Merge "Increase size limit for pulled AStatsEvent" into rvc-dev
diff --git a/adb/Android.bp b/adb/Android.bp
index f8e5b38..dee48bf 100644
--- a/adb/Android.bp
+++ b/adb/Android.bp
@@ -25,7 +25,6 @@
"-Wthread-safety",
"-Wvla",
"-DADB_HOST=1", // overridden by adbd_defaults
- "-DALLOW_ADBD_ROOT=0", // overridden by adbd_defaults
"-DANDROID_BASE_UNIQUE_FD_DISABLE_IMPLICIT_CONVERSION=1",
],
cpp_std: "experimental",
@@ -81,16 +80,6 @@
defaults: ["adb_defaults"],
cflags: ["-UADB_HOST", "-DADB_HOST=0"],
- product_variables: {
- debuggable: {
- cflags: [
- "-UALLOW_ADBD_ROOT",
- "-DALLOW_ADBD_ROOT=1",
- "-DALLOW_ADBD_DISABLE_VERITY",
- "-DALLOW_ADBD_NO_AUTH",
- ],
- },
- },
}
cc_defaults {
@@ -605,16 +594,14 @@
],
}
},
-
- required: [
- "libadbd_auth",
- "libadbd_fs",
- ],
}
phony {
- name: "adbd_system_binaries",
+ // Interface between adbd in a module and the system.
+ name: "adbd_system_api",
required: [
+ "libadbd_auth",
+ "libadbd_fs",
"abb",
"reboot",
"set-verity-state",
@@ -622,8 +609,10 @@
}
phony {
- name: "adbd_system_binaries_recovery",
+ name: "adbd_system_api_recovery",
required: [
+ "libadbd_auth",
+ "libadbd_fs",
"reboot.recovery",
],
}
diff --git a/adb/daemon/main.cpp b/adb/daemon/main.cpp
index 9e02e89..658e244 100644
--- a/adb/daemon/main.cpp
+++ b/adb/daemon/main.cpp
@@ -62,23 +62,7 @@
#if defined(__ANDROID__)
static const char* root_seclabel = nullptr;
-static inline bool is_device_unlocked() {
- return "orange" == android::base::GetProperty("ro.boot.verifiedbootstate", "");
-}
-
-static bool should_drop_capabilities_bounding_set() {
- if (ALLOW_ADBD_ROOT || is_device_unlocked()) {
- if (__android_log_is_debuggable()) {
- return false;
- }
- }
- return true;
-}
-
static bool should_drop_privileges() {
- // "adb root" not allowed, always drop privileges.
- if (!ALLOW_ADBD_ROOT && !is_device_unlocked()) return true;
-
// The properties that affect `adb root` and `adb unroot` are ro.secure and
// ro.debuggable. In this context the names don't make the expected behavior
// particularly obvious.
@@ -132,7 +116,7 @@
// Don't listen on a port (default 5037) if running in secure mode.
// Don't run as root if running in secure mode.
if (should_drop_privileges()) {
- const bool should_drop_caps = should_drop_capabilities_bounding_set();
+ const bool should_drop_caps = !__android_log_is_debuggable();
if (should_drop_caps) {
minijail_use_caps(jail.get(), CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SETGID));
@@ -224,15 +208,10 @@
// descriptor will always be open.
adbd_cloexec_auth_socket();
-#if defined(__ANDROID_RECOVERY__)
- if (is_device_unlocked() || __android_log_is_debuggable()) {
- auth_required = false;
- }
-#elif defined(ALLOW_ADBD_NO_AUTH)
- // If ro.adb.secure is unset, default to no authentication required.
- auth_required = android::base::GetBoolProperty("ro.adb.secure", false);
-#elif defined(__ANDROID__)
- if (is_device_unlocked()) { // allows no authentication when the device is unlocked.
+#if defined(__ANDROID__)
+ // If we're on userdebug/eng or the device is unlocked, permit no-authentication.
