If export_tombstones is false, leaving tombstoned running has no
meaning. However, we still can't selectively start tombstoned, because
post-fs-data happens eariler than config parsing. Thus, this change
allows microdroid_manager to stop tombstoned on demand.
Bug: 236588647
Test: atest MicrodroidTests
Change-Id: I813fe667f3394bdd234e204f3d35a27f3a182cb2
Because we want to collect early kernel logs, before apexd is run.
Bug: 236451404
Test: atest MicrodroidTests
Change-Id: Id84f5b36df00394eb3444fdef5654c6ec0759faf
A serial device is used to pass failure reason to host.
Bug: 220071963
Test: atest MicrodroidTests
Change-Id: I085e902b4f0a79d3c8d2cd5c737ad169caac3659
r.android.com/2060021 made it possible for tombstone_transmit to remove
the tombstone file from guest after reading it. This is the required
Selinux policy for that.
Bug: 232403725
Test: atest MicrodroidHostTestCases & check vm logs for avc:
denials
Change-Id: Ic071c0bd5ecb85f4ceae84e435afdec155fbba0b
We recently started to forward dalvik related system properties to
CompOS for odrefresh to use. The properties are set indeed, but we
still need to allow odrefresh to use.
Bug: 231579544
Test: Cherry pick aosp/2096406, run composd_cmd test-compile
See ro.dalvik.vm.*, dalvik.vm.* and
persist.device_config.runtime_native_boot.enable_uffd_gc
properties in cache-info.xml
Ignore-AOSP-First: Will cherry pick
Change-Id: I5a44384bf39c572878b1d305c3df9860d9324eda
Merged-In: I5a44384bf39c572878b1d305c3df9860d9324eda
LOOP_CONFIGURE is more efficient than LOOP_SET_FD/SET_STATUS64.
apkdmverity has used the latter because LOOP_CONFIGURE didn't work for
loop-mounting IDSIG file.
apkdmverity can use LOOP_CONFIGURE and enabling DIRECT_IO only when
necessary.
Bug: 191344832
Test: atest MicrodroidTestApp
Change-Id: I9503f17a689e2447acee1f6ef9c2aac53cf3c457
For Guest: tombstone_tranmit needs permissions for:
1. keeping track of files being written on /data/tombstones.
2. creating vsock socket to talk to virtualizationservice (to forward
these tombstones)
These permissions will be similar to tombstone_tarnsmit on cuttlefish
(device/google/cuttlefish/guest/monitoring/tombstone_transmit/tombstone_transmit.cpp)
For Host (virtualizationservice) needs:
1. permission to connect to tombstoned.
2. permission to use fd belonging to tombstoned.
3. append and related permissions on tombstone_data file.
Test: Tested by crashing a process in guest (started using microdroid
demo)
Change-Id: Ifd0728d792bda98ba139f18fa9406494a714879d
commit 7fd8933f0c removed this from host
sepolicy. It's redundant here as well.
Bug: 223596375
Test: Builds
Change-Id: I39d7432c6e31f49de5eb8dca8acc7e9c5d190617
This isn't really used at the moment, but since the decision was to keep
the capability for future ART change, we should also allow it in CompOS
for consistency.
While I'm on in, rearrange the policy to group mirrored policies
together.
Bug: 209488862
Test: None
Change-Id: Id6afafc42005e711127a1e0831d4dd03e48959eb
Init will try restorecon /dev/console, together with /dev, at the second
stage boot.
Bug: 193118220
Test: atest MicrodroidHostTestCases
Change-Id: Ie9796368b54bb0773eabf5ff6feb2b4aa41d0bfa
We don't use MLS in Microdroid, so we don't need MLS rules, nor
mlstrusted[subject|object] labels. (We keep one MLS rule to satisfy
checkpolicy.)
A lot of attributes are unused in Microdroid, so we can remove their
declarations and any references to them. (That may not make the
compiled policy smaller, since hopefully they get optimised out
anyway, but it means there is less policy for humans to deal with.)
Remove labels that relate only to apps, which we don't have - MAC
permissions, run-as, seapp_contexts.
In passing, fix a comment snafu in both system & microdroid policy.
Bug: 223596375
Test: Run staged-apex-compile & compos_verify, no denials
Test: atest MicrodroidTests MicrodroidHostTestCases
Change-Id: Ifd3589945a2d8b4c0361e00eec5678795513fd8c
Give microdroid_manager and the DICE HAL access to the AVF chosen node
properties that are used to indicate that the VM is booting in strict
more and that the current boot is provisioning a new VM instance.
