Merge changes I4cf5d1a9,I78e9650d,Ic6ec2b14
* changes:
virtmgr: Delegate debugVmList to virtualizationservice
virtualizationservice: Refactor VM context allocation
vm_shell.sh: Remove use of daemonize
diff --git a/javalib/src/android/system/virtualmachine/VirtualMachineConfig.java b/javalib/src/android/system/virtualmachine/VirtualMachineConfig.java
index cb4e98c..d9fc70c 100644
--- a/javalib/src/android/system/virtualmachine/VirtualMachineConfig.java
+++ b/javalib/src/android/system/virtualmachine/VirtualMachineConfig.java
@@ -352,6 +352,7 @@
* that would alter the identity of the VM (e.g. using a different payload or changing the debug
* mode) are considered incompatible.
*
+ * @see VirtualMachine#setConfig
* @hide
*/
@SystemApi
@@ -536,6 +537,14 @@
/**
* Sets the debug level. Defaults to {@link #DEBUG_LEVEL_NONE}.
*
+ * <p>If {@link #DEBUG_LEVEL_FULL} is set then logs from inside the VM are exported to the
+ * host and adb connections from the host are possible. This is convenient for debugging but
+ * may compromise the integrity of the VM - including bypassing the protections offered by a
+ * {@linkplain #setProtectedVm protected VM}.
+ *
+ * <p>Note that it isn't possible to {@linkplain #isCompatibleWith change} the debug level
+ * of a VM instance; debug and non-debug VMs always have different secrets.
+ *
* @hide
*/
@SystemApi
@@ -552,6 +561,13 @@
* Sets whether to protect the VM memory from the host. No default is provided, this must be
* set explicitly.
*
+ * <p>Note that if debugging is {@linkplain #setDebugLevel enabled} for a protected VM, the
+ * VM is not truly protected - direct memory access by the host is prevented, but e.g. the
+ * debugger can be used to access the VM's internals.
+ *
+ * <p>It isn't possible to {@linkplain #isCompatibleWith change} the protected status of a
+ * VM instance; protected and non-protected VMs always have different secrets.
+ *
* @see VirtualMachineManager#getCapabilities
* @hide
*/
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index c62db2d..1fc44a2 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -582,7 +582,7 @@
name: "microdroid_kernel_signed",
src: "empty_kernel",
filename: "microdroid_kernel",
- partition_name: "bootloader",
+ partition_name: "boot",
private_key: ":microdroid_sign_key",
salt: bootloader_salt,
enabled: false,
diff --git a/microdroid/init.rc b/microdroid/init.rc
index 7402481..bc42791 100644
--- a/microdroid/init.rc
+++ b/microdroid/init.rc
@@ -165,7 +165,6 @@
class core
critical
seclabel u:r:ueventd:s0
- shutdown critical
capabilities CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID MKNOD NET_ADMIN SETGID SETUID SYS_MODULE SYS_RAWIO
service console /system/bin/sh
diff --git a/microdroid/initrd/src/main.rs b/microdroid/initrd/src/main.rs
index 69c6ae4..3f1fab5 100644
--- a/microdroid/initrd/src/main.rs
+++ b/microdroid/initrd/src/main.rs
@@ -54,7 +54,8 @@
checksum += get_checksum(&bootconfig)?;
}
- let padding_size: usize = FOOTER_ALIGNMENT - (initrd_size + bootconfig_size) % FOOTER_ALIGNMENT;
+ let padding_size: usize =
+ (FOOTER_ALIGNMENT - (initrd_size + bootconfig_size) % FOOTER_ALIGNMENT) % FOOTER_ALIGNMENT;
output_file.write_all(&ZEROS[..padding_size])?;
output_file.write_all(&((padding_size + bootconfig_size) as u32).to_le_bytes())?;
output_file.write_all(&checksum.to_le_bytes())?;
diff --git a/pvmfw/avb/Android.bp b/pvmfw/avb/Android.bp
index cbec235..d3a5e4e 100644
--- a/pvmfw/avb/Android.bp
+++ b/pvmfw/avb/Android.bp
@@ -62,7 +62,7 @@
avb_add_hash_footer {
name: "test_image_with_one_hashdesc",
src: ":unsigned_test_image",
- partition_name: "bootloader",
+ partition_name: "boot",
private_key: ":pvmfw_sign_key",
salt: "1111",
}
diff --git a/pvmfw/avb/src/error.rs b/pvmfw/avb/src/error.rs
new file mode 100644
index 0000000..8b06150
--- /dev/null
+++ b/pvmfw/avb/src/error.rs
@@ -0,0 +1,87 @@
+// Copyright 2022, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! This module contains the error thrown by the payload verification API.
