Add USE_CUSTOM_VIRTUAL_MACHINE permission

A package must be granted the USE_CUSTOM_VIRTUAL_MACHINE permission to
create a protected VM from a raw config.

Bug: 207769805
Test: atest MicrodroidHostTestCases
Change-Id: I222b110f0634c0e4658ed192099d4af6c5b3debe
diff --git a/virtualizationservice/src/aidl.rs b/virtualizationservice/src/aidl.rs
index 41cc4a5..23febed 100644
--- a/virtualizationservice/src/aidl.rs
+++ b/virtualizationservice/src/aidl.rs
@@ -362,6 +362,13 @@
         is_protected: &mut bool,
     ) -> binder::Result<Strong<dyn IVirtualMachine>> {
         check_manage_access()?;
+
+        if let VirtualMachineConfig::RawConfig(config) = config {
+            if config.protectedVm {
+                check_use_custom_virtual_machine()?;
+            }
+        }
+
         let state = &mut *self.state.lock().unwrap();
         let console_fd = console_fd.map(clone_file).transpose()?;
         let log_fd = log_fd.map(clone_file).transpose()?;
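Review bot: The new gate on the `RawConfig`/`protectedVm` branch carries no comment saying why a second permission is demanded on top of the `check_manage_access()` call just above it, which is exactly what a later maintainer needs before loosening or extending the condition; I would put `// A protected VM built from a raw config is a "custom" VM: require USE_CUSTOM_VIRTUAL_MACHINE in addition to MANAGE_VIRTUAL_MACHINE.` above the `if let`. The comment should also state that only the `RawConfig` variant is gated — a protected VM requested through any other config variant is not checked here, which matches the commit description but reads as an accidental gap without that sentence. The nested `if let` plus inner `if` can be one condition, `if matches!(config, VirtualMachineConfig::RawConfig(c) if c.protectedVm) { check_use_custom_virtual_machine()?; }`. Placing the check before `self.state.lock()` is the right order, since a denied caller then never touches shared state. The enclosing method's signature and the rest of its body lie outside the hunk.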
@@ -729,6 +736,11 @@
     check_permission("android.permission.MANAGE_VIRTUAL_MACHINE")
 }
 
+/// Check whether the caller of the current Binder method is allowed to create custom VMs
+fn check_use_custom_virtual_machine() -> binder::Result<()> {
+    check_permission("android.permission.USE_CUSTOM_VIRTUAL_MACHINE")
+}
+
 /// Check if a partition has selinux labels that are not allowed
 fn check_label_for_partition(partition: &Partition) -> Result<()> {
     let ctx = getfilecon(partition.image.as_ref().unwrap().as_ref())?;
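Review bot: The doc comment on `check_use_custom_virtual_machine` says it decides whether the caller may "create custom VMs", but the only call site added in this commit invokes it for the `RawConfig` + `protectedVm` case and only after `check_manage_access()` has already passed, so the comment overstates what the helper gates. I would make it `/// Check whether the caller of the current Binder method holds USE_CUSTOM_VIRTUAL_MACHINE; used in addition to MANAGE_VIRTUAL_MACHINE when a protected VM is created from a raw config.` so the two helpers read as a pair. Where the permission string itself is declared and granted is not visible in this diff, so I cannot confirm the test app referenced in the Test: trailer actually holds it. `check_label_for_partition` continues past the end of the hunk.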