microdroid: Run apk mount utils from MM
Currently, the commands for apkdmverity and zipfuse are hard-coded in the
init script. To support passing extra APKs, microdroid_manager
needs to parse the VM config and then run apkdmverity and
zipfuse itself with the appropriate parameters.
Bug: 205224817
Test: atest MicrodroidHostTestCases ComposHostTestCases
Change-Id: I482b548b2a414f3b5136cea199d551cc88402caf
diff --git a/microdroid/system/private/apkdmverity.te b/microdroid/system/private/apkdmverity.te
index 0c0ef41..c3f718b 100644
--- a/microdroid/system/private/apkdmverity.te
+++ b/microdroid/system/private/apkdmverity.te
@@ -3,9 +3,6 @@
type apkdmverity, domain, coredomain;
type apkdmverity_exec, exec_type, file_type, system_file_type;
-# allow domain transition from init
-init_daemon_domain(apkdmverity)
-
# apkdmverity is using bootstrap bionic
allow apkdmverity system_bootstrap_lib_file:dir r_dir_perms;
allow apkdmverity system_bootstrap_lib_file:file { execute read open getattr map };
@@ -34,3 +31,13 @@
LOOP_SET_FD
LOOP_SET_DIRECT_IO
};
+
+# allow apkdmverity to log to the kernel
+allow apkdmverity kmsg_device:chr_file w_file_perms;
+
+# apkdmverity is forked from microdroid_manager
+# TODO(inseob): remove this
+allow apkdmverity microdroid_manager:fd use;
+
+# Only microdroid_manager can run apkdmverity
+neverallow { domain -microdroid_manager } apkdmverity:process { transition dyntransition };
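Review bot: The `allow apkdmverity microdroid_manager:fd use;` rule lets the child keep every descriptor microdroid_manager leaves open across exec, not only the ones it means to hand over, and the TODO above it gives no condition under which it can go away. The usual way to retire such a rule is for the parent to mark its descriptors close-on-exec (or close them before the exec) so the child inherits only what it needs; the comment could record that, e.g. `# TODO(inseob): remove once microdroid_manager closes its fds before exec (b/<tracking-bug>)`. The same rule and TODO appear in the zipfuse.te hunk (`allow zipfuse microdroid_manager:fd use;`) and would take the same note. The new neverallow itself looks right and matches the one added for zipfuse.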
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 3aa14ca..38fabcd 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te
@@ -18,6 +18,10 @@
domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app)
domain_auto_trans(microdroid_manager, compos_exec, compos)
+# Allow microdroid_manager to start apk verity binaries
+domain_auto_trans(microdroid_manager, apkdmverity_exec, apkdmverity)
+domain_auto_trans(microdroid_manager, zipfuse_exec, zipfuse)
+
# Let microdroid_manager kernel-log.
allow microdroid_manager kmsg_device:chr_file w_file_perms;
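Review bot: The comment `# Allow microdroid_manager to start apk verity binaries` does not describe zipfuse, which this CL and zipfuse.te present as the component that provides the APK contents as a filesystem rather than as a verity tool. Since the commit title already calls the pair "apk mount utils", the comment could follow it: `# Allow microdroid_manager to start the apk mount utilities (apkdmverity, zipfuse)`. It may also be worth noting here that the exemption list in the microdroid_payload.te neverallow must be updated whenever a domain is added to this set, as this CL does.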
diff --git a/microdroid/system/private/microdroid_payload.te b/microdroid/system/private/microdroid_payload.te
index 0b0d201..7c50db7 100644
--- a/microdroid/system/private/microdroid_payload.te
+++ b/microdroid/system/private/microdroid_payload.te
@@ -27,8 +27,8 @@
# Write to /dev/kmsg.
allow microdroid_payload kmsg_device:chr_file rw_file_perms;
-# Only microdroid_payload can be run by microdroid_manager
-neverallow microdroid_manager { domain -crash_dump -microdroid_payload }:process transition;
+# Only microdroid_payload and apk verity binaries can be run by microdroid_manager
+neverallow microdroid_manager { domain -crash_dump -microdroid_payload -apkdmverity -zipfuse }:process transition;
# Allow microdroid_payload to open binder servers via vsock.
allow microdroid_payload self:vsock_socket { create_socket_perms listen accept };
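Review bot: The widened neverallow still forbids only `transition`, while the per-domain neverallows this CL adds in apkdmverity.te and zipfuse.te cover `{ transition dyntransition }`; unless dyntransition out of microdroid_manager is already blocked by a rule outside this diff, the two sides are not symmetric. For consistency the line could read `neverallow microdroid_manager { domain -crash_dump -microdroid_payload -apkdmverity -zipfuse }:process { transition dyntransition };`. The exemption list is now maintained in three places (here and in the two per-domain files), so a short comment pointing at those counterparts would help keep them in sync.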
diff --git a/microdroid/system/private/zipfuse.te b/microdroid/system/private/zipfuse.te
index 351e89e..04cdadf 100644
--- a/microdroid/system/private/zipfuse.te
+++ b/microdroid/system/private/zipfuse.te
@@ -6,9 +6,6 @@
type zipfuse, domain, coredomain;
type zipfuse_exec, exec_type, file_type, system_file_type;
-# allow domain transition from init
-init_daemon_domain(zipfuse)
-
# zipfuse is using bootstrap bionic
allow zipfuse system_bootstrap_lib_file:dir r_dir_perms;
allow zipfuse system_bootstrap_lib_file:file { execute read open getattr map };
@@ -36,3 +33,13 @@
# allow mounting with context=u:object_r:system_file:s0 so that files provided
# by zipfuse are treated the same as the other files in /system or /apex
allow system_file zipfusefs:filesystem associate;
+
+# allow zipfuse to log to the kernel
+allow zipfuse kmsg_device:chr_file w_file_perms;
+
+# zipfuse is forked from microdroid_manager
+# TODO(inseob): remove this
+allow zipfuse microdroid_manager:fd use;
+
+# Only microdroid_manager can run zipfuse
+neverallow { domain -microdroid_manager } zipfuse:process { transition dyntransition };