Only delete owned VM IDs
When a VM is deleted, only delete its secret from Secretkeeper (and
our tracking DB) if we believe it is owned by the caller.
This is intended to handle the VM transfer case - on transfer we mark
the recipient as owner, and we want them to retain access until they
delete the VM. The previous owner is encouraged to delete their copy
immediately, which shouldn't invalidate the secret.
Modify our e2e test for VM transfer to do the deletion after transfer
and before starting the VM, so we are exercising the expected use
case. This test then fails, as expected, without the code chage and
passed with it.
Bug: 340563554
Test: atest com.android.microdroid.test.MicrodroidTests#testShareVmWithAnotherApp
Change-Id: I1929a1a3e2f92343629f15893a3a68f51d244afc
diff --git a/virtualizationservice/src/aidl.rs b/virtualizationservice/src/aidl.rs
index 8fe4167..2fc9b4c 100644
--- a/virtualizationservice/src/aidl.rs
+++ b/virtualizationservice/src/aidl.rs
@@ -469,8 +469,16 @@
fn removeVmInstance(&self, instance_id: &[u8; 64]) -> binder::Result<()> {
let state = &mut *self.state.lock().unwrap();
if let Some(sk_state) = &mut state.sk_state {
- info!("removeVmInstance(): delete secret");
- sk_state.delete_ids(&[*instance_id]);
+ let uid = get_calling_uid();
+ info!(
+ "Removing a VM's instance_id: {:?}, for uid: {:?}",
+ hex::encode(instance_id),
+ uid
+ );
+
+ let user_id = multiuser_get_user_id(uid);
+ let app_id = multiuser_get_app_id(uid);
+ sk_state.delete_id(instance_id, user_id, app_id);
} else {
info!("ignoring removeVmInstance() as no ISecretkeeper");
}