init: enable 'user root' check at build time

For visibility. We could make this only for new API levels, but it isn't currently exposed at build time, and visibility is good on upgrades. Bug: 340953047 Test: build, on device passing and failing requirements Change-Id: I3a0ea47560c65114bc1b8685954d1fb7687cb8df
2024-05-20 22:31:11 +00:00 · 2024-05-20 22:31:11 +00:00 · 81a1b3ec23
commit 81a1b3ec23
parent cdd4cb7db8
3 changed files with 25 additions and 1 deletions
--- a/init/Android.bp
+++ b/init/Android.bp
@ -571,6 +571,11 @@ cc_library_static {
    ],
    export_include_dirs: ["test_utils/include"], // for tests
    header_libs: ["bionic_libc_platform_headers"],
+    product_variables: {
+        shipping_api_level: {
+            cflags: ["-DBUILD_SHIPPING_API_LEVEL=%s"],
+        },
+    },
 }

 // Host Verifier
@ -625,6 +630,11 @@ cc_defaults {
            enabled: false,
        },
    },
+    product_variables: {
+        shipping_api_level: {
+            cflags: ["-DBUILD_SHIPPING_API_LEVEL=%s"],
+        },
+    },
 }

 cc_binary {
--- a/init/host_init_stubs.h
+++ b/init/host_init_stubs.h
@ -32,6 +32,7 @@
 #define __ANDROID_API_S__ 31
 #define __ANDROID_API_T__ 33
 #define __ANDROID_API_U__ 34
+#define __ANDROID_API_V__ 35

 // sys/system_properties.h
 #define PROP_VALUE_MAX 92
--- a/init/service_parser.cpp
+++ b/init/service_parser.cpp
@ -52,6 +52,18 @@ using android::base::StartsWith;
 namespace android {
 namespace init {

+#ifdef INIT_FULL_SOURCES
+// on full sources, we have better information on device to
+// make this decision
+constexpr bool kAlwaysErrorUserRoot = false;
+#else
+constexpr uint64_t kBuildShippingApiLevel = BUILD_SHIPPING_API_LEVEL + 0 /* +0 if empty */;
+// on partial sources, the host build, we don't have the specific
+// vendor API level, but we can enforce things based on the
+// shipping API level.
+constexpr bool kAlwaysErrorUserRoot = kBuildShippingApiLevel > __ANDROID_API_V__;
+#endif
+
 Result<void> ServiceParser::ParseCapabilities(std::vector<std::string>&& args) {
    service_->capabilities_ = 0;

@ -680,7 +692,8 @@ Result<void> ServiceParser::EndSection() {
    }

    if (service_->proc_attr_.parsed_uid == std::nullopt) {
-        if (android::base::GetIntProperty("ro.vendor.api_level", 0) > 202404) {
+        if (kAlwaysErrorUserRoot ||
+            android::base::GetIntProperty("ro.vendor.api_level", 0) > 202404) {
            return Error() << "No user specified for service '" << service_->name()
                           << "', so it would have been root.";
        } else {