Merge "Make authfs start optional"
diff --git a/compos/apk/assets/vm_config.json b/compos/apk/assets/vm_config.json
index c4abfd9..1f5cdba 100644
--- a/compos/apk/assets/vm_config.json
+++ b/compos/apk/assets/vm_config.json
@@ -26,5 +26,6 @@
       "name": "{CLASSPATH}"
     }
   ],
-  "export_tombstones": true
+  "export_tombstones": true,
+  "enable_authfs": true
 }
diff --git a/compos/apk/assets/vm_config_staged.json b/compos/apk/assets/vm_config_staged.json
index 0be6e78..37b1d7a 100644
--- a/compos/apk/assets/vm_config_staged.json
+++ b/compos/apk/assets/vm_config_staged.json
@@ -27,5 +27,6 @@
       "name": "{CLASSPATH}"
     }
   ],
-  "export_tombstones": true
+  "export_tombstones": true,
+  "enable_authfs": true
 }
diff --git a/compos/apk/assets/vm_config_system_ext.json b/compos/apk/assets/vm_config_system_ext.json
index e60dee7..1ef43f0 100644
--- a/compos/apk/assets/vm_config_system_ext.json
+++ b/compos/apk/assets/vm_config_system_ext.json
@@ -29,5 +29,6 @@
       "name": "{CLASSPATH}"
     }
   ],
-  "export_tombstones": true
+  "export_tombstones": true,
+  "enable_authfs": true
 }
diff --git a/compos/apk/assets/vm_config_system_ext_staged.json b/compos/apk/assets/vm_config_system_ext_staged.json
index 99a4160..9103a9e 100644
--- a/compos/apk/assets/vm_config_system_ext_staged.json
+++ b/compos/apk/assets/vm_config_system_ext_staged.json
@@ -30,5 +30,6 @@
       "name": "{CLASSPATH}"
     }
   ],
-  "export_tombstones": true
+  "export_tombstones": true,
+  "enable_authfs": true
 }
diff --git a/compos/src/compsvc.rs b/compos/src/compsvc.rs
index 7ce60cd..3dbb4da 100644
--- a/compos/src/compsvc.rs
+++ b/compos/src/compsvc.rs
@@ -117,7 +117,7 @@
             ));
         }
 
-        let context = to_binder_result(OdrefreshContext::new(
+        let context = OdrefreshContext::new(
             compilation_mode,
             system_dir_fd,
             if system_ext_dir_fd >= 0 { Some(system_ext_dir_fd) } else { None },
@@ -126,21 +126,9 @@
             target_dir_name,
             zygote_arch,
             system_server_compiler_filter,
-        ))?;
+        );
 
-        let authfs_service = binder::get_interface(AUTHFS_SERVICE_NAME)?;
-        let exit_code = to_binder_result(
-            odrefresh(&self.odrefresh_path, context, authfs_service, |output_dir| {
-                // authfs only shows us the files we created, so it's ok to just sign everything
-                // under the output directory.
-                let mut artifact_signer = ArtifactSigner::new(&output_dir);
-                add_artifacts(&output_dir, &mut artifact_signer)?;
-
-                artifact_signer.write_info_and_signature(&output_dir.join("compos.info"))
-            })
-            .context("odrefresh failed"),
-        )?;
-        Ok(exit_code as i8)
+        to_binder_result(context.and_then(|c| self.do_odrefresh(c)))
     }
 
     fn getPublicKey(&self) -> BinderResult<Vec<u8>> {
@@ -158,6 +146,23 @@
     }
 }
 
+impl CompOsService {
+    fn do_odrefresh(&self, context: OdrefreshContext) -> Result<i8> {
+        let authfs_service = binder::get_interface(AUTHFS_SERVICE_NAME)
+            .context("Unable to connect to AuthFS service")?;
+        let exit_code = odrefresh(&self.odrefresh_path, context, authfs_service, |output_dir| {
+            // authfs only shows us the files we created, so it's ok to just sign everything
+            // under the output directory.
+            let mut artifact_signer = ArtifactSigner::new(&output_dir);
+            add_artifacts(&output_dir, &mut artifact_signer)?;
+
+            artifact_signer.write_info_and_signature(&output_dir.join("compos.info"))
+        })
+        .context("odrefresh failed")?;
+        Ok(exit_code as i8)
+    }
+}
+
 fn add_artifacts(target_dir: &Path, artifact_signer: &mut ArtifactSigner) -> Result<()> {
     for entry in
         read_dir(&target_dir).with_context(|| format!("Traversing {}", target_dir.display()))?
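Review bot: `do_odrefresh` has no doc comment, and now that authfs startup is conditional on the payload config (`enable_authfs` in this same commit) the dependency should be stated where the connection is made: the method, and the closure comment "authfs only shows us the files we created", only hold when authfs_service is running, otherwise `get_interface` fails with the new "Unable to connect to AuthFS service" error. Suggested doc above the fn: `/// Runs odrefresh and signs every artifact under its output directory. Requires authfs_service to be running in the VM (the payload config's \`enable_authfs\`); the output directory is presumably served by authfs, which is what makes signing everything under it safe.` The `exit_code as i8` on the last line is carried over from the removed code; if the underlying type is wider than i8, `i8::try_from(exit_code).context("odrefresh exit code out of range")?` would avoid silently truncating the value reported to the host. `add_artifacts` below continues outside the hunk.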
diff --git a/microdroid/init.rc b/microdroid/init.rc
index cd7332b..4e36726 100644
--- a/microdroid/init.rc
+++ b/microdroid/init.rc
@@ -149,7 +149,6 @@
     restorecon /data/misc
 
     mkdir /data/misc/authfs 0700 root root
-    start authfs_service
 
 on late-fs && property:ro.debuggable=1
     # Ensure that tracefs has the correct permissions.
diff --git a/microdroid/payload/config/src/lib.rs b/microdroid/payload/config/src/lib.rs
index b82544f..54b745e 100644
--- a/microdroid/payload/config/src/lib.rs
+++ b/microdroid/payload/config/src/lib.rs
@@ -42,6 +42,11 @@
     /// Whether to export the tomsbtones (VM crashes) out of VM to host
     /// This does not have a default & the value is expected to be in json for deserialization
     pub export_tombstones: bool,
+
+    /// Whether the authfs service should be started in the VM. This enables read or write of host
+    /// files with integrity checking, but not confidentiality.
+    #[serde(default)]
+    pub enable_authfs: bool,
 }
 
 /// OS config
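Review bot: The doc comment on `enable_authfs` should state the default, since `#[serde(default)]` makes it differ from the neighbouring `export_tombstones`, which the comment above explicitly says has no default and must be present in the JSON. Suggested addition to the doc comment: `/// Defaults to false when the key is absent from the JSON, so existing configs keep authfs off.` Stating this here also documents that a payload which needs authfs must opt in explicitly rather than relying on the old unconditional start in init.rc.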
diff --git a/microdroid_manager/src/main.rs b/microdroid_manager/src/main.rs
index e3ad495..7629291 100644
--- a/microdroid_manager/src/main.rs
+++ b/microdroid_manager/src/main.rs
@@ -323,6 +323,11 @@
 
     let config = load_config(Path::new(&metadata.payload_config_path))?;
 
+    let task = config
+        .task
+        .as_ref()
+        .ok_or_else(|| MicrodroidError::InvalidConfig("No task in VM config".to_string()))?;
+
     if config.extra_apks.len() != verified_data.extra_apks_data.len() {
         return Err(anyhow!(
             "config expects {} extra apks, but found only {}",
@@ -338,18 +343,23 @@
 
     // Start tombstone_transmit if enabled
     if config.export_tombstones {
-        system_properties::write("ctl.start", "tombstone_transmit")
-            .context("Failed to start tombstone_transmit")?;
+        control_service("start", "tombstone_transmit")?;
     } else {
-        system_properties::write("ctl.stop", "tombstoned").context("Failed to stop tombstoned")?;
+        control_service("stop", "tombstoned")?;
     }
 
-    ensure!(
-        config.task.is_some(),
-        MicrodroidError::InvalidConfig("No task in VM config".to_string())
-    );
+    // Start authfs if enabled
+    if config.enable_authfs {
+        control_service("start", "authfs_service")?;
+    }
+
     system_properties::write("dev.bootcomplete", "1").context("set dev.bootcomplete")?;
-    exec_task(&config.task.unwrap(), service)
+    exec_task(task, service)
+}
+
+fn control_service(action: &str, service: &str) -> Result<()> {
+    system_properties::write(&format!("ctl.{}", action), service)
+        .with_context(|| format!("Failed to {} {}", action, service))
 }
 
 struct ApkDmverityArgument<'a> {
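Review bot: `control_service` at the bottom of the hunk has no doc comment, and its `action` parameter accepts any string although only `"start"` and `"stop"` are ever passed; a short comment would fix the contract. Suggested: `/// Asks init to apply \`action\` ("start" or "stop") to \`service\` by writing the ctl.<action> system property. As far as I can tell the write only queues the request with init and does not wait for the service to reach the running state.` That asynchrony matters for the new `enable_authfs` branch above: the payload is exec'd right after `ctl.start` is written, so a payload that connects to authfs_service immediately may still see a connection failure and should handle it, as compsvc's new context message does. A two-variant enum for `action` would remove the stringly-typed parameter, but that is a style preference.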