ALL_ROOTDIR_SYMLINKS and add them to ALL_DEFAULT_INSTALLED_MODULES,
so they can be included in product SBOMs properly.
Bug: 272358980
Test: CIs and build/soong/tests/sbom_test.sh
Change-Id: I73dfb34156d681786c013912e59a0d0c0c48ecc7
If ro.zygote is zygote64, don't bother running 32-bit test.
Otherwise abilist{32,64} decides what tests to run.
Bug: 291874369
Test: make gsi_arm64-user; Check /system/etc/init/hw
Change-Id: Id10b2242606d6400acc29c3174f713581d6cce2e
To start an early_hal service from a bootstrap vendor apex, init now
reads .rc files from bootstrap apexes as well.
In this change, perform_apex_config command is re-purposed to support
bootstrap mode. Now we have some similarity between two apexd calls:
- for bootstrap apexes (in the bootstrap mount namespace):
exec_start apexd-bootstrap
perform_apex_config --bootstrap
- for normal apexes (in the default mount namespace):
restart apexd
...
wait_for_prop apexd.status activated
perform_apex_config
Note that some tasks in perform_apex_config are not needed in the
bootstrap. For example, we don't need to create apexdata directories
for bootstrap apexes.
Bug: 290148081
Test: VendorApexHostTestCases
Change-Id: I8f683a4dcd7cd9a2466a4b1b417d84c025c37761
This new directory is bind-mounted to /apex in the bootstrap mount
namespace so that apexd-bootstrap mounts bootstrap APEXes there via
/apex.
The directory is shared between two mount namespaces, hence visible
in the default mount namespace.
Bug: 290148078
Test: VendorApexHostTestCases
Change-Id: I841480e41be8def5a4c6a4aa874c4e21465a71d3
This new directory is bind-mounted to /apex in the bootstrap mount
namespace so that apexd-bootstrap mounts bootstrap APEXes there via
/apex.
The directory is detached from /apex in the default mount namespace but
still visible in case bootstrap APEXes are needed.
However, there are (mostly, virtual) devices which don't need two mount
namespaces. Those devices don't need to make /bootstrap-apex directory
at all.
Bug: 290148078
Test: atest VendorApexHostTestCases
Test: atest MicrodroidTests
Change-Id: I541cec71d9970b14971d46e01e4808b23590dbed
This folder is used to host bootanim data files.
Bug: 210757252
Test: /data/misc/bootanim is correctly created.
Change-Id: I9c9949316d073ad7ebac503f097c5fee6c0b2a22
VFIO nodes, both the container (`vfio`) node and group (numbered)
nodes, should be located in `/dev/vfio`. This change prevents
ueventd from flattening that structure.
Test: Bind a device to VFIO driver to create a VFIO group
Change-Id: I635e9febe6bb52718df263e735479f361eacad4c
Since Android 14, Android does not use fsverity builtin signatures.
(fsverity remains supported, but signatures are verified in userspace,
or fsverity is used for integrity-only use cases.) Therefore, the only
reason to still run 'fsverity_init --load-verified-keys' at boot time is
to ensure that old files can still be opened, if:
- They were created by Android 13 or earlier, with an fsverity builtin
signature by a key in /{system,product}/etc/security/fsverity/.
- *And*, the kernel still has CONFIG_FS_VERITY_BUILTIN_SIGNATURES=y.
However, it appears that this isn't actually needed anymore. Only two
features could potentially be affected: APK verity and updatable fonts.
APK verity wasn't widely rolled out before being disabled, and updatable
fonts have recovery logic in place for when the files cannot be opened.
And in any case, disabling CONFIG_FS_VERITY_BUILTIN_SIGNATURES in the
kernel is recommended and would avoid any problem.
Bug: 290064770
Test: presubmit
Change-Id: I3376c3f0b4b9bd4ba2fd614259522be0c1daafb6
lpdumpd runs as "system", not "root". Adjust the DAC permissions of
/metadata/ota so it can call SnapshotManager::Dump.
Bug: 291083311
Test: lpdump
Change-Id: I97fd7eb2055cf6d31fd42f1021e2f99edbdb838a
The "update_verifier_nonencrypted" service is being replaced with simply
"update_verifier", so update init.rc accordingly.
