Commit graph

77 commits

Author SHA1 Message Date
Jiyong Park
8948c1ce4b Add policies for diced and hal_dice in microdroid
Bug: 214231981
Test: run microdroid and check diced is up and running
Change-Id: I605d7d6a790b8a14e575e67e1dcf02eaf7a5eafc
2022-01-13 01:37:00 +09:00
Alan Stokes
67a8605deb Remove obsolete ioctl allow
No longer used, so remove the allow.

Bug: 199259751
Test: Presubmits
Change-Id: Iea61d29d14b13de86f7fbd6b6e416eea745b615e
2022-01-07 10:42:17 +00:00
Alan Stokes
d313282433 Allow compos to run derive_classpath
We run it in the compos domain, since it doesn't require very much
additional access.

Bug: 189164487
Test: composd_cmd test-compile
Change-Id: I9ef26dd60225505086e45185289e3e03d0a8de8e
2022-01-05 18:06:27 +00:00
Treehugger Robot
76867eabd1 Merge "Remove inaccurate comment" 2021-12-20 10:59:29 +00:00
Victor Hsieh
048866ca7d Remove inaccurate comment
... from 14f188718a

Bug: None
Test: None
Change-Id: I133bc96f4cf7ae4092fef8ee4eac9533524a71b1
2021-12-16 13:56:48 -08:00
Treehugger Robot
a6d6b6aee8 Merge "Add apexd_payload_metadata_prop" 2021-12-16 19:18:43 +00:00
Victor Hsieh
6e5eb7cb11 Merge "Allow dex2oat to search in authfs directories" 2021-12-16 16:23:49 +00:00
Alan Stokes
14f188718a Grant compos permissions for signing
CompOS needs to read the artifacts on authfs that odrefresh has
created and write signature files for them.

(But it no longer needs to create any directories, so removed that.)

Fixes:
avc: denied { open } for comm="compsvc"
path="/data/misc/authfs/1/11/test-artifacts/...art" dev="fuse" ino=81
scontext=u:r:compos:s0 tcontext=u:object_r:authfs_fuse:s0 tclass=file
permissive=0
avc: denied { create } for comm="compsvc" name="compos.info"
scontext=u:r:compos:s0 tcontext=u:object_r:authfs_fuse:s0 tclass=file
permissive=0

Bug: 161471326
Test: composd_cmd async_odrefresh (with microdroid selinux enforced)
Change-Id: Ie02dedf1f18926cdbbd39e4a950c5aec80adee32
2021-12-16 13:40:38 +00:00
Richard Fung
0c7c2679b0 Add apexd_payload_metadata_prop
This should be read-only and corresponds to apexd.payload_metadata.path

Bug: 191097666
Test: android-sh -c 'setprop apexd.payload_metadata.path'
See permission denied
atest MicrodroidHostTestCases

Change-Id: Ifcb7da1266769895974d4fef86139bad5891a4ec
2021-12-16 03:00:06 +00:00
Victor Hsieh
a341025f87 Allow odrefresh to use FD inherited from compsvc
If FD use is not allowed, execve(2) returns EACCESS and the process is
killed by SIGSEGV.

Minijail closes any FDs by default and open /dev/null for FD 0-2. For
now, odrefresh doesn't use any FD. But until we could tell minijail to
not create FD 0-2 (which could be arguable), allow the permission.

Bug: 210909688
Test: composd_cmd async-odrefresh # exit 80 in enforced mode
Change-Id: I8643d8bfc8da03439a04491fba5ba6de663760eb
2021-12-15 16:54:28 -08:00
Victor Hsieh
e2a4d0c918 Allow dex2oat to search in authfs directories
dex2oat checks $ANDROID_ROOT exist, which is a directory in an authfs
mount. Give it permission to search along the path.

Strictly speaking, this isn't change how dex2oat execute in this
particular case, for now. Functions like LocationIsOnSystemFramework
make sure getenv(ANDROID_ROOT) exists. But either way, for those kind of
location checks, it won't match the mount path in /data/misc/authfs
anyway.

