Remove the old interface that runs compiler with flags
Bug: 210998077
Test: atest ComposHostTestCases
Change-Id: I50bb4cb96e0eb4033c531d47f6620ba8ede78553
diff --git a/compos/aidl/com/android/compos/CompilationResult.aidl b/compos/aidl/com/android/compos/CompilationResult.aidl
deleted file mode 100644
index 7a50765..0000000
--- a/compos/aidl/com/android/compos/CompilationResult.aidl
+++ /dev/null
@@ -1,32 +0,0 @@
-/*
- * Copyright (C) 2021 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package com.android.compos;
-
-/** {@hide} */
-parcelable CompilationResult {
- /** Exit code of dex2oat */
- byte exitCode;
-
- /** raw signature of the output oat's fs-verity digest, may be empty */
- byte[] oatSignature;
-
- /** raw signature of the output vdex's fs-verity digest, may be empty */
- byte[] vdexSignature;
-
- /** raw signature of the output image's fs-verity digest, may be empty */
- byte[] imageSignature;
-}
diff --git a/compos/aidl/com/android/compos/ICompOsService.aidl b/compos/aidl/com/android/compos/ICompOsService.aidl
index b68cdee..b2b961a 100644
--- a/compos/aidl/com/android/compos/ICompOsService.aidl
+++ b/compos/aidl/com/android/compos/ICompOsService.aidl
@@ -17,7 +17,6 @@
package com.android.compos;
import com.android.compos.CompOsKeyData;
-import com.android.compos.CompilationResult;
import com.android.compos.FdAnnotation;
/** {@hide} */
@@ -52,19 +51,6 @@
String zygoteArch, String systemServerCompilerFilter);
/**
- * Run dex2oat command with provided args, in a context that may be specified in FdAnnotation,
- * e.g. with file descriptors pre-opened. The service is responsible to decide what executables
- * it may run.
- *
- * @param args The command line arguments to run. The 0-th args is normally the program name,
- * which may not be used by the service. The service may be configured to always use
- * a fixed executable, or possibly use the 0-th args are the executable lookup hint.
- * @param fd_annotation Additional file descriptor information of the execution
- * @return a CompilationResult
- */
- CompilationResult compile_cmd(in String[] args, in FdAnnotation fd_annotation);
-
- /**
* Runs dexopt compilation encoded in the marshaled dexopt arguments.
*
* To keep ART indepdendantly updatable, the compilation arguments are not stabilized. As a
diff --git a/compos/composd/aidl/android/system/composd/internal/ICompilationInternal.aidl b/compos/composd/aidl/android/system/composd/internal/ICompilationInternal.aidl
index 182094b..a16a0a3 100644
--- a/compos/composd/aidl/android/system/composd/internal/ICompilationInternal.aidl
+++ b/compos/composd/aidl/android/system/composd/internal/ICompilationInternal.aidl
@@ -15,21 +15,11 @@
*/
package android.system.composd.internal;
-import com.android.compos.CompilationResult;
import com.android.compos.FdAnnotation;
interface ICompilationInternal {
/**
* Run dex2oat in the currently running instance of the CompOS VM. This is a simple proxy
- * to ICompOsService#compile_cmd.
- *
- * This method can only be called from odrefresh. If there is no currently running instance
- * an error is returned.
- */
- CompilationResult compile_cmd(in String[] args, in FdAnnotation fd_annotation);
-
- /**
- * Run dex2oat in the currently running instance of the CompOS VM. This is a simple proxy
* to ICompOsService#compile.
