Expose encryptedstore feature to system apps

This patch adds 2 api functions: set/get EncryptedStorageKib &
isEncryptedStorageEnabled() which can be used to specify the size of
storage required. VirtualMachine, on being initialized, will create the
backing (empty) file if storageSize > 0.

The (storage) allocation happens when VirtualMachine.create() is called:
by using VS' initializeWritablePartition() called over binder.

Test that EncryptedStore is available & accessible -
encryptedStorageAvailable() is a device test which uses these system
apis to enable encrypted storage in VM. It then verifies that the native
api (getEncryptedStoragePath()) inside VM indeed returns the right mount
point, hence verifying both the ends of the encryptedstore infra :)

Test: atest MicrodroidTests#encryptedStorageAvailable
Bug: 254454175
Bug: 260084116
Change-Id: I4842ebac6af795beaf250525252087545895b231
diff --git a/virtualizationservice/src/aidl.rs b/virtualizationservice/src/aidl.rs
index 7d24a32..3e4323d 100644
--- a/virtualizationservice/src/aidl.rs
+++ b/virtualizationservice/src/aidl.rs
@@ -881,8 +881,9 @@
 // Return whether a partition is exempt from selinux label checks, because we know that it does
 // not contain code and is likely to be generated in an app-writable directory.
 fn is_safe_app_partition(label: &str) -> bool {
-    // See make_payload_disk in payload.rs.
+    // See add_microdroid_system_images & add_microdroid_payload_images in payload.rs.
     label == "vm-instance"
+        || label == "encryptedstore"
         || label == "microdroid-apk-idsig"
         || label == "payload-metadata"
         || label.starts_with("extra-idsig-")
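Review bot: The new `|| label == "encryptedstore"` line in is_safe_app_partition exempts this partition from the SELinux label check based only on its label string, and nothing in the hunk says why it meets the function's stated criteria ("does not contain code and is likely to be generated in an app-writable directory"). Please add a short comment on that line giving the justification (the commit message says the backing file is created empty by VirtualMachine and initialized through initializeWritablePartition()), and confirm that a partition carrying this label is only ever treated as data, so the exemption cannot be used to skip the label check for an image that holds code. The rewritten "See ..." comment now points at add_microdroid_system_images and add_microdroid_payload_images in payload.rs, which this diff does not touch; check that the "encryptedstore" label is actually assigned in one of them so the reference stays accurate.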
@@ -898,7 +899,7 @@
     match ctx.selinux_type()? {
         | "system_file" // immutable dm-verity protected partition
         | "apk_data_file" // APKs of an installed app
-        | "staging_data_file" // updated/staged APEX imagess
+        | "staging_data_file" // updated/staged APEX images
         | "shell_data_file" // test files created via adb shell
          => Ok(()),
         _ => bail!("Label {} is not allowed", ctx),
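Review bot: The typo fix in the comment on the "staging_data_file" arm is unrelated to the encryptedstore feature and is not mentioned in the commit message. It is harmless, but this match is the SELinux type allowlist, so a one-line mention in the message (or a separate cleanup commit) would make it clear that the only functional change in this file is the new exempt label in is_safe_app_partition.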