Commit graph

262 commits

Author SHA1 Message Date
Michael Bestas
a00bd859bf Android 15.0.0 Release 20 (BP1A.250305.019)

Merge tag 'android-15.0.0_r20' into staging/lineage-22.2_merge-android-15.0.0_r20

Android 15.0.0 Release 20 (BP1A.250305.019)

# gpg: Signature made Wed Mar  5 03:31:59 2025 EET
# gpg:                using DSA key 4340D13570EF945E83810964E8AD3F819AB10E78
# gpg: Good signature from "The Android Open Source Project <initial-contribution@android.com>" [ultimate]

* tag 'android-15.0.0_r20': (183 commits)
  Revert "Define ueventd.rc.recovery"
  Define ueventd.rc.recovery
  Define init_second_stage.recovery
  Define reboot.recovery and watchdogd.recovery
  debuggerd: Use libprocessgroup to unfreeze
  Define toolbox.recovery
  Replace partition-specific toybox make module with soong modules
  Start aconfigd socket defined in configinfra mainline module
  Update trusty to use secretkeeper hal V1
  ashmem: Ensure all memfds have non-executable permissions by default
  libsnapshot: Cleanup temp metadata during rollback
  libprocessgroup: Remove ramdisk_available from libcgrouprc
  libprocessgroup: Remove vendor_ramdisk_available from libcgrouprc
  libprocessgroup: Remove recovery_available from libcgrouprc
  gatekeeperd_service_fuzzer: Add signal() to handle SIGPIPE
  libutils OWNERS for shayba@
  Deprecate cc_binary aconfigd and the controlling flag
  libprefetch: rename property name
  Update comments to point to the new location of event.logtags.
  Fix the dm-verity Merkle tree caches to not expire so quickly
  ...

 Conflicts:
	init/devices.cpp

Change-Id: I16f4b8b40b74074b087b2fc719cf4a322ccd76cf
2025-03-09 07:31:20 +02:00
Michael Bestas
ffe39e16d3 Android 15.0.0 Release 6 (AP4A.241205.013)

Merge tag 'android-15.0.0_r6' into staging/lineage-22.0_merge-android-15.0.0_r6

Android 15.0.0 Release 6 (AP4A.241205.013)

# gpg: Signature made Fri Dec  6 00:44:03 2024 EET
# gpg:                using DSA key 4340D13570EF945E83810964E8AD3F819AB10E78
# gpg: Good signature from "The Android Open Source Project <initial-contribution@android.com>" [marginal]
# gpg: initial-contribution@android.com: Verified 2481 signatures in the past
#      3 years.  Encrypted 4 messages in the past 2 years.
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg:          It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 4340 D135 70EF 945E 8381  0964 E8AD 3F81 9AB1 0E78

# By Akilesh Kailash (13) and others
# Via Automerger Merge Worker (317) and others
* tag 'android-15.0.0_r6': (158 commits)
  trusty: storage: proxy: FS_READY property setting on vendor only
  Fix the trigger name for loading bpf programs.
  start netd earlier
  Replace base::RandInt with std::uniform_int_distribution
  trusty: keymint: rename trusty_ipc_dev property
  Move the `dist` target of `mke2fs` to `build/core/tasks`
  Remove define of SA_EXPOSE_TAGBITS.
  Add input event profile to mitigate input latency of input threads
  Remove usage of base/string/* in libfs_avb
  Add getFdStateDebug to access Looper's callbacks
  libsnapshot: CHECK -> CHECK_EQ
  Mount /mnt/vm earlier
  Define linker.config.json as a filegroup
  Remove usage of base/logging.h in libfs_avb
  debuggerd: recognize jumps to non-executable memory.
  Support vendor partition in non-debuggable pVMs
  Remind the reader that they'll need to modify CTS too.
  Rename system/core/rootdir/Android.mk to create_root_structure.mk
  trusty: keymint/gatekeeper: Pass device name from init scripts
  Remove unused variable.
  ...

 Conflicts:
	fs_mgr/libsnapshot/include/libsnapshot/snapshot.h
	fs_mgr/libsnapshot/snapshot.cpp
	init/Android.bp
	init/fuzzer/Android.bp

Change-Id: I29c07b3ac76940cb2b82726e98d2beb643b3e6e4
2024-12-10 23:23:24 +02:00
Jihoon Kang
9b5c6fdce8 Define init_second_stage.recovery
By removing `recovery_available` property from "init_second_stage"
and defining a dedicated recovery-specific module for
"init_second_stage". `recovery_available` property should be used
to allow the reverse dependencies recovery modules to depend on
the module, not to install the module to the recovery partition.