*
* This method can only be called from libcompos_client. If there is no currently running
diff --git a/compos/composd/src/composd_main.rs b/compos/composd/src/composd_main.rs
index df088bc..6acf470 100644
--- a/compos/composd/src/composd_main.rs
+++ b/compos/composd/src/composd_main.rs
@@ -43,11 +43,11 @@
let virtualization_service = VmInstance::connect_to_virtualization_service()?;
let instance_manager = Arc::new(InstanceManager::new(virtualization_service));
- let composd_service = service::new_binder(instance_manager.clone());
+ let composd_service = service::new_binder(instance_manager);
register_lazy_service("android.system.composd", composd_service.as_binder())
.context("Registering composd service")?;
- let internal_service = internal_service::new_binder(instance_manager);
+ let internal_service = internal_service::new_binder();
register_lazy_service("android.system.composd.internal", internal_service.as_binder())
.context("Registering internal service")?;
diff --git a/compos/composd/src/instance_manager.rs b/compos/composd/src/instance_manager.rs
index 4fc4ad1..8950f20 100644
--- a/compos/composd/src/instance_manager.rs
+++ b/compos/composd/src/instance_manager.rs
@@ -19,8 +19,7 @@
use crate::instance_starter::{CompOsInstance, InstanceStarter};
use android_system_virtualizationservice::aidl::android::system::virtualizationservice;
-use anyhow::{bail, Context, Result};
-use compos_aidl_interface::aidl::com::android::compos::ICompOsService::ICompOsService;
+use anyhow::{bail, Result};
use compos_aidl_interface::binder::Strong;
use compos_common::compos_client::VmParameters;
use compos_common::{
@@ -43,12 +42,6 @@
Self { service, state: Default::default() }
}
- pub fn get_running_service(&self) -> Result<Strong<dyn ICompOsService>> {
- let mut state = self.state.lock().unwrap();
- let instance = state.get_running_instance().context("No running instance")?;
- Ok(instance.get_service())
- }
-
pub fn start_pending_instance(&self) -> Result<Arc<CompOsInstance>> {
let config_path = Some(PREFER_STAGED_VM_CONFIG_PATH.to_owned());
let mut vm_parameters = VmParameters { config_path, ..Default::default() };
@@ -142,17 +135,4 @@
self.running_instance = Some(Arc::downgrade(instance));
Ok(())
}
-
- // Return the running instance if we are in the Started state.
- fn get_running_instance(&mut self) -> Option<Arc<CompOsInstance>> {
- if self.is_starting {
- return None;
- }
- let instance = self.running_instance.as_ref()?.upgrade();
- if instance.is_none() {
- // No point keeping an orphaned weak reference
- self.running_instance = None;
- }
- instance
- }
}
diff --git a/compos/composd/src/internal_service.rs b/compos/composd/src/internal_service.rs
index 3fad6d4..33935ef 100644
--- a/compos/composd/src/internal_service.rs
+++ b/compos/composd/src/internal_service.rs
@@ -16,59 +16,24 @@
//! Implementation of ICompilationInternal, called from odrefresh during compilation.
-use crate::instance_manager::InstanceManager;
-use compos_common::binder::to_binder_result;
use android_system_composd_internal::aidl::android::system::composd::internal::ICompilationInternal::{
BnCompilationInternal, ICompilationInternal,
};
-use android_system_composd::binder::{
- self, BinderFeatures, ExceptionCode, Interface, Status, Strong, ThreadState,
-};
-use anyhow::{Context, Result};
+use android_system_composd::binder::{self, BinderFeatures, Interface, Strong};
use binder_common::new_binder_service_specific_error;
-use compos_aidl_interface::aidl::com::android::compos::{
- CompilationResult::CompilationResult, FdAnnotation::FdAnnotation,
-};
-use rustutils::users::AID_ROOT;
-use std::sync::Arc;
+use compos_aidl_interface::aidl::com::android::compos::FdAnnotation::FdAnnotation;
-pub struct CompilationInternalService {
- instance_manager: Arc<InstanceManager>,
-}
+pub struct CompilationInternalService {}
-pub fn new_binder(instance_manager: Arc<InstanceManager>) -> Strong<dyn ICompilationInternal> {
- let service = CompilationInternalService { instance_manager };
+pub fn new_binder() -> Strong<dyn ICompilationInternal> {
+ let service = CompilationInternalService {};
BnCompilationInternal::new_binder(service, BinderFeatures::default())
}
impl Interface for CompilationInternalService {}
impl ICompilationInternal for CompilationInternalService {
- fn compile_cmd(
- &self,
- args: &[String],
- fd_annotation: &FdAnnotation,
- ) -> binder::Result<CompilationResult> {
- let calling_uid = ThreadState::get_calling_uid();
- // This should only be called by odrefresh, which runs as root
- if calling_uid != AID_ROOT {
- return Err(Status::new_exception(ExceptionCode::SECURITY, None));
- }
- to_binder_result(self.do_compile_cmd(args, fd_annotation))
- }
-
fn compile(&self, _marshaled: &[u8], _fd_annotation: &FdAnnotation) -> binder::Result<i8> {
Err(new_binder_service_specific_error(-1, "Not yet implemented"))
}
}
-
-impl CompilationInternalService {
- fn do_compile_cmd(
- &self,
- args: &[String],
- fd_annotation: &FdAnnotation,
- ) -> Result<CompilationResult> {
- let compos = self.instance_manager.get_running_service()?;
- compos.compile_cmd(args, fd_annotation).context("Compiling")
- }
-}
diff --git a/compos/src/compilation.rs b/compos/src/compilation.rs
index 9a23bf5..6db31b6 100644
--- a/compos/src/compilation.rs
+++ b/compos/src/compilation.rs
@@ -14,31 +14,27 @@
* limitations under the License.
