-----BEGIN PGP SIGNATURE-----
iF0EABECAB0WIQRDQNE1cO+UXoOBCWTorT+BmrEOeAUCZ1IsswAKCRDorT+BmrEO
eHLxAJ9VFRJgjolHUwxeYIHRrAxp7WFw0wCeIiUvtF763IeQx6Ri6gz3/i1V9mY=
=uE+H
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
iQJLBAABCgA1FiEEHrBYPudH862glXQBzJUERRm+ZmkFAmdYsU0XHG1rYmVzdGFz
QGxpbmVhZ2Vvcy5vcmcACgkQzJUERRm+ZmlzEhAAkyT+qSieZv1roFs6MW0sBnjP
60eSCsj/eVetsK91ExBdm+NPHmpFG1XUcwxxiWzlPweIYA+eaECdoP9qngwxH/fy
7m6lxzVx2C9JbSCRWuBmyFWfsm7l+cjDoO8a5QnummBNobhV6/z680+CPzhsXXp5
wQ8cRYLlZEwSMGlgW5KufhbEQISZK1rxWGcx7C0MwoAZybm0V7bcv9ot9XWVZdBI
0uvpZEAYuLqMTTOxd1HNZBKA+cMmWLE+0ALfydGqdHxTkpDXY17Ek4/R3H7KTcy0
mhp6rLQHMKn/atDUsYGvDp/wGs+PWHl9QPXprwj9g9XBNRaAcw/ANi+I/Gc17Qsc
X/5DeC0ycGBljhjnl7ZoXAPwLyN+tYZi+ekwBs0E4+uQCLG5AMSLGZHGHcZafXB1
s0pR1u85BxC/7CoVB22J5utjsLdJT0G8bIgfyrKVVIA9iIe9zO/rsMN+9kffrQ9W
xPohc1XyVrsQ2b6xk/PyqbAI5mk7+IKKhxhX+Vv2Fczp2OCPuefa1aS1lIv4bZBL
rRPlVyodLWsEqxGNhiCo5Hh24uufJGuBTL2w6Rn5/UkqUkvUQZbsRNTg7WQIfcWh
sNvuNNxpgsilXFJC0/aoLE557MjCWq4eolPLnyrz3yR3jPcAa269bMuiMXKsVeEd
PvjxgQawPY8QkE2woe0=
=R9aC
-----END PGP SIGNATURE-----
Merge tag 'android-15.0.0_r6' into staging/lineage-22.0_merge-android-15.0.0_r6
Android 15.0.0 Release 6 (AP4A.241205.013)
# -----BEGIN PGP SIGNATURE-----
#
# iF0EABECAB0WIQRDQNE1cO+UXoOBCWTorT+BmrEOeAUCZ1IsswAKCRDorT+BmrEO
# eHLxAJ9VFRJgjolHUwxeYIHRrAxp7WFw0wCeIiUvtF763IeQx6Ri6gz3/i1V9mY=
# =uE+H
# -----END PGP SIGNATURE-----
# gpg: Signature made Fri Dec 6 00:44:03 2024 EET
# gpg: using DSA key 4340D13570EF945E83810964E8AD3F819AB10E78
# gpg: Good signature from "The Android Open Source Project <initial-contribution@android.com>" [marginal]
# gpg: initial-contribution@android.com: Verified 2481 signatures in the past
# 3 years. Encrypted 4 messages in the past 2 years.
# gpg: WARNING: This key is not certified with sufficiently trusted signatures!
# gpg: It is not certain that the signature belongs to the owner.
# Primary key fingerprint: 4340 D135 70EF 945E 8381 0964 E8AD 3F81 9AB1 0E78
# By Akilesh Kailash (13) and others
# Via Automerger Merge Worker (317) and others
* tag 'android-15.0.0_r6': (158 commits)
trusty: storage: proxy: FS_READY property setting on vendor only
Fix the trigger name for loading bpf programs.
start netd earlier
Replace base::RandInt with std::uniform_int_distribution
trusty: keymint: rename trusty_ipc_dev property
Move the `dist` target of `mke2fs` to `build/core/tasks`
Remove define of SA_EXPOSE_TAGBITS.