Bug: 221051866
Bug: 217376291
Test: atest MicrodroidTests
Change-Id: Ie8451fc80671557086f8d825ad01600f9cb4557a
Because MLS isn't really used in microdroid, setting it to 1 may help
improve performance a bit.
Bug: 223596384
Test: atest MicrodroidTests
Change-Id: Iace4a45ccda98e34fbf82b16ff2096a53b543132
Bug: 209488862
Test: Follow instructions in b/209488862#comment12, compilation can
only succeed with this patch
Change-Id: I6475a1be0db635de96b9f8fdbf9dd3a76c3a759b
These domains already can't transition to crash_dump, but also need to
make sure crash_dump can't be run and pointed at them.
Bug: 218494522
Test: Builds
Change-Id: I76f88faf8ff4c88e85eaf6a8db546dc644a71928
CompOS no longer talks directly to DICE (compos_key_helper does). odsign
no longer promotes or deletes instance CompOS files, and the key files
don't exist any more.
Bug: 218494522
Test: Manual; trigger compilation, reboot & watch odsign
Change-Id: Ibc251180122e6e4789b4be5669da3da67517b49c
Make sure all the permissions are granted to let the HAL do its work
properly.
Bug: 214231981
Test: atest MicrodroidTestApp
Change-Id: I54c633b8163ea313c87856fb0513074a76ac86a1
Add the compos_key_helper domain for the process which has access to
the signing key, make sure it can't be crashdumped. Also extend that
protection to diced & its HAL.
Rename compos_verify_key to compos_verify, because it doesn't verify
keys any more.
Move exec types used by Microdroid to file.te in the host rather than
their own dedicated files.
Bug: 218494522
Test: atest CompOsSigningHostTest CompOsDenialHostTest
Change-Id: I942667355d8ce29b3a9eb093e0b9c4f6ee0df6c1
Bootloader properties are available to all domains so don't need special
policy rules for microdroid_manager.
Test: atest MicrodroidTests
Change-Id: I0ccf6b28467a47c0f3cf7715b9ff34d01e8ac970
This property is set in the bootconfig to reflect the debuggability of
the payload app. It is consumed microdroid_manager as a DICE input and
by compos to make choices based on the debuggability, e.g. not doing
test builds in non-debug states.
Bug: 219740340
Test: atest ComposHostTestCases
Test: atest MicrodroidTests
Change-Id: If84710f1fdbab957f5d19ce6ba3daad7e3e65935
MicrodroidHostTestCases will pull the VM's sepolicy and check it against
system/sepolicy/microdroid's neverallow rules, using sepolicy-analyze
tool.
Bug: 218461215
Test: atest MicrodroidHostTestCases
Change-Id: I62a69053996b71d69dd2bf6b7eabc8b701095477
Microdroid_manager uses the ioctl to flush data to the block device.
Bug: 208639280
Test: atest MicrodroidTestApp
Change-Id: Icd708702618850e1f003b16bdc8a1698c45f6442
Avoid divergence in the files that will eventually shared with the main
Android sepolicy and fix a style mistake.
Bug: 215747811
Test: atest MicrodroidTests
Change-Id: I40b0bebb432d73ab6ab847c117e72d8bc18fe873
With the keymint HAL removed from microdroid, there are no more legacy
HALs meaning no further need for hwservicemanager.
Bug: 215747811
Test: atest MicrodroidTests
Change-Id: I111f3456399ef91e51d1cfead67659601c23db9e
The keymint HAL has been removed from microdroid to remove the
corresponding sepolicy.
Bug: 215747811
Test: atest MicrodroidTests
Change-Id: I08aae50dd9a4575954db40ec974625e43bff2335
The keystore service has been removed from microdroid to remove the
corresponding sepolicy.
Bug: 215747811
Test: atest MicrodroidTests
Change-Id: I6600b47f8b8c6bba05b1f59b4d87713283805817
This property is read by microdroid_manager to check whether the VM is
in debug mode. Give it a context to satisfy the sepolicy.
Bug: 214231981
Test: atest MicrodroidTestApp
Change-Id: I9d4bda5e487324c95229c7978e8fe0a53fa9f616
The driver facilitates the handover of values from the bootloader so
needs to be accessible by the HAL.
Bug: 214231981
Test: run microdroid with a "google,open-dice" DT node
Change-Id: Ib5317e6a42befe22d8f1dbefeb9803f5ec92b061