Bug: 205750213
Test: no more SELinux denials from dex2oat
Change-Id: I1b52dfdeb057443304f02784b6aa180d7db28bd8
2021-12-15 13:37:34 -08:00
Victor Hsieh
b415c7388f Declare dalvik.vm. property and dontaudit explicitly
dex2oat currently uses some properties as flags (see
art/libartbase/base/flags.cc). For CompOS, we don't really need such
properties, and actually should avoid global state. So dontaudit
explicitly.

Bug: 210030607
Test: no more default_prop denials for dex2oat
Change-Id: I10852f2a7df4dac7a9389eab3f53f91328104f96
2021-12-15 09:30:22 -08:00
Victor Hsieh
3ea775e483 Include log.tag and persist.log.tag in log_tag_prop
The two properties are not just prefixes. See __android_log_level in
system/logging/liblog/properties.cpp.

Bug: 210030607
Test: no longer seeing denials with default_prop in odrefresh
Change-Id: If2c9cba7aa65802e81c79c7d3d9735cbf14a6efa
2021-12-15 09:21:23 -08:00
Victor Hsieh
fe95b5b318 Define ro.build.version.{codename,sdk} in microdroid
The `__builtin_available` macro is used in used in several libraries in
microdroid, including liblog. The macro internally uses
ro.build.version.{codename,sdk}[1]. This change defines the context for
these properties.

[1] https://reviews.llvm.org/rG516a01b5f36d4188778a34202cd11856d70ac808

Bug: 210030607
Test: No longer seeing denied access of default_prop from odrefresh
Change-Id: I51bc52f679a174daccc05a1e2d6c9fda9e6b12cb
2021-12-15 08:11:13 -08:00
Jeff Vander Stoep
bc0fa66cbe Policy for using Apex sepolicy
Bug: 199914227
Test: aosp/1910032
Change-Id: I0726facbf0c28c486ef6501718a6013a040e4b0e
2021-12-14 13:54:03 +01:00
Alan Stokes
6e48ea981a Merge "Revert "Revert "More neverallow rules""" 2021-12-10 10:27:13 +00:00
Alan Stokes
9c2e162e87 Revert "Revert "More neverallow rules""
This reverts commit a0e49cea04.

Reason for revert: I don't think this was the culprit after all
Bug: 204853211

Change-Id: Iadc1c8df5ec2affcdbbf9e7bdc3eac54c47f4ebf
2021-12-10 09:06:08 +00:00
Alan Stokes
c6c31eb7b3 Merge "Revert "More neverallow rules"" 2021-12-09 14:06:35 +00:00
Treehugger Robot
8a564d32b7 Merge "Remove obsolete TODO" 2021-12-09 11:53:29 +00:00
Alan Stokes
a0e49cea04 Revert "More neverallow rules"
This reverts commit 72c0134384.

Reason for revert: Looks like this may have broken ComposHostTestCases
Bug: 204853211

Change-Id: I83816a49d3be056e4c9a718ea02911ca022cb984
2021-12-09 11:19:52 +00:00
Inseob Kim
28d0530c35 Remove obsolete TODO
Bug: 208722875
Test: N/A
Change-Id: I7ac440164140d7b95a1a7674e219bf9c2b1b83bd
2021-12-09 19:05:54 +09:00
Treehugger Robot
3e664a0e6d Merge "Allow odrefresh to read from a pipe from compos" 2021-12-09 09:45:30 +00:00
Victor Hsieh
1494f6b9a5 Allow odrefresh to read from a pipe from compos
This is copied from dex2oat.te. By using minijail, the child process
currently requires to communicate with the parent by a pipe, before
actually exec'ing the executable.

