Merge "Consume design capacity in health HAL 2.1"
diff --git a/code_coverage/Android.bp b/code_coverage/Android.bp
new file mode 100644
index 0000000..b51c802
--- /dev/null
+++ b/code_coverage/Android.bp
@@ -0,0 +1,83 @@
+
+prebuilt_etc {
+ name: "code_coverage.policy",
+ sub_dir: "seccomp_policy",
+ filename_from_src: true,
+ arch: {
+ arm: {
+ src: "empty_policy/code_coverage.arm.policy",
+ product_variables: {
+ native_coverage: {
+ src: "seccomp_policy/code_coverage.arm.policy",
+ },
+ },
+ },
+ arm64: {
+ src: "empty_policy/code_coverage.arm64.policy",
+ product_variables: {
+ native_coverage: {
+ src: "seccomp_policy/code_coverage.arm64.policy",
+ },
+ },
+ },
+ x86: {
+ src: "empty_policy/code_coverage.x86.policy",
+ product_variables: {
+ native_coverage: {
+ src: "seccomp_policy/code_coverage.x86.policy",
+ },
+ },
+ },
+ x86_64: {
+ src: "empty_policy/code_coverage.x86_64.policy",
+ product_variables: {
+ native_coverage: {
+ src: "seccomp_policy/code_coverage.x86_64.policy",
+ },
+ },
+ },
+ },
+ required: [
+ "code_coverage.policy.other",
+ ],
+}
+
+prebuilt_etc {
+ name: "code_coverage.policy.other",
+ sub_dir: "seccomp_policy",
+ filename_from_src: true,
+ arch: {
+ arm: {
+ src: "empty_policy/code_coverage.arm64.policy",
+ product_variables: {
+ native_coverage: {
+ src: "seccomp_policy/code_coverage.arm64.policy",
+ },
+ },
+ },
+ arm64: {
+ src: "empty_policy/code_coverage.arm.policy",
+ product_variables: {
+ native_coverage: {
+ src: "seccomp_policy/code_coverage.arm.policy",
+ },
+ },
+ },
+ x86: {
+ src: "empty_policy/code_coverage.x86_64.policy",
+ product_variables: {
+ native_coverage: {
+ src: "seccomp_policy/code_coverage.x86_64.policy",
+ },
+ },
+ },
+ x86_64: {
+ src: "empty_policy/code_coverage.x86.policy",
+ product_variables: {
+ native_coverage: {
+ src: "seccomp_policy/code_coverage.x86.policy",
+ },
+ },
+ },
+ },
+}
diff --git a/code_coverage/Android.mk b/code_coverage/Android.mk
deleted file mode 100644
index 80ab36b..0000000
--- a/code_coverage/Android.mk
+++ /dev/null
@@ -1,37 +0,0 @@
-# policies to allow processes inside minijail to dump code coverage information
-#
-
-LOCAL_PATH := $(call my-dir)
-
-
-include $(CLEAR_VARS)
-LOCAL_MODULE := code_coverage.policy
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MULTILIB := both
-
-ifeq ($(TARGET_ARCH), $(filter $(TARGET_ARCH), arm arm64))
-LOCAL_MODULE_STEM_32 := code_coverage.arm.policy
-LOCAL_MODULE_STEM_64 := code_coverage.arm64.policy
-endif
-
-ifeq ($(TARGET_ARCH), $(filter $(TARGET_ARCH), x86 x86_64))
-LOCAL_MODULE_STEM_32 := code_coverage.x86.policy
-LOCAL_MODULE_STEM_64 := code_coverage.x86_64.policy
-endif
-
-# different files for different configurations
-ifeq ($(NATIVE_COVERAGE),true)
-LOCAL_SRC_FILES_arm := seccomp_policy/code_coverage.arm.policy
-LOCAL_SRC_FILES_arm64 := seccomp_policy/code_coverage.arm64.policy
-LOCAL_SRC_FILES_x86 := seccomp_policy/code_coverage.x86.policy
-LOCAL_SRC_FILES_x86_64 := seccomp_policy/code_coverage.x86_64.policy
-else
-LOCAL_SRC_FILES_arm := empty_policy/code_coverage.arm.policy
-LOCAL_SRC_FILES_arm64 := empty_policy/code_coverage.arm64.policy
-LOCAL_SRC_FILES_x86 := empty_policy/code_coverage.x86.policy
-LOCAL_SRC_FILES_x86_64 := empty_policy/code_coverage.x86_64.policy
-endif
-
-LOCAL_MODULE_TARGET_ARCH := arm arm64 x86 x86_64
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/seccomp_policy
-include $(BUILD_PREBUILT)
diff --git a/debuggerd/Android.bp b/debuggerd/Android.bp
index c8df3e3..e3ce531 100644
--- a/debuggerd/Android.bp
+++ b/debuggerd/Android.bp
@@ -355,3 +355,49 @@
init_rc: ["tombstoned/tombstoned.rc"],
}
+
+prebuilt_etc {
+ name: "crash_dump.policy",
+ sub_dir: "seccomp_policy",
+ filename_from_src: true,
+ arch: {
+ arm: {
+ src: "seccomp_policy/crash_dump.arm.policy",
+ },
+ arm64: {
+ src: "seccomp_policy/crash_dump.arm64.policy",
+ },
+ x86: {
+ src: "seccomp_policy/crash_dump.x86.policy",
+ },
+ x86_64: {
+ src: "seccomp_policy/crash_dump.x86_64.policy",
+ },
+ },
+ required: [
+ "crash_dump.policy_other",
+ ],
+}
+
+
+// NB -- this installs "the other" architecture. (puts 32 bit config in on 64 bit device)
+// or at least that is the intention so that we get both of them populated