+ bool device_unlocked = "orange" == android::base::GetProperty("ro.boot.verifiedbootstate", "");
+ if (__android_log_is_debuggable() || device_unlocked) {
auth_required = android::base::GetBoolProperty("ro.adb.secure", false);
}
#endif
diff --git a/adb/tools/check_ms_os_desc.cpp b/adb/tools/check_ms_os_desc.cpp
index 8743ff7..8e85809 100644
--- a/adb/tools/check_ms_os_desc.cpp
+++ b/adb/tools/check_ms_os_desc.cpp
@@ -131,8 +131,6 @@
errx(1, "failed to retrieve MS OS v1 compat descriptor: %s", libusb_error_name(rc));
}
- memcpy(&hdr, data.data(), data.size());
-
struct __attribute__((packed)) ms_os_desc_v1_function {
uint8_t bFirstInterfaceNumber;
uint8_t reserved1;
diff --git a/fs_mgr/fs_mgr.cpp b/fs_mgr/fs_mgr.cpp
index b8385d3..1dcc9e4 100644
--- a/fs_mgr/fs_mgr.cpp
+++ b/fs_mgr/fs_mgr.cpp
@@ -1120,8 +1120,28 @@
}
android::dm::DmTable table;
- if (!table.AddTarget(std::make_unique<android::dm::DmTargetBow>(
- 0, size, entry->blk_device))) {
+ auto bowTarget =
+ std::make_unique<android::dm::DmTargetBow>(0, size, entry->blk_device);
+
+ // dm-bow uses the first block as a log record, and relocates the real first block
+ // elsewhere. For metadata encrypted devices, dm-bow sits below dm-default-key, and
+ // for post Android Q devices dm-default-key uses a block size of 4096 always.
+ // So if dm-bow's block size, which by default is the block size of the underlying
+ // hardware, is less than dm-default-key's, blocks will get broken up and I/O will
+ // fail as it won't be data_unit_size aligned.
+ // However, since it is possible there is an already shipping non
+ // metadata-encrypted device with smaller blocks, we must not change this for
+ // devices shipped with Q or earlier unless they explicitly selected dm-default-key
+ // v2
+ constexpr unsigned int pre_gki_level = __ANDROID_API_Q__;
+ unsigned int options_format_version = android::base::GetUintProperty<unsigned int>(
+ "ro.crypto.dm_default_key.options_format.version",
+ (android::fscrypt::GetFirstApiLevel() <= pre_gki_level ? 1 : 2));
+ if (options_format_version > 1) {
+ bowTarget->SetBlockSize(4096);
+ }
+
+ if (!table.AddTarget(std::move(bowTarget))) {
LERROR << "Failed to add bow target";
return false;
}
@@ -1757,6 +1777,11 @@
// wrapper to __mount() and expects a fully prepared fstab_rec,
// unlike fs_mgr_do_mount which does more things with avb / verity etc.
int fs_mgr_do_mount_one(const FstabEntry& entry, const std::string& mount_point) {
+ // First check the filesystem if requested.
+ if (entry.fs_mgr_flags.wait && !WaitForFile(entry.blk_device, 20s)) {
+ LERROR << "Skipping mounting '" << entry.blk_device << "'";
+ }
+
// Run fsck if needed
prepare_fs_for_mount(entry.blk_device, entry);
diff --git a/fs_mgr/libdm/dm_target.cpp b/fs_mgr/libdm/dm_target.cpp
index a594198..250cb82 100644
--- a/fs_mgr/libdm/dm_target.cpp
+++ b/fs_mgr/libdm/dm_target.cpp
@@ -120,6 +120,11 @@
return keyid_ + " " + block_device_;
}
+std::string DmTargetBow::GetParameterString() const {
+ if (!block_size_) return target_string_;
+ return target_string_ + " 1 block_size:" + std::to_string(block_size_);
+}
+
std::string DmTargetSnapshot::name() const {
if (mode_ == SnapshotStorageMode::Merge) {
return "snapshot-merge";
diff --git a/fs_mgr/libdm/include/libdm/dm_target.h b/fs_mgr/libdm/include/libdm/dm_target.h
index 57096ce..f986cfe 100644
--- a/fs_mgr/libdm/include/libdm/dm_target.h
+++ b/fs_mgr/libdm/include/libdm/dm_target.h
@@ -175,11 +175,14 @@
DmTargetBow(uint64_t start, uint64_t length, const std::string& target_string)
: DmTarget(start, length), target_string_(target_string) {}
+ void SetBlockSize(uint32_t block_size) { block_size_ = block_size; }
+
std::string name() const override { return "bow"; }
- std::string GetParameterString() const override { return target_string_; }
+ std::string GetParameterString() const override;
private:
std::string target_string_;
+ uint32_t block_size_ = 0;
};
enum class SnapshotStorageMode {
diff --git a/init/README.md b/init/README.md
index 0dd1490..6f2c01f 100644
--- a/init/README.md
+++ b/init/README.md
@@ -623,8 +623,11 @@
`stop <service>`
> Stop a service from running if it is currently running.