Test: m soong_generated_recovery_filesystem_test
Bug: 381888358
Change-Id: Ie9b93b8453bc1e40f7a28e57f498313d3bc4cedb
2024-12-06 23:33:42 +00:00
Inseob Kim
e2efde3746 Use genfs labels version library
Instead of hard-coding the text path everywhere, this uses a library to
get the genfs labels version.

As genfs labels affect SELinux, this also adds logs to help debug
issues.

Bug: 378805380
Test: boot and check log
Change-Id: I843c97cbeb0c211c67e0172458a4f0d236cf1f06
2024-11-20 18:03:41 +09:00
T.J. Mercier
490b505a3f Merge changes from topic "reapply_no_cgroup.rc" into main
* changes:
  Reapply "libprocessgroup: Combine all 3 ActivateControllers imple..."
  Reapply "libprocessgroup: Remove ACgroupController_getMaxActivati..."
  Reapply "libprocessgroup: Remove dependency on libcgrouprc"
  Reapply "libprocessgroup: Remove cgroup.rc file"
2024-10-22 15:07:17 +00:00
T.J. Mercier
a09ee8ece6 Reapply "libprocessgroup: Remove cgroup.rc file"
This reverts commit 972a2d30f8.

Change-Id: Icdf2824675e515ea3656b1c58ac55160ecc337df
2024-10-08 23:42:49 +00:00
Priyanka Advani (xWF)
972a2d30f8 Revert "libprocessgroup: Remove cgroup.rc file"
Revert submission 3212512

Reason for revert: Droidmonitor created revert due to b/372273614. Will be verifying through ABTD before submission.

Reverted changes: /q/submissionid:3212512

Change-Id: I37568516e973cb940f1229d52f94b8dc801da2ab
2024-10-08 18:54:37 +00:00
T.J. Mercier
ae4ce8ccc5 libprocessgroup: Remove cgroup.rc file
The cgroup.rc file was introduced in 192aee782 ("libprocessgroup: Add
support for task profiles") back with the initial support for task
profiles. It was intended to optimize performance associated with cgroup
operations. However over time, supporting this file led to making
libprocessgroup code more complicated (such as the cgrouprc LLNDK
interface), and the file ended up getting mmaped into nearly every
process on Android even though only a handful of them actually use it.
Replacing this file with reading and parsing of cgroup information on
demand allows us to simplify and shrink libprocessgroup, and eliminates
thousands of unused mappings without negatively affecting boot time or
other performance metrics.

Bug: 349105928
Test: Verified with memcg v2 and MaxActivationDepth 1 on Cuttlefish, Raven, and Mokey
Change-Id: Ic3f01fdf7fda89a56ab80657e1cf4573156273e6
2024-10-03 17:01:34 +00:00
David Anderson
6f451a9c8c init: Issue a wipe on boot if trade-in mode was active.
This modifies first-stage init to check for /metadata/tradeinmode/wipe
as soon as /metadata is mounted. If the file exists, we issue a request
to the bootloader to reboot to recovery and wipe /data. Since this also
wipes /metadata, the wipe indicator will be removed too.

In case some kind of failure happens in recovery, this also implements a
quick-and-dirty counter mechanism to fallback to the recovery menu.

Bug: 307713521
Test: touch /metadata/tradeinmode/wipe && adb reboot
Change-Id: I2d05903cadcdadf9c05f6736454db790a9e6b5bb
2024-10-02 20:19:08 -07:00
Michael Bestas
d6c0ec9dd0 Revert "init: remove session keyring workaround for old kernels"
Reason for revert: Still needed for <4.14 devices.

This reverts commit 5d7c35ce20.

Change-Id: I695f04514f4334c77636120d94990b0b6eaa11a3
2024-09-09 03:28:48 +03:00
David Ng
4b03779ab2 init: Add vendor-specific initialization hooks.
Allow optional vendor-specific initializations
within init.  This can be used for runtime
initialization setup that init rc scripts do
not support.

