Merge "mini-keyctl: support printing security label"
diff --git a/adb/client/adb_client.cpp b/adb/client/adb_client.cpp
index 4cf3a74..9fa827d 100644
--- a/adb/client/adb_client.cpp
+++ b/adb/client/adb_client.cpp
@@ -31,10 +31,12 @@
#include <condition_variable>
#include <mutex>
+#include <optional>
#include <string>
#include <thread>
#include <vector>
+#include <android-base/file.h>
#include <android-base/stringprintf.h>
#include <android-base/strings.h>
#include <android-base/thread_annotations.h>
@@ -214,15 +216,26 @@
return adb_connect(nullptr, service, error);
}
-int adb_connect(TransportId* transport, std::string_view service, std::string* error) {
- // first query the adb server's version
+#if defined(__linux__)
+std::optional<std::string> adb_get_server_executable_path() {
+ int port;
+ std::string error;
+ if (!parse_tcp_socket_spec(__adb_server_socket_spec, nullptr, &port, nullptr, &error)) {
+ LOG(FATAL) << "failed to parse server socket spec: " << error;
+ }
+
+ return adb_get_android_dir_path() + OS_PATH_SEPARATOR + "adb." + std::to_string(port);
+}
+#endif
+
+static bool __adb_check_server_version(std::string* error) {
unique_fd fd(_adb_connect("host:version", nullptr, error));
- LOG(DEBUG) << "adb_connect: service: " << service;
- if (fd == -2 && !is_local_socket_spec(__adb_server_socket_spec)) {
+ bool local = is_local_socket_spec(__adb_server_socket_spec);
+ if (fd == -2 && !local) {
fprintf(stderr, "* cannot start server on remote host\n");
// error is the original network connection error
- return fd;
+ return false;
} else if (fd == -2) {
fprintf(stderr, "* daemon not running; starting now at %s\n", __adb_server_socket_spec);
start_server:
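Review bot: adb_get_server_executable_path() never returns `std::nullopt` and aborts through `LOG(FATAL)` when parse_tcp_socket_spec fails, although its declaration in adb_client.h says it applies only when the socket spec is a local one. main.cpp calls it unconditionally on Linux, so a spec that parse_tcp_socket_spec rejects (presumably any non-TCP spec) would abort the server at startup instead of skipping the feature. Consider starting the function with `if (!is_local_socket_spec(__adb_server_socket_spec)) return std::nullopt;` and turning the parse failure into `LOG(ERROR)` followed by `return std::nullopt;`. `int port;` is also read after a call whose success is the only thing guaranteeing it was set, so `int port = 0;` is a cheap safeguard. __adb_check_server_version continues past the end of this hunk.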
@@ -232,7 +245,7 @@
// return a generic error string about the overall adb_connect()
// that the caller requested.
*error = "cannot connect to daemon";
- return -1;
+ return false;
} else {
fprintf(stderr, "* daemon started successfully\n");
}
@@ -254,18 +267,39 @@
if (sscanf(&version_string[0], "%04x", &version) != 1) {
*error = android::base::StringPrintf("cannot parse version string: %s",
version_string.c_str());
- return -1;
+ return false;
}
} else {
// If fd is -1 check for "unknown host service" which would
// indicate a version of adb that does not support the
// version command, in which case we should fall-through to kill it.
if (*error != "unknown host service") {
- return fd;
+ return false;
}
}
if (version != ADB_SERVER_VERSION) {
+#if defined(__linux__)
+ if (version > ADB_SERVER_VERSION && local) {
+ // Try to re-exec the existing adb server's binary.
+ constexpr const char* adb_reexeced = "adb (re-execed)";
+ if (strcmp(adb_reexeced, *__adb_argv) != 0) {
+ __adb_argv[0] = adb_reexeced;
+ std::optional<std::string> server_path_path = adb_get_server_executable_path();
+ std::string server_path;
+ if (server_path_path &&
+ android::base::ReadFileToString(*server_path_path, &server_path)) {
+ if (execve(server_path.c_str(), const_cast<char**>(__adb_argv),
+ const_cast<char**>(__adb_envp)) == -1) {
+ LOG(ERROR) << "failed to exec newer version at " << server_path;
+ }
+
+ // Fall-through to restarting the server.
+ }
+ }
+ }
+#endif
+
fprintf(stderr, "adb server version (%d) doesn't match this client (%d); killing...\n",
version, ADB_SERVER_VERSION);
adb_kill_server();
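Review bot: The re-exec branch passes to execve() whatever ReadFileToString returned from the adb.<port> file, with no check on who owns that file, whether anyone else can write it, or whether the content is an absolute path. Whoever can write that file decides which binary this client turns into, with the caller's argv and environment, so the file should be treated as untrusted input rather than as the server's word. Opening it without following symlinks and requiring a regular file owned by the current user with no group/other write bits narrows that, as sketched below. `LOG(ERROR)` also drops errno; `PLOG(ERROR)` would say why execve failed. The enclosing function starts and ends outside this hunk.

```cpp
// … unchanged: argv[0] marker check and adb_get_server_executable_path() call …
std::string server_path;
unique_fd path_fd;
if (server_path_path) {
    path_fd.reset(unix_open(*server_path_path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW));
}
// Only trust a regular file that we own and that nobody else can write.
struct stat st;
bool trusted = path_fd != -1 && fstat(path_fd.get(), &st) == 0 && S_ISREG(st.st_mode) &&
               st.st_uid == getuid() && (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
if (trusted && android::base::ReadFdToString(path_fd.get(), &server_path) &&
    android::base::StartsWith(server_path, "/")) {
    // … unchanged: execve() call (with PLOG on failure) and fall-through comment …
}
```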
@@ -273,12 +307,36 @@
}
}
+ return true;
+}
+
+bool adb_check_server_version(std::string* error) {
+ // Only check the version once per process, since this isn't atomic anyway.
+ static std::once_flag once;
+ static bool result;
+ static std::string* err;
+ std::call_once(once, []() {
+ err = new std::string();
+ result = __adb_check_server_version(err);
+ });
+ *error = *err;
+ return result;
+}
+
+int adb_connect(TransportId* transport, std::string_view service, std::string* error) {
+ LOG(DEBUG) << "adb_connect: service: " << service;
+
+ // Query the adb server's version.
+ if (!adb_check_server_version(error)) {
+ return -1;
+ }
+
// if the command is start-server, we are done.
if (service == "host:start-server") {
return 0;
}
- fd.reset(_adb_connect(service, transport, error));
+ unique_fd fd(_adb_connect(service, transport, error));
if (fd == -1) {
D("_adb_connect error: %s", error->c_str());
} else if(fd == -2) {
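Review bot: adb_check_server_version caches a failed first check for the life of the process: `result` and `*err` are written once under `std::call_once`, so every later adb_connect() returns -1 with the same stale error and never contacts the server again. That is harmless for a one-shot command but matters for any long-lived caller that retries, and the in-code comment explains only the once-ness, not the sticky failure. Either cache only success, or say so in the comment, e.g. `// Note: a failed check is cached too; later calls fail with the same error without retrying.`. adb_connect's body continues past the end of this hunk.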
diff --git a/adb/client/adb_client.h b/adb/client/adb_client.h
index 0a73787..8d32c93 100644
--- a/adb/client/adb_client.h
+++ b/adb/client/adb_client.h
@@ -20,8 +20,14 @@
#include "sysdeps.h"
#include "transport.h"
+#include <optional>
#include <string>
+// Explicitly check the adb server version.
+// All of the commands below do this implicitly.
+// Only the first invocation of this function will check the server version.
+bool adb_check_server_version(std::string* _Nonnull error);
+
// Connect to adb, connect to the named service, and return a valid fd for
// interacting with that service upon success or a negative number on failure.
int adb_connect(std::string_view service, std::string* _Nonnull error);
@@ -65,3 +71,13 @@
// Get the feature set of the current preferred transport.
bool adb_get_feature_set(FeatureSet* _Nonnull feature_set, std::string* _Nonnull error);
+
+#if defined(__linux__)
+// Get the path of a file containing the path to the server executable, if the socket spec set via
+// adb_set_socket_spec is a local one.
+std::optional<std::string> adb_get_server_executable_path();
+#endif
+
+// Globally acccesible argv/envp, for the purpose of re-execing adb.
+extern const char* _Nullable * _Nullable __adb_argv;
+extern const char* _Nullable * _Nullable __adb_envp;
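Review bot: `__adb_argv` and `__adb_envp` are declared `_Nullable` and the only assignment visible in this change is in main() in main.cpp, yet the re-exec branch in adb_client.cpp evaluates `strcmp(adb_reexeced, *__adb_argv)` with no null check. Any other program that links this client code and defines the globals without filling them in would dereference a null pointer when it meets a newer local server. A guard such as `if (__adb_argv && __adb_envp && strcmp(adb_reexeced, *__adb_argv) != 0)` closes that. The comment should also state who sets the globals, and it has a typo (`acccesible`).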
diff --git a/adb/client/commandline.cpp b/adb/client/commandline.cpp
index 3d5d9db..43a3e5e 100644
--- a/adb/client/commandline.cpp
+++ b/adb/client/commandline.cpp
@@ -295,7 +295,10 @@
callback->OnStderr(buffer_ptr, length);
break;
case ShellProtocol::kIdExit:
- exit_code = protocol->data()[0];
+ // data() returns a char* which doesn't have defined signedness.
+ // Cast to uint8_t to prevent 255 from being sign extended to INT_MIN,
+ // which doesn't get truncated on Windows.
+ exit_code = static_cast<uint8_t>(protocol->data()[0]);
continue;
default:
continue;
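Review bot: The added comment misstates the failure it guards against: a signed `char` holding 0xFF sign-extends to -1, not INT_MIN, so it would read better as `// Cast to uint8_t so that an exit status of 255 is not sign-extended to -1 where char is signed.`. The cast itself is right. Separately, nothing visible in this hunk checks that the kIdExit packet carries at least one byte before `protocol->data()[0]` is read; if the protocol reader does not guarantee that elsewhere, a length check belongs next to the cast. The enclosing switch and function lie outside the hunk.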
@@ -1303,9 +1306,9 @@
}
}
-static int adb_connect_command(const std::string& command) {
+static int adb_connect_command(const std::string& command, TransportId* transport = nullptr) {
std::string error;
- unique_fd fd(adb_connect(command, &error));
+ unique_fd fd(adb_connect(transport, command, &error));
if (fd < 0) {
fprintf(stderr, "error: %s\n", error.c_str());
return 1;
@@ -1394,9 +1397,9 @@
TransportId transport_id = 0;
while (argc > 0) {
- if (!strcmp(argv[0],"server")) {
+ if (!strcmp(argv[0], "server")) {
is_server = true;
- } else if (!strcmp(argv[0],"nodaemon")) {
+ } else if (!strcmp(argv[0], "nodaemon")) {
no_daemon = true;
} else if (!strcmp(argv[0], "fork-server")) {
/* this is a special flag used only when the ADB client launches the ADB Server */
@@ -1433,11 +1436,11 @@
if (*id != '\0') {
error_exit("invalid transport id");
}
- } else if (!strcmp(argv[0],"-d")) {
+ } else if (!strcmp(argv[0], "-d")) {
transport_type = kTransportUsb;
- } else if (!strcmp(argv[0],"-e")) {
+ } else if (!strcmp(argv[0], "-e")) {
transport_type = kTransportLocal;
- } else if (!strcmp(argv[0],"-a")) {
+ } else if (!strcmp(argv[0], "-a")) {
gListenAll = 1;
} else if (!strncmp(argv[0], "-H", 2)) {
if (argv[0][2] == '\0') {
@@ -1569,6 +1572,10 @@
}
std::string query = android::base::StringPrintf("host:%s%s", argv[0], listopt);
+ std::string error;
+ if (!adb_check_server_version(&error)) {
+ error_exit("failed to check server version: %s", error.c_str());
+ }
printf("List of devices attached\n");
return adb_query_command(query);
}
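Review bot: Nothing here says why the version check is made explicitly when, per the comment in adb_client.h, the query that follows would do it implicitly. Presumably the intent is that a server start or re-exec happens before `List of devices attached` is printed, but that is not recoverable from the code alone and the call looks redundant to the next reader. A one-line comment would protect it, e.g. `// Check the server first so that a restart or re-exec cannot happen after the header is printed.`. The enclosing function starts outside the hunk.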
diff --git a/adb/client/main.cpp b/adb/client/main.cpp
index 2ee81a9..0c5c28f 100644
--- a/adb/client/main.cpp
+++ b/adb/client/main.cpp
@@ -32,12 +32,16 @@
#include "adb.h"
#include "adb_auth.h"
+#include "adb_client.h"
#include "adb_listeners.h"
#include "adb_utils.h"
#include "commandline.h"
#include "sysdeps/chrono.h"
#include "transport.h"
+const char** __adb_argv;
+const char** __adb_envp;
+
static void setup_daemon_logging() {
const std::string log_file_path(GetLogFilePath());
int fd = unix_open(log_file_path, O_WRONLY | O_CREAT | O_APPEND, 0640);
@@ -191,13 +195,29 @@
notify_thread.detach();
}
+#if defined(__linux__)
+ // Write our location to .android/adb.$PORT, so that older clients can exec us.
+ std::string path;
+ if (!android::base::Readlink("/proc/self/exe", &path)) {
+ PLOG(ERROR) << "failed to readlink /proc/self/exe";
+ }
+
+ std::optional<std::string> server_executable_path = adb_get_server_executable_path();
+ if (server_executable_path) {
+ if (!android::base::WriteStringToFile(path, *server_executable_path)) {
+ PLOG(ERROR) << "failed to write server path to " << path;
+ }
+ }
+#endif
+
D("Event loop starting");
fdevent_loop();
-
return 0;
}
-int main(int argc, char** argv) {
+int main(int argc, char* argv[], char* envp[]) {
+ __adb_argv = const_cast<const char**>(argv);
+ __adb_envp = const_cast<const char**>(envp);
adb_trace_init(argv);
return adb_commandline(argc - 1, const_cast<const char**>(argv + 1));
}
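Review bot: When Readlink on /proc/self/exe fails, the code logs the error and then still writes the empty `path` into the adb.<port> file, and the write-failure message prints `path` (the executable) instead of the file that could not be written. Guard the write with `if (server_executable_path && !path.empty())` and log `<< *server_executable_path`. Because clients later exec whatever this file names, it is also worth creating it with an explicit owner-only mode rather than relying on the umask; android-base has a WriteStringToFile overload that takes mode, owner and group. Nothing in this hunk removes the file when the server exits, so a stale entry can outlive the binary it points at. The server function this block sits in starts outside the hunk.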
diff --git a/adb/socket_spec.h b/adb/socket_spec.h
index 687d751..7cc2fac 100644
--- a/adb/socket_spec.h
+++ b/adb/socket_spec.h
@@ -29,6 +29,5 @@
std::string* error);
int socket_spec_listen(std::string_view spec, std::string* error, int* resolved_tcp_port = nullptr);
-// Exposed for testing.
bool parse_tcp_socket_spec(std::string_view spec, std::string* hostname, int* port,
std::string* serial, std::string* error);
diff --git a/init/Android.bp b/init/Android.bp
index 9aeb837..8a0bb55 100644
--- a/init/Android.bp
+++ b/init/Android.bp
@@ -110,6 +110,7 @@
"init.cpp",
"keychords.cpp",
"modalias_handler.cpp",
+ "mount_handler.cpp",
"mount_namespace.cpp",
"parser.cpp",
"persistent_properties.cpp",
diff --git a/init/README.md b/init/README.md
index f0e5d55..b2039b4 100644
--- a/init/README.md
+++ b/init/README.md
@@ -660,12 +660,19 @@
Properties
----------
-Init provides information about the services that it is responsible
-for via the below properties.
+Init provides state information with the following properties.
`init.svc.<name>`
> State of a named service ("stopped", "stopping", "running", "restarting")
+`dev.mnt.blk.<mount_point>`
+> Block device base name associated with a *mount_point*.
+ The *mount_point* has / replaced by . and if referencing the root mount point
+ "/", it will use "/root", specifically `dev.mnt.blk.root`.
+ Meant for references to `/sys/device/block/${dev.mnt.blk.<mount_point>}/` and
+ `/sys/fs/ext4/${dev.mnt.blk.<mount_point>}/` to tune the block device
+ characteristics in a device agnostic manner.
+
Boot timing
-----------
diff --git a/init/init.cpp b/init/init.cpp
index 7182fda..a5f4549 100644
--- a/init/init.cpp
+++ b/init/init.cpp
@@ -57,6 +57,7 @@
#include "first_stage_mount.h"
#include "import_parser.h"
#include "keychords.h"
+#include "mount_handler.h"
#include "mount_namespace.h"
#include "property_service.h"
#include "reboot.h"
@@ -686,6 +687,7 @@
fs_mgr_vendor_overlay_mount_all();
export_oem_lock_status();
StartPropertyService(&epoll);
+ MountHandler mount_handler(&epoll);
set_usb_controller();
const BuiltinFunctionMap function_map;
diff --git a/init/mount_handler.cpp b/init/mount_handler.cpp
new file mode 100644
index 0000000..12dfc6d
--- /dev/null
+++ b/init/mount_handler.cpp
@@ -0,0 +1,140 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "mount_handler.h"
+
+#include <ctype.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/epoll.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+#include <algorithm>
+#include <string>
+#include <utility>
+
+#include <android-base/file.h>
+#include <android-base/logging.h>
+#include <android-base/properties.h>
+#include <android-base/strings.h>
+#include <fs_mgr.h>
+#include <fstab/fstab.h>
+
+#include "epoll.h"
+#include "property_service.h"
+
+namespace android {
+namespace init {
+
+namespace {
+
+MountHandlerEntry ParseMount(const std::string& line) {
+ auto fields = android::base::Split(line, " ");
+ while (fields.size() < 3) fields.emplace_back("");
+ if (fields[0] == "/dev/root") {
+ if (android::fs_mgr::Fstab fstab; android::fs_mgr::ReadDefaultFstab(&fstab)) {
+ if (auto entry = GetEntryForMountPoint(&fstab, "/")) {
+ fields[0] = entry->blk_device;
+ }
+ }
+ }
+ if (android::base::StartsWith(fields[0], "/dev/")) {
+ if (std::string link; android::base::Readlink(fields[0], &link)) {
+ fields[0] = link;
+ }
+ }
+ return MountHandlerEntry(fields[0], fields[1], fields[2]);
+}
+
+void SetMountProperty(const MountHandlerEntry& entry, bool add) {
+ static constexpr char devblock[] = "/dev/block/";
+ if (!android::base::StartsWith(entry.blk_device, devblock)) return;
+ std::string value;
+ if (add) {
+ value = entry.blk_device.substr(strlen(devblock));
+ if (android::base::StartsWith(value, "sd")) {
+ // All sd partitions inherit their queue characteristics
+ // from the whole device reference. Strip partition number.
+ auto it = std::find_if(value.begin(), value.end(), [](char c) { return isdigit(c); });
+ if (it != value.end()) value.erase(it, value.end());
+ }
+ auto queue = "/sys/block/" + value + "/queue";
+ struct stat sb;
+ if (stat(queue.c_str(), &sb) || !S_ISDIR(sb.st_mode)) value = "";
+ if (stat(entry.mount_point.c_str(), &sb) || !S_ISDIR(sb.st_mode)) value = "";
+ // Skip the noise associated with APEX until there is a need
+ if (android::base::StartsWith(value, "loop")) value = "";
+ }
+ std::string property =
+ "dev.mnt.blk" + ((entry.mount_point == "/") ? "/root" : entry.mount_point);
+ std::replace(property.begin(), property.end(), '/', '.');
+ if (value.empty() && android::base::GetProperty(property, "").empty()) return;
+ property_set(property, value);
+}
+
+} // namespace
+
+MountHandlerEntry::MountHandlerEntry(const std::string& blk_device, const std::string& mount_point,
+ const std::string& fs_type)
+ : blk_device(blk_device), mount_point(mount_point), fs_type(fs_type) {}
+
+bool MountHandlerEntry::operator<(const MountHandlerEntry& r) const {
+ if (blk_device < r.blk_device) return true;
+ if (blk_device > r.blk_device) return false;
+ if (mount_point < r.mount_point) return true;
+ if (mount_point > r.mount_point) return false;
+ return fs_type < r.fs_type;
+}
+
+MountHandler::MountHandler(Epoll* epoll) : epoll_(epoll), fp_(fopen("/proc/mounts", "re"), fclose) {
+ if (!fp_) PLOG(FATAL) << "Could not open /proc/mounts";
+ auto result = epoll->RegisterHandler(
+ fileno(fp_.get()), [this]() { this->MountHandlerFunction(); }, EPOLLERR | EPOLLPRI);
+ if (!result) LOG(FATAL) << result.error();
+}
+
+MountHandler::~MountHandler() {
+ if (fp_) epoll_->UnregisterHandler(fileno(fp_.get())).IgnoreError();
+}
+
+void MountHandler::MountHandlerFunction() {
+ rewind(fp_.get());
+ char* buf = nullptr;
+ size_t len = 0;
+ auto untouched = mounts_;
+ while (getline(&buf, &len, fp_.get()) != -1) {
+ auto entry = ParseMount(std::string(buf, len));
+ auto match = untouched.find(entry);
+ if (match == untouched.end()) {
+ SetMountProperty(entry, true);
+ mounts_.emplace(std::move(entry));
+ } else {
+ untouched.erase(match);
+ }
+ }
+ free(buf);
+ for (auto entry : untouched) {
+ auto match = mounts_.find(entry);
+ if (match == mounts_.end()) continue;
+ mounts_.erase(match);
+ SetMountProperty(entry, false);
+ }
+}
+
+} // namespace init
+} // namespace android
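Review bot: In MountHandlerFunction, `std::string(buf, len)` uses getline's buffer capacity rather than the line length, so every parsed line carries the terminating NUL plus whatever bytes follow it in the buffer (the tail of a longer earlier line, or uninitialized heap). Only the first three space-separated fields are used, so ordinary /proc/mounts lines parse correctly today, but a short line would pick up that trailing junk as a field. Keep the return value instead: `ssize_t n; while ((n = getline(&buf, &len, fp_.get())) != -1) {` with `ParseMount(std::string(buf, n))`. In SetMountProperty, `isdigit(c)` should take `static_cast<unsigned char>(c)`, and `for (auto entry : untouched)` copies each entry where `const auto&` would do.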
diff --git a/init/mount_handler.h b/init/mount_handler.h
new file mode 100644
index 0000000..e524a74
--- /dev/null
+++ b/init/mount_handler.h
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+#include <stdio.h>
+
+#include <memory>
+#include <set>
+#include <string>
+
+#include "epoll.h"
+
+namespace android {
+namespace init {
+
+struct MountHandlerEntry {
+ MountHandlerEntry(const std::string& blk_device, const std::string& mount_point,
+ const std::string& fs_type);
+
+ bool operator<(const MountHandlerEntry& r) const;
+
+ const std::string blk_device;
+ const std::string mount_point;
+ const std::string fs_type;
+};
+
+class MountHandler {
+ public:
+ explicit MountHandler(Epoll* epoll);
+ MountHandler(const MountHandler&) = delete;
+ MountHandler(MountHandler&&) = delete;
+ MountHandler& operator=(const MountHandler&) = delete;
+ MountHandler& operator=(MountHandler&&) = delete;
+ ~MountHandler();
+
+ private:
+ void MountHandlerFunction();
+
+ Epoll* epoll_;
+ std::unique_ptr<FILE, decltype(&fclose)> fp_;
+ std::set<MountHandlerEntry> mounts_;
+};
+
+} // namespace init
+} // namespace android
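Review bot: The three `const std::string` members make MountHandlerEntry effectively copy-only: a move of the struct falls back to copying const members, so `mounts_.emplace(std::move(entry))` in mount_handler.cpp copies three strings per new mount. std::set already exposes its elements as const, so dropping `const` from the members loses no protection against mutating a key in place. The constructor could then take its strings by value and `std::move` them into the members.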
diff --git a/rootdir/etc/ld.config.legacy.txt b/rootdir/etc/ld.config.legacy.txt
index d4d5c28..d282cfa 100644
--- a/rootdir/etc/ld.config.legacy.txt
+++ b/rootdir/etc/ld.config.legacy.txt
@@ -94,7 +94,21 @@
namespace.media.permitted.paths = /apex/com.android.media/${LIB}/extractors
namespace.media.links = default
-namespace.media.link.default.allow_all_shared_libs = true
+namespace.media.link.default.shared_libs = libandroid.so
+namespace.media.link.default.shared_libs += libbinder_ndk.so
+namespace.media.link.default.shared_libs += libc.so
+namespace.media.link.default.shared_libs += libdl.so
+namespace.media.link.default.shared_libs += liblog.so
+namespace.media.link.default.shared_libs += libmediametrics.so
+namespace.media.link.default.shared_libs += libmediandk.so
+namespace.media.link.default.shared_libs += libm.so
+namespace.media.link.default.shared_libs += libvndksupport.so
+
+namespace.media.link.default.shared_libs += libclang_rt.asan-aarch64-android.so
+namespace.media.link.default.shared_libs += libclang_rt.asan-arm-android.so
+namespace.media.link.default.shared_libs += libclang_rt.asan-i686-android.so
+namespace.media.link.default.shared_libs += libclang_rt.asan-x86_64-android.so
+namespace.media.link.default.shared_libs += libclang_rt.hwasan-aarch64-android.so
###############################################################################
# "conscrypt" APEX namespace
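Review bot: The new allow-list has no comment saying what it is derived from or when an entry may be added, which is the information a maintainer needs to keep the media namespace from drifting back toward `allow_all_shared_libs`. The ASAN and HWASAN runtimes for every architecture are also listed unconditionally, with only a blank line separating them from the functional libraries. Two short comments would cover both, e.g. `# Platform libraries the media APEX may load from the default namespace; extend only when an extractor needs one.` above the list and `# Sanitizer runtimes, needed only on sanitized builds.` above the second group. If other ld.config variants carry the same link, they presumably need the same list; that is not visible here.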
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 4c52596..0e96163 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -418,6 +418,13 @@
mkdir /data/bootchart 0755 shell shell
bootchart start
+ # Load fsverity keys. This needs to happen before apexd, as post-install of
+ # APEXes may rely on keys.
+ exec -- /system/bin/mini-keyctl dadd asymmetric product_cert /product/etc/security/cacerts_fsverity .fs-verity
+ exec -- /system/bin/mini-keyctl dadd asymmetric vendor_cert /vendor/etc/security/cacerts_fsverity .fs-verity
+ # Prevent future key links to fsverity keyring
+ exec -- /system/bin/mini-keyctl restrict_keyring .fs-verity
+
# Make sure that apexd is started in the default namespace
enter_default_mount_ns
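Review bot: `restrict_keyring` runs whether or not the two `dadd` commands loaded anything; as far as this hunk shows, nothing acts on their exit status. If a cert directory is missing or unreadable at this earlier point in boot, `.fs-verity` is sealed with fewer keys than intended, which fails closed for verification but would surface later as unexplained APEX post-install failures. It is worth stating the intended behaviour in the comment, e.g. `# dadd failures are not fatal; the keyring is restricted regardless, so these three lines must stay in this order.`. The enclosing trigger block starts outside the hunk.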
@@ -585,12 +592,6 @@
# Set SELinux security contexts on upgrade or policy update.
restorecon --recursive --skip-ce /data
- # load fsverity keys
- exec -- /system/bin/mini-keyctl dadd asymmetric product_cert /product/etc/security/cacerts_fsverity .fs-verity
- exec -- /system/bin/mini-keyctl dadd asymmetric vendor_cert /vendor/etc/security/cacerts_fsverity .fs-verity
- # Prevent future key links to fsverity keyring
- exec -- /system/bin/mini-keyctl restrict_keyring .fs-verity
-
# Check any timezone data in /data is newer than the copy in the runtime module, delete if not.
exec - system system -- /system/bin/tzdatacheck /apex/com.android.runtime/etc/tz /data/misc/zoneinfo