-`swapon_all <fstab>`
+`swapon_all [ <fstab> ]`
> Calls fs\_mgr\_swapon\_all on the given fstab file.
+ If the fstab parameter is not specified, fstab.${ro.boot.fstab_suffix},
+ fstab.${ro.hardware} or fstab.${ro.hardware.platform} will be scanned for
+ under /odm/etc, /vendor/etc, or / at runtime, in that order.
`symlink <target> <path>`
> Create a symbolic link at _path_ with the value _target_
@@ -639,6 +642,12 @@
`umount <path>`
> Unmount the filesystem mounted at that path.
+`umount_all [ <fstab> ]`
+> Calls fs\_mgr\_umount\_all on the given fstab file.
+ If the fstab parameter is not specified, fstab.${ro.boot.fstab_suffix},
+ fstab.${ro.hardware} or fstab.${ro.hardware.platform} will be scanned for
+ under /odm/etc, /vendor/etc, or / at runtime, in that order.
+
`verity_update_state <mount-point>`
> Internal implementation detail used to update dm-verity state and
set the partition._mount-point_.verified properties used by adb remount
diff --git a/init/builtins.cpp b/init/builtins.cpp
index e918e12..0ac66f2 100644
--- a/init/builtins.cpp
+++ b/init/builtins.cpp
@@ -708,10 +708,20 @@
return {};
}
+/* swapon_all [ <fstab> ] */
static Result<void> do_swapon_all(const BuiltinArguments& args) {
+ auto swapon_all = ParseSwaponAll(args.args);
+ if (!swapon_all.ok()) return swapon_all.error();
+
Fstab fstab;
- if (!ReadFstabFromFile(args[1], &fstab)) {
- return Error() << "Could not read fstab '" << args[1] << "'";
+ if (swapon_all->empty()) {
+ if (!ReadDefaultFstab(&fstab)) {
+ return Error() << "Could not read default fstab";
+ }
+ } else {
+ if (!ReadFstabFromFile(*swapon_all, &fstab)) {
+ return Error() << "Could not read fstab '" << *swapon_all << "'";
+ }
}
if (!fs_mgr_swapon_all(fstab)) {
@@ -1371,7 +1381,7 @@
{"setrlimit", {3, 3, {false, do_setrlimit}}},
{"start", {1, 1, {false, do_start}}},
{"stop", {1, 1, {false, do_stop}}},
- {"swapon_all", {1, 1, {false, do_swapon_all}}},
+ {"swapon_all", {0, 1, {false, do_swapon_all}}},
{"enter_default_mount_ns", {0, 0, {false, do_enter_default_mount_ns}}},
{"symlink", {2, 2, {true, do_symlink}}},
{"sysclktz", {1, 1, {false, do_sysclktz}}},
diff --git a/init/check_builtins.cpp b/init/check_builtins.cpp
index 450c079..481fa31 100644
--- a/init/check_builtins.cpp
+++ b/init/check_builtins.cpp
@@ -202,6 +202,14 @@
return {};
}
+Result<void> check_swapon_all(const BuiltinArguments& args) {
+ auto options = ParseSwaponAll(args.args);
+ if (!options.ok()) {
+ return options.error();
+ }
+ return {};
+}
+
Result<void> check_sysclktz(const BuiltinArguments& args) {
ReturnIfAnyArgsEmpty();
diff --git a/init/check_builtins.h b/init/check_builtins.h
index 725a6fd..dc1b752 100644
--- a/init/check_builtins.h
+++ b/init/check_builtins.h
@@ -37,6 +37,7 @@
Result<void> check_restorecon_recursive(const BuiltinArguments& args);
Result<void> check_setprop(const BuiltinArguments& args);
Result<void> check_setrlimit(const BuiltinArguments& args);
+Result<void> check_swapon_all(const BuiltinArguments& args);
Result<void> check_sysclktz(const BuiltinArguments& args);
Result<void> check_umount_all(const BuiltinArguments& args);
Result<void> check_wait(const BuiltinArguments& args);
diff --git a/init/first_stage_init.cpp b/init/first_stage_init.cpp
index 1a608f6..0215576 100644
--- a/init/first_stage_init.cpp
+++ b/init/first_stage_init.cpp