Change-Id: I7623a0d59b18f9ec8e3623958e2f7ccd72b877bf
2024-09-09 03:22:41 +03:00
Jooyung Han
9b4ad17bfb libinit_host: clean up dependencies
libinit_host doesn't need HIDL stuff. host_init_verifier does HIDL
interface checks.

Bug: 326827772
Test: mmma system/core
Change-Id: I59c1444649a62202abb54a2e0cceee38522c1259
2024-08-27 13:10:33 +09:00
Jooyung Han
d51fb54d56 init: remove interface checks from init
HIDL interface checks are done by host_init_verifier at build-time.

Bug: 326827772
Test: mmma system/core/init
Change-Id: I18e9590aba614bebfdbc6aa8bca7036821a6c4f3
2024-08-21 17:44:09 +09:00
Jooyung Han
412d097d4a Remove InitProperties
As userspace reboot is deprecated, there are no clients.

Bug: 292469129
Test: m
Change-Id: Iafdd719b67fe74dc42498f7ecde2aa5b677ecd0c
2024-08-12 06:59:24 +00:00
Jiyong Park
d959fc72c1 Update visibility according to the change AVF directories layout
Bug: 352458998
Test: m nothing
Change-Id: Ibdae7e76a66104cc644b7f82059a2dc5f08659d0
2024-07-22 11:24:03 +09:00
Jiyong Park
0bdd68bb06 Use no_full_install: true instead of installable: false
This is a follow-up on I37380c19232f2c497bdf492a83cdc16616f0ae8d.

Bug: 338160898
Bug: 345110999
Test: Microdroid boots even with BOARD_USES_RECOVERY_AS_BOOT
Change-Id: I41c1e40aeaffd5499fb6bd25e80b5be83470bc6b
2024-07-03 18:42:59 +09:00
Nelson Li
c2970dd06f Rewrite init_vendor using select syntax
The `select` syntax rewrite makes it more concise and easier to
understand.

Bug: 347605145
Test: m init_vendor
Change-Id: I866bbe9360fdbdf69cac3c6a24bbe37306227755
2024-06-19 02:14:23 +00:00
Nelson Li
064ac0bf15 Convert init_vendor to Android.bp
`init_first_stage` is a dependency of `init_vendor` only when
`BOARD_USES_RECOVERY_AS_BOOT` is false.
Since `BOARD_USES_RECOVERY_AS_BOOT` is already defined in
`build/make/core/android_soong_config_vars.mk` within a
soong_namespace, we can use the `soong_config_module_type` to easily
convert this to Android.bp.

Bug: 347600829
Test: m init_vendor
Change-Id: I1ddcd5fb62983b01e51452c9b7367750e03e7f48
2024-06-17 05:03:56 +00:00
Steven Moreland
e767a71114 Merge "init: enable 'user root' check at build time" into main
2024-06-05 19:23:20 +00:00
Steven Moreland
81a1b3ec23 init: enable 'user root' check at build time
For visibility.

We could make this only for new API levels, but it isn't
currently exposed at build time, and visibility is good
on upgrades.

Bug: 340953047
Test: build, on device passing and failing requirements
Change-Id: I3a0ea47560c65114bc1b8685954d1fb7687cb8df
2024-06-05 00:58:49 +00:00
Elliott Hughes
c088de1879 libc++fs is part of libc++ now.
Change-Id: I2be806de736377e77bb49e4b3b9f72e25f7d717a
2024-06-04 16:47:32 +00:00
Nate Myren
cdd4cb7db8 Merge "Revert^2 "Only write appcompat properties if flag is defined"" into main
2024-05-31 01:31:38 +00:00
Nate Myren
b9e0545c85 Revert^2 "Only write appcompat properties if flag is defined"
This reverts commit 6d8304aa46.

Reason for revert: resubmission

Change-Id: Ifb66efa2b1b7a734302316259690950306af99ec
2024-05-28 23:40:59 +00:00
Treehugger Robot
babf597508 Merge "Use no_full_install: true instead of installable: false" into main
2024-05-04 00:04:03 +00:00
Nate Myren
31b1582797 Merge "Revert "Only write appcompat properties if flag is defined"" into main
2024-05-02 19:49:45 +00:00
Nate Myren
6d8304aa46 Revert "Only write appcompat properties if flag is defined"
Revert submission 3049635-cherrypicker-L52500030003287943:N44300030053199935

