From 7c6b2705e9b65ecbf2bca3880f40b2fb603476c6 Mon Sep 17 00:00:00 2001
From: Nikita Ioffe
Date: Fri, 30 Sep 2022 18:40:05 +0100
Subject: [PATCH] Explicitly specify capabilities of root services in microdroid
This is a semi-automatic change to simply specify the capabilities that these services have according to the sepolicy. List of capabilities for each service was obtained by running: `sesearch --allow -c capability,capability2 /tmp/microdroid-policy` The policy specifies that all processes have CAP_AUDIT_CONTROL, but it doesn't seem to be actually required, so it's omitted from the service definitions. Also switch tombstone_transmit to run as system user.
Test: presubmit
Test: atest --test-mapping packages/modules/Virtualization:avf-presubmit
Test: run demo app and verify capabilities of microdroid_launcher
Test: atest com.android.microdroid.test.MicrodroidTestCase#testTombstonesAreGeneratedUponCrash
Bug: 243633980
Bug: 249796710
Change-Id: I19b0cefb07fc7480b3f9dc05cb708a899489fe65
---
 microdroid/init.rc | 4 +++-
 microdroid_manager/microdroid_manager.rc | 2 ++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/microdroid/init.rc b/microdroid/init.rc
index 47002c94..8b2bbdb5 100644
--- a/microdroid/init.rc
+++ b/microdroid/init.rc
@@ -177,7 +177,7 @@ on post-fs-data
 mkdir /data/local/tmp 0771 shell shell
 service tombstone_transmit /system/bin/tombstone_transmit.microdroid -cid 2 -port 2000 -remove_tombstones_after_transmitting
- user root
+ user system
 group system
 shutdown critical
@@ -186,12 +186,14 @@ service apexd-vm /system/bin/apexd --vm
 group system
 oneshot
 disabled
+ capabilities CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER SYS_ADMIN
 service ueventd /system/bin/ueventd
 class core
 critical
 seclabel u:r:ueventd:s0
 shutdown critical
+ capabilities CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID MKNOD NET_ADMIN SETGID SETUID SYS_MODULE SYS_RAWIO
 service console /system/bin/sh
 class core
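Review bot: tombstone_transmit is moved from `user root` to `user system` but, unlike every other service this commit touches, gets no `capabilities` line, so what capability set it ends up with depends on init's default for a non-root service without one; that default is not visible here and should be stated rather than assumed. The `-remove_tombstones_after_transmitting` flag on the service line implies it must delete files from the tombstone directory, and nothing in the hunk shows that `system` has write access to that directory (the listed testTombstonesAreGeneratedUponCrash run presumably covers it, but the dependency is worth recording). If the empty set is intended, make it explicit with a comment above the user line, `# Runs as system with no capabilities; only needs rw access to the tombstone directory`.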
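Review bot: The `capabilities` lines added for apexd-vm and ueventd are copied from sepolicy allow rules (per the commit message), which is the upper bound the domain is permitted, not a measured least-privilege set; DAC_OVERRIDE and SYS_ADMIN on apexd-vm and SYS_MODULE, SYS_RAWIO and NET_ADMIN on ueventd are the broad ones a reader will want to know the origin of. Record the derivation so a later maintainer can trim it instead of treating it as confirmed need, e.g. `# Derived from sepolicy (sesearch --allow -c capability,capability2); not yet minimized` above each new `capabilities` line. apexd-vm's definition starts before the hunk (its `user` line is not visible), so whether it actually runs as root cannot be confirmed from here.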
diff --git a/microdroid_manager/microdroid_manager.rc b/microdroid_manager/microdroid_manager.rc
index 60d8ab75..74a219d1 100644
--- a/microdroid_manager/microdroid_manager.rc
+++ b/microdroid_manager/microdroid_manager.rc
@@ -4,3 +4,5 @@ service microdroid_manager /system/bin/microdroid_manager
 setenv RUST_LOG info
 # TODO(jooyung) remove this when microdroid_manager becomes a daemon
 oneshot
+ # SYS_BOOT is required to exec kexecload from microdroid_manager
+ capabilities AUDIT_CONTROL SYS_ADMIN SYS_BOOT
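Review bot: `capabilities AUDIT_CONTROL SYS_ADMIN SYS_BOOT` keeps AUDIT_CONTROL even though the commit message says it is not actually required and is omitted from the service definitions, and the init.rc hunks in this same change do omit it; drop it here for consistency, `capabilities SYS_ADMIN SYS_BOOT`. The new comment justifies only SYS_BOOT, while SYS_ADMIN is the far broader grant and deserves its own stated reason, e.g. `# SYS_ADMIN is required for <the specific mount/namespace operation> -- confirm`, since without it the line reads as a sepolicy dump rather than a least-privilege choice. The service block starts above the hunk, so its `user` line and any existing restrictions are not visible here.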