-rw-r--r-- | fs_mgr/fs_mgr_fstab.cpp | 33 | ||||
-rw-r--r-- | init/ueventd_parser.cpp | 4 | ||||
-rw-r--r-- | init/ueventd_parser_test.cpp | 13 | ||||
-rw-r--r-- | libcutils/Android.bp | 3 | ||||
-rw-r--r-- | libstats/pull_rust/Android.bp | 4 | ||||
-rw-r--r-- | rootdir/init.rc | 41 |
6 files changed, 56 insertions, 42 deletions
diff --git a/fs_mgr/fs_mgr_fstab.cpp b/fs_mgr/fs_mgr_fstab.cpp index 950fc9676..ad48dd105 100644 --- a/fs_mgr/fs_mgr_fstab.cpp +++ b/fs_mgr/fs_mgr_fstab.cpp @@ -17,6 +17,7 @@ #include <ctype.h> #include <dirent.h> #include <errno.h> +#include <fnmatch.h> #include <stdio.h> #include <stdlib.h> #include <string.h> @@ -779,21 +780,31 @@ bool SkipMountingPartitions(Fstab* fstab, bool verbose) { return true; } - for (const auto& skip_mount_point : Split(skip_config, "\n")) { - if (skip_mount_point.empty()) { + std::vector<std::string> skip_mount_patterns; + for (const auto& line : Split(skip_config, "\n")) { + if (line.empty() || StartsWith(line, "#")) { continue; } - auto it = std::remove_if(fstab->begin(), fstab->end(), - [&skip_mount_point](const auto& entry) { - return entry.mount_point == skip_mount_point; - }); - if (it == fstab->end()) continue; - fstab->erase(it, fstab->end()); - if (verbose) { - LINFO << "Skip mounting partition: " << skip_mount_point; - } + skip_mount_patterns.push_back(line); } + // Returns false if mount_point matches any of the skip mount patterns, so that the FstabEntry + // would be partitioned to the second group. + auto glob_pattern_mismatch = [&skip_mount_patterns](const FstabEntry& entry) -> bool { + for (const auto& pattern : skip_mount_patterns) { + if (!fnmatch(pattern.c_str(), entry.mount_point.c_str(), 0 /* flags */)) { + return false; + } + } + return true; + }; + auto remove_from = std::stable_partition(fstab->begin(), fstab->end(), glob_pattern_mismatch); + if (verbose) { + for (auto it = remove_from; it != fstab->end(); ++it) { + LINFO << "Skip mounting mountpoint: " << it->mount_point; + } + } + fstab->erase(remove_from, fstab->end()); return true; } #endif diff --git a/init/ueventd_parser.cpp b/init/ueventd_parser.cpp index cab988bb3..2221228d1 100644 --- a/init/ueventd_parser.cpp +++ b/init/ueventd_parser.cpp 
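Review bot: In the SkipMountingPartitions hunk, `fnmatch(pattern.c_str(), entry.mount_point.c_str(), 0 /* flags */)` runs with no flags, so `*` and `?` in a skip pattern also match `/`; a line such as `/mnt/*` (constructed example) would also drop an entry mounted at `/mnt/a/b`. If that breadth is intended, the comment above the lambda should say so, e.g. `// flags == 0: wildcards also match '/', so "/foo/*" covers nested mount points.`; if it is not, passing `FNM_PATHNAME` would confine each wildcard to one path component. Lines are also used verbatim from `Split(skip_config, "\n")`, so trailing whitespace or an indented `#` becomes part of a pattern that silently never matches; trimming each line before the `empty()`/`StartsWith` test would avoid that. The function starts outside the hunk.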
@@ -106,10 +106,10 @@ Result<void> ParseExternalFirmwareHandlerLine( } if (std::find_if(external_firmware_handlers->begin(), external_firmware_handlers->end(), - [&args](const auto& other) { return other.devpath == args[2]; }) != + [&args](const auto& other) { return other.devpath == args[1]; }) != external_firmware_handlers->end()) { return Error() << "found a previous external_firmware_handler with the same devpath, '" - << args[2] << "'"; + << args[1] << "'"; } passwd* pwd = getpwnam(args[2].c_str()); diff --git a/init/ueventd_parser_test.cpp b/init/ueventd_parser_test.cpp index b604c53fc..4e63ba577 100644 --- a/init/ueventd_parser_test.cpp +++ b/init/ueventd_parser_test.cpp @@ -45,6 +45,13 @@ void TestSysfsPermissions(const SysfsPermissions& expected, const SysfsPermissio EXPECT_EQ(expected.attribute_, test.attribute_); } +void TestExternalFirmwareHandler(const ExternalFirmwareHandler& expected, + const ExternalFirmwareHandler& test) { + EXPECT_EQ(expected.devpath, test.devpath) << expected.devpath; + EXPECT_EQ(expected.uid, test.uid) << expected.uid; + EXPECT_EQ(expected.handler_path, test.handler_path) << expected.handler_path; +} + template <typename T, typename F> void TestVector(const T& expected, const T& test, F function) { ASSERT_EQ(expected.size(), test.size()); @@ -67,6 +74,8 @@ void TestUeventdFile(const std::string& content, const UeventdConfiguration& exp TestVector(expected.sysfs_permissions, result.sysfs_permissions, TestSysfsPermissions); TestVector(expected.dev_permissions, result.dev_permissions, TestPermissions); EXPECT_EQ(expected.firmware_directories, result.firmware_directories); + TestVector(expected.external_firmware_handlers, result.external_firmware_handlers, + TestExternalFirmwareHandler); } TEST(ueventd_parser, EmptyFile) { 
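Review bot: The corrected duplicate check on `args[1]` in ParseExternalFirmwareHandlerLine has no test that exercises the rejection path. The test changes in this commit compare the parsed handlers and make the fixture's devpaths unique (`something002.bin`), so a regression back to the wrong index would still pass. I would add a case that feeds two `external_firmware_handler` lines with the same devpath and expects the parse to fail with the "found a previous external_firmware_handler with the same devpath" error; whether the test file already has a helper for expected parse failures is not visible here. The function body begins and ends outside the hunk.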
@@ -144,7 +153,7 @@ TEST(ueventd_parser, ExternalFirmwareHandlers) { auto ueventd_file = R"( external_firmware_handler devpath root handler_path external_firmware_handler /devices/path/firmware/something001.bin system /vendor/bin/firmware_handler.sh -external_firmware_handler /devices/path/firmware/something001.bin radio "/vendor/bin/firmware_handler.sh --has --arguments" +external_firmware_handler /devices/path/firmware/something002.bin radio "/vendor/bin/firmware_handler.sh --has --arguments" )"; auto external_firmware_handlers = std::vector<ExternalFirmwareHandler>{ @@ -159,7 +168,7 @@ external_firmware_handler /devices/path/firmware/something001.bin radio "/vendor "/vendor/bin/firmware_handler.sh", }, { - "/devices/path/firmware/something001.bin", + "/devices/path/firmware/something002.bin", AID_RADIO, "/vendor/bin/firmware_handler.sh --has --arguments", }, diff --git a/libcutils/Android.bp b/libcutils/Android.bp index a99cae266..0f3763c50 100644 --- a/libcutils/Android.bp +++ b/libcutils/Android.bp @@ -363,9 +363,8 @@ rust_bindgen { local_include_dirs: ["include"], bindgen_flags: [ "--whitelist-function", "multiuser_get_app_id", - "--whitelist-function", "multiuser_get_uid", "--whitelist-function", "multiuser_get_user_id", - "--whitelist-var", "AID_KEYSTORE", + "--whitelist-function", "multiuser_get_uid", "--whitelist-var", "AID_USER_OFFSET", ], } diff --git a/libstats/pull_rust/Android.bp b/libstats/pull_rust/Android.bp index 3660199f4..354c7b349 100644 --- a/libstats/pull_rust/Android.bp +++ b/libstats/pull_rust/Android.bp @@ -14,6 +14,10 @@ // limitations under the License. // +package { + default_applicable_licenses: ["Android-Apache-2.0"], +} + rust_bindgen { name: "libstatspull_bindgen", wrapper_src: "statslog.h", diff --git a/rootdir/init.rc b/rootdir/init.rc index e3b1c4c9e..9a30ead3f 100644 --- a/rootdir/init.rc +++ b/rootdir/init.rc 
@@ -471,6 +471,9 @@ on init chmod 0664 /sys/module/lowmemorykiller/parameters/minfree start lmkd + # Set an initial boot level - start at 10 in case we need to add earlier ones. + setprop keystore.boot_level 10 + # Start essential services. start servicemanager start hwservicemanager @@ -627,6 +630,8 @@ on late-fs write /sys/kernel/tracing/instances/bootreceiver/events/error_report/error_report_end/enable 1 on post-fs-data + # Boot level 30 - at this point daemons like apexd and odsign run + setprop keystore.boot_level 30 mark_post_data @@ -647,9 +652,6 @@ on post-fs-data mkdir /data/bootchart 0755 shell shell encryption=Require bootchart start - # Avoid predictable entropy pool. Carry over entropy from previous boot. - copy /data/system/entropy.dat /dev/urandom - mkdir /data/vendor 0771 root root encryption=Require mkdir /data/vendor_ce 0771 root root encryption=None mkdir /data/vendor_de 0771 root root encryption=None @@ -665,23 +667,6 @@ on post-fs-data # Make sure that apexd is started in the default namespace enter_default_mount_ns - # set up keystore directory structure first so that we can end early boot - # and start apexd - mkdir /data/misc 01771 system misc encryption=Require - mkdir /data/misc/keystore 0700 keystore keystore - - # Boot level 30 - # odsign signing keys have MAX_BOOT_LEVEL=30 - # This is currently the earliest boot level, but we start at 30 - # to leave room for earlier levels. - setprop keystore.boot_level 30 - - # Now that /data is mounted and we have created /data/misc/keystore, - # we can tell keystore to stop allowing use of early-boot keys, - # and access its database for the first time to support creation and - # use of MAX_BOOT_LEVEL keys. - exec - system system -- /system/bin/vdc keymaster earlyBootEnded - # /data/apex is now available. Start apexd to scan and activate APEXes. mkdir /data/apex 0755 root system encryption=None mkdir /data/apex/active 0755 root system 
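Review bot: In the `-627` hunk, `setprop keystore.boot_level 30` now runs as the first action of `on post-fs-data`, before `/data/misc` and `/data/misc/keystore` exist; their `mkdir` lines are removed in the `-665` hunk and re-added further down the trigger. The comment removed in the `-665` hunk said keystore accesses its database for the first time once that directory has been created, so if keystore reacts to this property change by opening its database it would find the directory missing; this should be confirmed against the keystore daemon. The new comment should at least record the ordering, e.g. `# NOTE: /data/misc/keystore is created later in this trigger; keystore must tolerate its absence here.`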
@@ -693,7 +678,11 @@ on post-fs-data mkdir /data/apex/ota_reserved 0700 root system encryption=Require start apexd - # create rest of basic filesystem structure + # Avoid predictable entropy pool. Carry over entropy from previous boot. + copy /data/system/entropy.dat /dev/urandom + + # create basic filesystem structure + mkdir /data/misc 01771 system misc encryption=Require mkdir /data/misc/recovery 0770 system log copy /data/misc/recovery/ro.build.fingerprint /data/misc/recovery/ro.build.fingerprint.1 chmod 0440 /data/misc/recovery/ro.build.fingerprint.1 @@ -717,6 +706,7 @@ on post-fs-data mkdir /data/misc/nfc 0770 nfc nfc mkdir /data/misc/nfc/logs 0770 nfc nfc mkdir /data/misc/credstore 0700 credstore credstore + mkdir /data/misc/keystore 0700 keystore keystore mkdir /data/misc/gatekeeper 0700 system system mkdir /data/misc/keychain 0771 system system mkdir /data/misc/net 0750 root shell @@ -924,13 +914,14 @@ on post-fs-data # odsign to be done with the key wait_for_prop odsign.key.done 1 + # After apexes are mounted, tell keymaster early boot has ended, so it will + # stop allowing use of early-boot keys + exec - system system -- /system/bin/vdc keymaster earlyBootEnded + # Lock the fs-verity keyring, so no more keys can be added exec -- /system/bin/fsverity_init --lock - # Bump the boot level to 1000000000; this prevents further on-device signing. - # This is a special value that shuts down the thread which listens for - # further updates. - setprop keystore.boot_level 1000000000 + setprop keystore.boot_level 40 # Allow apexd to snapshot and restore device encrypted apex data in the case # of a rollback. This should be done immediately after DE_user data keys |
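Review bot: In the `-693` hunk, `copy /data/system/entropy.dat /dev/urandom` now sits after `start apexd`, whereas the line removed in the `-647` hunk ran before the `/data/vendor` setup. As a result, apexd and anything else started earlier in `post-fs-data` run before the carried-over entropy is mixed in. If the later position is deliberate, the comment should say why, e.g. `# Placed after apexd start on purpose; nothing started earlier relies on the carried-over seed.` (to be confirmed); otherwise the copy belongs back above `start apexd`.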
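Review bot: In the `-924` hunk, `setprop keystore.boot_level 40` replaces the value 1000000000 and drops the comment that explained it, leaving the final boot level undocumented. The removed text said the old value prevented further on-device signing and shut down the thread that listens for updates; nothing visible says whether 40 does either. A comment such as `# Boot level 40 - odsign is done; keys bound to a lower MAX_BOOT_LEVEL are no longer usable` would state the intent, with wording to be confirmed against keystore. The same hunk moves `vdc keymaster earlyBootEnded` to after `wait_for_prop odsign.key.done 1`, which lengthens the period in which early-boot keys stay usable, so it is worth confirming that every user of those keys in that window is expected.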