commit 94a8a18be61f459120e48d6c3d4e058a22cf0592
author Nikita Ioffe <ioffe@google.com> Thu Nov 16 16:37:48 2023 +0000
committer Nikita Ioffe <ioffe@google.com> Thu Nov 16 16:37:48 2023 +0000
tree c0c3b3a3c08f3481671a82be031f6a50556872c3
parent ae152412f18af5ba194ab9612fd5b9e625637da5

Flag guard vfio_handler

Guard the following on the value of the
RELEASE_AVF_ENABLE_DEVICE_ASSIGNMENT flag:

* vfio_handler binary & vfio_handler.rc in com.android.virt APEX;
* --devices flag in the vm shell binary
* Usage of the CustomConfig.devices field in the
  VirtualMachineAppConfig;

Test: atest MicrodroidTests
Change-Id: I40611b0cd93d17aacd68acf74f442e479a80d488

virtualizationmanager/src/aidl.rs

diff --git a/virtualizationmanager/src/aidl.rs b/virtualizationmanager/src/aidl.rs
index c6a30aa..19768b5 100644
--- a/virtualizationmanager/src/aidl.rs
+++ b/virtualizationmanager/src/aidl.rs
@@ -1195,10 +1195,24 @@
     Ok(())
 }
 
+fn check_no_devices(config: &VirtualMachineConfig) -> binder::Result<()> {
+    let VirtualMachineConfig::AppConfig(config) = config else { return Ok(()) };
+    if let Some(custom_config) = &config.customConfig {
+        if !custom_config.devices.is_empty() {
+            return Err(anyhow!("device assignment feature is disabled"))
+                .or_binder_exception(ExceptionCode::UNSUPPORTED_OPERATION);
+        }
+    }
+    Ok(())
+}
+
 fn check_config_features(config: &VirtualMachineConfig) -> binder::Result<()> {
     if !cfg!(vendor_modules) {
         check_no_vendor_modules(config)?;
     }
+    if !cfg!(device_assignment) {
+        check_no_devices(config)?;
+    }
     Ok(())
 }