compos_verity: don't write to log file
This fixes an SELinux denial like:
avc: denied { write } for name="vm_console.log" dev="dm-60" ino=2815
scontext=u:r:compos_verify:s0
tcontext=u:object_r:apex_compos_data_file:s0 tclass=file permissive=0
Bug: 223784827
Test: atest com.android.tests.odsign.CompOsSigningHostTest\
#checkFileCreationTimeAfterVmStartAndBeforeReboot
-> Pass only with this fix
Change-Id: I823b5ac09f742bfb4d30674b7f4f23a82a152e7a
diff --git a/compos/common/compos_client.rs b/compos/common/compos_client.rs
index d738e39..9787434 100644
--- a/compos/common/compos_client.rs
+++ b/compos/common/compos_client.rs
@@ -68,6 +68,8 @@
pub config_path: Option<String>,
/// If present, overrides the amount of RAM to give the VM
pub memory_mib: Option<i32>,
+ /// Never save VM logs to files.
+ pub never_log: bool,
}
impl VmInstance {
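Review bot: The doc comment on the new `never_log` field should state how it relates to the debug level, because the condition in `start` short-circuits on it before the debug level is consulted; suggest `/// If true, no console or system log files are created under the data directory, regardless of the debug level.` A second sentence noting that the `bool` default is `false`, so callers using `..Default::default()` keep the previous behaviour, would help readers who only see the struct. The struct's header is outside the hunk.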
@@ -109,7 +111,9 @@
(true, false) => DebugLevel::NONE,
};
- let (console_fd, log_fd) = if debug_level != DebugLevel::NONE {
+ let (console_fd, log_fd) = if parameters.never_log || debug_level == DebugLevel::NONE {
+ (None, None)
+ } else {
// Console output and the system log output from the VM are redirected to file.
let console_fd = File::create(data_dir.join("vm_console.log"))
.context("Failed to create console log file")?;
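Review bot: The reordered condition on the new `let (console_fd, log_fd) = if parameters.never_log || debug_level == DebugLevel::NONE` line has no comment explaining why `never_log` wins over a non-NONE debug level, and the existing comment about redirecting output to files now only describes the `else` arm. A short comment on the `if` line would carry the rationale given in the commit message, e.g. `// Callers that cannot write to data_dir (e.g. the verifier, per SELinux policy) opt out of log capture entirely, whatever the debug level.` The enclosing function begins outside the hunk.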
@@ -117,10 +121,8 @@
.context("Failed to create system log file")?;
let console_fd = ParcelFileDescriptor::new(console_fd);
let log_fd = ParcelFileDescriptor::new(log_fd);
- info!("Running in debug mode");
+ info!("Running in debug level {:?}", debug_level);
(Some(console_fd), Some(log_fd))
- } else {
- (None, None)
};
let config_path = parameters.config_path.as_deref().unwrap_or(DEFAULT_VM_CONFIG_PATH);
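Review bot: The replaced `info!("Running in debug level {:?}", debug_level);` sits inside the arm that creates the log files, so when `never_log` is set (the new early case in the preceding hunk) the effective debug level is never logged, even though the VM still runs at `debug_level`. Emitting it unconditionally just before `let (console_fd, log_fd) = …` keeps the diagnostic independent of whether files are written: move `info!("Running in debug level {:?}", debug_level);` ahead of the `if`. The `if` expression begins in the previous hunk and the enclosing function starts outside both.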
diff --git a/compos/verify/verify.rs b/compos/verify/verify.rs
index 7b77c18..14ce798 100644
--- a/compos/verify/verify.rs
+++ b/compos/verify/verify.rs
@@ -104,7 +104,7 @@
instance_image,
&idsig,
&idsig_manifest_apk,
- &VmParameters { debug_mode, ..Default::default() },
+ &VmParameters { debug_mode, never_log: !debug_mode, ..Default::default() },
)?;
let service = vm_instance.get_service()?;