Merge "apkdmverity: enable AndroidTest"
diff --git a/microdroid/sepolicy/system/private/microdroid_launcher.te b/microdroid/sepolicy/system/private/microdroid_launcher.te
index 5983cb7..35286a6 100644
--- a/microdroid/sepolicy/system/private/microdroid_launcher.te
+++ b/microdroid/sepolicy/system/private/microdroid_launcher.te
@@ -5,17 +5,6 @@
type microdroid_launcher, domain, coredomain;
type microdroid_launcher_exec, exec_type, file_type, system_file_type;
-# allow executing files on the zipfuse fs
-# TODO(b/188400186) uncomment the below when the zipfuse is mounted with
-# fscontext=u:object_r:zipfusefs:s0
-# allow microdroid_launcher zipfusefs:dir r_dir_perms;
-# allow microdroid_launcher zipfusefs:file rx_file_perms;
-# TODO(b/188400186) remove the below two rules
-userdebug_or_eng(`
- allow microdroid_launcher fuse:dir r_dir_perms;
- allow microdroid_launcher fuse:file rx_file_perms;
-')
-
# Allow to communicate use, read and write over the adb connection.
allow microdroid_launcher adbd:fd use;
allow microdroid_launcher adbd:unix_stream_socket { read write };
diff --git a/microdroid/sepolicy/system/private/zipfuse.te b/microdroid/sepolicy/system/private/zipfuse.te
index 9d5faad..65da9d3 100644
--- a/microdroid/sepolicy/system/private/zipfuse.te
+++ b/microdroid/sepolicy/system/private/zipfuse.te
@@ -22,13 +22,11 @@
# allow mounting on /mnt/apk
allow zipfuse tmpfs:dir mounton;
-# TODO(b/188400186) uncomment the following when this filesystem is mounted with
-# fscontext=u:object_r:zipfusefs:s0
-# type zipfusefs, fs_type, contextmount_type;
-# allow zipfuse fuse:filesystem relabelfrom;
-# allow zipfuse zipfusefs:filesystem { mount relabelfrom relabelto };
+# allow mounting with fscontext=u:object_r:zipfusefs:s0
+type zipfusefs, fs_type, contextmount_type;
+allow zipfuse fuse:filesystem relabelfrom;
+allow zipfuse zipfusefs:filesystem { mount relabelfrom relabelto };
-# TODO(b/188400186) remove this when this filesystem is mounted with correct fcontext
-userdebug_or_eng(`
- allow zipfuse fuse:filesystem mount;
-')
+# allow mounting with context=u:object_r:system_file:s0 so that files provided
+# by zipfuse are treated the same as the other files in /system or /apex
+allow system_file zipfusefs:filesystem associate;
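Review bot: The comment above `allow system_file zipfusefs:filesystem associate;` does not say what makes it safe to give APK-provided files the `system_file` label. With `context=u:object_r:system_file:s0` (passed in zipfuse.rc), every file served from the mounted zip is labelled like a platform file, so any domain that may read or execute `system_file` gets the same access to APK contents. This is presumably acceptable only if the backing block device is integrity-checked before the mount, which this hunk does not show. I would state that assumption in the comment, e.g. `# NOTE: assumes the APK block device is verified before mount; files under /mnt/apk inherit system_file trust`.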
diff --git a/tests/AndroidTest.xml b/tests/AndroidTest.xml
index a8fdf19..a58c08c 100644
--- a/tests/AndroidTest.xml
+++ b/tests/AndroidTest.xml
@@ -15,6 +15,9 @@
-->
<configuration description="Config for Virtualization tests">
+ <!-- virtualizationservice doesn't have access to shell_data_file. Instead of giving it
+ a test-only permission, run it without selinux -->
+ <target_preparer class="com.android.tradefed.targetprep.DisableSELinuxTargetPreparer"/>
<!-- Basic checks that the device has all the prerequisites. -->
<target_preparer class="com.android.tradefed.targetprep.RunCommandTargetPreparer">
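Review bot: `DisableSELinuxTargetPreparer` switches enforcement off on the test device for the whole run, so host-side denials no longer fail the suite and a policy regression for virtualizationservice, or anything else the tests exercise, can go unnoticed. The label assertion added in MicrodroidTestCase presumably runs against the guest's own policy and is unaffected, but nothing here checks the host. The comment should mark this as temporary and point at a tracking bug, e.g. `<!-- TODO(b/<BUG_ID>): re-enable SELinux once test inputs are staged where virtualizationservice can read them -->`. The enclosing `<configuration>` continues outside the hunk.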
diff --git a/tests/hostside/java/android/virt/test/MicrodroidTestCase.java b/tests/hostside/java/android/virt/test/MicrodroidTestCase.java
index 13ca434..b3c3e27 100644
--- a/tests/hostside/java/android/virt/test/MicrodroidTestCase.java
+++ b/tests/hostside/java/android/virt/test/MicrodroidTestCase.java
@@ -177,7 +177,9 @@
assertThat(abiList.length, is(1));
final String libPath = "/mnt/apk/lib/" + abiList[0] + "/MicrodroidTestNativeLib.so";
- assertThat(executeCommandOnMicrodroid("shell ls " + libPath), is(libPath));
+ assertThat(
+ executeCommandOnMicrodroid("shell ls -Z " + libPath),
+ is("u:object_r:system_file:s0 " + libPath));
assertThat(
executeCommandOnMicrodroid(
diff --git a/zipfuse/src/main.rs b/zipfuse/src/main.rs
index 12c891c..9b70d08 100644
--- a/zipfuse/src/main.rs
+++ b/zipfuse/src/main.rs
@@ -39,35 +39,48 @@
fn main() -> Result<()> {
let matches = App::new("zipfuse")
+ .arg(
+ Arg::with_name("options")
+ .short("o")
+ .takes_value(true)
+ .required(false)
+ .help("Comma separated list of mount options")
+ )
.arg(Arg::with_name("ZIPFILE").required(true))
.arg(Arg::with_name("MOUNTPOINT").required(true))
.get_matches();
let zip_file = matches.value_of("ZIPFILE").unwrap().as_ref();
let mount_point = matches.value_of("MOUNTPOINT").unwrap().as_ref();
- run_fuse(zip_file, mount_point)?;
+ let options = matches.value_of("options");
+ run_fuse(zip_file, mount_point, options)?;
Ok(())
}
/// Runs a fuse filesystem by mounting `zip_file` on `mount_point`.
-pub fn run_fuse(zip_file: &Path, mount_point: &Path) -> Result<()> {
+pub fn run_fuse(zip_file: &Path, mount_point: &Path, extra_options: Option<&str>) -> Result<()> {
const MAX_READ: u32 = 1 << 20; // TODO(jiyong): tune this
const MAX_WRITE: u32 = 1 << 13; // This is a read-only filesystem
let dev_fuse = OpenOptions::new().read(true).write(true).open("/dev/fuse")?;
+ let mut mount_options = vec![
+ MountOption::FD(dev_fuse.as_raw_fd()),
+ MountOption::RootMode(libc::S_IFDIR | libc::S_IXUSR | libc::S_IXGRP | libc::S_IXOTH),
+ MountOption::AllowOther,
+ MountOption::UserId(0),
+ MountOption::GroupId(0),
+ MountOption::MaxRead(MAX_READ),
+ ];
+ if let Some(value) = extra_options {
+ mount_options.push(MountOption::Extra(value));
+ }
+
fuse::mount(
mount_point,
"zipfuse",
libc::MS_NOSUID | libc::MS_NODEV | libc::MS_RDONLY,
- &[
- MountOption::FD(dev_fuse.as_raw_fd()),
- MountOption::RootMode(libc::S_IFDIR | libc::S_IXUSR | libc::S_IXGRP | libc::S_IXOTH),
- MountOption::AllowOther,
- MountOption::UserId(0),
- MountOption::GroupId(0),
- MountOption::MaxRead(MAX_READ),
- ],
+ &mount_options,
)?;
Ok(fuse::worker::start_message_loop(dev_fuse, MAX_READ, MAX_WRITE, ZipFuse::new(zip_file)?)?)
}
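Review bot: `extra_options` is pushed as `MountOption::Extra(value)` with no check, after the options zipfuse sets itself. A caller-supplied string that repeats `fd=`, `rootmode=`, `user_id=`, `group_id=` or `max_read=` would therefore reach the mount alongside the built-in values. How such duplicates resolve depends on the fuse crate and the kernel, which are not visible here; a `max_read` that differs from the `MAX_READ` given to `start_message_loop` is worth ruling out. `run_fuse` is `pub` and its doc comment still describes only two parameters, so I would add `/// extra_options: comma-separated mount options passed through unmodified (e.g. fscontext=, context=); must not repeat options set here.` Consider also rejecting those keys before the push.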
@@ -388,7 +401,7 @@
let zip_path = PathBuf::from(zip_path);
let mnt_path = PathBuf::from(mnt_path);
std::thread::spawn(move || {
- crate::run_fuse(&zip_path, &mnt_path).unwrap();
+ crate::run_fuse(&zip_path, &mnt_path, None).unwrap();
});
}
diff --git a/zipfuse/zipfuse.rc b/zipfuse/zipfuse.rc
index 97306ea..ccd94b6 100644
--- a/zipfuse/zipfuse.rc
+++ b/zipfuse/zipfuse.rc
@@ -1,2 +1,2 @@
-service zipfuse /system/bin/zipfuse /dev/block/by-name/microdroid-apk /mnt/apk
+service zipfuse /system/bin/zipfuse -o fscontext=u:object_r:zipfusefs:s0,context=u:object_r:system_file:s0 /dev/block/by-name/microdroid-apk /mnt/apk
disabled