We used to start update_verifier after mounting userdata (post-fs-data),
as part of zygote-start. This leads to issues in practice for security
updates, where an A/B device falls back into the old slot (for any
reason, which unrelates to this change) but failing to boot due to
upgraded key blob. It essentially breaks the fallback capability offered
by A/B OTA.
This CL mitigates the issue by starting update_verifier early, before
mounting userdata. This avoids the device from falling back to the old
slot with an already-upgraded key blob. update_verifier loses the
opportunity of verifying _all_ the updated blocks based on the info
that's stored in userdata. Instead it will only trigger the minimal
read to finish the work of marking a successful boot. This is a
trade-off in P to avoid putting the device in a bad state after
fallback, which will be improved in Q by better handling the fallback
path in vold.
Bug: 131176531
Test: Flash and boot crosshatch. Check the start of update_verifier and
it marks a successful boot.
Change-Id: I3f4c4333ff38772a9a93c9d027d497db11de1d63
downloaded apns-conf.xml will be stored in the folder
/data/misc/apns/ to make sure TelephonyProvider gets
access.
Bug: 79948106
Test: Manual
Change-Id: I4ba0596fa6523c0eb96328dbe46ead02587bd9b8
Merged-In: I4ba0596fa6523c0eb96328dbe46ead02587bd9b8
Changes to init's behavior during early mount:
1. Mounting of tmpfs on /mnt is moved from init stage to early mount.
2. init creates /mnt/vendor used to mount vendor partitions.
3. If a device tree fstab entry for early mount specifies a mount point
under /mnt/vendor e.g. /mnt/vendor/foo, init will create
/mnt/vendor/foo mount point.
Bug: 64905218
Test: change dt fstab entry to mount persist to /mnt/vendor/persist;
mount point is created correctly, and partition is mounted in early
mount. See go/pag/1069774
Test: device boots with /mnt/vendor and previous contents of /mnt present,
and selinux label "mnt_vendor_file" is applied correctly.
Test: cts-tradefed run commandAndExit cts --skip-all-system-status-check
--primary-abi-only --skip-preconditions -m CtsAppSecurityHostTestCases
-t android.appsecurity.cts.PermissionsHostTest
Change-Id: I3739130739eadf508355c7f2531366fcaed74175
Need a larger tmpfs to stop crashes
Need to run start-zygote after mounting the real data
Test: Cherry-pick ag/3898232. System boots, can set pattern, system
reboots. Wifi works at all points.
Bug: 76452634
Change-Id: Id24241db940d352fd3bcdef594b5358854c6f71d
Split healthd section from init.rc into its own. This allows
healthd.rc to be excluded from the build when healthd is excluded.
Test: builds
Test: exclude healthd from build, healthd.rc is not installed
Bug: 77541952
Change-Id: I1c055f14c5862631f359fd0029289da8f43af063
This change increases the default expiration length of an SA to 1h. The
IPsec API expects that SPIs are allocated indefinitely, but potential
for instability requires that these get cleaned up automatically. As
such, the duration was chosen as a sane, but long timeout value.
Bug: 72316671
Test: Added CTS tests to enforce this behavior
Merged-In: I47aef9cea4a09da253b2ec048a8797af5fa25529
Change-Id: I47aef9cea4a09da253b2ec048a8797af5fa25529
(cherry picked from commit 00308f8554)
This change adds some additional flags to the /config mount. This is to
reduce the number of mounts with unnecessary privileges.
Bug: 73255020
Test: aosp_sailfish still boots
Test: CtsAppSecurityHostTestCases {ExternalStorageHostTest,StorageHostTest}
Change-Id: If3409d917cdf76a67ebfb7c4035a3ae8fee6189f
This change adds some additional flags to /mnt. This is to reduce
the number of mounts with unnecessary flags.
Bug: 73255020
Test: aosp_sailfish still boots
Test: CtsAppSecurityHostTestCases {StorageHostTest,ExternalStorageHostTest}
Test: CtsOsTestCases StorageManagerTest
Test: find /mnt | egrep -v '^/mnt/runtime/(default|read|write)/emulated' | \
xargs ls -lZd # Shows no character devices or executable files
Change-Id: I54739133119d9626ebeb2ef9a1c127f7a90fa098
Since we only want to change the ro flag on / (and leave all other mount
flags alone), this can also be achieved by passing MS_REMOUNT|MS_BIND,
even if the mount is not a bind-mount.
This aims to make running Android within a user namespace easier, since
remounts without the MS_BIND flag are forbidden.
Bug: 73255020
Test: aosp_sailfish still boots
Test: rootfs on / type rootfs (rw,seclabel)
/dev/root on / type ext4 (ro,seclabel,relatime,data=ordered)
Change-Id: I2f89a8badfc467db47304c9355648e8fd8ad1272
This change adds some additional flags to some mounts. This is to reduce
the number of mounts with these flags.
Bug: 73255020
Test: aosp_sailfish still boots
Change-Id: I285e6d7b3dcc19f691a3d6780e7d3a3a5d7cb3de
shipping API version:
For devices shipped before Android P nothing changes, data
is stored under /data/system/users/<user-id>/fpdata/...
Devices shipped from now on will instead store
fingerprint data under /data/vendor_de/<user-id>/fpdata.
Support for /data/vendor_de and /data/vendor_ce has been added to vold.
Bug: 36997597
Change-Id: I83f87e88d1731e515b459a3d6d5bf3104afe6cfe
Test: manually
Traceur app is being split out of shell user. Previously it logged to
shell's bugreports directory. It no longer has access, so it needs a
new, user-friendly file location to store trace data.
Bug:68126425
Test: Traceur can write and shell can read from this directory
Change-Id: I9e344973fd43eb5699f7a848524e20b06458fb77
Mount the eBPF file system under /sys/fs/bpf to allow netd to pin and
retrieve persistent eBPF map object from the file system. It helps the
system to maintain a consistent eBPF data store when netd crashed and
restart. Mount the cgroupv2 module and use the root folder of it to
monitor network statistics through eBPF program attached.
Test: eBPF map object show up under /sys/fs/bpf after netd start.
Bug: 30950746
Change-Id: Ie475112116603798fe75a75c5a84f4bbe5b942ec
Setting up infanstructure for vendor tombstone in dir:
/data/vendor/tombstones
Wifi specific dumps will go into:
/data/vendor/tombstones/wifi
Bug: 70170285
Test: compile, run on device.
Change-Id: Ie16dd8236d9b5df19adb9818b4c62ce01e0d0b10
We already have /etc and /sbin. As the Android world moves towards / being
on the system partition, the circumstances under which a /bin symlink
won't work are reduced. This should already be usable most of the time.
Bug: http://b/63142920
Test: `adb shell /bin/date`
Change-Id: I81c2209ae808ced186d05fbe1d5417ce8dd93ea7
These are directories used by the system so they should be created by
the system.
Test: treehugger
Change-Id: I2a721ef7871c8842fa912497f5ec6988fcec9e58
because it serves health 2.0 HAL. This forces it to restart when
hwservicemanager dies.
Bug: 69069765
Test: kill hwservicemanager, lshal shows backup instance
Change-Id: Ib51caa0e718031a0f8797d8af4c2459b4958a62e
Partners require to access update_engine's logs on the file system with
non-root permission.
Bug: 65568605
Test: directory created with the correct permission on boot
Change-Id: I1c1fb4acb8b0f2e7352ffa9e7d05a864940b5986