Bug: 208476087
Test: presubmit
Change-Id: I58f3fb25167ff7d3679c72e5e9c012f02fa5b516
The three actions for "zygote-start" are identical except for their
property triggers. This seems to have been left over from when Android
supported both File Based Encryption (FBE) and Full Disk Encryption
(FDE), causing there to be four possible encryption states:
- ro.crypto.state=unsupported (No encryption configured)
- ro.crypto.state=encrypted && ro.crypto.type=file (FBE enabled)
- ro.crypto.state=unencrypted (FDE supported but disabled)
- ro.crypto.state=encrypted && ro.crypto.type=block (FDE enabled)
It seems that the reason the zygote-start action was duplicated three
times was to exclude the "FDE enabled" case, which could only be done by
explicitly listing the other three cases.
However, now that FDE is no longer supported, only the first two cases
are possible. Therefore, zygote-start can just be the whole trigger.
Bug: 208476087
Test: presubmit
Change-Id: Icd6e4b0d2fb3f9f20595c0af4e2e35350564da8d
Remove the code that "locked" the .fs-verity keyring at a certain point
in the boot. It probably was thought that this achieved some useful
security property, which is a bit questionable. Regardless, Android no
longer uses fsverity builtin signatures. The only code that is still
being kept around is enough to access existing files on old kernels, and
for this "locking" the keyring is definitely not essential.
Bug: 290064770
Test: presubmit and booting Cuttlefish
Change-Id: Ide5729aeac5772658b2a3f0abe835988b8842b02
Based on experiments, we fount out 128 (128 x global readahead window
size = 16mb) is the optimal multiple to boost up read speeds for the
sequentially accessed files with POSIX_FADV_SEQUENTIAL.
Bug: 195311558
Test: check the /sys/fs/f2fs/<userdata partition>/seq_file_ra_mul value
Change-Id: I7563ad6e47b9ab76ae7fe36978d0e5970a7490e8
Signed-off-by: Daeho Jeong <daehojeong@google.com>
Due to the work done for b/156305599 ("Ensure no process except vold can
create directories like /data/system_ce/0"), the SELinux policy now
enforces that vold is the only process that can write to directories
that contain per-user encrypted subdirectories. This is essential to
prevent bugs where directories that are supposed to be encrypted get
created too early so are not actually encrypted as intended.
However, this only works when SELinux is in enforcing mode. When
SELinux is in permissive mode, only DAC is enforced, and the file modes
allow other processes to write to many of these directories. That
allows system_server to break things once again.
Therefore, remove the write bit from the file modes so that write access
is always denied to processes that don't have CAP_DAC_OVERRIDE. This is
not as strong a restriction as the SELinux policy, which still applies
independently, but it does keep out system_server by itself.
Also remove the sticky bit from /data/misc_ce and /data/misc_de, since
there is no reason for it. (It probably was originally copied from
/data/misc, which might need it. But misc_{ce,de} don't need it.)
Bug: 285239971
Test: Booted Cuttlefish
Change-Id: I1213a4d18c5f851acf213d786400d79d73777ed0
It's necessary to have the right dalvik.vm.* flags in place when they
are validated by odrefresh.
Test: See the other CL in the topic.
Bug: 281850017
Ignore-AOSP-First: Will cherry-pick to AOSP later
Change-Id: Ib64790dde97faaa6b62ead2c1c8dd53c97f97f9c
Merging as a separate CL due to a log showing up
related to this on hwasan (is a prebuilt pulling
this in?)
Bug: 276813155
Test: boot cf
Change-Id: I19f7fc51c937d0eb1ee17781fc5d201a0972c4b0
Bionic requires random numbers to init the shadow call stack. Those
numbers are obtained via the syscall getrandom (non-blocking) and will
fallback to /dev/urandom if the former fails.
When loading pKVM modules, we are so early in the boot process that the
only source of entropy for the linux RNG are the architecture random
number generators... which might be available on some platforms. Without
any source of entropy, the only way of generating a random number is to
try to generate some, which is what the bionic fallback expects via
urandom.
As a consequence, add the urandom node to the initramfs.
Bug: 274876849
Merged-In: I111e2db53fabd63d070b8e9ab9c52faebf484ab3
Change-Id: I34a0e3f7c72de7344512366d4a96183b445edc2e
Bionic requires random numbers to init the shadow call stack. Those
numbers are obtained via the syscall getrandom (non-blocking) and will
fallback to /dev/urandom if the former fails.
When loading pKVM modules, we are so early in the boot process that the
only source of entropy for the linux RNG are the architecture random
number generators... which might be available on some platforms. Without
any source of entropy, the only way of generating a random number is to
try to generate some, which is what the bionic fallback expects via
urandom.
As a consequence, add the urandom node to the initramfs.
Bug: 274876849
Change-Id: I164b08f026a238dad9f27a345bdef96717f2aa74
