diff --git a/init/init.cpp b/init/init.cpp index 17498da6d..5b0b0ddee 100644 --- a/init/init.cpp +++ b/init/init.cpp @@ -315,8 +315,7 @@ Parser CreateApexConfigParser(ActionManager& action_manager, ServiceList& servic if (apex_info_list.has_value()) { std::vector subcontext_apexes; for (const auto& info : apex_info_list->getApexInfo()) { - if (info.hasPreinstalledModulePath() && - subcontext->PathMatchesSubcontext(info.getPreinstalledModulePath())) { + if (subcontext->PartitionMatchesSubcontext(info.getPartition())) { subcontext_apexes.push_back(info.getModuleName()); } } diff --git a/init/subcontext.cpp b/init/subcontext.cpp index 6a095fb7b..3fe448fe3 100644 --- a/init/subcontext.cpp +++ b/init/subcontext.cpp @@ -263,6 +263,10 @@ bool Subcontext::PathMatchesSubcontext(const std::string& path) const { return false; } +bool Subcontext::PartitionMatchesSubcontext(const std::string& partition) const { + return std::find(partitions_.begin(), partitions_.end(), partition) != partitions_.end(); +} + void Subcontext::SetApexList(std::vector&& apex_list) { apex_list_ = std::move(apex_list); } @@ -352,12 +356,13 @@ void InitializeSubcontext() { } if (SelinuxGetVendorAndroidVersion() >= __ANDROID_API_P__) { - subcontext.reset( - new Subcontext(std::vector{"/vendor", "/odm"}, kVendorContext)); + subcontext.reset(new Subcontext(std::vector{"/vendor", "/odm"}, + std::vector{"VENDOR", "ODM"}, kVendorContext)); } } + void InitializeHostSubcontext(std::vector vendor_prefixes) { - subcontext.reset(new Subcontext(vendor_prefixes, kVendorContext, /*host=*/true)); + subcontext.reset(new Subcontext(vendor_prefixes, {}, kVendorContext, /*host=*/true)); } Subcontext* GetSubcontext() { diff --git a/init/subcontext.h b/init/subcontext.h index 93ebacea2..23c4a241c 100644 --- a/init/subcontext.h +++ b/init/subcontext.h @@ -36,8 +36,10 @@ static constexpr const char kTestContext[] = "test-test-test"; class Subcontext { public: - Subcontext(std::vector path_prefixes, std::string_view context, bool host = false) + Subcontext(std::vector path_prefixes, std::vector partitions, + std::string_view context, bool host = false) : path_prefixes_(std::move(path_prefixes)), + partitions_(std::move(partitions)), context_(context.begin(), context.end()), pid_(0) { if (!host) { @@ -49,6 +51,7 @@ class Subcontext { Result> ExpandArgs(const std::vector& args); void Restart(); bool PathMatchesSubcontext(const std::string& path) const; + bool PartitionMatchesSubcontext(const std::string& partition) const; void SetApexList(std::vector&& apex_list); const std::string& context() const { return context_; } @@ -59,6 +62,7 @@ class Subcontext { Result TransmitMessage(const SubcontextCommand& subcontext_command); std::vector path_prefixes_; + std::vector partitions_; std::vector apex_list_; std::string context_; pid_t pid_; diff --git a/init/subcontext_benchmark.cpp b/init/subcontext_benchmark.cpp index ccef2f36a..172ee3173 100644 --- a/init/subcontext_benchmark.cpp +++ b/init/subcontext_benchmark.cpp @@ -33,7 +33,7 @@ static void BenchmarkSuccess(benchmark::State& state) { return; } - auto subcontext = Subcontext({"path"}, context); + auto subcontext = Subcontext({"path"}, {"partition"}, context); free(context); while (state.KeepRunning()) { diff --git a/init/subcontext_test.cpp b/init/subcontext_test.cpp index da1f45550..85a2f2a94 100644 --- a/init/subcontext_test.cpp +++ b/init/subcontext_test.cpp @@ -41,7 +41,7 @@ namespace init { template void RunTest(F&& test_function) { - auto subcontext = Subcontext({"dummy_path"}, kTestContext); + auto subcontext = Subcontext({"dummy_path"}, {"dummy_partition"}, kTestContext); ASSERT_NE(0, subcontext.pid()); test_function(subcontext); @@ -177,6 +177,19 @@ TEST(subcontext, ExpandArgsFailure) { }); } +TEST(subcontext, PartitionMatchesSubcontext) { + RunTest([](auto& subcontext) { + static auto& existent_partition = "dummy_partition"; + static auto& non_existent_partition = "not_dummy_partition"; + + auto existent_result = subcontext.PartitionMatchesSubcontext(existent_partition); + auto non_existent_result = subcontext.PartitionMatchesSubcontext(non_existent_partition); + + ASSERT_TRUE(existent_result); + ASSERT_FALSE(non_existent_result); + }); +} + BuiltinFunctionMap BuildTestFunctionMap() { // For CheckDifferentPid auto do_return_pids_as_error = [](const BuiltinArguments& args) -> Result { diff --git a/trusty/utils/rpmb_dev/Android.bp b/trusty/utils/rpmb_dev/Android.bp index 13f151d2e..ef23cc50f 100644 --- a/trusty/utils/rpmb_dev/Android.bp +++ b/trusty/utils/rpmb_dev/Android.bp @@ -49,3 +49,12 @@ cc_binary { "rpmb_dev.system.rc", ], } + +cc_binary { + name: "rpmb_dev.wv.system", + defaults: ["rpmb_dev.cc_defaults"], + system_ext_specific: true, + init_rc: [ + "rpmb_dev.wv.system.rc", + ], +} diff --git a/trusty/utils/rpmb_dev/rpmb_dev.wv.system.rc b/trusty/utils/rpmb_dev/rpmb_dev.wv.system.rc new file mode 100644 index 000000000..3e7f8b44f --- /dev/null +++ b/trusty/utils/rpmb_dev/rpmb_dev.wv.system.rc @@ -0,0 +1,62 @@ +service storageproxyd_wv_system /system_ext/bin/storageproxyd.system \ + -d ${storageproxyd_wv_system.trusty_ipc_dev:-/dev/trusty-ipc-dev0} \ + -r /dev/socket/rpmb_mock_wv_system \ + -p /data/secure_storage_wv_system \ + -t sock + disabled + class hal + user system + group system + +service rpmb_mock_init_wv_system /system_ext/bin/rpmb_dev.wv.system \ + --dev /mnt/secure_storage_rpmb_wv_system/persist/RPMB_DATA --init --size 2048 + disabled + user system + group system + oneshot + +service rpmb_mock_wv_system /system_ext/bin/rpmb_dev.wv.system \ + --dev /mnt/secure_storage_rpmb_wv_system/persist/RPMB_DATA \ + --sock rpmb_mock_wv_system + disabled + user system + group system + socket rpmb_mock_wv_system stream 660 system system + +# storageproxyd +on boot && \ + property:trusty.widevine_vm.nonsecure_vm_ready=1 && \ + property:storageproxyd_wv_system.trusty_ipc_dev=* + wait /dev/socket/rpmb_mock_wv_system + enable storageproxyd_wv_system + + +# RPMB Mock +on early-boot && \ + property:ro.hardware.security.trusty.widevine_vm.system=1 && \ + property:trusty.widevine_vm.vm_cid=* && \ + property:ro.boot.vendor.apex.com.android.services.widevine=\ +com.android.services.widevine.cf_guest_trusty_nonsecure + # Create a persistent location for the RPMB data + # (work around lack of RPMb block device on CF). + # file contexts secure_storage_rpmb_system_file + # (only used on Cuttlefish as this is non secure) + mkdir /metadata/secure_storage_rpmb_wv_system 0770 system system + mkdir /mnt/secure_storage_rpmb_wv_system 0770 system system + symlink /metadata/secure_storage_rpmb_wv_system \ + /mnt/secure_storage_rpmb_wv_system/persist + # Create a system persist directory in /metadata + # (work around lack of dedicated system persist partition). + # file contexts secure_storage_persist_system_file + mkdir /metadata/secure_storage_persist_wv_system 0770 system system + mkdir /mnt/secure_storage_persist_wv_system 0770 system system + symlink /metadata/secure_storage_persist_wv_system \ + /mnt/secure_storage_persist_wv_system/persist + # file contexts secure_storage_system_file + mkdir /data/secure_storage_wv_system 0770 root system + symlink /mnt/secure_storage_persist_wv_system/persist \ + /data/secure_storage_wv_system/persist + chown root system /data/secure_storage_wv_system/persist + setprop storageproxyd_wv_system.trusty_ipc_dev VSOCK:${trusty.widevine_vm.vm_cid}:1 + exec_start rpmb_mock_init_wv_system + start rpmb_mock_wv_system