Microdroid Manager needs these permissions to sync the encryptedstore
filesystem.
Test: Builds
Test: Check selinux denials in logs
Change-Id: Iee020ae653f5d42af086ca91068e3df52c992305
It is started very early before linker namespaces are configured, thus
making it a bootstrap process.
Bug: 263398430
Test: watch boottime benchmark
Change-Id: I60411601a6be78f8401e43d136b567615002797c
The process has the exclusive access to /dev/hw_random. It instead opens
provides a socket (/dev/prng_seeder/socket) which any process can
connect to to get random numbers.
This CL is basically a Microdroid version of aosp/2215051
Bug: 247781653
Test: same as aosp/I0a7e339115a2cf6b819730dcf5f8b189a339c57d
* Verify prng_seeder daemon is running and has the
correct label (via ps -Z)
* Verify prng_seeder socket present and has correct
label (via ls -Z)
* Verify no SELinux denials
* strace a libcrypto process and verify it reads seeding
data from prng_seeder (e.g. strace bssl rand -hex 1024)
* strace seeder daemon to observe incoming connections
(e.g. strace -f -p `pgrep prng_seeder`)
Change-Id: I3483132ead0f5d101b5b3365f78cc36d89528f0e
In the other change in the same topic microdroid_manager starts to drop
the capabilities before execve'ing the payload binary.
Test: m
Bug: 243633980
Change-Id: Ia70d15db413c822b174a708dedfa5557c8abde65
Create a label for the encrypted storage. encryptedstore_file & _fs
corresponding to the file & fs type.
encryptedstore process mounts the device on /mnt/encryptedstore with
fscontext & context.
microdroid_payload will have rw & related permissions on it. Also, add a
neverallow rule to deny execute permission on all domains.
encryptedstore needs relabel permission from tmpfs to
encryptedstore_file, along with mount like permissions on the later.
Bug: 261477008
Test: atest MicrodroidTests#encryptedStorageAvailable
Change-Id: Iffa1eb400f90874169d26fc2becb1dda9a1269a9
Nothing in Microdroid uses tcp/udp/rawip sockets. Removing netdomain
attribute for the capability. Note that some processes can use
networking via vsock.
Bug: N/A
Test: watch TH
Change-Id: Id10861d0520770578503dd93b0c72c3d6be993e8
Allow one property per APK for zipfuse to signal readiness to
microdroid manager.
Bug: 252811466
Test: atest MicrodroidTests
Test: composd_cmd test-compile
Change-Id: Ibe5d0756cda807e677de68335258b96364e91880
In Android, adb root is disabled at build-time by not compiling
sepolicies which allows adbd to run in the `su` domain.
However in Microdroid, adb root should be supported even on user builds
because fully-debuggable VMs can be started and adb root is expected
there. Note that adb root is still not supported in non-debuggable VMs
by not starting it at all.
This change removes `userdebug_or_end` conditions from the policies for
adb root. In addition, the `su` domain where adbd runs when rooted is
explicitly marked as a permissive domain allowed.
Bug: 259729287
Test: build a user variant, run fully debuggable microdroid VM. adb root
works there.
Test: run non-debuggable microdroid VM. adb shell (not even adb root)
doesn't work.
Change-Id: I8bb40b7472dcda6619a587e832e22d3cb290c6b9
Microdroid doesn't have the executable `su`. Removing su_exec and any
reference to it.
Bug: N/A
Test: run Microdroid instance and adb root works.
Change-Id: If6c356acbf85ba20a1face3e29e4cb38d002ea06
We introduced selinux context: microdroid_lifecycle_prop to group the
properties set by microdroid_manager related to its boot lifecycle.
microdroid_manager.config_done is more suitable to be grouped in this
context.
Test: MicrodroidHostTests#testMicrodroidBoots which also checks selinux
denials
Bug: 260005615
Change-Id: I81729146c2fc98479b9a71053e4cf8ba5d89de5e
Add a new selinux context: microdroid_lifecycle_prop for properties like
microdroid_manager.init_done. Also adding neverallow rule to not let
anyone other than init & microdroid_manager set it.
Bug: 260713790
Test: Builds
Change-Id: I81470ce596cfe5870b6777b6ae6fde3a0dc486d1
The binder_device in microdroid has been removed in aosp/2310572.
Bug: 222479468
Test: atest MicrodroidTests MicrodroidHostTests
Change-Id: Ie87e3b5ca1afc4046d5b35cba5fc2f99bbc09f43
As service_manager has been removed in microdroid.
Bug: 257260848
Test: atest MicrodroidTests MicrodroidHostTests
Change-Id: I05b3366a14ecd8d6aabfff5eca9b6fbf804dc97a
The binderfs in microdroid has been removed in aosp/2310572.
Bug: 222479468
Test: atest MicrodroidTests MicrodroidHostTests
Change-Id: I757ae39ebc841e8bb23300c4f65a3646ad8031fb
Add selinux policies required for formatting the crypt device.
1. Allow encryptedstore to execute mk2fs.
2. The execution will happen without domain transition - so add
permissions related to formatting the device.
3. Allow encryptedstore to write on /dev/vd device - required to zero
starting bits initially
Test: Run vm with --storage & --storage-size option
Bug: 241541860
Change-Id: I9766e3c67e47a58707beee8b3a156944e3b0a9ce
As servicemanager is removed from microdroid.
Bug: 222479468
Test: atest MicrodroidTests MicrodroidHostTests
Change-Id: Ie39e4b214f297258f3dceecc11fa3d8289af3be4
Since the microdroid.servicemanager has been removed.
Bug: 222479468
Test: atest MicrodroidTests MicrodroidHostTests
Change-Id: I90228ca2d1bc3c66a6967412942e1c3372ed09ca
This cl removes SELinux policies related to
authfs_service / servicemanager communication as authfs_service
now uses rpc binder instead of servicemanager.
Bug: 257260848
Test: atest ComposHostTestCases
Change-Id: I3e3de94a837c95e8f486438cc6a76fea39ffc6f3
microdroid_manager has stdio_to_kmsg, so it's good to have the same
permission to microdroid_manager's children for better debuggability.
Bug: 259241719
Test: atest MicrodroidHostTestCases MicrodroidTestApp
Change-Id: Ibaaed365e970e6b9f2d458ccae4d128fd3b84f38
encryptedstore is Microdroid's dm-crypt based encryption solution. It
requires access to block device, mapper devices etc.
Test: Run a VM & look for sepolicy denials.
Bug: 241541860
Change-Id: I556f56a184fc7a1ea71d67c3e591cc567dab2431