Restrict access to certain vm_payload APIs
Require the USE_CUSTOM_VIRTUAL_MACHINE permission in order to use
certain APIs from the VM payload that should not be exposed to all
clients of the AVF API. The permission is inferred from the use of a VM
config file, which requires the permission. The permission is only
granted to platform and test components.
Use this new ability to prevent VM payloads from accessing the raw DICE
chain and attestation CDI.
Fix: 243514248
Test: atest MicrodroidTests ComposHostTestCases
Change-Id: I1fd65ee1d0f624bc3ff9143f597e455c84ed2b02
diff --git a/microdroid_manager/src/main.rs b/microdroid_manager/src/main.rs
index 748b497..00c3dce 100644
--- a/microdroid_manager/src/main.rs
+++ b/microdroid_manager/src/main.rs
@@ -404,6 +404,13 @@
)
.context("Failed to run zipfuse")?;
+ // Restricted APIs are only allowed to be used by platform or test components. Infer this from
+ // the use of a VM config file since those can only be used by platform and test components.
+ let allow_restricted_apis = match payload_metadata {
+ PayloadMetadata::config_path(_) => true,
+ PayloadMetadata::config(_) => false,
+ };
+
let config = load_config(payload_metadata).context("Failed to load payload metadata")?;
let task = config
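Review bot: The `allow_restricted_apis` decision is taken inside the guest from host-supplied `payload_metadata`, so the guest cannot itself verify that USE_CUSTOM_VIRTUAL_MACHINE was held; the comment should make that trust boundary explicit rather than only stating the inference. I would extend the comment with `// This trusts the host (presumably VirtualizationService) to have enforced the permission before accepting a config_path; the guest has no way to check it here.` The exhaustive `match` is the right shape, since any new `PayloadMetadata` variant must then be classified explicitly instead of silently inheriting access, and a one-line comment saying so (`// Exhaustive on purpose: a new variant must choose restricted or not.`) would stop a future maintainer from collapsing it into `matches!`. The enclosing function starts and ends outside this hunk, and the same `allow_restricted_apis` value is consumed by the `register_vm_payload_service` call in the second hunk.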
@@ -439,7 +446,7 @@
// Wait until zipfuse has mounted the APK so we can access the payload
wait_for_property_true(APK_MOUNT_DONE_PROP).context("Failed waiting for APK mount done")?;
- register_vm_payload_service(service.clone(), dice)?;
+ register_vm_payload_service(allow_restricted_apis, service.clone(), dice)?;
ProcessState::start_thread_pool();
system_properties::write("dev.bootcomplete", "1").context("set dev.bootcomplete")?;