Bug: 205750213
Test: no longer see the avc error
Change-Id: I4d59fc8d32150d9e08abba06203eb5164ecd3c75
2021-12-08 15:00:22 -08:00
Alan Stokes
72c0134384 More neverallow rules
When we cut down microdroid policy we removed a whole lot of
neverallow rules that were in public/domain.te. Many of these are
irrelevant, but there are some that look quite important. So this CL
restores many of them. This makes no immediate difference (none of
these rules are currently violated, except as mentioned below), but it
might catch mistakes, or at least make us stop and think before
introducing potentially risky policy changes.

Process:
- Paste in all the neverallow rules from public/domain.te in Android
  policy.
- Delete all references to non-existent labels.
- Delete everything makred full-trebly-only,

I also deleted some attributes we clearly don't need, and hence
associated neverallows. (I suspect there are more attributes we could
remove.)

And then I fixed a neverallow violation for microdroid_payload - we
were allowing it unrestricted ioctl access.

Bug: 204853211
Test: Policy builds without error
Test: No denials running composd_cmd forced-compile-test
Change-Id: I21035dee93a881b34941338cc7ce82503cc65e59
2021-12-08 14:56:45 +00:00
Alan Stokes
26239da92b Restrict making memory executable
All code must reside in files.

Bug: 204853211
Test: Builds, no neverallow violations
Change-Id: I124a4c567fff76e143582e189b8cb9feeae5d7d0
2021-12-08 12:36:05 +00:00
Inseob Kim
8565b96a3a microdroid: Add support for extra apk files
extra_apk_file is a new label only for APK files passed to microdroid.
microdroid_manager will create directories under /mnt/extra-apk/, and
zipfuse will mount APK block devices to the directories.

Currently only payload can read the files.

Bug: 205224817
Test: manually edit vm config and see APK files mounted
Change-Id: Ie5afb3156f22bb18979ec70904be675e8ff285a7
2021-12-08 14:10:28 +09:00
Treehugger Robot
9a93d79a92 Merge changes I81ab0a73,Ia66015b7
* changes:
  Allow compsvc to execute odrefresh
  Allow composd to run fd_server
2021-12-08 00:28:52 +00:00
Victor Hsieh
f97cc1fd26 Allow compsvc to execute odrefresh
Bug: 205750213
Test: /apex/com.android.compos/bin/composd_cmd forced-odrefresh
      # With SELinux enforced in the VM, plus some hacks in ART,
      # observed odrefresh exited 80.
Change-Id: I81ab0a73314fdcea69c69350c792ff7acab5aab8
2021-12-07 08:08:00 -08:00
Jiyong Park
3db645b83d Allow microdroid_manager to read /proc/bootconfig
... so that it can ensure that the bootconfig hasn't changed since the
last boot.

Bug: 208639280
Test: m
Change-Id: I2310a0df0ebbef9d6fe47dbad2538ecbe7bc84e6
2021-12-06 21:16:09 +09:00
Treehugger Robot
f5646ff42b Merge "Add logd.ready" 2021-12-02 03:34:00 +00:00
Inseob Kim
2df19cba08 microdroid: Run apk mount utils from MM
For now, the command for apkdmverity and zipfuse is hard-coded in the
init script file. To support passing extra APKs, microdroid_manager
needs to parse the vm config, and then manually run apkdmverity and
zipfuse with appropriate parameters.

Bug: 205224817
Test: atest MicrodroidHostTestCases ComposHostTestCases
Change-Id: I482b548b2a414f3b5136cea199d551cc88402caf
2021-12-01 19:46:33 +09:00
Jiyong Park
ff3048349a Add logd.ready
logd.ready is a system property that logd sets when it is ready to
serve incoming socket requests for reading and writing logs. Clients of
logd (e.g. logcat) can use this to synchronize with logd, otherwise they
may experience a crash due to the refused socket connection to logd when
they are started before logd is ready.

Bug: 206826522
Test: run microdroid. see logcat logs are shown immediately
Change-Id: Iee13485b0f4c2beda9bc8434f514c4e32e119492
2021-11-30 15:10:53 +09:00
Jiyong Park
2f3e4c0bec microdroid: add /dev/hvc2
Similar to Cuttlefish, Microdroid now has three virtio-console devices.