@@ -24,6 +24,7 @@
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <sys/types.h>
+#include <sys/utsname.h>
#include <unistd.h>
#include <filesystem>
@@ -99,6 +100,77 @@
} // namespace
+std::string GetModuleLoadList(bool recovery, const std::string& dir_path) {
+ auto module_load_file = "modules.load";
+ if (recovery) {
+ struct stat fileStat;
+ std::string recovery_load_path = dir_path + "/modules.load.recovery";
+ if (!stat(recovery_load_path.c_str(), &fileStat)) {
+ module_load_file = "modules.load.recovery";
+ }
+ }
+
+ return module_load_file;
+}
+
+#define MODULE_BASE_DIR "/lib/modules"
+bool LoadKernelModules(bool recovery, bool want_console) {
+ struct utsname uts;
+ if (uname(&uts)) {
+ LOG(FATAL) << "Failed to get kernel version.";
+ }
+ int major, minor;
+ if (sscanf(uts.release, "%d.%d", &major, &minor) != 2) {
+ LOG(FATAL) << "Failed to parse kernel version " << uts.release;
+ }
+
+ std::unique_ptr<DIR, decltype(&closedir)> base_dir(opendir(MODULE_BASE_DIR), closedir);
+ if (!base_dir) {
+ LOG(INFO) << "Unable to open /lib/modules, skipping module loading.";
+ return true;
+ }
+ dirent* entry;
+ std::vector<std::string> module_dirs;
+ while ((entry = readdir(base_dir.get()))) {
+ if (entry->d_type != DT_DIR) {
+ continue;
+ }
+ int dir_major, dir_minor;
+ if (sscanf(entry->d_name, "%d.%d", &dir_major, &dir_minor) != 2 || dir_major != major ||
+ dir_minor != minor) {
+ continue;
+ }
+ module_dirs.emplace_back(entry->d_name);
+ }
+
+ // Sort the directories so they are iterated over during module loading
+ // in a consistent order. Alphabetical sorting is fine here because the
+ // kernel version at the beginning of the directory name must match the
+ // current kernel version, so the sort only applies to a label that
+ // follows the kernel version, for example /lib/modules/5.4 vs.
+ // /lib/modules/5.4-gki.
+ std::sort(module_dirs.begin(), module_dirs.end());
+
+ for (const auto& module_dir : module_dirs) {
+ std::string dir_path = MODULE_BASE_DIR "/";
+ dir_path.append(module_dir);
+ Modprobe m({dir_path}, GetModuleLoadList(recovery, dir_path));
+ bool retval = m.LoadListedModules(!want_console);
+ int modules_loaded = m.GetModuleCount();
+ if (modules_loaded > 0) {
+ return retval;
+ }
+ }
+
+ Modprobe m({MODULE_BASE_DIR}, GetModuleLoadList(recovery, MODULE_BASE_DIR));
+ bool retval = m.LoadListedModules(!want_console);
+ int modules_loaded = m.GetModuleCount();
+ if (modules_loaded > 0) {
+ return retval;
+ }
+ return true;
+}
+
int FirstStageMain(int argc, char** argv) {
if (REBOOT_BOOTLOADER_ON_PANIC) {
InstallRebootSignalHandlers();
@@ -190,18 +262,9 @@
old_root_dir.reset();
}
- std::string module_load_file = "modules.load";
- if (IsRecoveryMode() && !ForceNormalBoot(cmdline)) {
- struct stat fileStat;
- std::string recovery_load_path = "/lib/modules/modules.load.recovery";
- if (!stat(recovery_load_path.c_str(), &fileStat)) {
- module_load_file = "modules.load.recovery";
- }
- }
-
- Modprobe m({"/lib/modules"}, module_load_file);
auto want_console = ALLOW_FIRST_STAGE_CONSOLE ? FirstStageConsole(cmdline) : 0;
- if (!m.LoadListedModules(!want_console)) {
+
+ if (!LoadKernelModules(IsRecoveryMode() && !ForceNormalBoot(cmdline), want_console)) {
if (want_console != FirstStageConsoleParam::DISABLED) {
LOG(ERROR) << "Failed to load kernel modules, starting console";