*/
-use anyhow::{anyhow, bail, Context, Result};
-use log::{debug, error, info, warn};
+use anyhow::{bail, Context, Result};
+use log::{debug, info, warn};
use minijail::{self, Minijail};
use regex::Regex;
use std::env;
use std::ffi::OsString;
-use std::fs::{read_dir, File};
-use std::os::unix::io::{AsRawFd, RawFd};
+use std::fs::read_dir;
+use std::os::unix::io::AsRawFd;
use std::path::{self, Path, PathBuf};
use std::process::Command;
use crate::artifact_signer::ArtifactSigner;
use crate::compos_key_service::Signer;
-use crate::fsverity;
use authfs_aidl_interface::aidl::com::android::virt::fs::{
AuthFsConfig::{
AuthFsConfig, InputDirFdAnnotation::InputDirFdAnnotation,
- InputFdAnnotation::InputFdAnnotation, OutputDirFdAnnotation::OutputDirFdAnnotation,
- OutputFdAnnotation::OutputFdAnnotation,
+ OutputDirFdAnnotation::OutputDirFdAnnotation,
},
- IAuthFs::IAuthFs,
IAuthFsService::IAuthFsService,
};
use authfs_aidl_interface::binder::{ParcelFileDescriptor, Strong};
-use compos_aidl_interface::aidl::com::android::compos::FdAnnotation::FdAnnotation;
use compos_common::odrefresh::ExitCode;
const FD_SERVER_PORT: i32 = 3264; // TODO: support dynamic port
@@ -47,23 +43,6 @@
/// meaningless in the current process.
pub type PseudoRawFd = i32;
-pub enum CompilerOutput {
- /// Fs-verity digests of output files, if the compiler finishes successfully.
- Digests {
- oat: fsverity::Sha256Digest,
- vdex: fsverity::Sha256Digest,
- image: fsverity::Sha256Digest,
- },
- /// Exit code returned by the compiler, if not 0.
- ExitCode(i8),
-}
-
-struct CompilerOutputParcelFds {
- oat: ParcelFileDescriptor,
- vdex: ParcelFileDescriptor,
- image: ParcelFileDescriptor,
-}
-
pub struct OdrefreshContext<'a> {
system_dir_fd: i32,
output_dir_fd: i32,
@@ -259,131 +238,6 @@
Ok(())
}
-/// Runs the compiler with given flags with file descriptors described in `fd_annotation` retrieved
-/// via `authfs_service`. Returns exit code of the compiler process.
-pub fn compile_cmd(
- compiler_path: &Path,
- compiler_args: &[String],
- authfs_service: Strong<dyn IAuthFsService>,
- fd_annotation: &FdAnnotation,
-) -> Result<CompilerOutput> {
- // Mount authfs (via authfs_service). The authfs instance unmounts once the `authfs` variable
- // is out of scope.
- let authfs_config = build_authfs_config(fd_annotation);
- let authfs = authfs_service.mount(&authfs_config)?;
-
- // The task expects to receive FD numbers that match its flags (e.g. --zip-fd=42) prepared
- // on the host side. Since the local FD opened from authfs (e.g. /authfs/42) may not match
- // the task's expectation, prepare a FD mapping and let minijail prepare the correct FD
- // setup.
