it was a bug fix for the
introduction of the sysfs_block type.
Bug: 202520796
Test: source build/envsetup.sh && lunch aosp_x86_64 && m && launch_cvd
Change-Id: Ic6ae835768212648ca09fd5c83c39180103c3b1b
Signed-off-by: Bart Van Assche <bvanassche@google.com>
We are no longer reading the ashmem size on every transaction.
Fixes: 195752513
Test: atest ComposHostTestCases (no denial logs)
Change-Id: If27c2b1d0efdccf30bc8c09e1004feb789e2425d
microdroid_manager and microdroid_payload have been accessing /dev/vsock
to get the local cid. But it's labeled as device, so microdroid_manager
and microdroid_payload have had too permissive access. This adds
vsock_device to relax the access.
Test: run demo app
Test: atest MicrodroidHostTestCases ComposHostTestCases
Change-Id: I1a5955ad28817124f250f206b90c8d4e344ea865
microdroid's domains have been able to read/write any properties. That's
just for convenience while bringing up microdroid. This cleans up such
global permission and grants minimal access.
Bug: 194447534
Test: atest MicrodroidHostTestCases ComposHostTestCases
Test: run microdroid demo app
Change-Id: I09ce1174d4af9c228b788a522a6ab845cafd4505
This adds properties necessary to run microdroid to property_contexts,
and then removes default_prop access to all domains except for init, as
init should be able to write all properties.
Bug: 194447534
Test: atest MicrodroidHostTestCases ComposHostTestCases
Change-Id: I2f80c71ce257613b3c3b019a3e988a5a0653d879
fs_mgr::ReadDefaultFstab calls fs_mgr:ReadFstabFromDt() which eventually
calls fs_mgr_get_boot_config_from_bootconfig_source to read boot config.
Therefore bundle permission to read proc_bootconfig. This resolves some
selinux denials for update_engine
Test: th
Change-Id: Ia8bd94eb33a38ccd939577b54910645fec4ccda8
Microdroid_manager needs to pass APEX pubkeys to APEXd. Since the data
is too big for a system property, it creates a file
/apex/vm-payload-metadata so that APEXd reads/uses it.
Bug: 199371341
Test: MicrodroidHostTestCases
Change-Id: Iaf2b4fc08b36610032d9c339f787e5e34994448b
microdroid_payload needs to open a vsock server, so this change grants
permissions for that. This change also temporarily grants permissions to
get local CID, which should be removed once the RPC binder API supports
getting CID.
Bug: 195381416
Test: atest MicrodroidHostTestCases
Change-Id: I57a603e74d7552e13a83fa4934621e09e13015fd
Previously, the boot process of microdroid was mostly implemented in the
init.rc file. microdroid_manager was started first in the background,
then apexd, apkdmverity, and zipfuse were executed in sequence. However,
in order to correctly implement the app payload verification scheme,
most of the early boot process has to be controlled by
microdroid_manager. Specifically, apkdmverity should be started "after"
the apk roothash is read from the instance disk by microdroid_manager.
As an alternative, we could let apkdmverity the read instance disk by
itself. However, this is undesirable because doing so requires multiple
processes - microdroid_manager and apkdmverity - have access to the
instance disk and more seriously the secret key to decrypt it.
Another alternative is to let microdroid_manager do the dm-verity
configuration which apkdmverity does. This also is considered
undesirable because then we would give the permissions for configuring
dm-verity devices to microdroid_manager which is a long-running daemon
process. Note that apkdmverity is not a daemon process.
This CL introduces a few number of changes which are required to let
microdroid_manager directly control the early boot process:
1) microdroid_manager is allowed to start the services apkdmverity and
zipfuse by using the `ctl.start` sysprop.
2) apkdmverity is allowed to use bootstrap bionic libraries as it is now
executed before APEXd activates the APEXes.
3) A new sysprop `microdroid_manager.apk_roothash` is added. It is
written by microdroid_manager and read by apkdmverity. It contains the
roothash read from the instance disk. This value is not a secret.
