Compare commits
10 commits
0d071119a0
...
afee2eb6bf
| Author | SHA1 | Date | |
|---|---|---|---|
|
afee2eb6bf | ||
|
d306178c83 | ||
|
cbc854979e | ||
|
37bf4cfa91 | ||
|
141ca75530 | ||
|
782929f388 | ||
|
7f7b6aab72 | ||
|
|
1aea24d503 | ||
|
2e24debf3c | ||
|
367e295c4b |
4 changed files with 64 additions and 8 deletions
|
|
@ -123,6 +123,7 @@ libinit_cc_defaults {
|
|||
"-DREBOOT_BOOTLOADER_ON_PANIC=0",
|
||||
"-DSHUTDOWN_ZERO_TIMEOUT=0",
|
||||
"-DWORLD_WRITABLE_KMSG=0",
|
||||
"-DSPOOF_SAFETYNET=1",
|
||||
"-Wall",
|
||||
"-Werror",
|
||||
"-Wextra",
|
||||
|
|
@ -150,6 +151,8 @@ libinit_cc_defaults {
|
|||
cppflags: [
|
||||
"-USHUTDOWN_ZERO_TIMEOUT",
|
||||
"-DSHUTDOWN_ZERO_TIMEOUT=1",
|
||||
"-USPOOF_SAFETYNET",
|
||||
"-DSPOOF_SAFETYNET=0",
|
||||
],
|
||||
},
|
||||
uml: {
|
||||
|
|
@ -421,6 +424,7 @@ init_first_stage_cc_defaults {
|
|||
"-DSHUTDOWN_ZERO_TIMEOUT=0",
|
||||
"-DLOG_UEVENTS=0",
|
||||
"-DSEPOLICY_VERSION=30", // TODO(jiyong): externalize the version number
|
||||
"-DSPOOF_SAFETYNET=1",
|
||||
],
|
||||
|
||||
product_variables: {
|
||||
|
|
@ -450,6 +454,8 @@ init_first_stage_cc_defaults {
|
|||
cflags: [
|
||||
"-USHUTDOWN_ZERO_TIMEOUT",
|
||||
"-DSHUTDOWN_ZERO_TIMEOUT=1",
|
||||
"-USPOOF_SAFETYNET",
|
||||
"-DSPOOF_SAFETYNET=0",
|
||||
],
|
||||
},
|
||||
},
|
||||
|
|
|
|||
|
|
@ -132,6 +132,8 @@ struct PropertyAuditData {
|
|||
const char* name;
|
||||
};
|
||||
|
||||
static bool weaken_prop_override_security = false;
|
||||
|
||||
static int PropertyAuditCallback(void* data, security_class_t /*cls*/, char* buf, size_t len) {
|
||||
auto* d = reinterpret_cast<PropertyAuditData*>(data);
|
||||
|
||||
|
|
@ -406,8 +408,8 @@ static std::optional<uint32_t> PropertySet(const std::string& name, const std::s
|
|||
} else {
|
||||
prop_info* pi = (prop_info*)__system_property_find(name.c_str());
|
||||
if (pi != nullptr) {
|
||||
// ro.* properties are actually "write-once".
|
||||
if (StartsWith(name, "ro.")) {
|
||||
// ro.* properties are actually "write-once", unless the system decides to
|
||||
if (StartsWith(name, "ro.") && !weaken_prop_override_security) {
|
||||
*error = "Read-only property was already set";
|
||||
return {PROP_ERROR_READ_ONLY_PROPERTY};
|
||||
}
|
||||
|
|
@ -1242,6 +1244,9 @@ void PropertyLoadBootDefaults() {
|
|||
}
|
||||
}
|
||||
|
||||
// Weaken property override security during execution of the vendor init extension
|
||||
weaken_prop_override_security = true;
|
||||
|
||||
// Update with vendor-specific property runtime overrides
|
||||
vendor_load_properties();
|
||||
|
||||
|
|
@ -1252,6 +1257,9 @@ void PropertyLoadBootDefaults() {
|
|||
property_initialize_ro_cpu_abilist();
|
||||
property_initialize_ro_vendor_api_level();
|
||||
|
||||
// Restore the normal property override security after init extension is executed
|
||||
weaken_prop_override_security = false;
|
||||
|
||||
update_sys_usb_config();
|
||||
}
|
||||
|
||||
|
|
@ -1410,6 +1418,36 @@ static void ProcessBootconfig() {
|
|||
});
|
||||
}
|
||||
|
||||
static void SetSafetyNetProps() {
|
||||
InitPropertySet("ro.boot.flash.locked", "1");
|
||||
InitPropertySet("ro.boot.vbmeta.device_state", "locked");
|
||||
InitPropertySet("ro.boot.verifiedbootstate", "green");
|
||||
InitPropertySet("ro.boot.veritymode", "enforcing");
|
||||
InitPropertySet("ro.boot.warranty_bit", "0");
|
||||
InitPropertySet("ro.warranty_bit", "0");
|
||||
InitPropertySet("ro.debuggable", "0");
|
||||
InitPropertySet("ro.force.debuggable", "0");
|
||||
InitPropertySet("ro.adb.secure", "1");
|
||||
InitPropertySet("ro.secure", "1");
|
||||
InitPropertySet("ro.bootimage.build.type", "user");
|
||||
InitPropertySet("ro.build.type", "user");
|
||||
InitPropertySet("ro.build.keys", "release-keys");
|
||||
InitPropertySet("ro.build.tags", "release-keys");
|
||||
InitPropertySet("ro.system.build.tags", "release-keys");