Add input event profile to mitigate input latency of input threads
Remove usage of base/string/* in libfs_avb
Add getFdStateDebug to access Looper's callbacks
libsnapshot: CHECK -> CHECK_EQ
Mount /mnt/vm earlier
Define linker.config.json as a filegroup
Remove usage of base/logging.h in libfs_avb
debuggerd: recognize jumps to non-executable memory.
Support vendor partition in non-debuggable pVMs
Remind the reader that they'll need to modify CTS too.
Rename system/core/rootdir/Android.mk to create_root_structure.mk
trusty: keymint/gatekeeper: Pass device name from init scripts
Remove unused variable.
...
Conflicts:
fs_mgr/libsnapshot/include/libsnapshot/snapshot.h
fs_mgr/libsnapshot/snapshot.cpp
init/Android.bp
init/fuzzer/Android.bp
Change-Id: I29c07b3ac76940cb2b82726e98d2beb643b3e6e4
Allow optional vendor-specific initializations
within init. This can be used for runtime
initialization setup that init rc scripts do
not support.
Change-Id: I7623a0d59b18f9ec8e3623958e2f7ccd72b877bf
This is a follow-up on I37380c19232f2c497bdf492a83cdc16616f0ae8d.
Bug: 338160898
Bug: 345110999
Test: Microdroid boots even with BOARD_USES_RECOVERY_AS_BOOT
Change-Id: I41c1e40aeaffd5499fb6bd25e80b5be83470bc6b
The `select` syntax rewrite makes it more concise and easier to
understand.
Bug: 347605145
Test: m init_vendor
Change-Id: I866bbe9360fdbdf69cac3c6a24bbe37306227755
`init_first_stage` is a dependency of `init_vendor` only when
`BOARD_USES_RECOVERY_AS_BOOT` is false.
Since `BOARD_USES_RECOVERY_AS_BOOT` is already defined in
`build/make/core/android_soong_config_vars.mk` within a
soong_namespace, we can use the `soong_config_module_type` to easily
convert this to Android.bp.
Bug: 347600829
Test: m init_vendor
Change-Id: I1ddcd5fb62983b01e51452c9b7367750e03e7f48
For visibility.
We could make this only for new API levels, but it isn't
currently exposed at build time, and visibility is good
on upgrades.
Bug: 340953047
Test: build, on device passing and failing requirements
Change-Id: I3a0ea47560c65114bc1b8685954d1fb7687cb8df
So far, we have used `instalable: false` to avoid collision with the
other modules that are installed to the same path. A typical example was
<foo> and <foo>.microdroid. The latter is a modified version of the
former for the inclusion of the microdroid image. They however both have
the same instalation path (ex: system/bin) and stem (ex: foo) so that we
can reference them using the same path regardless of whether we are in
Android or microdroid.
However, the use of `installable: false` for the purpose is actually
incorrect, because `installable: false` also means, obviously, "this
module shouldn't be installed". The only reason this incorrect way has
worked is simply because packaging modules (ex: android_filesystem)
didn't respect the property when gathering the modules.
As packaging modules are now fixed to respect `installable: false`, we
need a correct way of avoiding the collision. `no_full_install: true` is
it.
If a module has this property set to true, it is never installed to the
full instal path like out/target/product/<partition>/... It can be
installed only via packaging modules.
Bug: 338160898
Test: m
Change-Id: I37380c19232f2c497bdf492a83cdc16616f0ae8d
when introducing instrumentation for MTE stack history buffer, we cannot
use stack MTE in early init
Bug: 309446520
Change-Id: I0921ae4ffe03ed971697f8daff4215c9b3772e35
init_second_stage_defaults provides properties that are common to both
Android's init and Microdroid's init. Before this CL, it included
target.product.required and target.recovery.required properties. The
required dependencies were Android-specific; the dependencies included
Android-only init.rc. Microdroid has its own init.rc (microdroid_init_rc
module).
This was problematic but so far it didn't cause an issue because those
Android-only dependencies were not installed to Microdroid due to a bug
in the build system.
