Merge "Add a property to reflect the app debuggability"
diff --git a/compos/src/compilation.rs b/compos/src/compilation.rs
index 6049991..e14cd94 100644
--- a/compos/src/compilation.rs
+++ b/compos/src/compilation.rs
@@ -59,9 +59,10 @@
system_server_compiler_filter: &'a str,
) -> Result<Self> {
if compilation_mode != CompilationMode::NORMAL_COMPILE {
- let debuggable = is_property_set("ro.boot.microdroid.debuggable")
- || is_property_set("ro.boot.logd.enabled")
- || is_property_set("ro.boot.adb.enabled");
+ // Conservatively check debuggability.
+ let debuggable =
+ system_properties::read_bool("ro.boot.microdroid.app_debuggable", false)
+ .unwrap_or(false);
if !debuggable {
bail!("Requested compilation mode only available in debuggable VMs");
}
@@ -96,12 +97,6 @@
}
}
-// Return whether the named property is definitely enabled. Deliberately conservative; returns
-// false if the property does not exist or cannot be read or is malformed.
-fn is_property_set(name: &str) -> bool {
- system_properties::read_bool(name, false).unwrap_or(false)
-}
-
pub fn odrefresh<F>(
odrefresh_path: &Path,
context: OdrefreshContext,
diff --git a/microdroid/bootconfig.app_debuggable b/microdroid/bootconfig.app_debuggable
index 5257b6e..0d85186 100644
--- a/microdroid/bootconfig.app_debuggable
+++ b/microdroid/bootconfig.app_debuggable
@@ -1,3 +1,6 @@
+# The app is debuggable.
+androidboot.microdroid.app_debuggable=1
+
# TODO(b/203369076) This should be 0 to disable adb rooting. For now, we can't do that because
# if this is set to 0, adbd enforces the host authentication but we don't put the adb
# public key (which represents the owner) in the VM yet.
diff --git a/microdroid/bootconfig.full_debuggable b/microdroid/bootconfig.full_debuggable
index fd8a83e..0bdd810 100644
--- a/microdroid/bootconfig.full_debuggable
+++ b/microdroid/bootconfig.full_debuggable
@@ -1,3 +1,6 @@
+# The app is debuggable as full_debuggable is a superser of app_debuggable.
+androidboot.microdroid.app_debuggable=1
+
# ro.debuggable is set.
androidboot.microdroid.debuggable=1
diff --git a/microdroid/bootconfig.normal b/microdroid/bootconfig.normal
index 4378dbc..708d64b 100644
--- a/microdroid/bootconfig.normal
+++ b/microdroid/bootconfig.normal
@@ -1,3 +1,6 @@
+# The app is not debuggable.
+androidboot.microdroid.app_debuggable=0
+
# ro.debuggable is off
androidboot.microdroid.debuggable=0
diff --git a/microdroid_manager/src/main.rs b/microdroid_manager/src/main.rs
index 1b3aa7f..b644285 100644
--- a/microdroid_manager/src/main.rs
+++ b/microdroid_manager/src/main.rs
@@ -67,8 +67,7 @@
const APEX_CONFIG_DONE_PROP: &str = "apex_config.done";
const LOGD_ENABLED_PROP: &str = "ro.boot.logd.enabled";
-const ADBD_ENABLED_PROP: &str = "ro.boot.adb.enabled";
-const DEBUGGABLE_PROP: &str = "ro.boot.microdroid.debuggable";
+const APP_DEBUGGABLE_PROP: &str = "ro.boot.microdroid.app_debuggable";
#[derive(thiserror::Error, Debug)]
enum MicrodroidError {
@@ -145,15 +144,6 @@
}
}
-fn is_debuggable() -> Result<bool> {
- // Read all the properties so the behaviour is most similar between debug and non-debug boots.
- // Defensively default to debug enabled for unrecognised values.
- let adb = system_properties::read_bool(ADBD_ENABLED_PROP, true)?;
- let logd = system_properties::read_bool(LOGD_ENABLED_PROP, true)?;
- let debuggable = system_properties::read_bool(DEBUGGABLE_PROP, true)?;
- Ok(adb || logd || debuggable)
-}
-
fn dice_derivation(verified_data: MicrodroidData, payload_config_path: &str) -> Result<()> {
// Calculate compound digests of code and authorities
let mut code_hash_ctx = digest::Context::new(&digest::SHA512);
@@ -183,6 +173,9 @@
encode_header(3, config_path_bytes.len().try_into().unwrap(), &mut config_desc)?;
config_desc.extend_from_slice(config_path_bytes);
+ // Check app debuggability, conervatively assuming it is debuggable
+ let app_debuggable = system_properties::read_bool(APP_DEBUGGABLE_PROP, true)?;
+
// Send the details to diced
let diced =
wait_for_interface::<dyn IDiceMaintenance>("android.security.dice.IDiceMaintenance")
@@ -193,7 +186,7 @@
config: Config { desc: config_desc },
authorityHash: authority_hash,
authorityDescriptor: None,
- mode: if is_debuggable()? { Mode::DEBUG } else { Mode::NORMAL },
+ mode: if app_debuggable { Mode::DEBUG } else { Mode::NORMAL },
hidden: verified_data.salt.try_into().unwrap(),
}])
.context("IDiceMaintenance::demoteSelf failed")?;