Merge "Add USE_CUSTOM_VIRTUAL_MACHINE permission"
commit
f3c6703501
|
@ -20,6 +20,9 @@
|
||||||
<permission android:name="android.permission.MANAGE_VIRTUAL_MACHINE"
|
<permission android:name="android.permission.MANAGE_VIRTUAL_MACHINE"
|
||||||
android:protectionLevel="signature|development" />
|
android:protectionLevel="signature|development" />
|
||||||
|
|
||||||
|
<permission android:name="android.permission.USE_CUSTOM_VIRTUAL_MACHINE"
|
||||||
|
android:protectionLevel="signature|development" />
|
||||||
|
|
||||||
<permission android:name="android.permission.DEBUG_VIRTUAL_MACHINE"
|
<permission android:name="android.permission.DEBUG_VIRTUAL_MACHINE"
|
||||||
android:protectionLevel="signature" />
|
android:protectionLevel="signature" />
|
||||||
|
|
||||||
|
|
|
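Review bot: The new `android.permission.USE_CUSTOM_VIRTUAL_MACHINE` element has no comment saying what it guards or who is expected to hold it. It is declared `signature|development`, like `MANAGE_VIRTUAL_MACHINE` above it, not `signature` like `DEBUG_VIRTUAL_MACHINE` below it. As far as I know, the `development` flag allows the permission to be given with `pm grant` to an app that requests it, which is how the test in this commit restores it for the shell package. If that reach is intended, state it in the manifest, for example `<!-- Required to start a protected VM from a raw (custom) config; development flag kept so it can be granted with pm grant for testing. -->`.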
@ -66,6 +66,7 @@ import java.util.regex.Pattern;
|
||||||
public class MicrodroidTestCase extends VirtualizationTestCaseBase {
|
public class MicrodroidTestCase extends VirtualizationTestCaseBase {
|
||||||
private static final String APK_NAME = "MicrodroidTestApp.apk";
|
private static final String APK_NAME = "MicrodroidTestApp.apk";
|
||||||
private static final String PACKAGE_NAME = "com.android.microdroid.test";
|
private static final String PACKAGE_NAME = "com.android.microdroid.test";
|
||||||
|
private static final String SHELL_PACKAGE_NAME = "com.android.shell";
|
||||||
|
|
||||||
private static final int MIN_MEM_ARM64 = 145;
|
private static final int MIN_MEM_ARM64 = 145;
|
||||||
private static final int MIN_MEM_X86_64 = 196;
|
private static final int MIN_MEM_X86_64 = 196;
|
||||||
|
@ -474,6 +475,40 @@ public class MicrodroidTestCase extends VirtualizationTestCaseBase {
|
||||||
shutdownMicrodroid(getDevice(), cid);
|
shutdownMicrodroid(getDevice(), cid);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Test
|
||||||
|
public void testCustomVirtualMachinePermission()
|
||||||
|
throws DeviceNotAvailableException, IOException, JSONException {
|
||||||
|
CommandRunner android = new CommandRunner(getDevice());
|
||||||
|
|
||||||
|
// Pull etc/microdroid.json
|
||||||
|
File virtApexDir = FileUtil.createTempDir("virt_apex");
|
||||||
|
File microdroidConfigFile = new File(virtApexDir, "microdroid.json");
|
||||||
|
assertTrue(getDevice().pullFile(VIRT_APEX + "etc/microdroid.json", microdroidConfigFile));
|
||||||
|
JSONObject config = new JSONObject(FileUtil.readStringFromFile(microdroidConfigFile));
|
||||||
|
|
||||||
|
// USE_CUSTOM_VIRTUAL_MACHINE is enforced only on protected mode
|
||||||
|
config.put("protected", true);
|
||||||
|
|
||||||
|
// Write updated config
|
||||||
|
final String configPath = TEST_ROOT + "raw_config.json";
|
||||||
|
getDevice().pushString(config.toString(), configPath);
|
||||||
|
|
||||||
|
// temporarily revoke the permission
|
||||||
|
android.run(
|
||||||
|
"pm",
|
||||||
|
"revoke",
|
||||||
|
SHELL_PACKAGE_NAME,
|
||||||
|
"android.permission.USE_CUSTOM_VIRTUAL_MACHINE");
|
||||||
|
final String ret =
|
||||||
|
android.runForResult(VIRT_APEX + "bin/vm run", configPath).getStderr().trim();
|
||||||
|
|
||||||
|
assertTrue(
|
||||||
|
"The test should fail with a permission error",
|
||||||
|
ret.contains(
|
||||||
|
"does not have the android.permission.USE_CUSTOM_VIRTUAL_MACHINE"
|
||||||
|
+ " permission"));
|
||||||
|
}
|
||||||
|
|
||||||
@Before
|
@Before
|
||||||
public void setUp() throws Exception {
|
public void setUp() throws Exception {
|
||||||
testIfDeviceIsCapable(getDevice());
|
testIfDeviceIsCapable(getDevice());
|
||||||
|
@ -494,5 +529,9 @@ public class MicrodroidTestCase extends VirtualizationTestCaseBase {
|
||||||
"vm.log-" + mTestName.getMethodName());
|
"vm.log-" + mTestName.getMethodName());
|
||||||
|
|
||||||
getDevice().uninstallPackage(PACKAGE_NAME);
|
getDevice().uninstallPackage(PACKAGE_NAME);
|
||||||
|
|
||||||
|
// testCustomVirtualMachinePermission revokes this permission. Grant it again as cleanup
|
||||||
|
new CommandRunner(getDevice()).tryRun(
|
||||||
|
"pm", "grant", SHELL_PACKAGE_NAME, "android.permission.USE_CUSTOM_VIRTUAL_MACHINE");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
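Review bot: In `testCustomVirtualMachinePermission` the denial is asserted only through a substring of stderr, so the test would still pass if `vm run` printed that message and nevertheless went on to start the VM. I would keep the result object and also assert a failing exit status, e.g. `assertNotEquals(Integer.valueOf(0), result.getExitCode());`, assuming `runForResult` returns tradefed's `CommandResult`. The temporary directory from `FileUtil.createTempDir("virt_apex")` is never removed; a `FileUtil.recursiveDelete(virtApexDir);` in a `finally` would fix that. The re-grant in the teardown hunk uses `tryRun`, so a failed grant is silent and would surface only as permission errors in later tests; a log line there would help.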
@ -362,6 +362,13 @@ impl VirtualizationService {
|
||||||
is_protected: &mut bool,
|
is_protected: &mut bool,
|
||||||
) -> binder::Result<Strong<dyn IVirtualMachine>> {
|
) -> binder::Result<Strong<dyn IVirtualMachine>> {
|
||||||
check_manage_access()?;
|
check_manage_access()?;
|
||||||
|
|
||||||
|
if let VirtualMachineConfig::RawConfig(config) = config {
|
||||||
|
if config.protectedVm {
|
||||||
|
check_use_custom_virtual_machine()?;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
let state = &mut *self.state.lock().unwrap();
|
let state = &mut *self.state.lock().unwrap();
|
||||||
let console_fd = console_fd.map(clone_file).transpose()?;
|
let console_fd = console_fd.map(clone_file).transpose()?;
|
||||||
let log_fd = log_fd.map(clone_file).transpose()?;
|
let log_fd = log_fd.map(clone_file).transpose()?;
|
||||||
|
@ -729,6 +736,11 @@ fn check_manage_access() -> binder::Result<()> {
|
||||||
check_permission("android.permission.MANAGE_VIRTUAL_MACHINE")
|
check_permission("android.permission.MANAGE_VIRTUAL_MACHINE")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// Check whether the caller of the current Binder method is allowed to create custom VMs
|
||||||
|
fn check_use_custom_virtual_machine() -> binder::Result<()> {
|
||||||
|
check_permission("android.permission.USE_CUSTOM_VIRTUAL_MACHINE")
|
||||||
|
}
|
||||||
|
|
||||||
/// Check if a partition has selinux labels that are not allowed
|
/// Check if a partition has selinux labels that are not allowed
|
||||||
fn check_label_for_partition(partition: &Partition) -> Result<()> {
|
fn check_label_for_partition(partition: &Partition) -> Result<()> {
|
||||||
let ctx = getfilecon(partition.image.as_ref().unwrap().as_ref())?;
|
let ctx = getfilecon(partition.image.as_ref().unwrap().as_ref())?;
|
||||||
|
|
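Review bot: The doc comment on `check_use_custom_virtual_machine` says it checks whether the caller may "create custom VMs", but the call site in the first hunk invokes it only for `VirtualMachineConfig::RawConfig` when `config.protectedVm` is true, so a non-protected raw config is not gated by this permission. If that is the intended boundary, say so in both places, e.g. `/// Check whether the caller of the current Binder method is allowed to create protected VMs from a raw config` and, above the `if let`, `// Only protected VMs built from a raw config require USE_CUSTOM_VIRTUAL_MACHINE.`. The decision is keyed on `config.protectedVm` as supplied by the caller. The signature also carries an `is_protected` out-parameter, which suggests the effective mode is settled elsewhere, so confirm that nothing later in the function can make the VM protected without passing this check. The enclosing function begins and continues outside the hunk, so this cannot be confirmed from here.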