Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_modules_Virtualization / 029977d76036af837c33e1d672bf21a29300ac8e^! / . / virtualizationservice / Android.bp
commit029977d76036af837c33e1d672bf21a29300ac8e[log] [tgz]
authorJiyong Park <jiyong@google.com>Wed Nov 24 21:56:49 2021 +0900
committerJiyong Park <jiyong@google.com>Fri Nov 26 00:28:20 2021 +0900
treef49e817947a7f0ca9f8a1319aa6ed74f99306a26
parentf67031972de783754ee2c7ba819833f058727d82 [diff] [blame]
Don't allow disk images labeled as app_data_file

At least for T, we don't want to have a VM that is running a disk image
that is not protected by AVB (Android Verified Boot). This means that
the disk images must be from file in the built-in partitions (like
system) or their updates (because updates are guaranteed to be from the
same signer).

This rule is currently being enforced by selinux policies around crosvm.
However, there is one exception. It has the following allow rule.

allow crosvm app_data_file:file { read ...};

app_data_file is for any file that is owned and dynamically created by
apps. They could be a file downloaded from Internet, and therefore is
definitely not protected by AVB. The only reason we have the above allow
rule is the instance image. The file is mutable because it has per-VM
identity information that is written when a pVM is first created. The
file is owned by the owning app, otherwise other apps would be able to
start the same VM. In other words, we don't intend to allow any
app_data_file to be loadable in a pVM. But such an intention can't be
expressed in sepolicy.

This CL augments the sepolicy by adding a runtime check in
virtualizationservice. Specifically, it rejects to spawn a VM if any of
the disk images is labeled as app_data_file, except for the disk image
for the instance partition.

Bug: 204852957
Test: adb shell chcon u:object_r:app_data_file:s0 /data/local/tmp/virt/MicrodroidDemoApp.apk
adb shell /apex/com.android.virt/bin/vm run-app --debug full \
/data/local/tmp/virt/MicrodroidDemoApp.apk \
/data/local/tmp/virt/MicrodroidDemoApp.apk.idsig \
/data/local/tmp/virt/instance.img assets/vm_config.json \

gives the following error as expected.

Status(-8, EX_SERVICE_SPECIFIC): '-1: Partition microdroid-apk shouldn't
be labeld as u:object_r:app_data_file:s0'

Change-Id: Ia7081b8ecb2db1ecc1f7d4941a305ccff6016f3e

diff --git a/virtualizationservice/Android.bp b/virtualizationservice/Android.bp
index 18d8ade..37350ff 100644
--- a/virtualizationservice/Android.bp
+++ b/virtualizationservice/Android.bp

@@ -36,9 +36,10 @@
         "libmicrodroid_payload_config",
         "libonce_cell",
         "librustutils",
+        "libselinux_bindgen",
+        "libserde",
         "libserde_json",
         "libserde_xml_rs",
-        "libserde",
         "libshared_child",
         "libvmconfig",
         "libzip",
@@ -48,6 +49,7 @@
     ],
     shared_libs: [
         "libbinder_rpc_unstable",
+        "libselinux",
     ],
 }