Mount extra APKs with noexc
Extra APKs are used to provide extra data to a microdroid payload so
their contents should not be executable. Have zipfuse enforce this when
mounting them.
Bug: 237742605
Test: atest MicrodroidTestApp
Change-Id: I3d9e258e4a2941b05b8a3f107520b9cfb37c0d95
diff --git a/microdroid_manager/src/main.rs b/microdroid_manager/src/main.rs
index 15d6663..350fbc5 100644
--- a/microdroid_manager/src/main.rs
+++ b/microdroid_manager/src/main.rs
@@ -299,7 +299,9 @@
dice_derivation(&verified_data, &metadata.payload_config_path)?;
// Before reading a file from the APK, start zipfuse
+ let noexec = false;
run_zipfuse(
+ noexec,
"fscontext=u:object_r:zipfusefs:s0,context=u:object_r:system_file:s0",
Path::new("/dev/block/mapper/microdroid-apk"),
Path::new("/mnt/apk"),
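Review bot: `let noexec = false;` at the main-APK call site gives no reason why this mount stays executable while the extra-APK mounts do not. A one-line comment above it would record the intent, for example `// Main APK: payload code is presumably loaded from /mnt/apk, so exec must stay allowed.` That wording should be confirmed against how the payload is actually launched, which this hunk does not show. The enclosing function starts and ends outside the hunk.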
@@ -364,9 +366,12 @@
cmd.spawn().context("Spawn apkdmverity")
}
-fn run_zipfuse(option: &str, zip_path: &Path, mount_dir: &Path) -> Result<Child> {
- Command::new(ZIPFUSE_BIN)
- .arg("-o")
+fn run_zipfuse(noexec: bool, option: &str, zip_path: &Path, mount_dir: &Path) -> Result<Child> {
+ let mut cmd = Command::new(ZIPFUSE_BIN);
+ if noexec {
+ cmd.arg("--noexec");
+ }
+ cmd.arg("-o")
.arg(option)
.arg(zip_path)
.arg(mount_dir)
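Review bot: The new leading `noexec: bool` parameter on `run_zipfuse` turns a security-relevant mount property into a positional boolean, so a caller that passes `false` by habit does not read as unsafe in review. A two-variant enum keeps the same logic and makes the choice explicit at every call: `enum MountForExec { Allowed, Disallowed }` with `if matches!(noexec, MountForExec::Disallowed) { cmd.arg("--noexec"); }`. The function also has no doc comment; a `///` line stating that `--noexec` is passed to zipfuse, which is expected to enforce it, would tell the next reader where the guarantee lives. The body of `run_zipfuse` continues past the end of this hunk.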
@@ -537,7 +542,9 @@
create_dir(Path::new(&mount_dir)).context("Failed to create mount dir for extra apks")?;
// don't wait, just detach
+ let noexec = true;
run_zipfuse(
+ noexec,
"fscontext=u:object_r:zipfusefs:s0,context=u:object_r:extra_apk_file:s0",
Path::new(&format!("/dev/block/mapper/extra-apk-{}", i)),
Path::new(&mount_dir),
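Review bot: Nothing visible here checks that the extra-APK mount actually comes up non-executable. The child is detached ("don't wait, just detach"), so this code would not notice if zipfuse rejected or ignored `--noexec`. The commit's Test line names MicrodroidTestApp, but no test change is shown on this page; a test asserting that executing a file under the extra-APK mount fails would pin the behaviour. It is also worth confirming that the SELinux policy for `extra_apk_file` denies execute, so the restriction does not rest on the mount flag alone. The call and its enclosing function continue outside the hunk.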