Run app payloads as non-root.
This is in preparation before moving to running multiple payload
processes in multiple UIDs.
Add a new payload user and group in the system-reserved range, only
within Microdroid, and assign them to the payload process. Fix up a
bunch of DAC permissions to make sure the payload still has access to
the things it should have.
Add a test to check we aren't running as root, and make some minor
test fixes.
This is a potentially breaking change, so for now I've disabled it via
Rust conditional compilation (and marked the new test as @Ignore). I
claim the changes that aren't protected by this are harmless.
I've run tests with and without the cfg option enabled.
Unrelated changes done in passing:
- Move a comment from reference to definition.
- Make sure encryptedstore logs any errors in full.
- Use with_context in a few more places.
Bug: 296393106
Test: atest MicrodroidTests
Change-Id: I6648580615a9fce906dd170f999e11f63e5874d9
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index 2d3f084..1e594b7 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -54,6 +54,8 @@
deps: [
"init_second_stage.microdroid",
"microdroid_build_prop",
+ "microdroid_etc_passwd",
+ "microdroid_etc_group",
"microdroid_init_debug_policy",
"microdroid_init_rc",
"microdroid_ueventd_rc",
@@ -156,6 +158,20 @@
installable: false, // avoid collision with system partition's ueventd.rc
}
+prebuilt_etc {
+ name: "microdroid_etc_passwd",
+ src: "microdroid_passwd",
+ filename: "passwd",
+ installable: false,
+}
+
+prebuilt_etc {
+ name: "microdroid_etc_group",
+ src: "microdroid_group",
+ filename: "group",
+ installable: false,
+}
+
prebuilt_root {
name: "microdroid_build_prop",
filename: "build.prop",
diff --git a/microdroid/init.rc b/microdroid/init.rc
index 42033d6..91931ab 100644
--- a/microdroid/init.rc
+++ b/microdroid/init.rc
@@ -28,6 +28,10 @@
on init
mkdir /mnt/apk 0755 system system
mkdir /mnt/extra-apk 0755 root root
+
+ # Allow the payload access to the console (default is 0600)
+ chmod 0666 /dev/console
+
# Microdroid_manager starts apkdmverity/zipfuse/apexd
start microdroid_manager
diff --git a/microdroid/microdroid_group b/microdroid/microdroid_group
new file mode 100644
index 0000000..4eb8fa5
--- /dev/null
+++ b/microdroid/microdroid_group
@@ -0,0 +1 @@
+system_payload::6000:
diff --git a/microdroid/microdroid_passwd b/microdroid/microdroid_passwd
new file mode 100644
index 0000000..bd15182
--- /dev/null
+++ b/microdroid/microdroid_passwd
@@ -0,0 +1 @@
+system_payload_0::6000:6000:::