Check file contexts only for protected VMs
... and stop relabelling the downloaded Debian OS image files.
Bug: 376194294
Bug: 377996109
Test: run Ferrochrome
Change-Id: Ie0745e623ed52869d1bc9b40b35df3e13e0cdc15
diff --git a/android/TerminalApp/java/com/android/virtualization/terminal/InstallerService.java b/android/TerminalApp/java/com/android/virtualization/terminal/InstallerService.java
index 4b2e640..a8b4ca2 100644
--- a/android/TerminalApp/java/com/android/virtualization/terminal/InstallerService.java
+++ b/android/TerminalApp/java/com/android/virtualization/terminal/InstallerService.java
@@ -64,9 +64,6 @@
? "https://dl.google.com/android/ferrochrome/latest/x86_64/images.tar.gz"
: "https://dl.google.com/android/ferrochrome/latest/aarch64/images.tar.gz";
- private static final String SELINUX_FILE_CONTEXT =
- "u:object_r:virtualizationservice_data_file:";
-
private final Object mLock = new Object();
private Notification mNotification;
@@ -162,9 +159,6 @@
mExecutorService.execute(
() -> {
boolean success = downloadFromSdcard() || downloadFromUrl(isWifiOnly);
- if (success) {
- reLabelImagesSELinuxContext();
- }
stopForeground(STOP_FOREGROUND_REMOVE);
synchronized (mLock) {
@@ -176,24 +170,6 @@
});
}
- private void reLabelImagesSELinuxContext() {
- File payloadFolder = InstallUtils.getInternalStorageDir(this).toFile();
-
- // The context should be u:object_r:privapp_data_file:s0:c35,c257,c512,c768
- // and we want to get s0:c35,c257,c512,c768 part
- String level = SELinux.getFileContext(payloadFolder.toString()).split(":", 4)[3];
- String targetContext = SELINUX_FILE_CONTEXT + level;
-
- File[] files = payloadFolder.listFiles();
- for (File file : files) {
- if (file.isFile() &&
- !Objects.equals(SELinux.getFileContext(file.toString()),
- targetContext)) {
- SELinux.setFileContext(file.toString(), targetContext);
- }
- }
- }
-
private boolean downloadFromSdcard() {
// Installing from sdcard is preferred, but only supported only in debuggable build.
if (Build.isDebuggable()) {
diff --git a/android/virtmgr/src/aidl.rs b/android/virtmgr/src/aidl.rs
index 1cae344..9a733b6 100644
--- a/android/virtmgr/src/aidl.rs
+++ b/android/virtmgr/src/aidl.rs
@@ -573,41 +573,42 @@
.or_binder_exception(ExceptionCode::SECURITY)?;
}
- // Check if partition images are labeled incorrectly. This is to prevent random images
- // which are not protected by the Android Verified Boot (e.g. bits downloaded by apps) from
- // being loaded in a pVM. This applies to everything but the instance image in the raw
- // config, and everything but the non-executable, generated partitions in the app
- // config.
- config
- .disks
- .iter()
- .flat_map(|disk| disk.partitions.iter())
- .filter(|partition| {
- if is_app_config {
- !is_safe_app_partition(&partition.label)
- } else {
- !is_safe_raw_partition(&partition.label)
- }
- })
- .try_for_each(check_label_for_partition)
- .or_service_specific_exception(-1)?;
+ let kernel = maybe_clone_file(&config.kernel)?;
+ let initrd = maybe_clone_file(&config.initrd)?;
+
+ if config.protectedVm {
+ // Fail fast with a meaningful error message in case device doesn't support pVMs.
+ check_protected_vm_is_supported()?;
+
+ // In a protected VM, we require custom kernels to come from a trusted source
+ // (b/237054515).
+ check_label_for_kernel_files(&kernel, &initrd).or_service_specific_exception(-1)?;
+
+ // Check if partition images are labeled incorrectly. This is to prevent random images
+ // which are not protected by the Android Verified Boot (e.g. bits downloaded by apps)
+ // from being loaded in a pVM. This applies to everything but the instance image in the
+ // raw config, and everything but the non-executable, generated partitions in the app
+ // config.
+ config
+ .disks
+ .iter()
+ .flat_map(|disk| disk.partitions.iter())
+ .filter(|partition| {
+ if is_app_config {
+ !is_safe_app_partition(&partition.label)
+ } else {
+ !is_safe_raw_partition(&partition.label)
+ }
+ })
+ .try_for_each(check_label_for_partition)
+ .or_service_specific_exception(-1)?;
+ }
// Check if files for payloads and bases are NOT coming from /vendor and /odm, as they may
// have unstable interfaces.
// TODO(b/316431494): remove once Treble interfaces are stabilized.
check_partitions_for_files(config).or_service_specific_exception(-1)?;
- let kernel = maybe_clone_file(&config.kernel)?;
- let initrd = maybe_clone_file(&config.initrd)?;
-
- if config.protectedVm {
- // In a protected VM, we require custom kernels to come from a trusted source
- // (b/237054515).
- check_label_for_kernel_files(&kernel, &initrd).or_service_specific_exception(-1)?;
- // Fail fast with a meaningful error message in case device doesn't support pVMs.
- check_protected_vm_is_supported()?;
- }
-
let zero_filler_path = temporary_directory.join("zero.img");
write_zero_filler(&zero_filler_path)
.context("Failed to make composite image")
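Review bot: The new `if config.protectedVm` block that begins after the `let initrd` line now skips both the kernel/initrd label check and the partition label check for non-protected VMs, and nothing in the hunk records that this relaxation is deliberate rather than an oversight. A one-line comment before the `if` would make the boundary explicit for the next reader, e.g. `// File-context checks are a pVM-only requirement; a non-protected VM may boot images that are not AVB-protected (e.g. files an app downloaded).` The enclosing function starts and ends outside the hunk, so its doc comment (if it describes the label checks) should state the same condition. Moving `check_protected_vm_is_supported()` ahead of the label checks matches the "fail fast" comment and is fine as written.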