|
||||
InitPropertySet("ro.product.build.type", "user");
|
||||
InitPropertySet("ro.odm.build.type", "user");
|
||||
InitPropertySet("ro.system.build.type", "user");
|
||||
InitPropertySet("ro.system_ext.build.type", "user");
|
||||
InitPropertySet("ro.vendor.build.type", "user");
|
||||
InitPropertySet("ro.vendor_dlkm.build.type", "user");
|
||||
InitPropertySet("ro.vendor.boot.warranty_bit", "0");
|
||||
InitPropertySet("ro.vendor.warranty_bit", "0");
|
||||
InitPropertySet("vendor.boot.vbmeta.device_state", "locked");
|
||||
InitPropertySet("vendor.boot.verifiedbootstate", "green");
|
||||
InitPropertySet("oplusboot.verifiedbootstate", "green");
|
||||
InitPropertySet("sys.oem_unlock_allowed", "0");
|
||||
}
|
||||
|
||||
void PropertyInit() {
|
||||
selinux_callback cb;
|
||||
cb.func_audit = PropertyAuditCallback;
|
||||
|
|
@ -1424,6 +1462,16 @@ void PropertyInit() {
|
|||
LOG(FATAL) << "Failed to load serialized property info file";
|
||||
}
|
||||
|
||||
// Report a valid verified boot chain to make Google SafetyNet integrity
|
||||
// checks pass. This needs to be done before parsing the kernel cmdline as
|
||||
// these properties are read-only and will be set to invalid values with
|
||||
// androidboot cmdline arguments.
|
||||
if (SPOOF_SAFETYNET) {
|
||||
if (!IsRecoveryMode()) {
|
||||
SetSafetyNetProps();
|
||||
}
|
||||
}
|
||||
|
||||
// If arguments are passed both on the command line and in DT,
|
||||
// properties set in DT always have priority over the command-line ones.
|
||||
ProcessKernelDt();
|
||||
|
|
|
|||
|
|
@ -37,7 +37,7 @@
|
|||
namespace android {
|
||||
namespace init {
|
||||
|
||||
static std::string init_fatal_reboot_target = "bootloader";
|
||||
static std::string init_fatal_reboot_target = "recovery";
|
||||
static bool init_fatal_panic = false;
|
||||
|
||||
// this needs to read the /proc/* files directly because it is called before
|
||||
|
|
|
|||
|
|
@ -1143,14 +1143,12 @@ on zygote-start
|
|||
wait_for_prop odsign.verification.done 1
|
||||
# A/B update verifier that marks a successful boot.
|
||||
exec_start update_verifier
|
||||
start statsd
|
||||
start zygote
|
||||
start zygote_secondary
|
||||
|
||||
# Tweak background writeout
|
||||
on boot && property:ro.config.low_ram=true
|
||||
# Tweak background writeout
|
||||
write /proc/sys/vm/dirty_expire_centisecs 200
|
||||
write /proc/sys/vm/dirty_background_ratio 5
|
||||
|
||||
on boot && property:suspend.disable_sync_on_suspend=true
|
||||
write /sys/power/sync_on_suspend 0
|
||||
|
|
@ -1169,6 +1167,8 @@ on boot
|
|||
# parameters to match how it is managing things.
|
||||
write /proc/sys/vm/overcommit_memory 1
|
||||
write /proc/sys/vm/min_free_order_shift 4
|
||||
write /proc/sys/vm/dirty_background_bytes 52428800
|
||||
write /proc/sys/vm/dirty_bytes 209715200
|
||||
|
||||
# System server manages zram writeback
|
||||
chown root system /sys/block/zram0/idle
|
||||
|
|
@ -1190,10 +1190,12 @@ on boot
|
|||
# to avoid power consumption when system becomes mostly idle. Be careful
|
||||
# to make it too large, since it may bring userdata loss, if they
|
||||
# are not aware of using fsync()/sync() to prepare sudden power-cut.
|
||||
write /dev/sys/fs/by-name/userdata/cp_interval 200
|
||||
write /dev/sys/fs/by-name/userdata/gc_urgent_sleep_time 50
|
||||
write /dev/sys/fs/by-name/userdata/cp_interval 6000
|
||||
write /dev/sys/fs/by-name/userdata/gc_urgent_sleep_time 200
|
||||
write /dev/sys/fs/by-name/userdata/iostat_period_ms 1000
|
||||
write /dev/sys/fs/by-name/userdata/iostat_enable 0
|
||||
write /proc/sys/vm/dirty_expire_centisecs 3000
|
||||
write /proc/sys/vm/dirty_background_ratio 10
|
||||
|
||||
# set readahead multiplier for POSIX_FADV_SEQUENTIAL files
|
||||
write /dev/sys/fs/by-name/userdata/seq_file_ra_mul 128
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue