Require custom permission for non-Microdroid
Running with an OS other than "microdroid" should require the
USE_CUSTOM_CONFIG permission (as do our other @TestApi methods).
Add the check and fix up the tests.
Bug: 323513087
Test: atest MicrodroidTestApp MicrodroidHostTestCases
Change-Id: If7bc577b275f2a55c80c302ed00d5947676daa6a
diff --git a/javalib/api/test-current.txt b/javalib/api/test-current.txt
index 0a988d8..36a82f7 100644
--- a/javalib/api/test-current.txt
+++ b/javalib/api/test-current.txt
@@ -16,7 +16,7 @@
public static final class VirtualMachineConfig.Builder {
method @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") @NonNull public android.system.virtualmachine.VirtualMachineConfig.Builder addExtraApk(@NonNull String);
- method @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") @NonNull public android.system.virtualmachine.VirtualMachineConfig.Builder setOs(@NonNull String);
+ method @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") @NonNull @RequiresPermission(android.system.virtualmachine.VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION) public android.system.virtualmachine.VirtualMachineConfig.Builder setOs(@NonNull String);
method @NonNull @RequiresPermission(android.system.virtualmachine.VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION) public android.system.virtualmachine.VirtualMachineConfig.Builder setPayloadConfigPath(@NonNull String);
method @FlaggedApi("com.android.system.virtualmachine.flags.avf_v_test_apis") @NonNull @RequiresPermission(android.system.virtualmachine.VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION) public android.system.virtualmachine.VirtualMachineConfig.Builder setVendorDiskImage(@NonNull java.io.File);
method @NonNull public android.system.virtualmachine.VirtualMachineConfig.Builder setVmConsoleInputSupported(boolean);
diff --git a/javalib/src/android/system/virtualmachine/VirtualMachineConfig.java b/javalib/src/android/system/virtualmachine/VirtualMachineConfig.java
index 3e5e2f7..144989e 100644
--- a/javalib/src/android/system/virtualmachine/VirtualMachineConfig.java
+++ b/javalib/src/android/system/virtualmachine/VirtualMachineConfig.java
@@ -1024,6 +1024,7 @@
*/
@TestApi
@FlaggedApi(Flags.FLAG_AVF_V_TEST_APIS)
+ @RequiresPermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION)
@NonNull
public Builder setOs(@NonNull String os) {
mOs = requireNonNull(os, "os must not be null");
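Review bot: The new `@RequiresPermission` on `setOs` is unconditional, while the rule this commit enforces is conditional: only an OS other than "microdroid" needs the permission, and the check itself appears to live in the service (`virtualizationmanager/src/aidl.rs`), not in this setter. The Javadoc that ends just above the hunk should say so, for example `Setting an OS other than "microdroid" requires {@link VirtualMachine#USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION}; the permission is checked when the VM is created, not by this method.` The annotation alone is a lint hint, so readers should not take it for the enforcement point. The method body continues outside the hunk.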
diff --git a/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java b/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java
index 20b5a50..4503cd3 100644
--- a/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java
+++ b/tests/hostside/java/com/android/microdroid/test/MicrodroidHostTests.java
@@ -1084,6 +1084,13 @@
}
mOs = (mGki != null) ? "microdroid_gki-" + mGki : "microdroid";
+
+ new CommandRunner(getDevice())
+ .tryRun(
+ "pm",
+ "grant",
+ SHELL_PACKAGE_NAME,
+ "android.permission.USE_CUSTOM_VIRTUAL_MACHINE");
}
@After
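Review bot: The grant added to setUp goes through `tryRun`, which by its name tolerates a failing command, so a `pm grant` that does not succeed would only surface later as a permission error inside whichever test starts a VM. If `CommandRunner` has a variant that throws on failure, use it here, or check the result so setUp fails with a clear message. The explanatory comment was dropped when the call moved from tearDown; a replacement such as `// VMs with a non-default OS need this permission, and testCustomVirtualMachinePermission revokes it.` would keep the reason visible. setUp begins outside the hunk.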
@@ -1098,21 +1105,13 @@
mTestLogs, getDevice(), LOG_PATH, "vm.log-" + mTestName.getMethodName());
getDevice().uninstallPackage(PACKAGE_NAME);
-
- // testCustomVirtualMachinePermission revokes this permission. Grant it again as cleanup
- new CommandRunner(getDevice())
- .tryRun(
- "pm",
- "grant",
- SHELL_PACKAGE_NAME,
- "android.permission.USE_CUSTOM_VIRTUAL_MACHINE");
}
- private void assumeProtectedVm() throws Exception {
+ private void assumeProtectedVm() {
assumeTrue("This test is only for protected VM.", mProtectedVm);
}
- private void assumeNonProtectedVm() throws Exception {
+ private void assumeNonProtectedVm() {
assumeFalse("This test is only for non-protected VM.", mProtectedVm);
}
diff --git a/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java b/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
index 68e7875..0132b0d 100644
--- a/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
+++ b/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
@@ -140,13 +140,17 @@
@Before
public void setup() {
prepareTestSetup(mProtectedVm, mGki);
- // USE_CUSTOM_VIRTUAL_MACHINE permission has protection level signature|development, meaning
- // that it will be automatically granted when test apk is installed. We have some tests
- // checking the behavior when caller doesn't have this permission (e.g.
- // createVmWithConfigRequiresPermission). Proactively revoke the permission so that such
- // tests can pass when ran by itself, e.g.:
- // atest com.android.microdroid.test.MicrodroidTests#createVmWithConfigRequiresPermission
- revokePermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
+ if (mGki != null) {
+ // Using a non-default VM always needs the custom permission.
+ grantPermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
+ } else {
+ // USE_CUSTOM_VIRTUAL_MACHINE permission has protection level signature|development,
+ // meaning that it will be automatically granted when test apk is installed.
+ // But most callers shouldn't need this permission, so by default we run tests with it
+ // revoked.
+ // Tests that rely on the state of the permission should explicitly grant or revoke it.
+ revokePermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
+ }
}
@After
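Review bot: Nothing in the hunks shown exercises the new rule itself, namely that a VM with an OS other than "microdroid" is rejected when the caller lacks `USE_CUSTOM_VIRTUAL_MACHINE`. Because `setup()` now grants the permission whenever `mGki != null`, every GKI-parameterised test runs with it, and the denial path is reached only by tests that revoke explicitly. The two revoke calls added further down (`createVmWithConfigRequiresPermission` and the vendor-image test) target other custom features, so under GKI they could still pass if the `osName` check were removed. A dedicated negative test that revokes the permission, builds a payload-binary config with a non-default `setOs(...)` value, and asserts that creation throws `SecurityException` would pin the behaviour this commit adds.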
@@ -780,6 +784,7 @@
})
public void createVmWithConfigRequiresPermission() throws Exception {
assumeSupportedDevice();
+ revokePermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
VirtualMachineConfig config =
newVmConfigBuilderWithPayloadConfig("assets/" + os() + "/vm_config.json")
@@ -2138,6 +2143,7 @@
assumeFalse(
"boot with vendor partition is failing in HWASAN enabled Microdroid.", isHwasan());
assumeFeatureEnabled(VirtualMachineManager.FEATURE_VENDOR_MODULES);
+ revokePermission(VirtualMachine.USE_CUSTOM_VIRTUAL_MACHINE_PERMISSION);
File vendorDiskImage =
new File("/data/local/tmp/cts/microdroid/test_microdroid_vendor_image.img");
diff --git a/virtualizationmanager/src/aidl.rs b/virtualizationmanager/src/aidl.rs
index a2194cc..da842e7 100644
--- a/virtualizationmanager/src/aidl.rs
+++ b/virtualizationmanager/src/aidl.rs
@@ -603,10 +603,14 @@
} else {
// Additional custom features not included in CustomConfig:
// - specifying a config file;
- // - specifying extra APKs.
+ // - specifying extra APKs;
+ // - specifying an OS other than Microdroid.
match &config.payload {
Payload::ConfigPath(_) => true,
- Payload::PayloadConfig(payload_config) => !payload_config.extraApks.is_empty(),
+ Payload::PayloadConfig(payload_config) => {
+ !payload_config.extraApks.is_empty()
+ || payload_config.osName != MICRODROID_OS_NAME
+ }
}
}
}
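Review bot: The added condition `payload_config.osName != MICRODROID_OS_NAME` is an exact string comparison, so anything that is not byte-for-byte the default name (an empty string, a different case, a `microdroid_gki-…` variant) is treated as custom and needs the permission. That is the fail-closed direction and looks deliberate, but the comment list only says "an OS other than Microdroid". A line such as `// Exact match on purpose: any other osName, including empty, counts as custom.` above the comparison would stop a later change from relaxing it to a prefix match. The enclosing function starts outside the hunk, so the other branch of the `if` is not reviewed here.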