Bug: 200914564
Test: run MidrodroidDemoApp
Change-Id: I86f9e6298ca0fdccfc2186989126cdd18812caef
2021-11-01 18:41:46 +09:00
Jooyung Han
c75eca682e microdroid: add sys.powerctl property
And microdroid_manager can set it to shut down when verification fails.

Bug: 204073443
Test: MicrodroidHostTestCases
Change-Id: I12ec7c8b832f5d1e382961ce7866502c2cc8a9b8
2021-10-28 11:09:48 +09:00
Jiyong Park
bd35627371 microdroid: introduce logcat domain
In Microdroid, logcat is started as a daemon process (whose service name
is seriallogging) whose job is to read logs from logd and sends them to
the host side via a virtual console.

The daemon process is controlled by microdroid_manager, so the process
is given write access to ctl.start$seriallogging and also to some
sysprops originated from bootconfig so that it can know if the VM is
configured as debuggable or not.

Bug: 200914564
Test: start microdroid using the vm tool. logcat logs are shown in
stdout.

Change-Id: I79bc6486ae1f84515ad31a09e24d8368fb54bc6d
2021-10-25 20:29:28 +09:00
Treehugger Robot
c0cd637049 Merge "Label /dev/hvcN paths" 2021-10-20 08:17:15 +00:00
Treehugger Robot
028e88f578 Merge "microdroid: Remove microdroid_app dontaudit" 2021-10-20 07:10:32 +00:00
Jiyong Park
f264d79bf8 Label /dev/hvcN paths
They are virtual console devices. Label them as serial_devices.

Bug: 200914564
Test: m
Change-Id: I6a178360fa9977e9b50b0c07da2a506114369189
2021-10-19 22:43:45 +09:00
Inseob Kim
e4ef85e65a microdroid: Remove microdroid_app dontaudit
Some permissions used to make denials, but it seems that it's not the
case anymore.

Bug: 195751698
Test: atest MicrodroidHostTestCases
Change-Id: I3329bb9a6d4d17dc49a2469bae2cf17e6f0e49a9
2021-10-19 10:46:17 +00:00
Bart Van Assche
e475c8f1b5 Microdroid: Allow apexd again to access block device information
This patch is the Microdroid equivalent of
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1850655

Bug: 202520796
Tests: Treehugger
Change-Id: I3428934115a62f64390738b144fbb801fc595561
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2021-10-14 15:38:28 -07:00
Steven Moreland
2868112dff authfs - remove getattr perm for fd pass
We are no longer reading the ashmem size on every transaction.

Fixes: 195752513
Test: atest ComposHostTestCases (no denial logs)
Change-Id: If27c2b1d0efdccf30bc8c09e1004feb789e2425d
2021-10-12 21:54:42 +00:00
Inseob Kim
5530ab0269 microdroid: Add vsock_device & restrict dev access
microdroid_manager and microdroid_payload have been accessing /dev/vsock
to get the local cid. But it's labeled as device, so microdroid_manager
and microdroid_payload have had too permissive access. This adds
vsock_device to relax the access.

Test: run demo app
Test: atest MicrodroidHostTestCases ComposHostTestCases
Change-Id: I1a5955ad28817124f250f206b90c8d4e344ea865
2021-09-24 09:49:59 +09:00
Inseob Kim
5ee61a7628 microdroid: Narrow property permissions
microdroid's domains have been able to read/write any properties. That's
just for convenience while bringing up microdroid. This cleans up such
global permission and grants minimal access.

Bug: 194447534
Test: atest MicrodroidHostTestCases ComposHostTestCases
Test: run microdroid demo app
Change-Id: I09ce1174d4af9c228b788a522a6ab845cafd4505
2021-09-23 17:23:28 +09:00
Inseob Kim
e17b985e1c microdroid: Remove default_prop access
This adds properties necessary to run microdroid to property_contexts,
and then removes default_prop access to all domains except for init, as
init should be able to write all properties.