Reason for revert: b/338244859
Bug: 338244859

Reverted changes: /q/submissionid:3049635-cherrypicker-L52500030003287943:N44300030053199935

Change-Id: I4b99429ce5df0af30e6ad99d3463d4dc2c96c012
2024-05-01 19:21:49 +00:00
Jiyong Park
b33025849d Use no_full_install: true instead of installable: false
So far, we have used `installable: false` to avoid collision with the
other modules that are installed to the same path. A typical example was
<foo> and <foo>.microdroid. The latter is a modified version of the
former for the inclusion of the microdroid image. They however both have
the same installation path (ex: system/bin) and stem (ex: foo) so that we
can reference them using the same path regardless of whether we are in
Android or microdroid.

However, the use of `installable: false` for the purpose is actually
incorrect, because `installable: false` also means, obviously, "this
module shouldn't be installed". The only reason this incorrect way has
worked is simply because packaging modules (ex: android_filesystem)
didn't respect the property when gathering the modules.

As packaging modules are now fixed to respect `installable: false`, we
need a correct way of avoiding the collision. `no_full_install: true` is
it.

If a module has this property set to true, it is never installed to the
full install path like out/target/product/<partition>/... It can be
installed only via packaging modules.

Bug: 338160898
Test: m
Change-Id: I37380c19232f2c497bdf492a83cdc16616f0ae8d
2024-05-01 20:59:19 +09:00
Florian Mayer
67027efd06 Merge "[MTE] disable memtag stack in early init" into main
2024-04-29 20:58:05 +00:00
Florian Mayer
c2eaac5ed2 [MTE] disable memtag stack in early init
When introducing instrumentation for MTE stack history buffer, we cannot
use stack MTE in early init.

Bug: 309446520
Change-Id: I0921ae4ffe03ed971697f8daff4215c9b3772e35
2024-04-26 17:25:05 -07:00
Nate Myren
32677ae8f3 Only write appcompat properties if flag is defined
Only writes the appcompat properties if the
WRITE_APPCOMPAT_OVERRIDE_SYSTEM_PROPERTIES cflag is defined

Fixes: 331307495
Test: manual
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f04f6bae4314e01111045ba231010ba7067477a0)
Merged-In: Ie99b5027a9704c0f4f7fe4d3a6a6cf49f4bb8176
Change-Id: Ie99b5027a9704c0f4f7fe4d3a6a6cf49f4bb8176
2024-04-19 19:07:52 +00:00
Jiyong Park
12c64a7586 Don't install Android-only dependencies to microdroid
init_second_stage_defaults provides properties that are common to both
Android's init and Microdroid's init. Before this CL, it included
target.product.required and target.recovery.required properties. The
required dependencies were Android-specific; the dependencies included
Android-only init.rc. Microdroid has its own init.rc (microdroid_init_rc
module).

This was problematic but so far it didn't cause an issue because those
Android-only dependencies were not installed to Microdroid due to a bug
in the build system.

As we fix the build system bug, the Android-only dependencies started
to get installed to Microdroid, effectively overriding the Microdroid-only
init.rc file. This made Microdroid fail to boot.

Fixing this issue by moving the Android-only dependencies out of the
defaults module and putting them on the Android's init.

In addition to that, this CL removes the recovery variant for the
Microdroid's init because it's not used.

Bug: N/A
Test: run AVF tests
Change-Id: I09748f1123125cac74ce54fd5c360c9a3ba2f996
2024-04-17 14:36:55 +09:00
Nikita Ioffe
feb7e0ea97 Restorecon /microdroid_resources in setup_selinux
The main reason for running restorecon of /microdroid_resources during
the setup_selinux stage is to avoid granting init some weird permissions
like `allow init tmpfs:file relabelfrom;`.

Instead we add such permissions to kernel domain in which setup_selinux
runs. This feels better since kernel domain already has similar
permissions like `allow kernel rootfs:file relabelfrom;`.

Bug: 287593065
Test: run microdroid vm with vendor partition
Change-Id: I82ef5499392e90f53655f7582e887d0b6cb3a5f0
2024-04-04 13:04:52 +00:00
Jeongik Cha
6d7e83fb42 Add //visibility:any_system_partition
system image which is declared in Android.bp should include the module.

