Commit graph

99 commits

Author SHA1 Message Date
Jiyong Park
c9a7de49ea Revert "use dalvik.vm.boot-dex2oat-threads inside microdroid"
This reverts commit eee72d6cb3d9f5c6001192247861b28cb0787827.

REASON: not needed. See the other CL in the same topic.
Bug: 197358423
Test: m
Change-Id: Ice0813ed9e349e37c83b163e2c21f17bb1105013
2022-01-19 01:37:18 +09:00
Treehugger Robot
4da68c0fe4 Merge "use dalvik.vm.boot-dex2oat-threads inside microdroid" 2022-01-18 13:40:30 +00:00
Alan Stokes
50d2195cab Allow compos to use diced
Bug: 214233409
Test: composd_cmd dice
Change-Id: I82b4bd87db879f378d2fafb6e2db7e2544fef5de
2022-01-17 15:48:00 +00:00
Alan Stokes
f3ec0742ed Add diced security class
Add diced to security_class and access_vectors so it can check its
permissions inside Microdroid.

This was part of commit 2b6c6063ae outside the VM.

Bug: 214231981
Test: composd_cmd dice
Change-Id: Ia503db183d16a4efcb975f654bb4483df44f51ad
2022-01-17 15:42:32 +00:00
Jiyong Park
2832f957e7 Merge "Add policies for diced and hal_dice in microdroid" 2022-01-17 13:29:34 +00:00
Jiyong Park
1d9c9ba231 use dalvik.vm.boot-dex2oat-threads inside microdroid
Previously, all dalvik.vm.* properties were not used / ignored in
Microdroid. However this change makes use of
dalvik.vm.boot-dex2oat-threads which controls the concurrency level of
dex2oat.

Specifically, on the host-side, the number of vCPUs in the compos VM is
configured from the system property having the same name. Then inside
the compos VM, compsvc which runs in the compos domain, sets the system
property to be the number of vCPUs in the VM. In other words, the system
properties get the same value both in the host and the guest VMs. Then
finally, the dex2oat process running inside the VM reads the system
property and configures its concurrency level accordingly.

Bug: 197358423
Test: run compos

Change-Id: I8d2394a7192a7b55a910f317e12e2b1f60b89636
2022-01-14 00:40:49 +09:00
Treehugger Robot
70cd2da646 Merge "Allow authfs to read extra APK mount" 2022-01-13 01:06:01 +00:00
Jiyong Park
8948c1ce4b Add policies for diced and hal_dice in microdroid
Bug: 214231981
Test: run microdroid and check diced is up and running
Change-Id: I605d7d6a790b8a14e575e67e1dcf02eaf7a5eafc
2022-01-13 01:37:00 +09:00
Alan Stokes
67a8605deb Remove obsolete ioctl allow
No longer used, so remove the allow.

Bug: 199259751
Test: Presubmits
Change-Id: Iea61d29d14b13de86f7fbd6b6e416eea745b615e
2022-01-07 10:42:17 +00:00
Victor Hsieh
a59b030341 Allow authfs to read extra APK mount
Bug: 206869687
Test: Add debug log to compos.  See correct content from the proto.
Change-Id: I4f2b4096808efc1b15c218a225b451731f37e43d
2022-01-05 15:21:51 -08:00
Alan Stokes
d313282433 Allow compos to run derive_classpath
We run it in the compos domain, since it doesn't require very much
additional access.

Bug: 189164487
Test: composd_cmd test-compile
Change-Id: I9ef26dd60225505086e45185289e3e03d0a8de8e
2022-01-05 18:06:27 +00:00
Treehugger Robot
76867eabd1 Merge "Remove inaccurate comment" 2021-12-20 10:59:29 +00:00
Victor Hsieh
048866ca7d Remove inaccurate comment
... from 14f188718a

Bug: None
Test: None
Change-Id: I133bc96f4cf7ae4092fef8ee4eac9533524a71b1
2021-12-16 13:56:48 -08:00
Treehugger Robot
a6d6b6aee8 Merge "Add apexd_payload_metadata_prop" 2021-12-16 19:18:43 +00:00
Victor Hsieh
6e5eb7cb11 Merge "Allow dex2oat to search in authfs directories" 2021-12-16 16:23:49 +00:00
Alan Stokes
14f188718a Grant compos permissions for signing
CompOS needs to read the artifacts on authfs that odrefresh has
created and write signature files for them.

(But it no longer needs to create any directories, so removed that.)

Fixes:
avc: denied { open } for comm="compsvc"
path="/data/misc/authfs/1/11/test-artifacts/...art" dev="fuse" ino=81
scontext=u:r:compos:s0 tcontext=u:object_r:authfs_fuse:s0 tclass=file
permissive=0
avc: denied { create } for comm="compsvc" name="compos.info"
scontext=u:r:compos:s0 tcontext=u:object_r:authfs_fuse:s0 tclass=file
permissive=0

Bug: 161471326
Test: composd_cmd async_odrefresh (with microdroid selinux enforced)
Change-Id: Ie02dedf1f18926cdbbd39e4a950c5aec80adee32
2021-12-16 13:40:38 +00:00
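The two avc denials quoted in the commit message above are the usual raw material for a policy change like this one. As an added example (not part of this commit or of the sepolicy project), the Python script below parses such denial lines and merges them into the allow rule they imply, grouped by (source type, target type, class). The sample log lines are constructed from the commit message, re-joined onto single lines as the kernel audit log emits them; the elided path ("...art") is kept exactly as the page shows it.

```python
import re
from collections import defaultdict

# Constructed sample input: the two denials quoted in the commit message
# above, re-joined onto single lines as the kernel audit log emits them.
# The elided path ("...art") is left exactly as the page shows it.
SAMPLE_DENIALS = [
    'avc: denied { open } for comm="compsvc" '
    'path="/data/misc/authfs/1/11/test-artifacts/...art" dev="fuse" ino=81 '
    'scontext=u:r:compos:s0 tcontext=u:object_r:authfs_fuse:s0 tclass=file '
    'permissive=0',
    'avc: denied { create } for comm="compsvc" name="compos.info" '
    'scontext=u:r:compos:s0 tcontext=u:object_r:authfs_fuse:s0 tclass=file '
    'permissive=0',
]

# Shape: avc: denied { perm perm } for key=value key="quoted value" ...
# search() rather than match() so a leading "type=1400 audit(...):" or a
# logcat timestamp prefix is tolerated.
_DENIAL_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denial(line):
    """Return the denial's key=value fields plus a 'perms' set, or None."""
    m = _DENIAL_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('rest'))}
    fields['perms'] = set(m.group('perms').split())
    for required in ('scontext', 'tcontext', 'tclass'):
        if required not in fields:
            return None
    return fields


def context_type(ctx):
    """Extract the type from an SELinux context user:role:type[:range]."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError('malformed security context: %r' % ctx)
    return parts[2]


def rules_from_denials(lines):
    """Merge denials into {(source_type, target_type, tclass): perms}."""
    merged = defaultdict(set)
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue
        key = (context_type(d['scontext']),
               context_type(d['tcontext']),
               d['tclass'])
        merged[key] |= d['perms']
    return dict(merged)


def format_rules(rules):
    """Render merged rules in .te syntax, one allow per (source, target, class)."""
    out = []
    for (src, tgt, cls) in sorted(rules):
        perms = sorted(rules[(src, tgt, cls)])
        perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
        out.append('allow %s %s:%s %s;' % (src, tgt, cls, perm_str))
    return out


if __name__ == '__main__':
    for rule in format_rules(rules_from_denials(SAMPLE_DENIALS)):
        print(rule)
```

Run stand-alone, it prints the single merged rule `allow compos authfs_fuse:file { create open };`. A generated rule is only a candidate, not something to paste into policy unreviewed: the commit message itself shows the pruning step (directory creation was dropped because it is no longer needed), and the "More neverallow rules" commit further down this page is the other half of that process, catching candidate rules that grant access the VM policy is meant to forbid.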
Richard Fung
0c7c2679b0 Add apexd_payload_metadata_prop
This should be read-only and corresponds to apexd.payload_metadata.path

Bug: 191097666
Test: android-sh -c 'setprop apexd.payload_metadata.path'
See permission denied
atest MicrodroidHostTestCases

Change-Id: Ifcb7da1266769895974d4fef86139bad5891a4ec
2021-12-16 03:00:06 +00:00
Victor Hsieh
a341025f87 Allow odrefresh to use FD inherited from compsvc
If FD use is not allowed, execve(2) returns EACCES and the process is
killed by SIGSEGV.

Minijail closes any FDs by default and opens /dev/null for FD 0-2. For
now, odrefresh doesn't use any FD. But until we can tell minijail to
not create FD 0-2 (which could be arguable), allow the permission.

Bug: 210909688
Test: composd_cmd async-odrefresh # exit 80 in enforced mode
Change-Id: I8643d8bfc8da03439a04491fba5ba6de663760eb
2021-12-15 16:54:28 -08:00
Victor Hsieh
e2a4d0c918 Allow dex2oat to search in authfs directories
dex2oat checks that $ANDROID_ROOT exists, which is a directory in an authfs
mount. Give it permission to search along the path.

Strictly speaking, this doesn't change how dex2oat executes in this
particular case, for now. Functions like LocationIsOnSystemFramework
make sure getenv(ANDROID_ROOT) exists. But either way, for those kinds of
location checks, it won't match the mount path in /data/misc/authfs
anyway.

Bug: 205750213
Test: no more SELinux denials from dex2oat
Change-Id: I1b52dfdeb057443304f02784b6aa180d7db28bd8
2021-12-15 13:37:34 -08:00
Victor Hsieh
b415c7388f Declare dalvik.vm. property and dontaudit explicitly
dex2oat currently uses some properties as flags (see
art/libartbase/base/flags.cc). For CompOS, we don't really need such
properties, and actually should avoid global state. So dontaudit
explicitly.

Bug: 210030607
Test: no more default_prop denials for dex2oat
Change-Id: I10852f2a7df4dac7a9389eab3f53f91328104f96
2021-12-15 09:30:22 -08:00
Victor Hsieh
3ea775e483 Include log.tag and persist.log.tag in log_tag_prop
The two properties are not just prefixes. See __android_log_level in
system/logging/liblog/properties.cpp.

Bug: 210030607
Test: no longer seeing denials with default_prop in odrefresh
Change-Id: If2c9cba7aa65802e81c79c7d3d9735cbf14a6efa
2021-12-15 09:21:23 -08:00
Victor Hsieh
fe95b5b318 Define ro.build.version.{codename,sdk} in microdroid
The `__builtin_available` macro is used in several libraries in
microdroid, including liblog. The macro internally uses
ro.build.version.{codename,sdk}[1]. This change defines the context for
these properties.

[1] https://reviews.llvm.org/rG516a01b5f36d4188778a34202cd11856d70ac808

Bug: 210030607
Test: No longer seeing denied access of default_prop from odrefresh
Change-Id: I51bc52f679a174daccc05a1e2d6c9fda9e6b12cb
2021-12-15 08:11:13 -08:00
Jeff Vander Stoep
bc0fa66cbe Policy for using Apex sepolicy
Bug: 199914227
Test: aosp/1910032
Change-Id: I0726facbf0c28c486ef6501718a6013a040e4b0e
2021-12-14 13:54:03 +01:00
Alan Stokes
6e48ea981a Merge "Revert "Revert "More neverallow rules""" 2021-12-10 10:27:13 +00:00
Alan Stokes
9c2e162e87 Revert "Revert "More neverallow rules""
This reverts commit a0e49cea04.

Reason for revert: I don't think this was the culprit after all
Bug: 204853211

Change-Id: Iadc1c8df5ec2affcdbbf9e7bdc3eac54c47f4ebf
2021-12-10 09:06:08 +00:00
Alan Stokes
c6c31eb7b3 Merge "Revert "More neverallow rules"" 2021-12-09 14:06:35 +00:00
Treehugger Robot
c9d812e359 Merge "Run Virtualization tests when we change microdroid policy" 2021-12-09 13:12:55 +00:00
Treehugger Robot
8a564d32b7 Merge "Remove obsolete TODO" 2021-12-09 11:53:29 +00:00
Alan Stokes
fe9cfa610e Run Virtualization tests when we change microdroid policy
Bug: 204853211
Test: N/A
Change-Id: Ic5c921ad4980fb01e20a5765e5049812f6664dfb
2021-12-09 11:35:36 +00:00
Alan Stokes
a0e49cea04 Revert "More neverallow rules"
This reverts commit 72c0134384.

Reason for revert: Looks like this may have broken ComposHostTestCases
Bug: 204853211

Change-Id: I83816a49d3be056e4c9a718ea02911ca022cb984
2021-12-09 11:19:52 +00:00
Inseob Kim
28d0530c35 Remove obsolete TODO
Bug: 208722875
Test: N/A
Change-Id: I7ac440164140d7b95a1a7674e219bf9c2b1b83bd
2021-12-09 19:05:54 +09:00
Treehugger Robot
3e664a0e6d Merge "Allow odrefresh to read from a pipe from compos" 2021-12-09 09:45:30 +00:00
Victor Hsieh
1494f6b9a5 Allow odrefresh to read from a pipe from compos
This is copied from dex2oat.te. By using minijail, the child process
currently needs to communicate with the parent over a pipe before
actually exec'ing the executable.

Bug: 205750213
Test: no longer see the avc error
Change-Id: I4d59fc8d32150d9e08abba06203eb5164ecd3c75
2021-12-08 15:00:22 -08:00
Alan Stokes
72c0134384 More neverallow rules
When we cut down microdroid policy we removed a whole lot of
neverallow rules that were in public/domain.te. Many of these are
irrelevant, but there are some that look quite important. So this CL
restores many of them. This makes no immediate difference (none of
these rules are currently violated, except as mentioned below), but it
might catch mistakes, or at least make us stop and think before
introducing potentially risky policy changes.

Process:
- Paste in all the neverallow rules from public/domain.te in Android
  policy.
- Delete all references to non-existent labels.
- Delete everything marked full-treble-only.

I also deleted some attributes we clearly don't need, and hence
associated neverallows. (I suspect there are more attributes we could
remove.)

And then I fixed a neverallow violation for microdroid_payload - we
were allowing it unrestricted ioctl access.

Bug: 204853211
Test: Policy builds without error
Test: No denials running composd_cmd forced-compile-test
Change-Id: I21035dee93a881b34941338cc7ce82503cc65e59
2021-12-08 14:56:45 +00:00
Alan Stokes
26239da92b Restrict making memory executable
All code must reside in files.

Bug: 204853211
Test: Builds, no neverallow violations
Change-Id: I124a4c567fff76e143582e189b8cb9feeae5d7d0
2021-12-08 12:36:05 +00:00
Inseob Kim
8565b96a3a microdroid: Add support for extra apk files
extra_apk_file is a new label only for APK files passed to microdroid.
microdroid_manager will create directories under /mnt/extra-apk/, and
zipfuse will mount APK block devices to the directories.

Currently only payload can read the files.

Bug: 205224817
Test: manually edit vm config and see APK files mounted
Change-Id: Ie5afb3156f22bb18979ec70904be675e8ff285a7
2021-12-08 14:10:28 +09:00
Treehugger Robot
9a93d79a92 Merge changes I81ab0a73,Ia66015b7
* changes:
  Allow compsvc to execute odrefresh
  Allow composd to run fd_server
2021-12-08 00:28:52 +00:00
Victor Hsieh
f97cc1fd26 Allow compsvc to execute odrefresh
Bug: 205750213
Test: /apex/com.android.compos/bin/composd_cmd forced-odrefresh
      # With SELinux enforced in the VM, plus some hacks in ART,
      # observed odrefresh exited 80.
Change-Id: I81ab0a73314fdcea69c69350c792ff7acab5aab8
2021-12-07 08:08:00 -08:00
Jiyong Park
3db645b83d Allow microdroid_manager to read /proc/bootconfig
... so that it can ensure that the bootconfig hasn't changed since the
last boot.

Bug: 208639280
Test: m
Change-Id: I2310a0df0ebbef9d6fe47dbad2538ecbe7bc84e6
2021-12-06 21:16:09 +09:00
Treehugger Robot
f5646ff42b Merge "Add logd.ready" 2021-12-02 03:34:00 +00:00
Inseob Kim
2df19cba08 microdroid: Run apk mount utils from MM
For now, the command for apkdmverity and zipfuse is hard-coded in the
init script file. To support passing extra APKs, microdroid_manager
needs to parse the vm config, and then manually run apkdmverity and
zipfuse with appropriate parameters.

Bug: 205224817
Test: atest MicrodroidHostTestCases ComposHostTestCases
Change-Id: I482b548b2a414f3b5136cea199d551cc88402caf
2021-12-01 19:46:33 +09:00
Jiyong Park
ff3048349a Add logd.ready
logd.ready is a system property that logd sets when it is ready to
serve incoming socket requests for reading and writing logs. Clients of
logd (e.g. logcat) can use this to synchronize with logd, otherwise they
may experience a crash due to the refused socket connection to logd when
they are started before logd is ready.

Bug: 206826522
Test: run microdroid. see logcat logs are shown immediately
Change-Id: Iee13485b0f4c2beda9bc8434f514c4e32e119492
2021-11-30 15:10:53 +09:00
Bart Van Assche
5e016c1721 Merge "Stop using the bdev_type and sysfs_block_type SELinux attributes" 2021-11-05 20:36:02 +00:00
Jiyong Park
2f3e4c0bec microdroid: add /dev/hvc2
Similar to Cuttlefish, Microdroid now has three virtio-console devices.

Bug: 200914564
Test: run MicrodroidDemoApp
Change-Id: I86f9e6298ca0fdccfc2186989126cdd18812caef
2021-11-01 18:41:46 +09:00
Bart Van Assche
4374a1fd83 Stop using the bdev_type and sysfs_block_type SELinux attributes
Stop using these SELinux attributes since the apexd and init SELinux
policies no longer rely on these attributes.

The difference between the previous versions of this patch and the
current patch is that the current patch does not remove any SELinux
attributes. See also
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1850656.
See also
https://android-review.googlesource.com/c/platform/system/sepolicy/+/1862919.

This patch includes a revert of commit 8b2b951349 ("Restore permission
for shell to list /sys/class/block").  That commit is no longer necessary
since it was a bug fix for the introduction of the sysfs_block type.

Bug: 202520796
Test: source build/envsetup.sh && lunch aosp_x86_64 && m && launch_cvd
Change-Id: I73e1133af8146c154af95d4b96132e49dbec730c
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2021-10-29 15:22:09 -07:00
Jooyung Han
c75eca682e microdroid: add sys.powerctl property
And microdroid_manager can set it to shut down when verification fails.

Bug: 204073443
Test: MicrodroidHostTestCases
Change-Id: I12ec7c8b832f5d1e382961ce7866502c2cc8a9b8
2021-10-28 11:09:48 +09:00
Jiyong Park
bd35627371 microdroid: introduce logcat domain
In Microdroid, logcat is started as a daemon process (whose service name
is seriallogging) whose job is to read logs from logd and send them to
the host side via a virtual console.

The daemon process is controlled by microdroid_manager, so the process
is given write access to ctl.start$seriallogging and also to some
sysprops originating from bootconfig so that it can know if the VM is
configured as debuggable or not.

Bug: 200914564
Test: start microdroid using the vm tool. logcat logs are shown in
stdout.

Change-Id: I79bc6486ae1f84515ad31a09e24d8368fb54bc6d
2021-10-25 20:29:28 +09:00
Treehugger Robot
c0cd637049 Merge "Label /dev/hvcN paths" 2021-10-20 08:17:15 +00:00
Treehugger Robot
028e88f578 Merge "microdroid: Remove microdroid_app dontaudit" 2021-10-20 07:10:32 +00:00
Jiyong Park
f264d79bf8 Label /dev/hvcN paths
They are virtual console devices. Label them as serial_devices.

Bug: 200914564
Test: m
Change-Id: I6a178360fa9977e9b50b0c07da2a506114369189
2021-10-19 22:43:45 +09:00