4) Another new sysprop `apex_config.done` is added. It is set by init
just after `perform_apex_config` and read by microdroid_manager.
Microdroid_manager uses this to wait until linker configuration is ready
so that it can execute app payloads with the config.
Bug: 193504400
Test: atest MicrodroidHostTestCases
Change-Id: If29ce17d7a6cb4859e8ceeffb321724e7f11bf82
microdroid_manager needs to know its own CID until the full RPC binder
support is landed.
Bug: 191845268
Test: run MicrodroidDemoApp
Test: atest MicrodroidHostTestCases
Change-Id: I8f6c667f0827d1089baa21417c2b0ba382d94d26
With a change in dex2oat to avoid opening /proc/self/fd, this change
removes open and a few other privileges from dex2oat.
Bug: 196404749
Test: ComposHostTestCases
Change-Id: I822c7ef3886a1cde8601e71afa2eb79973cd573c
CAP_SYS_ADMIN is required to mount a filesystem (currently in authfs, a
child process of authfs_service). It seems the parent also needs to be
allowed.
Bug: 194474784
Test: Use the service (from compsvc), no longer seeing the denials
Change-Id: I122734ee9f11899af4d7b647bc3049e4dbdad09e
Microdroid_manager creates a vsock socket and app's output is redirected
to it.
Bug: 195751698
Test: MicrodroidHostTestCases
Change-Id: I66759067169cc97a6c1fc084395761e06c6e20f6
authfs_service is a binder service on microdroid. Upon a request by the
client, the service will create the mount directory, execute authfs to
mount the FUSE, and finally unmount and delete the mount directory.
authfs currently requires more privileges than it should, but it's ok
because the client owns the VM, and all input will be verified by
signatures. But there is plan to keep the privileges isoated in the
service (b/195554831).
Bug: 194717985
Bug: 195554831
Test: Start the service from init, use a test executable to call the
service API. Only observed denial from the test executable.
Change-Id: Ie53aa9e2796433fc3182357039d0b7ba1c0848ef
Microdroid_manager should verify payloads(APK/APEXes). APK is mounted to
dm_device first and then verified. So, microdroid_manager needs to read
it.
Bug: 190343842
Test: MicrodroidHostTestCases
Change-Id: I530fb8d2394952486f0bad7fb3bed770611cd311
This is the only blocker for SELinux denial test on microdroid. Rather
than consuming more time, this temporarily suppresses the audit message
to turn on the test.
Bug: 193118220
Test: atest MicrodroidHostTestCases -c
Change-Id: Id703107cbaae42352bebe34d0a6373f0701c0f6f
keystore uses sqlite3. sqlite3 calls F2FS_IOC_GET_FEATURES. As
microdroid has nothing to do with that, we just suppress the audit.
Bug: 193118220
Test: atest MicrodroidHostTestCases
Change-Id: I1da00d1fd4b7e208e80a1d9bc5f49c21af684516
It's a test tool which is generally run as root, and will be deleted
eventually. It doesn't need its own label; system_file works fine.
We never actually allowed it anything, nor defined a transition into
the domain.
Bug: 194474784
Test: Device boots, no denials
Test: compos_key_cmd run from root works
Change-Id: If118798086dae2faadeda658bc02b6eb6e6bf606
microdroid_payload attribute is for processes meant to be run by
microdroid_manager as a payload. Other than microdroid_payload and
crash_dump, transition from microdroid_manager will not be permitted.
Bug: 191263171
Test: atest MicrodroidHostTestCases
Test: atest ComposHostTestCases
Change-Id: I959a8ad8ed83c8de254d7af61fd30bcbffe6b070
This is necessary (but not sufficient) to allow CompOsTestCase to
run. Without it we have problems because
system/sepolicy/apex/com.android.art-file_contexts references
dex2oat_exec, and we get an error:
SELinux : Context u:object_r:dex2oat_exec:s0 is not valid (left unmapped).
Bug: 194474784
Test: atest CompOsTestCase (with memory fix patched in)
Change-Id: If229b9891c8fb1acce8d0502675c1712bfed180c