Bug: 321000103
Test: m nothing
Change-Id: I6e9d8fa4c1051211ff9ff80c7dfa4a8ee5cbd732
2024-03-23 12:31:32 +09:00
Nikita Ioffe
1e114e677b Add a step to derive microdroid vendor dice node
The derivation happens in the derive_microdroid_vendor_dice_node binary
which first_stage_init forks and execvs.

Since the derivation requires talking to the dice driver, its
initialisation is also moved to the first stage init.

The derivation happens before the microdroid vendor partition is
verified & mounted. This should be safe because the first_stage_init
will fail the boot if the verification of the microdroid vendor
partition fails.

Bug: 287593065
Test: run microdroid with and without vendor partition
Test: atest MicrodroidTests
Change-Id: I0d83772eb98a56c315617e66ec64bd03639cfde6
2024-03-13 15:24:44 +00:00
Nikita Ioffe
2384e8abfe Mount /microdroid_resources as tmpfs
This will be used to store the new dice chain generated during
first_stage_init phase in case Microdroid VM is launched with
microdroid vendor partition.

Bug: 287593065
Test: atest MicrodroidTests
Test: start Microdroid VM & check microdroid_resources exists
Change-Id: I40677376bfed14d813ad51c78db6109b2d76d1d1
2024-03-13 14:39:08 +00:00
Jooyung Han
18407b7870 init: move generated_android_ids to host_init_verifier
It's used only by host_init_verifier. This is to remove the unnecessary
dependency from clients of init_host_defaults.

Bug: 326509378
Test: mmma system/core/init
Change-Id: I983fbfe616f0bcb87940c934e19f614d3bf51030
2024-02-26 11:18:00 +09:00
Jooyung Han
39e8be43eb Add check_builtins to libinit_host
This requires a bit of refactoring: moving things around.

libinit_host is used by host_apex_verifier which needs check_builtins as
well.

Bug: 325565247
Test: atest host-apex-verifier
Test: m out/target/product/vsoc_x86_64/host_init_verifier_output.txt
Change-Id: Ifed54dd2149afbab2bf63f7e42c410c2354895fc
2024-02-16 17:36:12 +09:00
Jiyong Park
0edd5b860a Merge "Drop CtsInitTestCases from cts" into main
2024-01-31 00:58:50 +00:00
Jiyong Park
75070b37e2 Drop CtsInitTestCases from cts
The test is not eligible for CTS. Reasons:

1. The init behavior does not directly affect app compat. Apps interact
   with init only for the property service and that part is covered by
   the Bionic test already.

2. This test doesn't run against the init binary installed on the
   device. libinit where most of the init functionalities are
   implemented is statically linked to this test binary. In other words,
   this test is closer to a unit test for init.

3. This test is not compatible with Trunk stable where test and DUT are
   built in different branches. The test depends on several (private)
   libraries like libbase and libutils. Since the interfaces of the
   libraries may have changed in the main branch, the test binary built
   from the old test-dev branch may break.

This change does not remove the test. The test will still run as a unit
test during pre/post submit.

I didn't drop the `Cts` prefix from the name, because that requires
broader changes.

Bug: 320800872
Test: N/A
Change-Id: I1402c08b79b57ad6daa7948fe37f14fbbe36f1d6
2024-01-30 10:24:10 +09:00
Justin Yun
6bc1bfe160 Use libvendorsupport for vendor api level calculation
Remove temporary 'vendor_api_level_of' function from init and replace
the function with the same in libvendorsupport.

Bug: 312403948
Test: getprop ro.vendor.api_level
Change-Id: I095353e602397220571e131431e7cbd1b8511fa6
Merged-In: I095353e602397220571e131431e7cbd1b8511fa6
2024-01-10 14:06:43 +09:00
Eric Biggers
5d7c35ce20 init: remove session keyring workaround for old kernels
The android-4.14-stable and later kernels support the
FS_IOC_ADD_ENCRYPTION_KEY and FS_IOC_REMOVE_ENCRYPTION_KEY ioctls.  This
has superseded the old way of adding fscrypt keys to the kernel, which
was to use the add_key() syscall to add keys to the "session" keyring.
On kernels that support the ioctls, Android doesn't use the obsolete
way.  Since upgrading even just to Android 14 requires at minimum an
android-4.14-stable kernel (according to
https://source.android.com/docs/core/architecture/kernel/android-common#compatibility-matrix),
there is no need to support the obsolete way anymore.