As we fix the build system bug, the Android-only dependencies started
get installed to Microdroid, effectively overriding the Microdroid-only
init.rc file. This made Microdroid fail to boot.
Fixing this issue by moving the Android-only dependencies out of the
defaults module and putting them on the Android's init.
In addition to that, this CL removes the recovery variant for the
Microdroid's init because it's not used.
Bug: N/A
Test: run AVF tests
Change-Id: I09748f1123125cac74ce54fd5c360c9a3ba2f996
The main reason for running restorecon of /microdroid_resources during
the setup_selinux stage is to avoid granting init some weird permissions
like `allow init tmpfs:file relabelfrom;`.
Instead we add such permissions to kernel domain in which setup_selinux
runs. This feels better since kernel domain already has similar
permissions like `allow kernel rootfs:file relabelfrom;`.
Bug: 287593065
Test: run microdroid vm with vendor partition
Change-Id: I82ef5499392e90f53655f7582e887d0b6cb3a5f0
system image which is declared in Android.bp should include the module.
Bug: 321000103
Test: m nothing
Change-Id: I6e9d8fa4c1051211ff9ff80c7dfa4a8ee5cbd732
The derivation happens in the derive_microdroid_vendor_dice_node binary
which first_stage_init forks and execvs.
Since the derivation requires talking to the dice driver, its
initialisation is also moved to the first stage init.
The derivation happens before the microdroid vendor partition is
verified & mounted. This should be safe because the first_stage_init
will fail the boot if the verification of the microdroid vendor
partition fails.
Bug: 287593065
Test: run microdroid with and without vendor partition
Test: atest MicrodroidTests
Change-Id: I0d83772eb98a56c315617e66ec64bd03639cfde6
This will be used to store the new dice chain generated during
first_stage_init phase in case Microdroid VM is launched with
microdroid vendor partition.
Bug: 287593065
Test: atest MicrodroidTests
Test: start Microdroid VM & check microdroid_resources exists
Change-Id: I40677376bfed14d813ad51c78db6109b2d76d1d1
It's used only by host_init_verifier. This is to remove the unnecessary
dependency from clients of init_host_defaults.
Bug: 326509378
Test: mmma system/core/init
Change-Id: I983fbfe616f0bcb87940c934e19f614d3bf51030
This requires a bit of refactoring: moving things around.
libinit_host is used by host_apex_verifier which needs check_builtins as
well.
Bug: 325565247
Test: atest host-apex-verifier
Test: m out/target/product/vsoc_x86_64/host_init_verifier_output.txt
Change-Id: Ifed54dd2149afbab2bf63f7e42c410c2354895fc
The test is not eligible for CTS. Reasons:
1. The init behavior does not directly affect app compat. App interact
with init only for the property service and that part is covered by
the Bionic test already.
2. This test doesn't run against the init binary installed on the
device. libinit where most of the init functionalities are
implemented is statically linked to this test binary. In other words,
this test is closer to a unit test for init.
3. This test is not compatible with Trunk stable where test and DUT are
built in different branches. The test depends on several (private)
libraries like libbase and libutils. Since the interfaces of the
libraries may have changed in the main branch, the test binary built
from the old test-dev branch may break.
This change does not remove the test. The test will still run as a unit
test during pre/post submit.
I didn't drop the `Cts` prefix from the name, because that requires
broader changes.
Bug: 320800872
Test: N/A
Change-Id: I1402c08b79b57ad6daa7948fe37f14fbbe36f1d6
Remove temporary 'vendor_api_level_of' function from init and replace
the function with the same in libvendorsupport.
Bug: 312403948
Test: getprop ro.vendor.api_level
Change-Id: I095353e602397220571e131431e7cbd1b8511fa6
Merged-In: I095353e602397220571e131431e7cbd1b8511fa6
The android-4.14-stable and later kernels support the
FS_IOC_ADD_ENCRYPTION_KEY and FS_IOC_REMOVE_ENCRYPTION_KEY ioctls. This
has superseded the old way of adding fscrypt keys to the kernel, which
was to use the add_key() syscall to add keys to the "session" keyring.
