pa-fazil
/
android_packages_modules_Virtualization
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge "Add USE_CUSTOM_VIRTUAL_MACHINE permission"

This commit is contained in:
Treehugger Robot 2022-05-05 01:24:44 +00:00 committed by Gerrit Code Review
parent 390f7b7d27 1119d70a19
commit f3c6703501
3 changed files with 54 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
javalib/AndroidManifest.xml
View File

@ -20,6 +20,9 @@
<permission android:name="android.permission.MANAGE_VIRTUAL_MACHINE"
android:protectionLevel="signature|development" />
<permission android:name="android.permission.USE_CUSTOM_VIRTUAL_MACHINE"
android:protectionLevel="signature|development" />
<permission android:name="android.permission.DEBUG_VIRTUAL_MACHINE"
android:protectionLevel="signature" />

39
tests/hostside/java/android/virt/test/MicrodroidTestCase.java
View File

@ -66,6 +66,7 @@ import java.util.regex.Pattern;
public class MicrodroidTestCase extends VirtualizationTestCaseBase {
private static final String APK_NAME = "MicrodroidTestApp.apk";
private static final String PACKAGE_NAME = "com.android.microdroid.test";
private static final String SHELL_PACKAGE_NAME = "com.android.shell";
private static final int MIN_MEM_ARM64 = 145;
private static final int MIN_MEM_X86_64 = 196;
@ -474,6 +475,40 @@ public class MicrodroidTestCase extends VirtualizationTestCaseBase {
shutdownMicrodroid(getDevice(), cid);
}
@Test
public void testCustomVirtualMachinePermission()
throws DeviceNotAvailableException, IOException, JSONException {
CommandRunner android = new CommandRunner(getDevice());
// Pull etc/microdroid.json
File virtApexDir = FileUtil.createTempDir("virt_apex");
File microdroidConfigFile = new File(virtApexDir, "microdroid.json");
assertTrue(getDevice().pullFile(VIRT_APEX + "etc/microdroid.json", microdroidConfigFile));
JSONObject config = new JSONObject(FileUtil.readStringFromFile(microdroidConfigFile));
// USE_CUSTOM_VIRTUAL_MACHINE is enforced only on protected mode
config.put("protected", true);
// Write updated config
final String configPath = TEST_ROOT + "raw_config.json";
getDevice().pushString(config.toString(), configPath);
// temporarily revoke the permission
android.run(
"pm",
"revoke",
SHELL_PACKAGE_NAME,
"android.permission.USE_CUSTOM_VIRTUAL_MACHINE");
final String ret =
android.runForResult(VIRT_APEX + "bin/vm run", configPath).getStderr().trim();
assertTrue(
"The test should fail with a permission error",
ret.contains(
"does not have the android.permission.USE_CUSTOM_VIRTUAL_MACHINE"
+ " permission"));
}
@Before
public void setUp() throws Exception {
testIfDeviceIsCapable(getDevice());
@ -494,5 +529,9 @@ public class MicrodroidTestCase extends VirtualizationTestCaseBase {
"vm.log-" + mTestName.getMethodName());
getDevice().uninstallPackage(PACKAGE_NAME);
// testCustomVirtualMachinePermission revokes this permission. Grant it again as cleanup
new CommandRunner(getDevice()).tryRun(
"pm", "grant", SHELL_PACKAGE_NAME, "android.permission.USE_CUSTOM_VIRTUAL_MACHINE");
}
}

12
virtualizationservice/src/aidl.rs
View File

@ -362,6 +362,13 @@ impl VirtualizationService {
is_protected: &mut bool,
) -> binder::Result<Strong<dyn IVirtualMachine>> {
check_manage_access()?;
if let VirtualMachineConfig::RawConfig(config) = config {
if config.protectedVm {
check_use_custom_virtual_machine()?;
}
}
let state = &mut *self.state.lock().unwrap();
let console_fd = console_fd.map(clone_file).transpose()?;
let log_fd = log_fd.map(clone_file).transpose()?;
@ -729,6 +736,11 @@ fn check_manage_access() -> binder::Result<()> {
check_permission("android.permission.MANAGE_VIRTUAL_MACHINE")
}
/// Check whether the caller of the current Binder method is allowed to create custom VMs
fn check_use_custom_virtual_machine() -> binder::Result<()> {
check_permission("android.permission.USE_CUSTOM_VIRTUAL_MACHINE")
}
/// Check if a partition has selinux labels that are not allowed
fn check_label_for_partition(partition: &Partition) -> Result<()> {
let ctx = getfilecon(partition.image.as_ref().unwrap().as_ref())?;