Revert "Cryptographic security for MAX_BOOT_LEVEL"
Revert submission 1660531-max-boot-level-crypto
Reason for revert: broken test com.android.tests.odsign.OnDeviceSigningHostTest#verifyArtUpgradeSignsFiles on aosp-master on aosp_cf_x86_64_phone-userdebug at 7261517
Reverted Changes:
Ia3b968afc:Set earlyBootEnded before apex starts
Ia69891291:Expose AID_KEYSTORE
I12530cd13:Cryptographic security for MAX_BOOT_LEVEL
Bug: 184635938
Change-Id: Ibf63734a02a2c132142671c0fae5d0177bf46079
Test: forrest run for the broken test
earlyBootEnded signals to keystore2 to read the database for the first
time, and start the MAX_BOOT_LEVEL system. It must therefore run
after /data is mounted and /data/misc/keystore is created, but before
apexd or odsign starts.
Bug: 176450483
Test: cuttlefish: check keystore2 logs to ensure all looks well.
Change-Id: Ia3b968afc38edf95712480e99e545ba88ea309c3
When all threads are terminated, dm-user handler's are removed
from the list. When the last handler is removed, daemon is
shutdown gracefully.
Bug: 183652708
Test: 1: Apply full OTA and verify daemon is terminated; reapply the OTA
to verify daemon is restarted again.
2: vts_libsnapshot_test
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: Ibd41223fc0eba884993a533fcc95661f72805db2
In form, inspired by ANDROID_BASE_UNIQUE_FD_DISABLE_IMPLICIT_CONVERSION.
We get occasional bugs about sp double-ownership. When this flag is
enabled, we have:
- you must construct RefBase objects using sp<>::make
- you must construct wp<> objects by converting them to sp<>
- if you want to convert a raw pointer to an sp<> object (this is
possible since the refcount is used internally, and is used commonly
on this*), then you must use 'assertStrongRefExists' semantics which
aborts if there is no strong ref held. That is, if a client uses
std::make_shared and then calls a function which internally used to
call `sp<T>(this)`, you would now call
`sp<T>::assertStrongRefExists(this)`, and the double ownership
problem would become a runtime error.
Bug: 184190315
Test: libutils_test
Change-Id: Ie18d3146420df1808e3733027070ec234dda4e9d
Keystore uses this as the user ID for keys that it creates for its
own use.
Bug: 176450483
Test: keystore2_test
Change-Id: Ia698912917cd209eebcfc007a8badce7a39159d6
ReadFstabFromFile() calls access() to check the existence of DSU
metadata files to determine if device is in DSU running state. This is
error prone because a failed access() can mean non-exsitent file as well
as the caller lacking the permission to path resolute the pathname.
Strengthen ReadFstabFromFile() to check the errno after a failed
access() or open(), if the errno is not ENOENT, then return with error,
as this may be indicating the caller doesn't have sufficient access
rights to call ReadFstabFromFile().
After this change, processes would need these policies to call
ReadFstabFromFile():
allow scontext { metadata_file gsi_metadata_file_type }:dir search;
And these policies to call ReadFstabFromFile() within a DSU system:
allow scontext gsi_public_metadata_file:file r_file_perms;
Bug: 181110285
Test: Presubmit
Change-Id: I1a6a796cb9b7b49af3aa5e7a5e8d99cde25e5857
Minor refactoring and renaming, goal is to make the follow-up patch
easier to read.
Bug: 184132970
Test: Presubmit
Change-Id: I66416161b30ac310934d901cbaf11bc926e2cbf7
When worker threads were created, snapuserd was converted to a
shared_pointer. Earlier, memory was forcefully released
by setting snapuserd to nullptr which worked as it
was a unique pointer. Now, every worker thread holds
a reference. Clear the vector once all the worker
threads are terminated.
Test: Apply OTA and verify memory is released after OTA is applied
Bug: 183652708
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: I256d26d98b02ad599aff49b92192226546c59b17
Revert "Merge libdexfile_external into libdexfile."
Revert "libdexfile_external is replaced by libdexfile."
Revert "Rename libdexfile_external_static to libdexfile_static."
Revert "Rename libdexfile_external_static to libdexfile_static."
Revert "Allow dependencies from platform variants to APEX modules."
Revert submission 1658000
Reason for revert: Breaks full-eng build: b/184239856
Reverted Changes:
I4f8ead785:Avoid internal APEX stubs for libsigchain and clea...
I68affdf69:Allow dependencies from platform variants to APEX ...
I54b33784e:Rename libdexfile_external_static to libdexfile_st...
Id68ae9438:libdexfile_external is being replaced by libdexfil...
I12ac84eb4:libdexfile_external is replaced by libdexfile.
If05dbffc8:Rename libdexfile_external_static to libdexfile_st...
Ia011fa3a8:Merge libdexfile_external into libdexfile.
Change-Id: I2448810c9a863cde32b6ed98d9ed0a99cf260d34
Otherwise, these error logs don't end up in bugreports, making it very
difficult to debug.
When using locally, users will have to check logcat instead of stderr.
Bug: 183919392
Bug: 115420908
Test: m
Change-Id: I3b829347971d05968b851e11ce784829d12ef098
Remove the function EnableBlocklist() and add a constructor argument to
enable/disable the use of modules.blocklist. In all cases, the
enabling/disabling of the blocklist happens immediately after creating
the Modprobe object. So this simplies libmodprobe.
Additionally, the use of the blocklist by libmodprobe should be enabled
by default unless explicitly disabled during creation of the Modprobe
object. Currently, only modprobe(8) defaults to not using the blocklist
and includes the argument -b BLOCKLIST for enabling it. That
functionality remains.
This refactor allows us to use the blocklist during first stage init.
However, additional logic is needed to not return an error for the
blocked non-aliased modules during first stage init; otherwise, the
error would result in an init crash leading to a device reboot. So fixup
LoadListedModules() to allow blocking modules without returning an
error.
Bug: 182582036
Test: boot test on pixel 5 with a module in modules.blocklist
Change-Id: I394b5aa98fa98821011982cfe693749010c381f7