} else {
diff --git a/init/util.cpp b/init/util.cpp
index 90ac50c..255434a 100644
--- a/init/util.cpp
+++ b/init/util.cpp
@@ -652,11 +652,22 @@
return std::pair(flag, paths);
}
+Result<std::string> ParseSwaponAll(const std::vector<std::string>& args) {
+ if (args.size() <= 1) {
+ if (SelinuxGetVendorAndroidVersion() <= __ANDROID_API_Q__) {
+ return Error() << "swapon_all requires at least 1 argument";
+ }
+ return {};
+ }
+ return args[1];
+}
+
Result<std::string> ParseUmountAll(const std::vector<std::string>& args) {
- if (SelinuxGetVendorAndroidVersion() <= __ANDROID_API_Q__) {
- if (args.size() <= 1) {
+ if (args.size() <= 1) {
+ if (SelinuxGetVendorAndroidVersion() <= __ANDROID_API_Q__) {
return Error() << "umount_all requires at least 1 argument";
}
+ return {};
}
return args[1];
}
diff --git a/init/util.h b/init/util.h
index a7f813b..3cdc9f4 100644
--- a/init/util.h
+++ b/init/util.h
@@ -92,6 +92,8 @@
Result<std::pair<int, std::vector<std::string>>> ParseRestorecon(
const std::vector<std::string>& args);
+Result<std::string> ParseSwaponAll(const std::vector<std::string>& args);
+
Result<std::string> ParseUmountAll(const std::vector<std::string>& args);
void SetStdioToDevNull(char** argv);
diff --git a/libkeyutils/keyutils.cpp b/libkeyutils/keyutils.cpp
index 8f63f70..1c5acc9 100644
--- a/libkeyutils/keyutils.cpp
+++ b/libkeyutils/keyutils.cpp
@@ -32,17 +32,7 @@
#include <sys/syscall.h>
#include <unistd.h>
-// Deliberately not exposed. Callers should use the typed APIs instead.
-static long keyctl(int cmd, ...) {
- va_list va;
- va_start(va, cmd);
- unsigned long arg2 = va_arg(va, unsigned long);
- unsigned long arg3 = va_arg(va, unsigned long);
- unsigned long arg4 = va_arg(va, unsigned long);
- unsigned long arg5 = va_arg(va, unsigned long);
- va_end(va);
- return syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5);
-}
+// keyctl(2) is deliberately not exposed. Callers should use the typed APIs instead.
key_serial_t add_key(const char* type, const char* description, const void* payload,
size_t payload_length, key_serial_t ring_id) {
@@ -50,30 +40,30 @@
}
key_serial_t keyctl_get_keyring_ID(key_serial_t id, int create) {
- return keyctl(KEYCTL_GET_KEYRING_ID, id, create);
+ return syscall(__NR_keyctl, KEYCTL_GET_KEYRING_ID, id, create);
}
long keyctl_revoke(key_serial_t id) {
- return keyctl(KEYCTL_REVOKE, id);
+ return syscall(__NR_keyctl, KEYCTL_REVOKE, id);
}
long keyctl_search(key_serial_t ring_id, const char* type, const char* description,
key_serial_t dest_ring_id) {
- return keyctl(KEYCTL_SEARCH, ring_id, type, description, dest_ring_id);
+ return syscall(__NR_keyctl, KEYCTL_SEARCH, ring_id, type, description, dest_ring_id);
}
long keyctl_setperm(key_serial_t id, int permissions) {
- return keyctl(KEYCTL_SETPERM, id, permissions);
+ return syscall(__NR_keyctl, KEYCTL_SETPERM, id, permissions);
}
long keyctl_unlink(key_serial_t key, key_serial_t keyring) {
- return keyctl(KEYCTL_UNLINK, key, keyring);
+ return syscall(__NR_keyctl, KEYCTL_UNLINK, key, keyring);
}
long keyctl_restrict_keyring(key_serial_t keyring, const char* type, const char* restriction) {
- return keyctl(KEYCTL_RESTRICT_KEYRING, keyring, type, restriction);
+ return syscall(__NR_keyctl, KEYCTL_RESTRICT_KEYRING, keyring, type, restriction);
}
