Merge "Use preserved_fds rather than fd_mappings."
diff --git a/TEST_MAPPING b/TEST_MAPPING
index 13c68d7..69d4568 100644
--- a/TEST_MAPPING
+++ b/TEST_MAPPING
@@ -1,8 +1,13 @@
{
- "postsubmit": [
+ "presubmit": [
{
"name": "MicrodroidHostTestCases"
- },
+ }
+ ],
+ "postsubmit": [
+ // TODO(jiyong): promote this to presubmit. That currently doesn't work because
+ // this test is skipped for cf_x86_64_phone (not aosp_cf_x86_64_phone), but tradefed
+ // somehow thinks that the test wasn't executed at all and reports it as a failure.
{
"name": "VirtualizationTestCases"
}
diff --git a/apex/Android.bp b/apex/Android.bp
index 2194c67..c06740a 100644
--- a/apex/Android.bp
+++ b/apex/Android.bp
@@ -7,6 +7,7 @@
// TODO(jiyong): make it updatable
updatable: false,
+ platform_apis: true,
manifest: "manifest.json",
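Review bot: `platform_apis: true` is added directly under `// TODO(jiyong): make it updatable` with no explanation of why it is needed, and the two pull in opposite directions. As far as I know Soong refuses `platform_apis: true` on an APEX that sets `updatable: true`, so this moves the TODO further away. A one-line comment would record the dependency, e.g. `// platform_apis: <module that needs non-SDK APIs> uses platform APIs; remove before making this APEX updatable`. The identical addition in compos/apex/Android.bp needs the same comment. The enclosing apex block starts and ends outside this hunk.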
diff --git a/apkdmverity/TEST_MAPPING b/apkdmverity/TEST_MAPPING
index 997b3f9..1bbec76 100644
--- a/apkdmverity/TEST_MAPPING
+++ b/apkdmverity/TEST_MAPPING
@@ -1,5 +1,5 @@
{
- "postsubmit" : [
+ "presubmit" : [
{
"name" : "apkdmverity.test"
}
diff --git a/authfs/TEST_MAPPING b/authfs/TEST_MAPPING
index cabd5df..d0c0b09 100644
--- a/authfs/TEST_MAPPING
+++ b/authfs/TEST_MAPPING
@@ -3,10 +3,5 @@
{
"name": "authfs_device_test_src_lib"
}
- ],
- "postsubmit": [
- {
- "name": "MicrodroidHostTestCases"
- }
]
}
diff --git a/compos/apex/Android.bp b/compos/apex/Android.bp
index 95463d0..9942e09 100644
--- a/compos/apex/Android.bp
+++ b/compos/apex/Android.bp
@@ -34,6 +34,7 @@
// TODO(victorhsieh): make it updatable
updatable: false,
+ platform_apis: true,
binaries: [
"compos_key_service",
diff --git a/compositediskconfig/src/lib.rs b/compositediskconfig/src/lib.rs
index 3546dd3..dc199e4 100644
--- a/compositediskconfig/src/lib.rs
+++ b/compositediskconfig/src/lib.rs
@@ -15,7 +15,6 @@
//! JSON configuration for composite disks, as used for running `mk_cdisk` and by the `vm` tool.
use serde::{Deserialize, Serialize};
-use std::io::Write;
use std::path::PathBuf;
/// Configuration for running `mk_cdisk`.
@@ -36,10 +35,3 @@
#[serde(default)]
pub writable: bool,
}
-
-impl Config {
- /// Write the configuration as JSON, in the format used by `mk_cdisk`.
- pub fn write_json(&self, writer: impl Write) -> serde_json::Result<()> {
- serde_json::to_writer(writer, self)
- }
-}
diff --git a/microdroid/payload/metadata/Android.bp b/microdroid/payload/metadata/Android.bp
new file mode 100644
index 0000000..4b23394
--- /dev/null
+++ b/microdroid/payload/metadata/Android.bp
@@ -0,0 +1,16 @@
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+rust_library {
+ name: "libmicrodroid_metadata",
+ host_supported: true,
+ crate_name: "microdroid_metadata",
+ srcs: ["src/lib.rs"],
+ prefer_rlib: true,
+ edition: "2018",
+ rustlibs: [
+ "libmicrodroid_metadata_proto_rust",
+ "libprotobuf",
+ ],
+}
diff --git a/microdroid/payload/metadata/src/lib.rs b/microdroid/payload/metadata/src/lib.rs
new file mode 100644
index 0000000..9c97411
--- /dev/null
+++ b/microdroid/payload/metadata/src/lib.rs
@@ -0,0 +1,42 @@
+// Copyright 2021, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! Read/write metadata blob for VM payload image. The blob is supposed to be used as a metadata
+//! partition in the VM payload image.
+//! The layout of metadata blob is like:
+//! 4 bytes : size(N) in big endian
+//! N bytes : protobuf message for Metadata
+
+use protobuf::Message;
+use std::io;
+use std::io::Read;
+use std::io::Write;
+
+pub use microdroid_metadata::metadata::{ApexPayload, ApkPayload, Metadata};
+
+/// Reads a metadata from a reader
+pub fn read_metadata<T: Read>(mut r: T) -> io::Result<Metadata> {
+ let mut buf = [0u8; 4];
+ r.read_exact(&mut buf)?;
+ let size = i32::from_be_bytes(buf);
+ Ok(Metadata::parse_from_reader(&mut r.take(size as u64))?)
+}
+
+/// Writes a metadata to a writer
+pub fn write_metadata<T: Write>(metadata: &Metadata, mut w: T) -> io::Result<()> {
+ let mut buf = Vec::new();
+ metadata.write_to_writer(&mut buf)?;
+ w.write_all(&(buf.len() as i32).to_be_bytes())?;
+ w.write_all(&buf)
+}
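Review bot: In `read_metadata` the length prefix is decoded as a signed `i32` and cast with `size as u64`, so a negative prefix sign-extends to a limit near `u64::MAX` and `take` no longer bounds the parse. The blob comes from a payload image partition, so the prefix should be treated as untrusted. Reject negative values before the cast, e.g. `if size < 0 { return Err(io::Error::new(io::ErrorKind::InvalidData, "negative metadata size")); }`, and consider an upper bound derived from the partition size. `write_metadata` has the mirror problem: `buf.len() as i32` truncates silently, so an oversized message would be written with a wrong prefix, whereas `i32::try_from(buf.len())` mapped to an `io::Error` would fail (edition 2018 needs `use std::convert::TryFrom;`). A round-trip test plus one feeding a negative prefix would pin both behaviours.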
diff --git a/microdroid/sepolicy/system/private/hwservice_contexts b/microdroid/sepolicy/system/private/hwservice_contexts
index 5b6e79d..f4583e2 100644
--- a/microdroid/sepolicy/system/private/hwservice_contexts
+++ b/microdroid/sepolicy/system/private/hwservice_contexts
@@ -1,85 +1,6 @@
-android.frameworks.automotive.display::IAutomotiveDisplayProxyService u:object_r:fwk_automotive_display_hwservice:s0
-android.frameworks.bufferhub::IBufferHub u:object_r:fwk_bufferhub_hwservice:s0
-android.frameworks.cameraservice.service::ICameraService u:object_r:fwk_camera_hwservice:s0
-android.frameworks.displayservice::IDisplayService u:object_r:fwk_display_hwservice:s0
-android.frameworks.schedulerservice::ISchedulingPolicyService u:object_r:fwk_scheduler_hwservice:s0
-android.frameworks.sensorservice::ISensorManager u:object_r:fwk_sensor_hwservice:s0
-android.frameworks.stats::IStats u:object_r:fwk_stats_hwservice:s0
-android.hardware.atrace::IAtraceDevice u:object_r:hal_atrace_hwservice:s0
-android.hardware.audio.effect::IEffectsFactory u:object_r:hal_audio_hwservice:s0
-android.hardware.audio::IDevicesFactory u:object_r:hal_audio_hwservice:s0
-android.hardware.authsecret::IAuthSecret u:object_r:hal_authsecret_hwservice:s0
-android.hardware.automotive.audiocontrol::IAudioControl u:object_r:hal_audiocontrol_hwservice:s0
-android.hardware.automotive.can::ICanController u:object_r:hal_can_controller_hwservice:s0
-android.hardware.automotive.can::ICanBus u:object_r:hal_can_bus_hwservice:s0
-android.hardware.automotive.evs::IEvsEnumerator u:object_r:hal_evs_hwservice:s0
-android.hardware.automotive.vehicle::IVehicle u:object_r:hal_vehicle_hwservice:s0
-android.hardware.biometrics.face::IBiometricsFace u:object_r:hal_face_hwservice:s0
-android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
-android.hardware.bluetooth::IBluetoothHci u:object_r:hal_bluetooth_hwservice:s0
-android.hardware.bluetooth.a2dp::IBluetoothAudioOffload u:object_r:hal_audio_hwservice:s0
-android.hardware.bluetooth.audio::IBluetoothAudioProvidersFactory u:object_r:hal_audio_hwservice:s0
-android.hardware.boot::IBootControl u:object_r:hal_bootctl_hwservice:s0
-android.hardware.broadcastradio::IBroadcastRadio u:object_r:hal_broadcastradio_hwservice:s0
-android.hardware.broadcastradio::IBroadcastRadioFactory u:object_r:hal_broadcastradio_hwservice:s0
-android.hardware.camera.provider::ICameraProvider u:object_r:hal_camera_hwservice:s0
-android.hardware.configstore::ISurfaceFlingerConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
-android.hardware.confirmationui::IConfirmationUI u:object_r:hal_confirmationui_hwservice:s0
-android.hardware.contexthub::IContexthub u:object_r:hal_contexthub_hwservice:s0
-android.hardware.cas::IMediaCasService u:object_r:hal_cas_hwservice:s0
-android.hardware.drm::ICryptoFactory u:object_r:hal_drm_hwservice:s0
-android.hardware.drm::IDrmFactory u:object_r:hal_drm_hwservice:s0
-android.hardware.dumpstate::IDumpstateDevice u:object_r:hal_dumpstate_hwservice:s0
-android.hardware.gatekeeper::IGatekeeper u:object_r:hal_gatekeeper_hwservice:s0
-android.hardware.gnss::IGnss u:object_r:hal_gnss_hwservice:s0
-android.hardware.graphics.allocator::IAllocator u:object_r:hal_graphics_allocator_hwservice:s0
-android.hardware.graphics.composer::IComposer u:object_r:hal_graphics_composer_hwservice:s0
-android.hardware.graphics.mapper::IMapper u:object_r:hal_graphics_mapper_hwservice:s0
-android.hardware.health::IHealth u:object_r:hal_health_hwservice:s0
-android.hardware.health.storage::IStorage u:object_r:hal_health_storage_hwservice:s0
-android.hardware.input.classifier::IInputClassifier u:object_r:hal_input_classifier_hwservice:s0
-android.hardware.ir::IConsumerIr u:object_r:hal_ir_hwservice:s0
-android.hardware.keymaster::IKeymasterDevice u:object_r:hal_keymaster_hwservice:s0
-android.hardware.tests.lazy::ILazy u:object_r:hal_lazy_test_hwservice:s0
-android.hardware.light::ILight u:object_r:hal_light_hwservice:s0
-android.hardware.lowpan::ILowpanDevice u:object_r:hal_lowpan_hwservice:s0
-android.hardware.media.omx::IOmx u:object_r:hal_omx_hwservice:s0
-android.hardware.media.omx::IOmxStore u:object_r:hal_omx_hwservice:s0
-android.hardware.media.c2::IComponentStore u:object_r:hal_codec2_hwservice:s0
-android.hardware.memtrack::IMemtrack u:object_r:hal_memtrack_hwservice:s0
-android.hardware.neuralnetworks::IDevice u:object_r:hal_neuralnetworks_hwservice:s0
-android.hardware.nfc::INfc u:object_r:hal_nfc_hwservice:s0
-android.hardware.oemlock::IOemLock u:object_r:hal_oemlock_hwservice:s0
-android.hardware.power::IPower u:object_r:hal_power_hwservice:s0
-android.hardware.power.stats::IPowerStats u:object_r:hal_power_stats_hwservice:s0
-android.hardware.radio.config::IRadioConfig u:object_r:hal_telephony_hwservice:s0
-android.hardware.radio.deprecated::IOemHook u:object_r:hal_telephony_hwservice:s0
-android.hardware.radio::IRadio u:object_r:hal_telephony_hwservice:s0
-android.hardware.radio::ISap u:object_r:hal_telephony_hwservice:s0
-android.hardware.renderscript::IDevice u:object_r:hal_renderscript_hwservice:s0
-android.hardware.secure_element::ISecureElement u:object_r:hal_secure_element_hwservice:s0
-android.hardware.sensors::ISensors u:object_r:hal_sensors_hwservice:s0
-android.hardware.soundtrigger::ISoundTriggerHw u:object_r:hal_audio_hwservice:s0
-android.hardware.tetheroffload.config::IOffloadConfig u:object_r:hal_tetheroffload_hwservice:s0
-android.hardware.tetheroffload.control::IOffloadControl u:object_r:hal_tetheroffload_hwservice:s0
-android.hardware.thermal::IThermal u:object_r:hal_thermal_hwservice:s0
-android.hardware.tv.cec::IHdmiCec u:object_r:hal_tv_cec_hwservice:s0
-android.hardware.tv.input::ITvInput u:object_r:hal_tv_input_hwservice:s0
-android.hardware.tv.tuner::ITuner u:object_r:hal_tv_tuner_hwservice:s0
-android.hardware.usb::IUsb u:object_r:hal_usb_hwservice:s0
-android.hardware.usb.gadget::IUsbGadget u:object_r:hal_usb_gadget_hwservice:s0
-android.hardware.vibrator::IVibrator u:object_r:hal_vibrator_hwservice:s0
-android.hardware.vr::IVr u:object_r:hal_vr_hwservice:s0
-android.hardware.weaver::IWeaver u:object_r:hal_weaver_hwservice:s0
-android.hardware.wifi::IWifi u:object_r:hal_wifi_hwservice:s0
-android.hardware.wifi.hostapd::IHostapd u:object_r:hal_wifi_hostapd_hwservice:s0
-android.hardware.wifi.supplicant::ISupplicant u:object_r:hal_wifi_supplicant_hwservice:s0
android.hidl.allocator::IAllocator u:object_r:hidl_allocator_hwservice:s0
android.hidl.base::IBase u:object_r:hidl_base_hwservice:s0
android.hidl.manager::IServiceManager u:object_r:hidl_manager_hwservice:s0
android.hidl.memory::IMapper u:object_r:hidl_memory_hwservice:s0
android.hidl.token::ITokenManager u:object_r:hidl_token_hwservice:s0
-android.system.net.netd::INetd u:object_r:system_net_netd_hwservice:s0
-android.system.suspend::ISystemSuspend u:object_r:system_suspend_hwservice:s0
-android.system.wifi.keystore::IKeystore u:object_r:system_wifi_keystore_hwservice:s0
* u:object_r:default_android_hwservice:s0
diff --git a/microdroid/sepolicy/system/private/keystore2_key_contexts b/microdroid/sepolicy/system/private/keystore2_key_contexts
index 4e7c260..02cdd5e 100644
--- a/microdroid/sepolicy/system/private/keystore2_key_contexts
+++ b/microdroid/sepolicy/system/private/keystore2_key_contexts
@@ -4,27 +4,6 @@
# <namespace> <label>
#
# <namespace> must be an integer in the interval [0 ... 2^31)
-# su_key is a keystore_key namespace for the su domain intended for native tests.
-0 u:object_r:su_key:s0
-
-# shell_key is a keystore_key namespace for the shell domain intended for native tests.
-1 u:object_r:shell_key:s0
-
-# vold_key is a keystore2_key namespace for vold. It allows using raw Keymint blobs.
-100 u:object_r:vold_key:s0
-
-# odsign_key is a keystore2_key namespace for the on-device signing daemon.
-101 u:object_r:odsign_key:s0
-
-# wifi_key is a keystore2_key namespace for the WI-FI subsystem. It replaces the WIFI_UID
-# namespace in keystore.
-102 u:object_r:wifi_key:s0
-
-# locksettings_key is a keystore2_key namespace for the LockSettingsService.
-103 u:object_r:locksettings_key:s0
-
-# resume_on_reboot_key is a keystore2_key namespace intended for resume on reboot.
-120 u:object_r:resume_on_reboot_key:s0
# vm_payload_key is a keystore2_key namespace intended for microdroid VM payloads.
# TODO(b/191843770): sort out a longer term policy
diff --git a/microdroid/sepolicy/system/private/microdroid_manager.te b/microdroid/sepolicy/system/private/microdroid_manager.te
index fba3e71..81a6839 100644
--- a/microdroid/sepolicy/system/private/microdroid_manager.te
+++ b/microdroid/sepolicy/system/private/microdroid_manager.te
@@ -22,10 +22,7 @@
allow microdroid_manager {shell_exec toolbox_exec}:file rx_file_perms;
# Let microdroid_manager kernel-log.
-# TODO(b/189805435) when ready this should be kmsg_device rather than kmsg_debug_device
-userdebug_or_eng(`
- allow microdroid_manager kmsg_debug_device:chr_file write;
-')
+allow microdroid_manager kmsg_device:chr_file w_file_perms;
# Let microdroid_manager read a config file from /mnt/apk (fusefs)
# TODO(b/188400186) remove the below two rules
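Review bot: The new `allow microdroid_manager kmsg_device:chr_file w_file_perms;` is broader than the rule it replaces in two ways. It is no longer wrapped in `userdebug_or_eng`, so it now applies on user builds, and it grants the whole `w_file_perms` set where the old rule granted only `write`. If microdroid_manager only has to open and write the kernel log, a narrower set such as `{ open write }` would keep the domain closer to least privilege. Otherwise extend the comment to say why the full set is needed, e.g. `# Let microdroid_manager kernel-log on all build types; w_file_perms needed because <reason>`. The surrounding policy continues outside this hunk, so other kmsg rules for this domain may exist that are not visible here.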
diff --git a/microdroid/sepolicy/system/private/port_contexts b/microdroid/sepolicy/system/private/port_contexts
index b473c0c..2f40b38 100644
--- a/microdroid/sepolicy/system/private/port_contexts
+++ b/microdroid/sepolicy/system/private/port_contexts
@@ -1,3 +1 @@
-# portcon statements go here, e.g.
-# portcon tcp 80 u:object_r:http_port:s0
-
+# This file can't be empty, but is unused on microdroid
diff --git a/microdroid/sepolicy/system/private/property_contexts b/microdroid/sepolicy/system/private/property_contexts
index 1483f6f..c2a3a62 100644
--- a/microdroid/sepolicy/system/private/property_contexts
+++ b/microdroid/sepolicy/system/private/property_contexts
@@ -25,9 +25,6 @@
ctl.console u:object_r:ctl_console_prop:s0
ctl. u:object_r:ctl_default_prop:s0
-dev.mnt.blk.root u:object_r:system_prop:s0 exact string
-dev.mnt.blk.vendor u:object_r:system_prop:s0 exact string
-
sys.init.perf_lsm_hooks u:object_r:init_perf_lsm_hooks_prop:s0 exact bool
service.adb.root u:object_r:shell_prop:s0 exact bool
diff --git a/microdroid/sepolicy/system/private/seapp_contexts b/microdroid/sepolicy/system/private/seapp_contexts
index b8e42ea..2f40b38 100644
--- a/microdroid/sepolicy/system/private/seapp_contexts
+++ b/microdroid/sepolicy/system/private/seapp_contexts
@@ -1,178 +1 @@
-# The entries in this file define how security contexts for apps are determined.
-# Each entry lists input selectors, used to match the app, and outputs which are
-# used to determine the security contexts for matching apps.
-#
-# Input selectors:
-# isSystemServer (boolean)
-# isEphemeralApp (boolean)
-# isOwner (boolean)
-# user (string)
-# seinfo (string)
-# name (string)
-# path (string)
-# isPrivApp (boolean)
-# minTargetSdkVersion (unsigned integer)
-# fromRunAs (boolean)
-#
-# All specified input selectors in an entry must match (i.e. logical AND).
-# An unspecified string or boolean selector with no default will match any
-# value.
-# A user, name, or path string selector that ends in * will perform a prefix
-# match.
-# String matching is case-insensitive.
-# See external/selinux/libselinux/src/android/android_platform.c,
-# seapp_context_lookup().
-#
-# isSystemServer=true only matches the system server.
-# An unspecified isSystemServer defaults to false.
-# isEphemeralApp=true will match apps marked by PackageManager as Ephemeral
-# isOwner=true will only match for the owner/primary user.
-# user=_app will match any regular app process.
-# user=_isolated will match any isolated service process.
-# Other values of user are matched against the name associated with the process
-# UID.
-# seinfo= matches aginst the seinfo tag for the app, determined from
-# mac_permissions.xml files.
-# The ':' character is reserved and may not be used in seinfo.
-# name= matches against the package name of the app.
-# path= matches against the directory path when labeling app directories.
-# isPrivApp=true will only match for applications preinstalled in
-# /system/priv-app.
-# minTargetSdkVersion will match applications with a targetSdkVersion
-# greater than or equal to the specified value. If unspecified,
-# it has a default value of 0.
-# fromRunAs=true means the process being labeled is started by run-as. Default
-# is false.
-#
-# Precedence: entries are compared using the following rules, in the order shown
-# (see external/selinux/libselinux/src/android/android_platform.c,
-# seapp_context_cmp()).
-# (1) isSystemServer=true before isSystemServer=false.
-# (2) Specified isEphemeralApp= before unspecified isEphemeralApp=
-# boolean.
-# (3) Specified isOwner= before unspecified isOwner= boolean.
-# (4) Specified user= string before unspecified user= string;
-# more specific user= string before less specific user= string.
-# (5) Specified seinfo= string before unspecified seinfo= string.
-# (6) Specified name= string before unspecified name= string;
-# more specific name= string before less specific name= string.
-# (7) Specified path= string before unspecified path= string.
-# more specific name= string before less specific name= string.
-# (8) Specified isPrivApp= before unspecified isPrivApp= boolean.
-# (9) Higher value of minTargetSdkVersion= before lower value of
-# minTargetSdkVersion= integer. Note that minTargetSdkVersion=
-# defaults to 0 if unspecified.
-# (10) fromRunAs=true before fromRunAs=false.
-# (A fixed selector is more specific than a prefix, i.e. ending in *, and a
-# longer prefix is more specific than a shorter prefix.)
-# Apps are checked against entries in precedence order until the first match,
-# regardless of their order in this file.
-#
-# Duplicate entries, i.e. with identical input selectors, are not allowed.
-#
-# Outputs:
-# domain (string)
-# type (string)
-# levelFrom (string; one of none, all, app, or user)
-# level (string)
-#
-# domain= determines the label to be used for the app process; entries
-# without domain= are ignored for this purpose.
-# type= specifies the label to be used for the app data directory; entries
-# without type= are ignored for this purpose. The label specified must
-# have the app_data_file_type attribute.
-# levelFrom and level are used to determine the level (sensitivity + categories)
-# for MLS/MCS.
-# levelFrom=none omits the level.
-# levelFrom=app determines the level from the process UID.
-# levelFrom=user determines the level from the user ID.
-# levelFrom=all determines the level from both UID and user ID.
-#
-# levelFrom=user is only supported for _app or _isolated UIDs.
-# levelFrom=app or levelFrom=all is only supported for _app UIDs.
-# level may be used to specify a fixed level for any UID.
-#
-# For backwards compatibility levelFromUid=true is equivalent to levelFrom=app
-# and levelFromUid=false is equivalent to levelFrom=none.
-#
-#
-# Neverallow Assertions
-# Additional compile time assertion checks for the rules in this file can be
-# added as well. The assertion
-# rules are lines beginning with the keyword neverallow. Full support for PCRE
-# regular expressions exists on all input and output selectors. Neverallow
-# rules are never output to the built seapp_contexts file. Like all keywords,
-# neverallows are case-insensitive. A neverallow is asserted when all key value
-# inputs are matched on a key value rule line.
-#
-
-# only the system server can be in system_server domain
-neverallow isSystemServer=false domain=system_server
-neverallow isSystemServer="" domain=system_server
-
-# system domains should never be assigned outside of system uid
-neverallow user=((?!system).)* domain=system_app
-neverallow user=((?!system).)* type=system_app_data_file
-
-# any non priv-app with a non-known uid with a specified name should have a specified
-# seinfo
-neverallow user=_app isPrivApp=false name=.* seinfo=""
-neverallow user=_app isPrivApp=false name=.* seinfo=default
-
-# neverallow shared relro to any other domain
-# and neverallow any other uid into shared_relro
-neverallow user=shared_relro domain=((?!shared_relro).)*
-neverallow user=((?!shared_relro).)* domain=shared_relro
-
-# neverallow non-isolated uids into isolated_app domain
-# and vice versa
-neverallow user=_isolated domain=((?!isolated_app).)*
-neverallow user=((?!_isolated).)* domain=isolated_app
-
-# uid shell should always be in shell domain, however non-shell
-# uid's can be in shell domain
-neverallow user=shell domain=((?!shell).)*
-
-# only the package named com.android.shell can run in the shell domain
-neverallow domain=shell name=((?!com\.android\.shell).)*
-neverallow user=shell name=((?!com\.android\.shell).)*
-
-# Ephemeral Apps must run in the ephemeral_app domain
-neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
-
-isSystemServer=true domain=system_server_startup
-
-user=_app isPrivApp=true name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
-user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
-user=system seinfo=platform domain=system_app type=system_app_data_file
-user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
-user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
-user=nfc seinfo=platform domain=nfc type=nfc_data_file
-user=secure_element seinfo=platform domain=secure_element levelFrom=all
-user=radio seinfo=platform domain=radio type=radio_data_file
-user=shared_relro domain=shared_relro levelFrom=all
-user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
-user=webview_zygote seinfo=webview_zygote domain=webview_zygote
-user=_isolated domain=isolated_app levelFrom=user
-user=_app seinfo=app_zygote domain=app_zygote levelFrom=user
-user=_app seinfo=media domain=mediaprovider type=app_data_file levelFrom=user
-user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
-user=_app isEphemeralApp=true domain=ephemeral_app type=app_data_file levelFrom=all
-user=_app minTargetSdkVersion=31 isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=all
-user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user
-user=_app isPrivApp=true name=com.google.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
-user=_app seinfo=media isPrivApp=true name=com.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
-user=_app isPrivApp=true name=com.google.android.providers.media.module domain=mediaprovider_app type=privapp_data_file levelFrom=all
-user=_app seinfo=platform isPrivApp=true name=com.android.permissioncontroller domain=permissioncontroller_app type=privapp_data_file levelFrom=all
-user=_app isPrivApp=true name=com.android.vzwomatrigger domain=vzwomatrigger_app type=privapp_data_file levelFrom=all
-user=_app isPrivApp=true name=com.google.android.gms domain=gmscore_app type=privapp_data_file levelFrom=user
-user=_app isPrivApp=true name=com.google.android.gms.* domain=gmscore_app type=privapp_data_file levelFrom=user
-user=_app isPrivApp=true name=com.google.android.gms:* domain=gmscore_app type=privapp_data_file levelFrom=user
-user=_app isPrivApp=true name=com.google.android.gsf domain=gmscore_app type=privapp_data_file levelFrom=user
-user=_app minTargetSdkVersion=30 domain=untrusted_app type=app_data_file levelFrom=all
-user=_app minTargetSdkVersion=29 domain=untrusted_app_29 type=app_data_file levelFrom=all
-user=_app minTargetSdkVersion=28 domain=untrusted_app_27 type=app_data_file levelFrom=all
-user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file levelFrom=user
-user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
-user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
-user=_app fromRunAs=true domain=runas_app levelFrom=user
+# This file can't be empty, but is unused on microdroid
diff --git a/microdroid/sepolicy/system/private/service_contexts b/microdroid/sepolicy/system/private/service_contexts
index b410b18..965b688 100644
--- a/microdroid/sepolicy/system/private/service_contexts
+++ b/microdroid/sepolicy/system/private/service_contexts
@@ -1,37 +1,10 @@
-android.hardware.authsecret.IAuthSecret/default u:object_r:hal_authsecret_service:s0
-android.hardware.automotive.audiocontrol.IAudioControl/default u:object_r:hal_audiocontrol_service:s0
-android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
-android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
-android.hardware.gnss.IGnss/default u:object_r:hal_gnss_service:s0
-android.hardware.health.storage.IStorage/default u:object_r:hal_health_storage_service:s0
-android.hardware.identity.IIdentityCredentialStore/default u:object_r:hal_identity_service:s0
-android.hardware.light.ILights/default u:object_r:hal_light_service:s0
-android.hardware.memtrack.IMemtrack/default u:object_r:hal_memtrack_service:s0
-android.hardware.oemlock.IOemLock/default u:object_r:hal_oemlock_service:s0
-android.hardware.power.IPower/default u:object_r:hal_power_service:s0
-android.hardware.power.stats.IPowerStats/default u:object_r:hal_power_stats_service:s0
-android.hardware.rebootescrow.IRebootEscrow/default u:object_r:hal_rebootescrow_service:s0
android.hardware.security.keymint.IKeyMintDevice/default u:object_r:hal_keymint_service:s0
android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
android.hardware.security.secureclock.ISecureClock/default u:object_r:hal_secureclock_service:s0
android.hardware.security.sharedsecret.ISharedSecret/default u:object_r:hal_sharedsecret_service:s0
-android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
-android.hardware.vibrator.IVibrator/default u:object_r:hal_vibrator_service:s0
-android.hardware.vibrator.IVibratorManager/default u:object_r:hal_vibrator_service:s0
-android.hardware.weaver.IWeaver/default u:object_r:hal_weaver_service:s0
-android.frameworks.stats.IStats/default u:object_r:fwk_stats_service:s0
android.system.keystore2.IKeystoreService/default u:object_r:keystore_service:s0
-accessibility u:object_r:accessibility_service:s0
-account u:object_r:account_service:s0
-activity u:object_r:activity_service:s0
-activity_task u:object_r:activity_task_service:s0
adb u:object_r:adb_service:s0
-aidl_lazy_test_1 u:object_r:aidl_lazy_test_service:s0
-aidl_lazy_test_2 u:object_r:aidl_lazy_test_service:s0
-alarm u:object_r:alarm_service:s0
-android.os.UpdateEngineService u:object_r:update_engine_service:s0
-android.os.UpdateEngineStableService u:object_r:update_engine_stable_service:s0
android.security.apc u:object_r:apc_service:s0
android.security.authorization u:object_r:authorization_service:s0
android.security.compat u:object_r:keystore_compat_hal_service:s0
@@ -40,270 +13,5 @@
android.security.maintenance u:object_r:keystore_maintenance_service:s0
android.security.remoteprovisioning u:object_r:remoteprovisioning_service:s0
android.security.vpnprofilestore u:object_r:vpnprofilestore_service:s0
-android.service.gatekeeper.IGateKeeperService u:object_r:gatekeeper_service:s0
-app_binding u:object_r:app_binding_service:s0
-app_hibernation u:object_r:app_hibernation_service:s0
-app_integrity u:object_r:app_integrity_service:s0
-app_prediction u:object_r:app_prediction_service:s0
-app_search u:object_r:app_search_service:s0
apexservice u:object_r:apex_service:s0
-blob_store u:object_r:blob_store_service:s0
-gsiservice u:object_r:gsi_service:s0
-appops u:object_r:appops_service:s0
-appwidget u:object_r:appwidget_service:s0
-artd u:object_r:artd_service:s0
-assetatlas u:object_r:assetatlas_service:s0
-attention u:object_r:attention_service:s0
-audio u:object_r:audio_service:s0
-auth u:object_r:auth_service:s0
-autofill u:object_r:autofill_service:s0
-backup u:object_r:backup_service:s0
-batteryproperties u:object_r:batteryproperties_service:s0
-batterystats u:object_r:batterystats_service:s0
-battery u:object_r:battery_service:s0
-binder_calls_stats u:object_r:binder_calls_stats_service:s0
-biometric u:object_r:biometric_service:s0
-bluetooth_manager u:object_r:bluetooth_manager_service:s0
-bluetooth u:object_r:bluetooth_service:s0
-broadcastradio u:object_r:broadcastradio_service:s0
-bugreport u:object_r:bugreport_service:s0
-cacheinfo u:object_r:cacheinfo_service:s0
-carrier_config u:object_r:radio_service:s0
-clipboard u:object_r:clipboard_service:s0
-com.android.net.IProxyService u:object_r:IProxyService_service:s0
-android.system.virtualizationservice u:object_r:virtualization_service:s0
-companiondevice u:object_r:companion_device_service:s0
-platform_compat u:object_r:platform_compat_service:s0
-platform_compat_native u:object_r:platform_compat_service:s0
-connectivity u:object_r:connectivity_service:s0
-connmetrics u:object_r:connmetrics_service:s0
-consumer_ir u:object_r:consumer_ir_service:s0
-content u:object_r:content_service:s0
-content_capture u:object_r:content_capture_service:s0
-content_suggestions u:object_r:content_suggestions_service:s0
-contexthub u:object_r:contexthub_service:s0
-country_detector u:object_r:country_detector_service:s0
-coverage u:object_r:coverage_service:s0
-cpuinfo u:object_r:cpuinfo_service:s0
-crossprofileapps u:object_r:crossprofileapps_service:s0
-dataloader_manager u:object_r:dataloader_manager_service:s0
-dbinfo u:object_r:dbinfo_service:s0
-device_config u:object_r:device_config_service:s0
-device_policy u:object_r:device_policy_service:s0
-device_identifiers u:object_r:device_identifiers_service:s0
-deviceidle u:object_r:deviceidle_service:s0
-device_state u:object_r:device_state_service:s0
-devicestoragemonitor u:object_r:devicestoragemonitor_service:s0
-diskstats u:object_r:diskstats_service:s0
-display u:object_r:display_service:s0
-dnsresolver u:object_r:dnsresolver_service:s0
-domain_verification u:object_r:domain_verification_service:s0
-color_display u:object_r:color_display_service:s0
-netd_listener u:object_r:netd_listener_service:s0
-network_watchlist u:object_r:network_watchlist_service:s0
-DockObserver u:object_r:DockObserver_service:s0
-dreams u:object_r:dreams_service:s0
-drm.drmManager u:object_r:drmserver_service:s0
-dropbox u:object_r:dropbox_service:s0
-dumpstate u:object_r:dumpstate_service:s0
-dynamic_system u:object_r:dynamic_system_service:s0
-econtroller u:object_r:radio_service:s0
-emergency_affordance u:object_r:emergency_affordance_service:s0
-euicc_card_controller u:object_r:radio_service:s0
-external_vibrator_service u:object_r:external_vibrator_service:s0
-lowpan u:object_r:lowpan_service:s0
-ethernet u:object_r:ethernet_service:s0
-face u:object_r:face_service:s0
-file_integrity u:object_r:file_integrity_service:s0
-fingerprint u:object_r:fingerprint_service:s0
-font u:object_r:font_service:s0
-android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
-game u:object_r:game_service:s0
-gfxinfo u:object_r:gfxinfo_service:s0
-graphicsstats u:object_r:graphicsstats_service:s0
-gpu u:object_r:gpu_service:s0
-hardware u:object_r:hardware_service:s0
-hardware_properties u:object_r:hardware_properties_service:s0
-hdmi_control u:object_r:hdmi_control_service:s0
-ions u:object_r:radio_service:s0
-idmap u:object_r:idmap_service:s0
-incident u:object_r:incident_service:s0
-incidentcompanion u:object_r:incidentcompanion_service:s0
-inputflinger u:object_r:inputflinger_service:s0
-input_method u:object_r:input_method_service:s0
-input u:object_r:input_service:s0
-installd u:object_r:installd_service:s0
-iorapd u:object_r:iorapd_service:s0
-iphonesubinfo_msim u:object_r:radio_service:s0
-iphonesubinfo2 u:object_r:radio_service:s0
-iphonesubinfo u:object_r:radio_service:s0
-ims u:object_r:radio_service:s0
-imms u:object_r:imms_service:s0
-incremental u:object_r:incremental_service:s0
-ipsec u:object_r:ipsec_service:s0
-ircsmessage u:object_r:radio_service:s0
-iris u:object_r:iris_service:s0
-isms_msim u:object_r:radio_service:s0
-isms2 u:object_r:radio_service:s0
-isms u:object_r:radio_service:s0
-isub u:object_r:radio_service:s0
-jobscheduler u:object_r:jobscheduler_service:s0
-launcherapps u:object_r:launcherapps_service:s0
-legacy_permission u:object_r:legacy_permission_service:s0
-lights u:object_r:light_service:s0
-location u:object_r:location_service:s0
-location_time_zone_manager u:object_r:location_time_zone_manager_service:s0
-lock_settings u:object_r:lock_settings_service:s0
-looper_stats u:object_r:looper_stats_service:s0
-lpdump_service u:object_r:lpdump_service:s0
-media.aaudio u:object_r:audioserver_service:s0
-media.audio_flinger u:object_r:audioserver_service:s0
-media.audio_policy u:object_r:audioserver_service:s0
-media.camera u:object_r:cameraserver_service:s0
-media.camera.proxy u:object_r:cameraproxy_service:s0
-media.log u:object_r:audioserver_service:s0
-media.player u:object_r:mediaserver_service:s0
-media.metrics u:object_r:mediametrics_service:s0
-media.extractor u:object_r:mediaextractor_service:s0
-media.transcoding u:object_r:mediatranscoding_service:s0
-media.resource_manager u:object_r:mediaserver_service:s0
-media.resource_observer u:object_r:mediaserver_service:s0
-media.sound_trigger_hw u:object_r:audioserver_service:s0
-media.drm u:object_r:mediadrmserver_service:s0
-media.tuner u:object_r:mediatuner_service:s0
-media_communication u:object_r:media_communication_service:s0
-media_metrics u:object_r:media_metrics_service:s0
-media_projection u:object_r:media_projection_service:s0
-media_resource_monitor u:object_r:media_session_service:s0
-media_router u:object_r:media_router_service:s0
-media_session u:object_r:media_session_service:s0
-meminfo u:object_r:meminfo_service:s0
-memtrack.proxy u:object_r:memtrackproxy_service:s0
-midi u:object_r:midi_service:s0
-mount u:object_r:mount_service:s0
-music_recognition u:object_r:music_recognition_service:s0
-netd u:object_r:netd_service:s0
-netpolicy u:object_r:netpolicy_service:s0
-netstats u:object_r:netstats_service:s0
-network_stack u:object_r:network_stack_service:s0
-network_management u:object_r:network_management_service:s0
-network_score u:object_r:network_score_service:s0
-network_time_update_service u:object_r:network_time_update_service:s0
-nfc u:object_r:nfc_service:s0
-notification u:object_r:notification_service:s0
-oem_lock u:object_r:oem_lock_service:s0
-otadexopt u:object_r:otadexopt_service:s0
-overlay u:object_r:overlay_service:s0
-pac_proxy u:object_r:pac_proxy_service:s0
-package u:object_r:package_service:s0
-package_native u:object_r:package_native_service:s0
-people u:object_r:people_service:s0
-performance_hint u:object_r:hint_service:s0
-permission u:object_r:permission_service:s0
-permissionmgr u:object_r:permissionmgr_service:s0
-permission_checker u:object_r:permission_checker_service:s0
-persistent_data_block u:object_r:persistent_data_block_service:s0
-phone_msim u:object_r:radio_service:s0
-phone1 u:object_r:radio_service:s0
-phone2 u:object_r:radio_service:s0
-phone u:object_r:radio_service:s0
-pinner u:object_r:pinner_service:s0
-power_stats u:object_r:power_stats_service:s0
-power u:object_r:power_service:s0
-print u:object_r:print_service:s0
-processinfo u:object_r:processinfo_service:s0
-procstats u:object_r:procstats_service:s0
-profcollectd u:object_r:profcollectd_service:s0
-radio.phonesubinfo u:object_r:radio_service:s0
-radio.phone u:object_r:radio_service:s0
-radio.sms u:object_r:radio_service:s0
-rcs u:object_r:radio_service:s0
-reboot_readiness u:object_r:reboot_readiness_service:s0
-recovery u:object_r:recovery_service:s0
-resolver u:object_r:resolver_service:s0
-restrictions u:object_r:restrictions_service:s0
-role u:object_r:role_service:s0
-rollback u:object_r:rollback_service:s0
-rttmanager u:object_r:rttmanager_service:s0
-runtime u:object_r:runtime_service:s0
-samplingprofiler u:object_r:samplingprofiler_service:s0
-scheduling_policy u:object_r:scheduling_policy_service:s0
-search u:object_r:search_service:s0
-search_ui u:object_r:search_ui_service:s0
-secure_element u:object_r:secure_element_service:s0
-sec_key_att_app_id_provider u:object_r:sec_key_att_app_id_provider_service:s0
-sensorservice u:object_r:sensorservice_service:s0
-sensor_privacy u:object_r:sensor_privacy_service:s0
-serial u:object_r:serial_service:s0
-servicediscovery u:object_r:servicediscovery_service:s0
-manager u:object_r:service_manager_service:s0
-settings u:object_r:settings_service:s0
-shortcut u:object_r:shortcut_service:s0
-simphonebook_msim u:object_r:radio_service:s0
-simphonebook2 u:object_r:radio_service:s0
-simphonebook u:object_r:radio_service:s0
-sip u:object_r:radio_service:s0
-slice u:object_r:slice_service:s0
-smartspace u:object_r:smartspace_service:s0
-speech_recognition u:object_r:speech_recognition_service:s0
-stats u:object_r:stats_service:s0
-statscompanion u:object_r:statscompanion_service:s0
-statsmanager u:object_r:statsmanager_service:s0
-soundtrigger u:object_r:voiceinteraction_service:s0
-soundtrigger_middleware u:object_r:soundtrigger_middleware_service:s0
-statusbar u:object_r:statusbar_service:s0
-storaged u:object_r:storaged_service:s0
-storaged_pri u:object_r:storaged_service:s0
-storagestats u:object_r:storagestats_service:s0
-SurfaceFlinger u:object_r:surfaceflinger_service:s0
-suspend_control u:object_r:system_suspend_control_service:s0
-suspend_control_internal u:object_r:system_suspend_control_internal_service:s0
-system_config u:object_r:system_config_service:s0
-system_server_dumper u:object_r:system_server_dumper_service:s0
-system_update u:object_r:system_update_service:s0
-task u:object_r:task_service:s0
-telecom u:object_r:telecom_service:s0
-telephony.registry u:object_r:registry_service:s0
-telephony_ims u:object_r:radio_service:s0
-testharness u:object_r:testharness_service:s0
-tethering u:object_r:tethering_service:s0
-textclassification u:object_r:textclassification_service:s0
-textservices u:object_r:textservices_service:s0
-texttospeech u:object_r:texttospeech_service:s0
-time_detector u:object_r:timedetector_service:s0
-time_zone_detector u:object_r:timezonedetector_service:s0
-timezone u:object_r:timezone_service:s0
-thermalservice u:object_r:thermal_service:s0
-tracing.proxy u:object_r:tracingproxy_service:s0
-transformer u:object_r:transformer_service:s0
-trust u:object_r:trust_service:s0
-tv_input u:object_r:tv_input_service:s0
-tv_tuner_resource_mgr u:object_r:tv_tuner_resource_mgr_service:s0
-uce u:object_r:uce_service:s0
-uimode u:object_r:uimode_service:s0
-updatelock u:object_r:updatelock_service:s0
-uri_grants u:object_r:uri_grants_service:s0
-usagestats u:object_r:usagestats_service:s0
-usb u:object_r:usb_service:s0
-user u:object_r:user_service:s0
-uwb u:object_r:uwb_service:s0
-vcn_management u:object_r:vcn_management_service:s0
-vibrator u:object_r:vibrator_service:s0
-vibrator_manager u:object_r:vibrator_manager_service:s0
-virtual_touchpad u:object_r:virtual_touchpad_service:s0
-voiceinteraction u:object_r:voiceinteraction_service:s0
-vold u:object_r:vold_service:s0
-vpn_management u:object_r:vpn_management_service:s0
-vr_hwc u:object_r:vr_hwc_service:s0
-vrflinger_vsync u:object_r:vrflinger_vsync_service:s0
-vrmanager u:object_r:vr_manager_service:s0
-wallpaper u:object_r:wallpaper_service:s0
-webviewupdate u:object_r:webviewupdate_service:s0
-wifip2p u:object_r:wifip2p_service:s0
-wifiscanner u:object_r:wifiscanner_service:s0
-wifi u:object_r:wifi_service:s0
-wifinl80211 u:object_r:wifinl80211_service:s0
-wifiaware u:object_r:wifiaware_service:s0
-wifirtt u:object_r:rttmanager_service:s0
-window u:object_r:window_service:s0
* u:object_r:default_android_service:s0
diff --git a/microdroid_manager/Android.bp b/microdroid_manager/Android.bp
index 30f8481..267147f 100644
--- a/microdroid_manager/Android.bp
+++ b/microdroid_manager/Android.bp
@@ -9,15 +9,15 @@
edition: "2018",
prefer_rlib: true,
rustlibs: [
- "libenv_logger",
"libanyhow",
+ "libkernlog",
"libkeystore2_system_property-rust",
"liblog_rust",
- "libmicrodroid_metadata_proto_rust",
+ "libmicrodroid_metadata",
"libmicrodroid_payload_config",
"libprotobuf",
- "libserde_json",
"libserde",
+ "libserde_json",
],
init_rc: ["microdroid_manager.rc"],
}
diff --git a/microdroid_manager/microdroid_manager.rc b/microdroid_manager/microdroid_manager.rc
index 4f194a3..60d8ab7 100644
--- a/microdroid_manager/microdroid_manager.rc
+++ b/microdroid_manager/microdroid_manager.rc
@@ -1,7 +1,6 @@
service microdroid_manager /system/bin/microdroid_manager
disabled
- # TODO(b/189805435) for now redirect stdio to kmsg
- stdio_to_kmsg
+ file /dev/kmsg w
setenv RUST_LOG info
# TODO(jooyung) remove this when microdroid_manager becomes a daemon
- oneshot
\ No newline at end of file
+ oneshot
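Review bot: The `setenv RUST_LOG info` line is kept, but it was the configuration knob for `env_logger`, which this commit replaces with `kernlog::init()` in `microdroid_manager/src/main.rs`. Unless the kernlog crate in this tree also reads `RUST_LOG`, the line no longer sets the log level and hides the real default. Either drop it or replace it with whatever kernlog honours, and add a comment such as `# log level for kernlog; messages go to /dev/kmsg via the fd opened above`.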
diff --git a/microdroid_manager/src/main.rs b/microdroid_manager/src/main.rs
index 10731c5..9bcfa67 100644
--- a/microdroid_manager/src/main.rs
+++ b/microdroid_manager/src/main.rs
@@ -29,9 +29,7 @@
const WAIT_TIMEOUT: Duration = Duration::from_secs(10);
fn main() -> Result<()> {
- // TODO(b/189805435) use kernlog
- env_logger::init();
-
+ kernlog::init()?;
info!("started.");
let metadata = metadata::load()?;
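Review bot: A failure of `kernlog::init()?`, any `Err` later returned from `main`, and any panic are all reported on stderr, and the `.rc` change in this commit removes `stdio_to_kmsg`. If init then leaves stdio on its default (not visible here), those diagnostics disappear, which is exactly when they are needed for triage. After the logger is up I would forward panics to it, `std::panic::set_hook(Box::new(|info| error!("{}", info)));`, and log the top-level error with `error!` before returning it. `main` continues past the end of this hunk.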
diff --git a/microdroid_manager/src/metadata.rs b/microdroid_manager/src/metadata.rs
index 4f7d7af..81d9cc4 100644
--- a/microdroid_manager/src/metadata.rs
+++ b/microdroid_manager/src/metadata.rs
@@ -15,25 +15,14 @@
//! Payload metadata from /dev/block/by-name/metadata
use log::info;
-use microdroid_metadata::metadata::Metadata;
-use protobuf::Message;
+use microdroid_metadata::{read_metadata, Metadata};
use std::fs::File;
use std::io;
-use std::io::Read;
const METADATA_PATH: &str = "/dev/block/by-name/metadata";
/// loads payload metadata from /dev/block/by-name/metadata
pub fn load() -> io::Result<Metadata> {
info!("loading payload metadata...");
-
- let mut f = File::open(METADATA_PATH)?;
- // metadata partition is
- // 4 bytes : size(N) in big endian
- // N bytes : message for Metadata
- let mut buf = [0u8; 4];
- f.read_exact(&mut buf)?;
- let size = i32::from_be_bytes(buf);
-
- Ok(Metadata::parse_from_reader(&mut f.take(size as u64))?)
+ read_metadata(File::open(METADATA_PATH)?)
}
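Review bot: The comment describing the on-disk layout (4-byte big-endian size, then the `Metadata` message) is deleted together with the parsing code, so `load` no longer documents what it expects from the partition. I would keep a pointer in the doc comment, e.g. `/// Loads payload metadata (size-prefixed protobuf, parsed by microdroid_metadata::read_metadata) from /dev/block/by-name/metadata.` The removed code converted a signed `i32` length with `size as u64`, so a negative prefix became a huge read limit. `read_metadata` is not visible in this hunk, so confirm that it rejects negative or implausibly large lengths before parsing, since the partition contents come from outside this process.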
diff --git a/tests/Android.bp b/tests/Android.bp
index be6e653..8cfefcc 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -29,6 +29,7 @@
"vsock_test.cc",
],
local_include_dirs: ["include"],
+ compile_multilib: "64",
data: [
":virt_test_kernel",
":virt_test_initramfs",
diff --git a/tests/vsock_test.cc b/tests/vsock_test.cc
index 923c1ef..931e79d 100644
--- a/tests/vsock_test.cc
+++ b/tests/vsock_test.cc
@@ -14,6 +14,8 @@
* limitations under the License.
*/
+#include <linux/kvm.h>
+#include <sys/ioctl.h>
#include <sys/socket.h>
#include <unistd.h>
@@ -32,6 +34,8 @@
#include "android/system/virtualizationservice/VirtualMachineConfig.h"
#include "virt/VirtualizationTest.h"
+#define KVM_CAP_ARM_PROTECTED_VM 0xffbadab1
+
using namespace android::base;
using namespace android::os;
@@ -54,11 +58,13 @@
[](const char *file) { return access(file, F_OK) == 0; });
}
-TEST_F(VirtualizationTest, TestVsock) {
- if (!isVmSupported()) {
- GTEST_SKIP() << "Device doesn't support VM.";
- }
+/** Returns true if the kernel supports Protected KVM. */
+bool isPkvmSupported() {
+ unique_fd kvm_fd(open("/dev/kvm", O_NONBLOCK | O_CLOEXEC));
+ return kvm_fd != 0 && ioctl(kvm_fd, KVM_CHECK_EXTENSION, KVM_CAP_ARM_PROTECTED_VM) == 1;
+}
+void runTest(sp<IVirtualizationService> virtualization_service, bool protected_vm) {
binder::Status status;
unique_fd server_fd(TEMP_FAILURE_RETRY(socket(AF_VSOCK, SOCK_STREAM, 0)));
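Review bot: In `isPkvmSupported()` the validity test `kvm_fd != 0` is the wrong comparison, because a failed `open()` yields -1, which passes it. The function still returns false in that case only because the `ioctl` on the bad descriptor fails, so the guard protects nothing. Use `return kvm_fd.ok() && ioctl(kvm_fd, KVM_CHECK_EXTENSION, KVM_CAP_ARM_PROTECTED_VM) == 1;` (or `kvm_fd >= 0`). The locally defined `KVM_CAP_ARM_PROTECTED_VM 0xffbadab1` in the previous hunk looks like a provisional value and deserves a comment saying where it comes from and when it should be replaced by the kernel header's definition. `runTest` continues outside this hunk.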
@@ -80,10 +86,11 @@
VirtualMachineConfig config;
config.kernel = ParcelFileDescriptor(unique_fd(open(kVmKernelPath, O_RDONLY | O_CLOEXEC)));
config.initrd = ParcelFileDescriptor(unique_fd(open(kVmInitrdPath, O_RDONLY | O_CLOEXEC)));
- config.params = String16(kVmParams);
+ config.params = kVmParams;
+ config.protected_vm = protected_vm;
sp<IVirtualMachine> vm;
- status = mVirtualizationService->startVm(config, std::nullopt, &vm);
+ status = virtualization_service->startVm(config, std::nullopt, &vm);
ASSERT_TRUE(status.isOk()) << "Error starting VM: " << status;
int32_t cid;
@@ -107,4 +114,22 @@
ASSERT_EQ(msg, kTestMessage);
}
+TEST_F(VirtualizationTest, TestVsock) {
+ if (!isVmSupported()) {
+ GTEST_SKIP() << "Device doesn't support KVM.";
+ }
+
+ runTest(mVirtualizationService, false);
+}
+
+TEST_F(VirtualizationTest, TestVsockProtected) {
+ if (!isVmSupported()) {
+ GTEST_SKIP() << "Device doesn't support KVM.";
+ } else if (!isPkvmSupported()) {
+ GTEST_SKIP() << "Skipping as pKVM is not supported on this device.";
+ }
+
+ runTest(mVirtualizationService, true);
+}
+
} // namespace virt
diff --git a/virtualizationservice/aidl/android/system/virtualizationservice/Partition.aidl b/virtualizationservice/aidl/android/system/virtualizationservice/Partition.aidl
index 782c239..825c3da 100644
--- a/virtualizationservice/aidl/android/system/virtualizationservice/Partition.aidl
+++ b/virtualizationservice/aidl/android/system/virtualizationservice/Partition.aidl
@@ -18,7 +18,7 @@
/** A partition to be assembled into a composite image. */
parcelable Partition {
/** A label for the partition. */
- String label;
+ @utf8InCpp String label;
/** The backing file descriptor of the partition image. */
ParcelFileDescriptor image;
diff --git a/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineConfig.aidl b/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineConfig.aidl
index cb28856..5d59f9d 100644
--- a/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineConfig.aidl
+++ b/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineConfig.aidl
@@ -29,7 +29,7 @@
* Parameters to pass to the kernel. As far as the VMM and boot protocol are concerned this is
* just a string, but typically it will contain multiple parameters separated by spaces.
*/
- @nullable String params;
+ @nullable @utf8InCpp String params;
/**
* The bootloader to use. If this is supplied then the kernel and initrd must not be supplied;
diff --git a/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineDebugInfo.aidl b/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineDebugInfo.aidl
index 18b01ce..d081b8d 100644
--- a/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineDebugInfo.aidl
+++ b/virtualizationservice/aidl/android/system/virtualizationservice/VirtualMachineDebugInfo.aidl
@@ -21,13 +21,13 @@
int cid;
/** Directory of temporary files used by the VM while it is running. */
- String temporaryDirectory;
+ @utf8InCpp String temporaryDirectory;
/** The UID of the process which requested the VM. */
int requesterUid;
/** The SID of the process which requested the VM. */
- String requesterSid;
+ @utf8InCpp String requesterSid;
/**
* The PID of the process which requested the VM. Note that this process may no longer exist and
diff --git a/vm/src/main.rs b/vm/src/main.rs
index 2c93ec4..b79f42a 100644
--- a/vm/src/main.rs
+++ b/vm/src/main.rs
@@ -43,6 +43,10 @@
/// Detach VM from the terminal and run in the background
#[structopt(short, long)]
daemonize: bool,
+
+ /// Path to file for VM log output.
+ #[structopt(short, long)]
+ log: Option<PathBuf>,
},
/// Stop a virtual machine running in the background
Stop {
@@ -73,7 +77,9 @@
.context("Failed to find VirtualizationService")?;
match opt {
- Opt::Run { config, daemonize } => command_run(service, &config, daemonize),
+ Opt::Run { config, daemonize, log } => {
+ command_run(service, &config, daemonize, log.as_deref())
+ }
Opt::Stop { cid } => command_stop(service, cid),
Opt::List => command_list(service),
Opt::CreatePartition { path, size } => command_create_partition(service, &path, size),
diff --git a/vm/src/run.rs b/vm/src/run.rs
index ab4222f..ec95646 100644
--- a/vm/src/run.rs
+++ b/vm/src/run.rs
@@ -36,12 +36,21 @@
service: Strong<dyn IVirtualizationService>,
config_path: &Path,
daemonize: bool,
+ log_path: Option<&Path>,
) -> Result<(), Error> {
let config_file = File::open(config_path).context("Failed to open config file")?;
let config =
VmConfig::load(&config_file).context("Failed to parse config file")?.to_parcelable()?;
- let stdout =
- if daemonize { None } else { Some(ParcelFileDescriptor::new(duplicate_stdout()?)) };
+ let stdout = if let Some(log_path) = log_path {
+ Some(ParcelFileDescriptor::new(
+ File::create(log_path)
+ .with_context(|| format!("Failed to open log file {:?}", log_path))?,
+ ))
+ } else if daemonize {
+ None
+ } else {
+ Some(ParcelFileDescriptor::new(duplicate_stdout()?))
+ };
let vm = service.startVm(&config, stdout.as_ref()).context("Failed to start VM")?;
let cid = vm.getCid().context("Failed to get CID")?;
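Review bot: `File::create(log_path)` silently truncates an existing file at that path, follows symlinks, and creates the file with default permissions (0666 masked by the umask). For VM console output that may contain sensitive data, I would open it with an explicit mode: `OpenOptions::new().write(true).create(true).truncate(true).mode(0o600).open(log_path)`. This needs `std::fs::OpenOptions` and `std::os::unix::fs::OpenOptionsExt` in scope. The `--log` doc comment in `vm/src/main.rs` should also say that an existing file is overwritten and that the option takes precedence over `--daemonize` when choosing where output goes. The function signature starts before this hunk and the body continues after it.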
diff --git a/zipfuse/TEST_MAPPING b/zipfuse/TEST_MAPPING
index 5b313c1..81a8aeb 100644
--- a/zipfuse/TEST_MAPPING
+++ b/zipfuse/TEST_MAPPING
@@ -1,5 +1,5 @@
{
- "postsubmit" : [
+ "presubmit" : [
{
"name" : "ZipFuseTest"
}