+
+use avb_bindgen::AvbSlotVerifyResult;
+
+use core::fmt;
+
+/// This error is the error part of `AvbSlotVerifyResult`.
+/// It is the error thrown by the payload verification API `verify_payload()`.
+#[derive(Clone, Debug, PartialEq, Eq)]
+pub enum AvbSlotVerifyError {
+ /// AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_ARGUMENT
+ InvalidArgument,
+ /// AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA
+ InvalidMetadata,
+ /// AVB_SLOT_VERIFY_RESULT_ERROR_IO
+ Io,
+ /// AVB_SLOT_VERIFY_RESULT_ERROR_OOM
+ Oom,
+ /// AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED
+ PublicKeyRejected,
+ /// AVB_SLOT_VERIFY_RESULT_ERROR_ROLLBACK_INDEX
+ RollbackIndex,
+ /// AVB_SLOT_VERIFY_RESULT_ERROR_UNSUPPORTED_VERSION
+ UnsupportedVersion,
+ /// AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION
+ Verification,
+}
+
+impl fmt::Display for AvbSlotVerifyError {
+ fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
+ match self {
+ Self::InvalidArgument => write!(f, "Invalid parameters."),
+ Self::InvalidMetadata => write!(f, "Invalid metadata."),
+ Self::Io => write!(f, "I/O error while trying to load data or get a rollback index."),
+ Self::Oom => write!(f, "Unable to allocate memory."),
+ Self::PublicKeyRejected => write!(f, "Public key rejected or data not signed."),
+ Self::RollbackIndex => write!(f, "Rollback index is less than its stored value."),
+ Self::UnsupportedVersion => write!(
+ f,
+ "Some of the metadata requires a newer version of libavb than what is in use."
+ ),
+ Self::Verification => write!(f, "Data does not verify."),
+ }
+ }
+}
+
+pub(crate) fn slot_verify_result_to_verify_payload_result(
+ result: AvbSlotVerifyResult,
+) -> Result<(), AvbSlotVerifyError> {
+ match result {
+ AvbSlotVerifyResult::AVB_SLOT_VERIFY_RESULT_OK => Ok(()),
+ AvbSlotVerifyResult::AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_ARGUMENT => {
+ Err(AvbSlotVerifyError::InvalidArgument)
+ }
+ AvbSlotVerifyResult::AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA => {
+ Err(AvbSlotVerifyError::InvalidMetadata)
+ }
+ AvbSlotVerifyResult::AVB_SLOT_VERIFY_RESULT_ERROR_IO => Err(AvbSlotVerifyError::Io),
+ AvbSlotVerifyResult::AVB_SLOT_VERIFY_RESULT_ERROR_OOM => Err(AvbSlotVerifyError::Oom),
+ AvbSlotVerifyResult::AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED => {
+ Err(AvbSlotVerifyError::PublicKeyRejected)
+ }
+ AvbSlotVerifyResult::AVB_SLOT_VERIFY_RESULT_ERROR_ROLLBACK_INDEX => {
+ Err(AvbSlotVerifyError::RollbackIndex)
+ }
+ AvbSlotVerifyResult::AVB_SLOT_VERIFY_RESULT_ERROR_UNSUPPORTED_VERSION => {
+ Err(AvbSlotVerifyError::UnsupportedVersion)
+ }
+ AvbSlotVerifyResult::AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION => {
+ Err(AvbSlotVerifyError::Verification)
+ }
+ }
+}
diff --git a/pvmfw/avb/src/lib.rs b/pvmfw/avb/src/lib.rs
index 1f39076..6a5b16d 100644
--- a/pvmfw/avb/src/lib.rs
+++ b/pvmfw/avb/src/lib.rs
@@ -18,6 +18,8 @@
// For usize.checked_add_signed(isize), available in Rust 1.66.0
#![feature(mixed_integer_ops)]
+mod error;
mod verify;
-pub use verify::{verify_payload, AvbImageVerifyError};
+pub use error::AvbSlotVerifyError;
+pub use verify::verify_payload;
diff --git a/pvmfw/avb/src/verify.rs b/pvmfw/avb/src/verify.rs
index 8eca130..fb18626 100644
--- a/pvmfw/avb/src/verify.rs
+++ b/pvmfw/avb/src/verify.rs
@@ -14,84 +14,16 @@
//! This module handles the pvmfw payload verification.
