microdroid: remove sdkext APEX

com.android.sdkext is to decide the extension SDK level of the device and set system properties so that apps can query it. In microdroid we don't support it yet. So remove it from the mandatory system APEX list. Bug: 193118107 Test: MicrodroidHostTestCases Change-Id: I1e913b0826d78f06439ec37889e390ef97c4623a
2021-07-09 13:47:10 +09:00 · 2021-07-09 13:47:10 +09:00 · 1a72c6fadf
parent f3506bd611
commit 1a72c6fadf
6 changed files with 2 additions and 46 deletions
--- a/microdroid/init.rc
+++ b/microdroid/init.rc
@ -29,7 +29,6 @@ on early-init
    exec - root system -- /system/bin/apexd --vm

    perform_apex_config
-    exec_start derive_sdk

    exec - root system -- /system/bin/apkdmverity /dev/block/by-name/microdroid-apk /dev/block/by-name/microdroid-apk-idsig microdroid-apk
    mkdir /mnt/apk 0755 system system
--- a/microdroid/sepolicy/system/private/derive_classpath.te
+++ b/microdroid/sepolicy/system/private/derive_classpath.te
@ -1,25 +0,0 @@
-
-# Domain for derive_classpath
-type derive_classpath, domain, coredomain;
-type derive_classpath_exec, system_file_type, exec_type, file_type;
-init_daemon_domain(derive_classpath)
-
-# Read /apex
-allow derive_classpath apex_mnt_dir:dir r_dir_perms;
-
-# Create /data/system/environ/classpath file
-allow derive_classpath environ_system_data_file:dir rw_dir_perms;
-allow derive_classpath environ_system_data_file:file create_file_perms;
-
-# b/183079517 fails on gphone targets otherwise
-allow derive_classpath unlabeled:dir search;
-
-# Allow derive_classpath to write the classpath into ota dexopt
-# - Read the ota's apex dir
-allow derive_classpath postinstall_apex_mnt_dir:dir r_dir_perms;
-# - Report the BCP to the ota's dexopt
-allow derive_classpath postinstall_dexopt:dir search;
-allow derive_classpath postinstall_dexopt:fd use;
-allow derive_classpath postinstall_dexopt:file read;
-allow derive_classpath postinstall_dexopt:lnk_file read;
-allow derive_classpath postinstall_dexopt_tmpfs:file rw_file_perms;
--- a/microdroid/sepolicy/system/private/derive_sdk.te
+++ b/microdroid/sepolicy/system/private/derive_sdk.te
@ -1,12 +0,0 @@
-
-# Domain for derive_sdk
-type derive_sdk, domain, coredomain;
-type derive_sdk_exec, system_file_type, exec_type, file_type;
-init_daemon_domain(derive_sdk)
-
-# Read /apex
-allow derive_sdk apex_mnt_dir:dir r_dir_perms;
-
-# Prop rules: writable by derive_sdk, readable by bootclasspath (apps)
-set_prop(derive_sdk, module_sdkextensions_prop)
-neverallow { domain -init -derive_sdk } module_sdkextensions_prop:property_service set;
--- a/microdroid/sepolicy/system/private/postinstall_dexopt.te
+++ b/microdroid/sepolicy/system/private/postinstall_dexopt.te
@ -16,10 +16,6 @@ domain_auto_trans(postinstall_dexopt, dex2oat_exec, dex2oat)
 #   with the `postinstall_file` type by update_engine.
 domain_auto_trans(postinstall_dexopt, postinstall_file, dex2oat)

-# Run derive_classpath to get the current BCP.
-domain_auto_trans(postinstall_dexopt, derive_classpath_exec, derive_classpath)
-# Allow postinstall_dexopt to make a tempfile for derive_classpath to write into
-tmpfs_domain(postinstall_dexopt);
 allow postinstall_dexopt postinstall_dexopt_tmpfs:file open;

 allow postinstall_dexopt self:global_capability_class_set { chown dac_override dac_read_search fowner fsetid setgid setuid };
--- a/microdroid/sepolicy/system/private/property_contexts
+++ b/microdroid/sepolicy/system/private/property_contexts
@ -32,7 +32,6 @@ service.adb.root u:object_r:shell_prop:s0 exact bool
 ro.logd.kernel u:object_r:logd_prop:s0 exact bool

 ro.boottime.adbd                      u:object_r:boottime_prop:s0 exact int
-ro.boottime.derive_sdk                u:object_r:boottime_prop:s0 exact int
 ro.boottime.hwservicemanager          u:object_r:boottime_prop:s0 exact int
 ro.boottime.init                      u:object_r:boottime_prop:s0 exact int
 ro.boottime.init.cold_boot_wait       u:object_r:boottime_prop:s0 exact int
@ -59,7 +58,6 @@ ro.cold_boot_done u:object_r:cold_boot_done_prop:s0 exact bool

 sys.usb.controller u:object_r:usb_control_prop:s0 exact string

-init.svc.derive_sdk                u:object_r:init_service_status_private_prop:s0 exact string
 init.svc.hwservicemanager          u:object_r:init_service_status_private_prop:s0 exact string
 init.svc.keystore2                 u:object_r:init_service_status_private_prop:s0 exact string
 init.svc.logd                      u:object_r:init_service_status_private_prop:s0 exact string
--- a/virtualizationservice/src/aidl.rs
+++ b/virtualizationservice/src/aidl.rs
@ -59,8 +59,8 @@ const DEBUG_ALLOWED_UIDS: [u32; 2] = [0, 2000];

 /// The list of APEXes which microdroid requires.
 /// TODO(b/192200378) move this to microdroid.json?
-const MICRODROID_REQUIRED_APEXES: [&str; 4] =
-    ["com.android.adbd", "com.android.i18n", "com.android.os.statsd", "com.android.sdkext"];
+const MICRODROID_REQUIRED_APEXES: [&str; 3] =
+    ["com.android.adbd", "com.android.i18n", "com.android.os.statsd"];

 /// Implementation of `IVirtualizationService`, the entry point of the AIDL service.
 #[derive(Debug, Default)]