Merge "Make authfs start optional"
diff --git a/compos/apk/assets/vm_config.json b/compos/apk/assets/vm_config.json
index c4abfd9..1f5cdba 100644
--- a/compos/apk/assets/vm_config.json
+++ b/compos/apk/assets/vm_config.json
@@ -26,5 +26,6 @@
"name": "{CLASSPATH}"
}
],
- "export_tombstones": true
+ "export_tombstones": true,
+ "enable_authfs": true
}
diff --git a/compos/apk/assets/vm_config_staged.json b/compos/apk/assets/vm_config_staged.json
index 0be6e78..37b1d7a 100644
--- a/compos/apk/assets/vm_config_staged.json
+++ b/compos/apk/assets/vm_config_staged.json
@@ -27,5 +27,6 @@
"name": "{CLASSPATH}"
}
],
- "export_tombstones": true
+ "export_tombstones": true,
+ "enable_authfs": true
}
diff --git a/compos/apk/assets/vm_config_system_ext.json b/compos/apk/assets/vm_config_system_ext.json
index e60dee7..1ef43f0 100644
--- a/compos/apk/assets/vm_config_system_ext.json
+++ b/compos/apk/assets/vm_config_system_ext.json
@@ -29,5 +29,6 @@
"name": "{CLASSPATH}"
}
],
- "export_tombstones": true
+ "export_tombstones": true,
+ "enable_authfs": true
}
diff --git a/compos/apk/assets/vm_config_system_ext_staged.json b/compos/apk/assets/vm_config_system_ext_staged.json
index 99a4160..9103a9e 100644
--- a/compos/apk/assets/vm_config_system_ext_staged.json
+++ b/compos/apk/assets/vm_config_system_ext_staged.json
@@ -30,5 +30,6 @@
"name": "{CLASSPATH}"
}
],
- "export_tombstones": true
+ "export_tombstones": true,
+ "enable_authfs": true
}
diff --git a/compos/src/compsvc.rs b/compos/src/compsvc.rs
index 7ce60cd..3dbb4da 100644
--- a/compos/src/compsvc.rs
+++ b/compos/src/compsvc.rs
@@ -117,7 +117,7 @@
));
}
- let context = to_binder_result(OdrefreshContext::new(
+ let context = OdrefreshContext::new(
compilation_mode,
system_dir_fd,
if system_ext_dir_fd >= 0 { Some(system_ext_dir_fd) } else { None },
@@ -126,21 +126,9 @@
target_dir_name,
zygote_arch,
system_server_compiler_filter,
- ))?;
+ );
- let authfs_service = binder::get_interface(AUTHFS_SERVICE_NAME)?;
- let exit_code = to_binder_result(
- odrefresh(&self.odrefresh_path, context, authfs_service, |output_dir| {
- // authfs only shows us the files we created, so it's ok to just sign everything
- // under the output directory.
- let mut artifact_signer = ArtifactSigner::new(&output_dir);
- add_artifacts(&output_dir, &mut artifact_signer)?;
-
- artifact_signer.write_info_and_signature(&output_dir.join("compos.info"))
- })
- .context("odrefresh failed"),
- )?;
- Ok(exit_code as i8)
+ to_binder_result(context.and_then(|c| self.do_odrefresh(c)))
}
fn getPublicKey(&self) -> BinderResult<Vec<u8>> {
@@ -158,6 +146,23 @@
}
}
+impl CompOsService {
+ fn do_odrefresh(&self, context: OdrefreshContext) -> Result<i8> {
+ let authfs_service = binder::get_interface(AUTHFS_SERVICE_NAME)
+ .context("Unable to connect to AuthFS service")?;
+ let exit_code = odrefresh(&self.odrefresh_path, context, authfs_service, |output_dir| {
+ // authfs only shows us the files we created, so it's ok to just sign everything
+ // under the output directory.
+ let mut artifact_signer = ArtifactSigner::new(&output_dir);
+ add_artifacts(&output_dir, &mut artifact_signer)?;
+
+ artifact_signer.write_info_and_signature(&output_dir.join("compos.info"))
+ })
+ .context("odrefresh failed")?;
+ Ok(exit_code as i8)
+ }
+}
+
fn add_artifacts(target_dir: &Path, artifact_signer: &mut ArtifactSigner) -> Result<()> {
for entry in
read_dir(&target_dir).with_context(|| format!("Traversing {}", target_dir.display()))?
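Review bot: In `do_odrefresh`, a VM whose config leaves `enable_authfs` unset now fails at `binder::get_interface(AUTHFS_SERVICE_NAME)`, and the message "Unable to connect to AuthFS service" does not point at that cause. Since authfs is opt-in after this change, consider `.context("Unable to connect to AuthFS service; is enable_authfs set in the VM config?")`. Separately, `Ok(exit_code as i8)` is carried over unchanged; the type of `exit_code` is not visible in this hunk, but if it is a plain integer wider than `i8` the cast truncates silently, and `i8::try_from(exit_code)` would turn an out-of-range value into an error.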
diff --git a/microdroid/init.rc b/microdroid/init.rc
index cd7332b..4e36726 100644
--- a/microdroid/init.rc
+++ b/microdroid/init.rc
@@ -149,7 +149,6 @@
restorecon /data/misc
mkdir /data/misc/authfs 0700 root root
- start authfs_service
on late-fs && property:ro.debuggable=1
# Ensure that tracefs has the correct permissions.
diff --git a/microdroid/payload/config/src/lib.rs b/microdroid/payload/config/src/lib.rs
index b82544f..54b745e 100644
--- a/microdroid/payload/config/src/lib.rs
+++ b/microdroid/payload/config/src/lib.rs
@@ -42,6 +42,11 @@
/// Whether to export the tomsbtones (VM crashes) out of VM to host
/// This does not have a default & the value is expected to be in json for deserialization
pub export_tombstones: bool,
+
+ /// Whether the authfs service should be started in the VM. This enables read or write of host
+ /// files with integrity checking, but not confidentiality.
+ #[serde(default)]
+ pub enable_authfs: bool,
}
/// OS config
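Review bot: The doc comment on `enable_authfs` does not say what happens when the key is absent, although the comment on `export_tombstones` just above it does cover that case. With `#[serde(default)]` a missing key deserializes to `false`, so a misspelled key would leave authfs off without any error unless the struct rejects unknown fields, which is not visible here. I would add `/// Defaults to false when the key is absent from the JSON.` to the comment. The struct definition begins outside this hunk.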
diff --git a/microdroid_manager/src/main.rs b/microdroid_manager/src/main.rs
index e3ad495..7629291 100644
--- a/microdroid_manager/src/main.rs
+++ b/microdroid_manager/src/main.rs
@@ -323,6 +323,11 @@
let config = load_config(Path::new(&metadata.payload_config_path))?;
+ let task = config
+ .task
+ .as_ref()
+ .ok_or_else(|| MicrodroidError::InvalidConfig("No task in VM config".to_string()))?;
+
if config.extra_apks.len() != verified_data.extra_apks_data.len() {
return Err(anyhow!(
"config expects {} extra apks, but found only {}",
@@ -338,18 +343,23 @@
// Start tombstone_transmit if enabled
if config.export_tombstones {
- system_properties::write("ctl.start", "tombstone_transmit")
- .context("Failed to start tombstone_transmit")?;
+ control_service("start", "tombstone_transmit")?;
} else {
- system_properties::write("ctl.stop", "tombstoned").context("Failed to stop tombstoned")?;
+ control_service("stop", "tombstoned")?;
}
- ensure!(
- config.task.is_some(),
- MicrodroidError::InvalidConfig("No task in VM config".to_string())
- );
+ // Start authfs if enabled
+ if config.enable_authfs {
+ control_service("start", "authfs_service")?;
+ }
+
system_properties::write("dev.bootcomplete", "1").context("set dev.bootcomplete")?;
- exec_task(&config.task.unwrap(), service)
+ exec_task(task, service)
+}
+
+fn control_service(action: &str, service: &str) -> Result<()> {
+ system_properties::write(&format!("ctl.{}", action), service)
+ .with_context(|| format!("Failed to {} {}", action, service))
}
struct ApkDmverityArgument<'a> {
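Review bot: `control_service("start", "authfs_service")` only writes the `ctl.start` property, so an `Ok` return shows that the request reached the property system, not that authfs_service is running or registered. `exec_task` launches the payload shortly afterwards, whereas the service used to be started from init.rc, so a payload that looks the service up without waiting may see a spurious connection failure. Either wait for the service to come up before `exec_task`, or document the helper as fire-and-forget, e.g. `/// Asks init to start or stop a service; does not wait for the state change.` The enclosing function starts outside this hunk.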