Bug: 194447534
Test: atest MicrodroidHostTestCases ComposHostTestCases
Change-Id: I2f80c71ce257613b3c3b019a3e988a5a0653d879
2021-09-15 05:26:03 +00:00
Jooyung Han
6e60287a1f Allow microdroid_manager to create a /apex/* file
Microdroid_manager needs to pass APEX pubkeys to APEXd. Since the data
is too big for a system property, it creates a file
/apex/vm-payload-metadata so that APEXd reads/uses it.

Bug: 199371341
Test: MicrodroidHostTestCases
Change-Id: Iaf2b4fc08b36610032d9c339f787e5e34994448b
2021-09-10 17:35:26 +09:00
Jooyung Han
53c773a3fd make zipfuse a bootstrap process
Bug: n/a
Test: MicrodroidHostTestCases
Change-Id: Ia2ad615e919f4fcb0452d8458e505ecfbdd5818f
2021-09-10 08:56:08 +09:00
Inseob Kim
2f7600920d Add vsock permissions to microdroid_payload
microdroid_payload needs to open a vsock server, so this change grants
permissions for that. This change also temporarily grants permissions to
get local CID, which should be removed once the RPC binder API supports
getting CID.

Bug: 195381416
Test: atest MicrodroidHostTestCases
Change-Id: I57a603e74d7552e13a83fa4934621e09e13015fd
2021-09-09 02:30:59 +00:00
Jooyung Han
6f3b5e2edc microdroid: rename property to "apk_root_hash"
Bug: 193504400
Test: atest MicrodroidHostTestCases
Change-Id: I3bd0fd337d85b29e5dfdfba49ee5328e48f5be89
2021-09-08 16:05:29 +09:00
Jiyong Park
27bb6c6608 Microdroid boot process is controlled by microdroid_manager
Previously, the boot process of microdroid was mostly implemented in the
init.rc file. microdroid_manager was started first in the background,
then apexd, apkdmverity, and zipfuse were executed in sequence. However,
in order to correctly implement the app payload verification scheme,
most of the early boot process has to be controlled by
microdroid_manager. Specifically, apkdmverity should be started "after"
the apk roothash is read from the instance disk by microdroid_manager.

As an alternative, we could let apkdmverity the read instance disk by
itself. However, this is undesirable because doing so requires multiple
processes - microdroid_manager and apkdmverity - have access to the
instance disk and more seriously the secret key to decrypt it.

Another alternative is to let microdroid_manager do the dm-verity
configuration which apkdmverity does. This also is considered
undesirable because then we would give the permissions for configuring
dm-verity devices to microdroid_manager which is a long-running daemon
process. Note that apkdmverity is not a daemon process.

This CL introduces a few number of changes which are required to let
microdroid_manager directly control the early boot process:

1) microdroid_manager is allowed to start the services apkdmverity and
zipfuse by using the `ctl.start` sysprop.

2) apkdmverity is allowed to use bootstrap bionic libraries as it is now
executed before APEXd activates the APEXes.

3) A new sysprop `microdroid_manager.apk_roothash` is added. It is
written by microdroid_manager and read by apkdmverity. It contains the
roothash read from the instance disk. This value is not a secret.

4) Another new sysprop `apex_config.done` is added. It is set by init
just after `perform_apex_config` and read by microdroid_manager.
Microdroid_manager uses this to wait until linker configuration is ready
so that it can execute app payloads with the config.

Bug: 193504400
Test: atest MicrodroidHostTestCases
Change-Id: If29ce17d7a6cb4859e8ceeffb321724e7f11bf82
2021-09-07 17:13:43 +09:00
Jiyong Park
ee3661ef2b Allow microdroid_manager to write instance.img
Bug: 193504400
Test: atest MicrodroidHostTestCases
Change-Id: Icac8aa7e1badc90d2725c81e3c0f9594b7e18608
2021-08-31 17:14:09 +09:00