-use avb_bindgen::{
- avb_slot_verify, AvbHashtreeErrorMode, AvbIOResult, AvbOps, AvbSlotVerifyFlags,
- AvbSlotVerifyResult,
-};
+use crate::error::{slot_verify_result_to_verify_payload_result, AvbSlotVerifyError};
+use avb_bindgen::{avb_slot_verify, AvbHashtreeErrorMode, AvbIOResult, AvbOps, AvbSlotVerifyFlags};
use core::{
ffi::{c_char, c_void, CStr},
- fmt,
ptr::{self, NonNull},
slice,
};
static NULL_BYTE: &[u8] = b"\0";
-/// Error code from AVB image verification.
-#[derive(Clone, Debug, PartialEq, Eq)]
-pub enum AvbImageVerifyError {
- /// AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_ARGUMENT
- InvalidArgument,
- /// AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA
- InvalidMetadata,
- /// AVB_SLOT_VERIFY_RESULT_ERROR_IO
- Io,
- /// AVB_SLOT_VERIFY_RESULT_ERROR_OOM
- Oom,
- /// AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED
- PublicKeyRejected,
- /// AVB_SLOT_VERIFY_RESULT_ERROR_ROLLBACK_INDEX
- RollbackIndex,
- /// AVB_SLOT_VERIFY_RESULT_ERROR_UNSUPPORTED_VERSION
- UnsupportedVersion,
- /// AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION
- Verification,
-}
-
-impl fmt::Display for AvbImageVerifyError {
- fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
- match self {
- Self::InvalidArgument => write!(f, "Invalid parameters."),
- Self::InvalidMetadata => write!(f, "Invalid metadata."),
- Self::Io => write!(f, "I/O error while trying to load data or get a rollback index."),
- Self::Oom => write!(f, "Unable to allocate memory."),
- Self::PublicKeyRejected => write!(f, "Public key rejected or data not signed."),
- Self::RollbackIndex => write!(f, "Rollback index is less than its stored value."),
- Self::UnsupportedVersion => write!(
- f,
- "Some of the metadata requires a newer version of libavb than what is in use."
