Merge "Add a property to reflect the app debuggability"
diff --git a/compos/src/compilation.rs b/compos/src/compilation.rs
index 6049991..e14cd94 100644
--- a/compos/src/compilation.rs
+++ b/compos/src/compilation.rs
@@ -59,9 +59,10 @@
         system_server_compiler_filter: &'a str,
     ) -> Result<Self> {
         if compilation_mode != CompilationMode::NORMAL_COMPILE {
-            let debuggable = is_property_set("ro.boot.microdroid.debuggable")
-                || is_property_set("ro.boot.logd.enabled")
-                || is_property_set("ro.boot.adb.enabled");
+            // Conservatively check debuggability.
+            let debuggable =
+                system_properties::read_bool("ro.boot.microdroid.app_debuggable", false)
+                    .unwrap_or(false);
             if !debuggable {
                 bail!("Requested compilation mode only available in debuggable VMs");
             }
@@ -96,12 +97,6 @@
     }
 }
 
-// Return whether the named property is definitely enabled. Deliberately conservative; returns
-// false if the property does not exist or cannot be read or is malformed.
-fn is_property_set(name: &str) -> bool {
-    system_properties::read_bool(name, false).unwrap_or(false)
-}
-
 pub fn odrefresh<F>(
     odrefresh_path: &Path,
     context: OdrefreshContext,
diff --git a/microdroid/bootconfig.app_debuggable b/microdroid/bootconfig.app_debuggable
index 5257b6e..0d85186 100644
--- a/microdroid/bootconfig.app_debuggable
+++ b/microdroid/bootconfig.app_debuggable
@@ -1,3 +1,6 @@
+# The app is debuggable.
+androidboot.microdroid.app_debuggable=1
+
 # TODO(b/203369076) This should be 0 to disable adb rooting. For now, we can't do that because
 # if this is set to 0, adbd enforces the host authentication but we don't put the adb
 # public key (which represents the owner) in the VM yet.
diff --git a/microdroid/bootconfig.full_debuggable b/microdroid/bootconfig.full_debuggable
index fd8a83e..0bdd810 100644
--- a/microdroid/bootconfig.full_debuggable
+++ b/microdroid/bootconfig.full_debuggable
@@ -1,3 +1,6 @@
+# The app is debuggable as full_debuggable is a superser of app_debuggable.
+androidboot.microdroid.app_debuggable=1
+
 # ro.debuggable is set.
 androidboot.microdroid.debuggable=1
 
diff --git a/microdroid/bootconfig.normal b/microdroid/bootconfig.normal
index 4378dbc..708d64b 100644
--- a/microdroid/bootconfig.normal
+++ b/microdroid/bootconfig.normal
@@ -1,3 +1,6 @@
+# The app is not debuggable.
+androidboot.microdroid.app_debuggable=0
+
 # ro.debuggable is off
 androidboot.microdroid.debuggable=0
 
diff --git a/microdroid_manager/src/main.rs b/microdroid_manager/src/main.rs
index 1b3aa7f..b644285 100644
--- a/microdroid_manager/src/main.rs
+++ b/microdroid_manager/src/main.rs
@@ -67,8 +67,7 @@
 
 const APEX_CONFIG_DONE_PROP: &str = "apex_config.done";
 const LOGD_ENABLED_PROP: &str = "ro.boot.logd.enabled";
-const ADBD_ENABLED_PROP: &str = "ro.boot.adb.enabled";
-const DEBUGGABLE_PROP: &str = "ro.boot.microdroid.debuggable";
+const APP_DEBUGGABLE_PROP: &str = "ro.boot.microdroid.app_debuggable";
 
 #[derive(thiserror::Error, Debug)]
 enum MicrodroidError {
@@ -145,15 +144,6 @@
     }
 }
 
-fn is_debuggable() -> Result<bool> {
-    // Read all the properties so the behaviour is most similar between debug and non-debug boots.
-    // Defensively default to debug enabled for unrecognised values.
-    let adb = system_properties::read_bool(ADBD_ENABLED_PROP, true)?;
-    let logd = system_properties::read_bool(LOGD_ENABLED_PROP, true)?;
-    let debuggable = system_properties::read_bool(DEBUGGABLE_PROP, true)?;
-    Ok(adb || logd || debuggable)
-}
-
 fn dice_derivation(verified_data: MicrodroidData, payload_config_path: &str) -> Result<()> {
     // Calculate compound digests of code and authorities
     let mut code_hash_ctx = digest::Context::new(&digest::SHA512);
@@ -183,6 +173,9 @@
     encode_header(3, config_path_bytes.len().try_into().unwrap(), &mut config_desc)?;
     config_desc.extend_from_slice(config_path_bytes);
 
+    // Check app debuggability, conervatively assuming it is debuggable
+    let app_debuggable = system_properties::read_bool(APP_DEBUGGABLE_PROP, true)?;
+
     // Send the details to diced
     let diced =
         wait_for_interface::<dyn IDiceMaintenance>("android.security.dice.IDiceMaintenance")
@@ -193,7 +186,7 @@
             config: Config { desc: config_desc },
             authorityHash: authority_hash,
             authorityDescriptor: None,
-            mode: if is_debuggable()? { Mode::DEBUG } else { Mode::NORMAL },
+            mode: if app_debuggable { Mode::DEBUG } else { Mode::NORMAL },
             hidden: verified_data.salt.try_into().unwrap(),
         }])
         .context("IDiceMaintenance::demoteSelf failed")?;