On kernels that support the ioctls, Android doesn't use the obsolete
way. Since upgrading even just to Android 14 requires at minimum a
android-4.14-stable kernel (according to
https://source.android.com/docs/core/architecture/kernel/android-common#compatibility-matrix),
there is no need to support the obsolete way anymore.
Therefore, this commit removes the code from init that created a keyring
named "fscrypt" in the session keyring. It also removes the code that
created the session keyring itself, since the only reason that Android
even created a session keyring was just to hold the "fscrypt" keyring.
Flag: N/A for the following reasons:
- Removing obsolete code, which is fairly safe
- Very early code, so runtime flag cannot be used
- Even a build-time flag cannot be used, since init needs
recovery_available, which aconfig libraries do not support
Bug: 311736104
Test: Build and boot Cuttlefish
Change-Id: Id9a184c68cf16d5c4b1d889444cf637c95a91413
init and libfs_mgr both defines get_android_dt_dir() with subtle
differences. Merge the two implementations into libfs_mgr to reduce code
duplication (in terms of source code and code gen)
Note:
init's implementation checks the kernel cmdline first and then the
kernel bootconfig, while libfs_mgr's order is the opposite.
Realistically I don't think this order matter much though. If any, we
should prioritize bootconfig over kernel cmdline most of the time.
Bug: 293695109
Test: Presubmit
Merged-In: Ic8d2c965c62f9e873ccdaf77d67c7708f25a7b56
Change-Id: Ic8d2c965c62f9e873ccdaf77d67c7708f25a7b56
The APEX sepolicy feature has unfinished support for verifying the
sepolicy file using fsverity with a builtin signature. However, this
was never finished and doesn't really make sense, since the
already-implemented scheme that uses a full-file hash combined with a
userspace signature check is better suited to the problem. Therefore,
remove this unfinished code.
Bug: 290064770
Test: presubmit and booting Cuttlefish
Change-Id: I3403a3303bcea32c7340642b843cd1541fe1fd2f
We are now conditionally compiling init binaries & libinit for
Microdroid (adding -DMICRODROID=1 cflag), so instead of checking for the
presence of the /system/etc/selinux/microdroid_precompiled_sepolicy we
can check if the code is compiled for Microdroid.
In a follow-up changes we can split the sepolicy loading logic into 2
separate headers (one for Android and one for Microdroid) and include
the necessary one depending on the target we compile for.
Bug: 287206497
Test: atest MicrodroidTestApp
Change-Id: Id9c837d03a96ff9564688d33955ec85094eee487
These variants will compile with -DMICRODROID flag, which will allow us
to exclude init features that are not needed for Microdroid, and
introduce features that only work in Microdroid.
Bug: 287206497
Test: build com.android.virt APEX
Change-Id: Ib9af0cfcdf06c70fc39e6e6ac8ef07bb69982969
No longer installed on device, so we need to include
it as a static lib. This library was actually specified
as a dependency on vts_ibase_test in two places, so this
is the second CL doing the same thing but in another
project.
Fixes: 270497432
Test: readelf -d $ANDROID_BUILD_TOP/out/target/product/vsoc_x86_64/data/nativetest/vts_ibase_test/vts_ibase_test
no longer shows libhidl-gen-utils
Change-Id: Icf427085e3978906e82231c8faacb7bdbcbf4569
From the unique_fd.h header file: "unique_fd's operator int is
dangerous, but we have way too much code that depends on it, so make
this opt-in at first."
From the Google C++ style guide: "Do not define implicit conversions."
See also go/cstyle#Implicit_Conversions.
Hence this CL that disables unique_fd::operator int().
Change-Id: I28d94755d5408f63e5819da8d1cbc285057f867f
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Sort the compiler flags alphabetically before adding a new macro
definition.
Change-Id: If919333302817406a890c9622396ec96920adf29
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Prepare for introducing a second interprocess communication channel by
introducing the class InterprocessFifo. Stop using std::unique_ptr<> for
holding the pipe file descriptors. Handle EOF consistently.
Bug: 213617178
Change-Id: Ic0cf18d3d8ea61b8ee17e64de8a9df2736e26728
Signed-off-by: Bart Van Assche <bvanassche@google.com>