- ),
- Self::Verification => write!(f, "Data does not verify."),
- }
- }
-}
-
-fn to_avb_verify_result(result: AvbSlotVerifyResult) -> Result<(), AvbImageVerifyError> {
- match result {
- AvbSlotVerifyResult::AVB_SLOT_VERIFY_RESULT_OK => Ok(()),
- AvbSlotVerifyResult::AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_ARGUMENT => {
- Err(AvbImageVerifyError::InvalidArgument)
- }
- AvbSlotVerifyResult::AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA => {
- Err(AvbImageVerifyError::InvalidMetadata)
- }
- AvbSlotVerifyResult::AVB_SLOT_VERIFY_RESULT_ERROR_IO => Err(AvbImageVerifyError::Io),
- AvbSlotVerifyResult::AVB_SLOT_VERIFY_RESULT_ERROR_OOM => Err(AvbImageVerifyError::Oom),
- AvbSlotVerifyResult::AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED => {
- Err(AvbImageVerifyError::PublicKeyRejected)
- }
- AvbSlotVerifyResult::AVB_SLOT_VERIFY_RESULT_ERROR_ROLLBACK_INDEX => {
- Err(AvbImageVerifyError::RollbackIndex)
- }
- AvbSlotVerifyResult::AVB_SLOT_VERIFY_RESULT_ERROR_UNSUPPORTED_VERSION => {
- Err(AvbImageVerifyError::UnsupportedVersion)
- }
- AvbSlotVerifyResult::AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION => {
- Err(AvbImageVerifyError::Verification)
- }
- }
-}
-
enum AvbIOError {
/// AVB_IO_RESULT_ERROR_OOM,
#[allow(dead_code)]
@@ -354,6 +286,41 @@
}
}
+#[derive(Clone, Debug, PartialEq, Eq)]
+enum PartitionName {
+ Kernel,
+ InitrdNormal,
+ InitrdDebug,
+}
+
+impl PartitionName {
+ const KERNEL_PARTITION_NAME: &[u8] = b"boot\0";
+ const INITRD_NORMAL_PARTITION_NAME: &[u8] = b"initrd_normal\0";
+ const INITRD_DEBUG_PARTITION_NAME: &[u8] = b"initrd_debug\0";
+
+ fn as_cstr(&self) -> &CStr {
+ let partition_name = match self {
+ Self::Kernel => Self::KERNEL_PARTITION_NAME,
+ Self::InitrdNormal => Self::INITRD_NORMAL_PARTITION_NAME,
+ Self::InitrdDebug => Self::INITRD_DEBUG_PARTITION_NAME,
+ };
+ CStr::from_bytes_with_nul(partition_name).unwrap()
+ }
+}
+
+impl TryFrom<&CStr> for PartitionName {
+ type Error = AvbIOError;
+
+ fn try_from(partition_name: &CStr) -> Result<Self, Self::Error> {
+ match partition_name.to_bytes_with_nul() {
+ Self::KERNEL_PARTITION_NAME => Ok(Self::Kernel),
+ Self::INITRD_NORMAL_PARTITION_NAME => Ok(Self::InitrdNormal),
+ Self::INITRD_DEBUG_PARTITION_NAME => Ok(Self::InitrdDebug),
+ _ => Err(AvbIOError::NoSuchPartition),
+ }
+ }
+}
+
struct Payload<'a> {
kernel: &'a [u8],
initrd: Option<&'a [u8]>,
@@ -372,28 +339,23 @@
}
impl<'a> Payload<'a> {
- const KERNEL_PARTITION_NAME: &[u8] = b"bootloader\0";
- const INITRD_NORMAL_PARTITION_NAME: &[u8] = b"initrd_normal\0";
- const INITRD_DEBUG_PARTITION_NAME: &[u8] = b"initrd_debug\0";
-
const MAX_NUM_OF_HASH_DESCRIPTORS: usize = 3;
fn get_partition(&self, partition_name: *const c_char) -> Result<&[u8], AvbIOError> {
is_not_null(partition_name)?;
// SAFETY: It is safe as the raw pointer `partition_name` is a nonnull pointer.
