Pass payload disk images as file descriptors rather than paths.
Converting to "/proc/self/fd/N" and then opening it again is not allowed
by SELinux policy.
Bug: 193402941
Test: atest VirtualizationTestCases MicrodroidHostTestCases
Change-Id: Ic0a96e2f5977972d21d2ead47f1fbf4dd079eafa
diff --git a/virtualizationservice/src/aidl.rs b/virtualizationservice/src/aidl.rs
index 12c46ee..1d99c2d 100644
--- a/virtualizationservice/src/aidl.rs
+++ b/virtualizationservice/src/aidl.rs
@@ -16,7 +16,7 @@
use crate::composite::make_composite_image;
use crate::crosvm::{CrosvmConfig, DiskFile, VmInstance};
-use crate::payload::make_payload_disk;
+use crate::payload::add_microdroid_images;
use crate::{Cid, FIRST_GUEST_CID};
use android_os_permissions_aidl::aidl::android::os::IPermissionController;
@@ -38,7 +38,7 @@
use anyhow::{bail, Context, Result};
use disk::QcowFile;
use log::{debug, error, warn, info};
-use microdroid_payload_config::{ApexConfig, VmPayloadConfig};
+use microdroid_payload_config::VmPayloadConfig;
use std::convert::TryInto;
use std::ffi::CString;
use std::fs::{File, OpenOptions, create_dir};
@@ -46,7 +46,7 @@
use std::os::unix::io::{AsRawFd, FromRawFd, IntoRawFd};
use std::path::{Path, PathBuf};
use std::sync::{Arc, Mutex, Weak};
-use vmconfig::{VmConfig, Partition};
+use vmconfig::VmConfig;
use vsock::{VsockListener, SockAddr, VsockStream};
use zip::ZipArchive;
@@ -55,11 +55,6 @@
/// Directory in which to write disk image files used while running VMs.
pub const TEMPORARY_DIRECTORY: &str = "/data/misc/virtualizationservice";
-/// The list of APEXes which microdroid requires.
-/// TODO(b/192200378) move this to microdroid.json?
-const MICRODROID_REQUIRED_APEXES: [&str; 3] =
- ["com.android.adbd", "com.android.i18n", "com.android.os.statsd"];
-
/// The CID representing the host VM
const VMADDR_CID_HOST: u32 = 2;
@@ -365,53 +360,43 @@
config: &VirtualMachineAppConfig,
temporary_directory: &Path,
) -> Result<VirtualMachineRawConfig> {
- let apk_file = config.apk.as_ref().unwrap().as_ref();
- let idsig_file = config.idsig.as_ref().unwrap().as_ref();
+ let apk_file = clone_file(config.apk.as_ref().unwrap())?;
+ let idsig_file = clone_file(config.idsig.as_ref().unwrap())?;
// TODO(b/193504400) pass this to crosvm
- let _instance_file = config.instanceImage.as_ref().unwrap().as_ref();
+ let _instance_file = clone_file(config.instanceImage.as_ref().unwrap())?;
let config_path = &config.configPath;
- let mut apk_zip = ZipArchive::new(apk_file)?;
+ let mut apk_zip = ZipArchive::new(&apk_file)?;
let config_file = apk_zip.by_name(config_path)?;
let vm_payload_config: VmPayloadConfig = serde_json::from_reader(config_file)?;
let os_name = &vm_payload_config.os.name;
+
// For now, the only supported "os" value is "microdroid"
if os_name != "microdroid" {
- bail!("unknown os: {}", os_name);
+ bail!("Unknown OS \"{}\"", os_name);
}
+
+ // It is safe to construct a filename based on the os_name because we've already checked that it
+ // is one of the allowed values.
let vm_config_path = PathBuf::from(format!("/apex/com.android.virt/etc/{}.json", os_name));
let vm_config_file = File::open(vm_config_path)?;
- let mut vm_config = VmConfig::load(&vm_config_file)?;
+ let mut vm_config = VmConfig::load(&vm_config_file)?.to_parcelable()?;
- // Microdroid requires additional payload disk image and the bootconfig partition
+ // Microdroid requires an additional payload disk image and the bootconfig partition.
if os_name == "microdroid" {
- let mut apexes = vm_payload_config.apexes.clone();
- apexes.extend(
- MICRODROID_REQUIRED_APEXES.iter().map(|name| ApexConfig { name: name.to_string() }),
- );
- apexes.dedup_by(|a, b| a.name == b.name);
-
- vm_config.disks.push(make_payload_disk(
- format!("/proc/self/fd/{}", apk_file.as_raw_fd()).into(),
- format!("/proc/self/fd/{}", idsig_file.as_raw_fd()).into(),
- config_path,
- &apexes,
+ let apexes = vm_payload_config.apexes.clone();
+ add_microdroid_images(
+ config,
temporary_directory,
- )?);
-
- if config.debug {
- vm_config.disks[1].partitions.push(Partition {
- label: "bootconfig".to_owned(),
- paths: vec![PathBuf::from(
- "/apex/com.android.virt/etc/microdroid_bootconfig.debug",
- )],
- writable: false,
- });
- }
+ apk_file,
+ idsig_file,
+ apexes,
+ &mut vm_config,
+ )?;
}
- vm_config.to_parcelable()
+ Ok(vm_config)
}
/// Generates a unique filename to use for a composite disk image.