Therefore, this commit removes the code from init that created a keyring
named "fscrypt" in the session keyring.  It also removes the code that
created the session keyring itself, since the only reason that Android
even created a session keyring was just to hold the "fscrypt" keyring.

Flag: N/A for the following reasons:
      - Removing obsolete code, which is fairly safe
      - Very early code, so runtime flag cannot be used
      - Even a build-time flag cannot be used, since init needs
        recovery_available, which aconfig libraries do not support

Bug: 311736104
Test: Build and boot Cuttlefish
Change-Id: Id9a184c68cf16d5c4b1d889444cf637c95a91413
2023-11-27 23:43:49 +00:00
Yi-Yo Chiang
c519d1dde2 Merge "Revert "init_first_stage: Disable ThinLTO"" into main
2023-10-12 10:33:54 +00:00
Yi-Yo Chiang
1a3dd7eb4b Revert "init_first_stage: Disable ThinLTO"
This reverts commit 4d6fa8ccaf.

Reason for revert: b/295944813 is fixed

Bug: 304290959
Change-Id: I2d6f5216800d6ee26b25623898836dc216c8be18
Test: adb-remount-test.sh
2023-10-11 02:06:26 +00:00
Thiébaud Weksteen
50f03fd58e Revert "Use Apex sepolicy if it's available"
This reverts commit baeece6d0c.

Test: boot aosp_cf_x86_64_phone-userdebug
Bug: 297794885
Change-Id: I0515bc30eba42589c407deb587684b4da011aead
2023-09-06 10:52:49 +10:00
Yi-Yo Chiang
b8c23259b1 init: Unify duplicated get_android_dt_dir with libfs_mgr
init and libfs_mgr both define get_android_dt_dir() with subtle
differences. Merge the two implementations into libfs_mgr to reduce code
duplication (in terms of source code and code gen)

Note:
init's implementation checks the kernel cmdline first and then the
kernel bootconfig, while libfs_mgr's order is the opposite.
Realistically I don't think this order matters much though. If anything, we
should prioritize bootconfig over kernel cmdline most of the time.

Bug: 293695109
Test: Presubmit
Merged-In: Ic8d2c965c62f9e873ccdaf77d67c7708f25a7b56
Change-Id: Ic8d2c965c62f9e873ccdaf77d67c7708f25a7b56
2023-08-01 10:15:05 +00:00
Yi-Yo Chiang
6b57c885d3 Merge "init_first_stage: Disable ThinLTO" into main
2023-07-21 05:08:13 +00:00
Yi-Yo Chiang
4d6fa8ccaf init_first_stage: Disable ThinLTO
Static executables + x86 target build + ThinLTO produces buggy behavior.
Global variables are not constructor initialized, resulting in faulty
runtime behavior.

Bug: 169004486
Bug: 291033685
Test: Treehugger
Change-Id: I777016cceb4851f2b432a37bc4d29aed56c23804
2023-07-20 18:47:16 +08:00
Eric Biggers
0b2c5cde1f init: remove unfinished fsverity signature support for APEX sepolicy
The APEX sepolicy feature has unfinished support for verifying the
sepolicy file using fsverity with a builtin signature.  However, this
was never finished and doesn't really make sense, since the
already-implemented scheme that uses a full-file hash combined with a
userspace signature check is better suited to the problem.  Therefore,
remove this unfinished code.

Bug: 290064770
Test: presubmit and booting Cuttlefish
Change-Id: I3403a3303bcea32c7340642b843cd1541fe1fd2f
2023-07-06 18:39:01 +00:00
Jooyung Han
c288e14001 Merge "No need to read ro.apex.updatable now"
2023-06-27 00:55:25 +00:00
Nikita Ioffe
a66adf45aa init selinux.cpp: use a better way to detect if we run in Microdroid
We are now conditionally compiling init binaries & libinit for
Microdroid (adding -DMICRODROID=1 cflag), so instead of checking for the
presence of the /system/etc/selinux/microdroid_precompiled_sepolicy we
can check if the code is compiled for Microdroid.

In follow-up changes we can split the sepolicy loading logic into 2
separate headers (one for Android and one for Microdroid) and include
the necessary one depending on the target we compile for.

Bug: 287206497
Test: atest MicrodroidTestApp
Change-Id: Id9c837d03a96ff9564688d33955ec85094eee487
2023-06-26 16:43:16 +01:00