let partition_name = unsafe { CStr::from_ptr(partition_name) };
- match partition_name.to_bytes_with_nul() {
- Self::KERNEL_PARTITION_NAME => Ok(self.kernel),
- Self::INITRD_NORMAL_PARTITION_NAME | Self::INITRD_DEBUG_PARTITION_NAME => {
+ match partition_name.try_into()? {
+ PartitionName::Kernel => Ok(self.kernel),
+ PartitionName::InitrdNormal | PartitionName::InitrdDebug => {
self.initrd.ok_or(AvbIOError::NoSuchPartition)
}
- _ => Err(AvbIOError::NoSuchPartition),
}
}
- fn verify_partitions(&mut self, partition_names: &[&CStr]) -> Result<(), AvbImageVerifyError> {
+ fn verify_partitions(&mut self, partition_names: &[&CStr]) -> Result<(), AvbSlotVerifyError> {
if partition_names.len() > Self::MAX_NUM_OF_HASH_DESCRIPTORS {
- return Err(AvbImageVerifyError::InvalidArgument);
+ return Err(AvbSlotVerifyError::InvalidArgument);
}
let mut requested_partitions = [ptr::null(); Self::MAX_NUM_OF_HASH_DESCRIPTORS + 1];
partition_names
@@ -434,7 +396,7 @@
out_data,
)
};
- to_avb_verify_result(result)
+ slot_verify_result_to_verify_payload_result(result)
}
}
@@ -443,10 +405,9 @@
kernel: &[u8],
initrd: Option<&[u8]>,
trusted_public_key: &[u8],
-) -> Result<(), AvbImageVerifyError> {
+) -> Result<(), AvbSlotVerifyError> {
let mut payload = Payload { kernel, initrd, trusted_public_key };
- let kernel = CStr::from_bytes_with_nul(Payload::KERNEL_PARTITION_NAME).unwrap();
- let requested_partitions = [kernel];
+ let requested_partitions = [PartitionName::Kernel.as_cstr()];
payload.verify_partitions(&requested_partitions)
}
@@ -496,7 +457,7 @@
&load_latest_signed_kernel()?,
&load_latest_initrd_normal()?,
/*trusted_public_key=*/ &[0u8; 0],
- AvbImageVerifyError::PublicKeyRejected,
+ AvbSlotVerifyError::PublicKeyRejected,
)
}
@@ -506,7 +467,7 @@
&load_latest_signed_kernel()?,
&load_latest_initrd_normal()?,
/*trusted_public_key=*/ &[0u8; 512],
- AvbImageVerifyError::PublicKeyRejected,
+ AvbSlotVerifyError::PublicKeyRejected,
)
}
@@ -516,7 +477,7 @@
&load_latest_signed_kernel()?,
&load_latest_initrd_normal()?,
&fs::read(PUBLIC_KEY_RSA2048_PATH)?,
- AvbImageVerifyError::PublicKeyRejected,
+ AvbSlotVerifyError::PublicKeyRejected,
)
}
@@ -526,7 +487,7 @@
&fs::read(UNSIGNED_TEST_IMG_PATH)?,
&load_latest_initrd_normal()?,
&fs::read(PUBLIC_KEY_RSA4096_PATH)?,
- AvbImageVerifyError::Io,
+ AvbSlotVerifyError::Io,
)
}
@@ -539,7 +500,7 @@
&kernel,
&load_latest_initrd_normal()?,
&fs::read(PUBLIC_KEY_RSA4096_PATH)?,
- AvbImageVerifyError::Verification,
+ AvbSlotVerifyError::Verification,
)
}
@@ -553,7 +514,7 @@
&kernel,
&load_latest_initrd_normal()?,
&fs::read(PUBLIC_KEY_RSA4096_PATH)?,
- AvbImageVerifyError::InvalidMetadata,
+ AvbSlotVerifyError::InvalidMetadata,
)
}
@@ -561,7 +522,7 @@
kernel: &[u8],
initrd: &[u8],
trusted_public_key: &[u8],
- expected_error: AvbImageVerifyError,
+ expected_error: AvbSlotVerifyError,
) -> Result<()> {
assert_eq!(Err(expected_error), verify_payload(kernel, Some(initrd), trusted_public_key));
Ok(())
diff --git a/virtualizationservice/src/aidl.rs b/virtualizationservice/src/aidl.rs
index 8f28289..1c82155 100644
--- a/virtualizationservice/src/aidl.rs
+++ b/virtualizationservice/src/aidl.rs
@@ -684,6 +684,16 @@
.try_for_each(check_label_for_partition)
.map_err(|e| Status::new_service_specific_error_str(-1, Some(format!("{:?}", e))))?;
+ let kernel = maybe_clone_file(&config.kernel)?;
+ let initrd = maybe_clone_file(&config.initrd)?;
+
+ // In a protected VM, we require custom kernels to come from a trusted source (b/237054515).