- let fd_mapping =
- open_authfs_files_for_fd_mapping(&authfs, &authfs_config).context("Open on authfs")?;
-
- let jail =
- spawn_jailed_task(compiler_path, compiler_args, fd_mapping).context("Spawn dex2oat")?;
- let jail_result = jail.wait();
-
- let parcel_fds = parse_compiler_args(&authfs, compiler_args)?;
- let oat_file: &File = parcel_fds.oat.as_ref();
- let vdex_file: &File = parcel_fds.vdex.as_ref();
- let image_file: &File = parcel_fds.image.as_ref();
-
- match jail_result {
- Ok(()) => Ok(CompilerOutput::Digests {
- oat: fsverity::measure(oat_file.as_raw_fd())?,
- vdex: fsverity::measure(vdex_file.as_raw_fd())?,
- image: fsverity::measure(image_file.as_raw_fd())?,
- }),
- Err(minijail::Error::ReturnCode(exit_code)) => {
- error!("dex2oat failed with exit code {}", exit_code);
- Ok(CompilerOutput::ExitCode(exit_code as i8))
- }
- Err(e) => {
- bail!("Unexpected minijail error: {}", e)
- }
- }
-}
-
-fn parse_compiler_args(
- authfs: &Strong<dyn IAuthFs>,
- args: &[String],
-) -> Result<CompilerOutputParcelFds> {
- const OAT_FD_PREFIX: &str = "--oat-fd=";
- const VDEX_FD_PREFIX: &str = "--output-vdex-fd=";
- const IMAGE_FD_PREFIX: &str = "--image-fd=";
- const APP_IMAGE_FD_PREFIX: &str = "--app-image-fd=";
-
- let mut oat = None;
- let mut vdex = None;
- let mut image = None;
-
- for arg in args {
- if let Some(value) = arg.strip_prefix(OAT_FD_PREFIX) {
- let fd = value.parse::<RawFd>().context("Invalid --oat-fd flag")?;
- debug_assert!(oat.is_none());
- oat = Some(authfs.openFile(fd, false)?);
- } else if let Some(value) = arg.strip_prefix(VDEX_FD_PREFIX) {
- let fd = value.parse::<RawFd>().context("Invalid --output-vdex-fd flag")?;
- debug_assert!(vdex.is_none());
- vdex = Some(authfs.openFile(fd, false)?);
- } else if let Some(value) = arg.strip_prefix(IMAGE_FD_PREFIX) {
- let fd = value.parse::<RawFd>().context("Invalid --image-fd flag")?;
- debug_assert!(image.is_none());
- image = Some(authfs.openFile(fd, false)?);
- } else if let Some(value) = arg.strip_prefix(APP_IMAGE_FD_PREFIX) {
- let fd = value.parse::<RawFd>().context("Invalid --app-image-fd flag")?;
- debug_assert!(image.is_none());
- image = Some(authfs.openFile(fd, false)?);
- }
- }
-
- Ok(CompilerOutputParcelFds {
- oat: oat.ok_or_else(|| anyhow!("Missing --oat-fd"))?,
- vdex: vdex.ok_or_else(|| anyhow!("Missing --vdex-fd"))?,
- image: image.ok_or_else(|| anyhow!("Missing --image-fd or --app-image-fd"))?,
- })
-}
-
-fn build_authfs_config(fd_annotation: &FdAnnotation) -> AuthFsConfig {
- AuthFsConfig {
- port: FD_SERVER_PORT,
- inputFdAnnotations: fd_annotation
- .input_fds
- .iter()
- .map(|fd| InputFdAnnotation { fd: *fd })
- .collect(),
- outputFdAnnotations: fd_annotation
- .output_fds
- .iter()
- .map(|fd| OutputFdAnnotation { fd: *fd })
- .collect(),
- ..Default::default()
- }
-}
-
-fn open_authfs_files_for_fd_mapping(
- authfs: &Strong<dyn IAuthFs>,
- config: &AuthFsConfig,
-) -> Result<Vec<(ParcelFileDescriptor, PseudoRawFd)>> {
- let mut fd_mapping = Vec::new();
-
- let results: Result<Vec<_>> = config
- .inputFdAnnotations
- .iter()
- .map(|annotation| Ok((authfs.openFile(annotation.fd, false)?, annotation.fd)))
- .collect();
- fd_mapping.append(&mut results?);
-
- let results: Result<Vec<_>> = config
- .outputFdAnnotations
- .iter()
- .map(|annotation| Ok((authfs.openFile(annotation.fd, true)?, annotation.fd)))
- .collect();
- fd_mapping.append(&mut results?);
-
- Ok(fd_mapping)
-}
-
fn spawn_jailed_task(
executable: &Path,
args: &[String],
diff --git a/compos/src/compsvc.rs b/compos/src/compsvc.rs
index 28bf5d9..356cc7e 100644
--- a/compos/src/compsvc.rs
+++ b/compos/src/compsvc.rs
@@ -26,14 +26,12 @@
use std::path::PathBuf;
use std::sync::RwLock;
-use crate::compilation::{compile_cmd, odrefresh, CompilerOutput, OdrefreshContext};
+use crate::compilation::{odrefresh, OdrefreshContext};
use crate::compos_key_service::{CompOsKeyService, Signer};
use crate::dice::Dice;
-use crate::fsverity;
use authfs_aidl_interface::aidl::com::android::virt::fs::IAuthFsService::IAuthFsService;
use compos_aidl_interface::aidl::com::android::compos::{
CompOsKeyData::CompOsKeyData,
- CompilationResult::CompilationResult,
FdAnnotation::FdAnnotation,
ICompOsService::{BnCompOsService, ICompOsService},
};
@@ -43,12 +41,10 @@
use compos_common::odrefresh::ODREFRESH_PATH;
const AUTHFS_SERVICE_NAME: &str = "authfs_service";
-const DEX2OAT_PATH: &str = "/apex/com.android.art/bin/dex2oat64";
/// Constructs a binder object that implements ICompOsService.