long keyctl_get_security(key_serial_t id, char* buffer, size_t buflen) {
- return keyctl(KEYCTL_GET_SECURITY, id, buffer, buflen);
+ return syscall(__NR_keyctl, KEYCTL_GET_SECURITY, id, buffer, buflen);
}
diff --git a/libmodprobe/include/modprobe/modprobe.h b/libmodprobe/include/modprobe/modprobe.h
index 297036e..a7687af 100644
--- a/libmodprobe/include/modprobe/modprobe.h
+++ b/libmodprobe/include/modprobe/modprobe.h
@@ -34,6 +34,8 @@
bool GetAllDependencies(const std::string& module, std::vector<std::string>* pre_dependencies,
std::vector<std::string>* dependencies,
std::vector<std::string>* post_dependencies);
+ void ResetModuleCount() { module_count_ = 0; }
+ int GetModuleCount() { return module_count_; }
void EnableBlacklist(bool enable);
void EnableVerbose(bool enable);
@@ -65,5 +67,6 @@
std::unordered_map<std::string, std::string> module_options_;
std::set<std::string> module_blacklist_;
std::unordered_set<std::string> module_loaded_;
+ int module_count_ = 0;
bool blacklist_enabled = false;
};
diff --git a/libmodprobe/libmodprobe_ext.cpp b/libmodprobe/libmodprobe_ext.cpp
index 99472c1..6589708 100644
--- a/libmodprobe/libmodprobe_ext.cpp
+++ b/libmodprobe/libmodprobe_ext.cpp
@@ -63,6 +63,7 @@
LOG(INFO) << "Loaded kernel module " << path_name;
module_loaded_.emplace(canonical_name);
+ module_count_++;
return true;
}
diff --git a/libmodprobe/libmodprobe_ext_test.cpp b/libmodprobe/libmodprobe_ext_test.cpp
index 057dea3..9ee5ba7 100644
--- a/libmodprobe/libmodprobe_ext_test.cpp
+++ b/libmodprobe/libmodprobe_ext_test.cpp
@@ -56,6 +56,7 @@
}
modules_loaded.emplace_back(path_name + options);
+ module_count_++;
return true;
}
diff --git a/libmodprobe/libmodprobe_test.cpp b/libmodprobe/libmodprobe_test.cpp
index 879c7f2..eea0abd 100644
--- a/libmodprobe/libmodprobe_test.cpp
+++ b/libmodprobe/libmodprobe_test.cpp
@@ -161,6 +161,7 @@
EXPECT_TRUE(modules_loaded == expected_modules_loaded);
+ EXPECT_TRUE(m.GetModuleCount() == 15);
EXPECT_TRUE(m.Remove("test4"));
GTEST_LOG_(INFO) << "Expected modules loaded after removing test4 (in order):";
diff --git a/libsparse/sparse.cpp b/libsparse/sparse.cpp
index 24c6379..8622b4c 100644
--- a/libsparse/sparse.cpp
+++ b/libsparse/sparse.cpp
@@ -136,11 +136,23 @@
return 0;
}
+/*
+ * This is a workaround for 32-bit Windows: Limit the block size to 64 MB before
+ * fastboot executable binary for windows 64-bit is released (b/156057250).
+ */
+#define MAX_BACKED_BLOCK_SIZE ((unsigned int) (64UL << 20))
+
int sparse_file_write(struct sparse_file* s, int fd, bool gz, bool sparse, bool crc) {
+ struct backed_block* bb;
int ret;
int chunks;
struct output_file* out;
+ for (bb = backed_block_iter_new(s->backed_block_list); bb; bb = backed_block_iter_next(bb)) {
+ ret = backed_block_split(s->backed_block_list, bb, MAX_BACKED_BLOCK_SIZE);
+ if (ret) return ret;
+ }
+
chunks = sparse_count_chunks(s);
out = output_file_open_fd(fd, s->block_size, s->len, gz, sparse, chunks, crc);
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 2d67194..01609db 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -517,6 +517,8 @@
mkdir /metadata/apex 0700 root system
mkdir /metadata/apex/sessions 0700 root system
+
+ mkdir /metadata/staged-install 0770 root system
on late-fs
# Ensure that tracefs has the correct permissions.
# This does not work correctly if it is called in post-fs.