+ if config.protectedVm {
+ check_label_for_kernel_files(&kernel, &initrd).map_err(|e| {
+ Status::new_service_specific_error_str(-1, Some(format!("{:?}", e)))
+ })?;
+ }
+
let zero_filler_path = temporary_directory.join("zero.img");
write_zero_filler(&zero_filler_path).map_err(|e| {
error!("Failed to make composite image: {:?}", e);
@@ -726,8 +736,8 @@
cid,
name: config.name.clone(),
bootloader: maybe_clone_file(&config.bootloader)?,
- kernel: maybe_clone_file(&config.kernel)?,
- initrd: maybe_clone_file(&config.initrd)?,
+ kernel,
+ initrd,
disks,
params: config.params.to_owned(),
protected: *is_protected,
@@ -991,14 +1001,8 @@
check_permission("android.permission.USE_CUSTOM_VIRTUAL_MACHINE")
}
-/// Check if a partition has selinux labels that are not allowed
-fn check_label_for_partition(partition: &Partition) -> Result<()> {
- let ctx = getfilecon(partition.image.as_ref().unwrap().as_ref())?;
- check_label_is_allowed(&ctx).with_context(|| format!("Partition {} invalid", &partition.label))
-}
-
-// Return whether a partition is exempt from selinux label checks, because we know that it does
-// not contain code and is likely to be generated in an app-writable directory.
+/// Return whether a partition is exempt from selinux label checks, because we know that it does
+/// not contain code and is likely to be generated in an app-writable directory.
fn is_safe_app_partition(label: &str) -> bool {
// See add_microdroid_system_images & add_microdroid_payload_images in payload.rs.
label == "vm-instance"
@@ -1008,23 +1012,46 @@
|| label.starts_with("extra-idsig-")
}
-fn check_label_is_allowed(ctx: &SeContext) -> Result<()> {
- // We only want to allow code in a VM payload to be sourced from places that apps, and the
- // system, do not have write access to.
- // (Note that sepolicy must also grant read access for these types to both virtualization
- // service and crosvm.)
- // App private data files are deliberately excluded, to avoid arbitrary payloads being run on
- // user devices (W^X).
- match ctx.selinux_type()? {
+/// Check that a file SELinux label is acceptable.
+///
+/// We only want to allow code in a VM to be sourced from places that apps, and the
+/// system, do not have write access to.
+///
+/// Note that sepolicy must also grant read access for these types to both virtualization
+/// service and crosvm.
+///
+/// App private data files are deliberately excluded, to avoid arbitrary payloads being run on
+/// user devices (W^X).
+fn check_label_is_allowed(context: &SeContext) -> Result<()> {
+ match context.selinux_type()? {
| "system_file" // immutable dm-verity protected partition
| "apk_data_file" // APKs of an installed app
| "staging_data_file" // updated/staged APEX images
| "shell_data_file" // test files created via adb shell
=> Ok(()),
- _ => bail!("Label {} is not allowed", ctx),
+ _ => bail!("Label {} is not allowed", context),
}
}
+fn check_label_for_partition(partition: &Partition) -> Result<()> {
+ let file = partition.image.as_ref().unwrap().as_ref();
+ check_label_is_allowed(&getfilecon(file)?)
+ .with_context(|| format!("Partition {} invalid", &partition.label))
+}
+
+fn check_label_for_kernel_files(kernel: &Option<File>, initrd: &Option<File>) -> Result<()> {
+ if let Some(f) = kernel {
+ check_label_for_file(f, "kernel")?;
+ }
+ if let Some(f) = initrd {
+ check_label_for_file(f, "initrd")?;
+ }
+ Ok(())
+}
+fn check_label_for_file(file: &File, name: &str) -> Result<()> {
+ check_label_is_allowed(&getfilecon(file)?).with_context(|| format!("{} file invalid", name))
+}
+
/// Implementation of the AIDL `IVirtualMachine` interface. Used as a handle to a VM.
#[derive(Debug)]
struct VirtualMachine {