pub fn new_binder() -> Result<Strong<dyn ICompOsService>> {
let service = CompOsService {
- dex2oat_path: PathBuf::from(DEX2OAT_PATH),
odrefresh_path: PathBuf::from(ODREFRESH_PATH),
key_service: CompOsKeyService::new()?,
key_blob: RwLock::new(Vec::new()),
@@ -57,21 +53,12 @@
}
struct CompOsService {
- dex2oat_path: PathBuf,
odrefresh_path: PathBuf,
key_service: CompOsKeyService,
key_blob: RwLock<Vec<u8>>,
}
impl CompOsService {
- fn generate_raw_fsverity_signature(
- &self,
- fsverity_digest: &fsverity::Sha256Digest,
- ) -> BinderResult<Vec<u8>> {
- let formatted_digest = fsverity::to_formatted_digest(fsverity_digest);
- to_binder_result(self.new_signer()?.sign(&formatted_digest[..]))
- }
-
fn new_signer(&self) -> BinderResult<Signer> {
let key = &*self.key_blob.read().unwrap();
if key.is_empty() {
@@ -126,34 +113,6 @@
Ok(exit_code as i8)
}
- fn compile_cmd(
- &self,
- args: &[String],
- fd_annotation: &FdAnnotation,
- ) -> BinderResult<CompilationResult> {
- let authfs_service = get_authfs_service()?;
- let output = to_binder_result(
- compile_cmd(&self.dex2oat_path, args, authfs_service, fd_annotation)
- .context("Compilation failed"),
- )?;
- match output {
- CompilerOutput::Digests { oat, vdex, image } => {
- let oat_signature = self.generate_raw_fsverity_signature(&oat)?;
- let vdex_signature = self.generate_raw_fsverity_signature(&vdex)?;
- let image_signature = self.generate_raw_fsverity_signature(&image)?;
- Ok(CompilationResult {
- exitCode: 0,
- oatSignature: oat_signature,
- vdexSignature: vdex_signature,
- imageSignature: image_signature,
- })
- }
- CompilerOutput::ExitCode(exit_code) => {
- Ok(CompilationResult { exitCode: exit_code, ..Default::default() })
- }
- }
- }
-
fn compile(&self, _marshaled: &[u8], _fd_annotation: &FdAnnotation) -> BinderResult<i8> {
Err(new_binder_exception(ExceptionCode::UNSUPPORTED_OPERATION, "Not yet implemented"))
}
diff --git a/compos/src/fsverity.rs b/compos/src/fsverity.rs
index a1e2314..f5df5f7 100644
--- a/compos/src/fsverity.rs
+++ b/compos/src/fsverity.rs
@@ -20,20 +20,8 @@
use std::io;
use std::os::unix::io::RawFd;
-/// Magic used in fs-verity digest
-const FS_VERITY_MAGIC: &[u8; 8] = b"FSVerity";
-
-/// Hash algorithm to use from linux/fsverity.h
-const FS_VERITY_HASH_ALG_SHA256: u8 = 1;
-
const SHA256_HASH_SIZE: usize = 32;
-/// Size of `struct fsverity_formatted_digest` with SHA-256 in bytes.
-const FORMATTED_SHA256_DIGEST_SIZE: usize = 12 + SHA256_HASH_SIZE;
-
-/// Bytes of `struct fsverity_formatted_digest` in Linux with SHA-256.
-pub type FormattedSha256Digest = [u8; FORMATTED_SHA256_DIGEST_SIZE];
-
/// Bytes of SHA256 digest
pub type Sha256Digest = [u8; SHA256_HASH_SIZE];
@@ -56,12 +44,3 @@
Ok(buf)
}
}
-
-pub fn to_formatted_digest(digest: &Sha256Digest) -> FormattedSha256Digest {
- let mut formatted_digest: FormattedSha256Digest = [0; FORMATTED_SHA256_DIGEST_SIZE];
- formatted_digest[0..8].copy_from_slice(FS_VERITY_MAGIC);
- formatted_digest[8..10].copy_from_slice(&(FS_VERITY_HASH_ALG_SHA256 as u16).to_le_bytes());
- formatted_digest[10..12].copy_from_slice(&(SHA256_HASH_SIZE as u16).to_le_bytes());
- formatted_digest[12..].copy_from_slice(digest);
- formatted_digest
-}