+prebuilt_etc {
+ name: "crash_dump.policy_other",
+ sub_dir: "seccomp_policy",
+ filename_from_src: true,
+ arch: {
+ arm: {
+ src: "seccomp_policy/crash_dump.arm64.policy",
+ },
+ arm64: {
+ src: "seccomp_policy/crash_dump.arm.policy",
+ },
+ x86: {
+ src: "seccomp_policy/crash_dump.x86_64.policy",
+ },
+ x86_64: {
+ src: "seccomp_policy/crash_dump.x86.policy",
+ },
+ },
+}
diff --git a/debuggerd/Android.mk b/debuggerd/Android.mk
deleted file mode 100644
index c03b41d..0000000
--- a/debuggerd/Android.mk
+++ /dev/null
@@ -1,24 +0,0 @@
-LOCAL_PATH := $(call my-dir)
-
-include $(CLEAR_VARS)
-LOCAL_MODULE := crash_dump.policy
-LOCAL_MODULE_CLASS := ETC
-LOCAL_MULTILIB := both
-
-ifeq ($(TARGET_ARCH), $(filter $(TARGET_ARCH), arm arm64))
-LOCAL_MODULE_STEM_32 := crash_dump.arm.policy
-LOCAL_MODULE_STEM_64 := crash_dump.arm64.policy
-endif
-
-ifeq ($(TARGET_ARCH), $(filter $(TARGET_ARCH), x86 x86_64))
-LOCAL_MODULE_STEM_32 := crash_dump.x86.policy
-LOCAL_MODULE_STEM_64 := crash_dump.x86_64.policy
-endif
-
-LOCAL_MODULE_PATH := $(TARGET_OUT)/etc/seccomp_policy
-LOCAL_SRC_FILES_arm := seccomp_policy/crash_dump.arm.policy
-LOCAL_SRC_FILES_arm64 := seccomp_policy/crash_dump.arm64.policy
-LOCAL_SRC_FILES_x86 := seccomp_policy/crash_dump.x86.policy
-LOCAL_SRC_FILES_x86_64 := seccomp_policy/crash_dump.x86_64.policy
-LOCAL_MODULE_TARGET_ARCH := arm arm64 x86 x86_64
-include $(BUILD_PREBUILT)
diff --git a/init/first_stage_mount.cpp b/init/first_stage_mount.cpp
index 21663e6..622e457 100644
--- a/init/first_stage_mount.cpp
+++ b/init/first_stage_mount.cpp
@@ -21,6 +21,7 @@
#include <unistd.h>
#include <chrono>
+#include <filesystem>
#include <map>
#include <memory>
#include <set>
@@ -99,7 +100,11 @@
void GetDmLinearMetadataDevice(std::set<std::string>* devices);
bool InitDmLinearBackingDevices(const android::fs_mgr::LpMetadata& metadata);
void UseDsuIfPresent();
+ // Reads all fstab.avb_keys from the ramdisk for first-stage mount.
void PreloadAvbKeys();
+ // Copies /avb/*.avbpubkey used for DSU from the ramdisk to /metadata for key
+ // revocation check by DSU installation service.
+ void CopyDsuAvbKeys();
ListenerAction UeventCallback(const Uevent& uevent, std::set<std::string>* required_devices);
@@ -595,7 +600,12 @@
return entry.mount_point == "/metadata";
});
if (metadata_partition != fstab_.end()) {
- MountPartition(metadata_partition, true /* erase_same_mounts */);
+ if (MountPartition(metadata_partition, true /* erase_same_mounts */)) {
+ // Copies DSU AVB keys from the ramdisk to /metadata.
+ // Must be done before the following TrySwitchSystemAsRoot().
+ // Otherwise, ramdisk will be inaccessible after switching root.
+ CopyDsuAvbKeys();
+ }
}
if (!CreateLogicalPartitions()) return false;
@@ -663,6 +673,27 @@
return true;
}
+// Preserves /avb/*.avbpubkey to /metadata/gsi/dsu/avb/, so they can be used for
+// key revocation check by DSU installation service. Note that failing to
+// copy files to /metadata is NOT fatal, because it is auxiliary to perform
+// public key matching before booting into DSU images on next boot. The actual
+// public key matching will still be done on next boot to DSU.
+void FirstStageMount::CopyDsuAvbKeys() {
+ std::error_code ec;
+ // Removing existing keys in gsi::kDsuAvbKeyDir as they might be stale.
+ std::filesystem::remove_all(gsi::kDsuAvbKeyDir, ec);
+ if (ec) {
+ LOG(ERROR) << "Failed to remove directory " << gsi::kDsuAvbKeyDir << ": " << ec.message();
+ }
+ // Copy keys from the ramdisk /avb/* to gsi::kDsuAvbKeyDir.
+ static constexpr char kRamdiskAvbKeyDir[] = "/avb";
+ std::filesystem::copy(kRamdiskAvbKeyDir, gsi::kDsuAvbKeyDir, ec);
+ if (ec) {
+ LOG(ERROR) << "Failed to copy " << kRamdiskAvbKeyDir << " into " << gsi::kDsuAvbKeyDir
+ << ": " << ec.message();
+ }
+}
+
void FirstStageMount::UseDsuIfPresent() {
std::string error;
diff --git a/init/selinux.cpp b/init/selinux.cpp
index 41007c1..c5b7576 100644
--- a/init/selinux.cpp
+++ b/init/selinux.cpp
@@ -65,6 +65,7 @@
#include <android-base/parseint.h>
#include <android-base/unique_fd.h>
#include <fs_avb/fs_avb.h>
+#include <libgsi/libgsi.h>
#include <selinux/android.h>
#include "debug_ramdisk.h"
@@ -533,6 +534,8 @@
selinux_android_restorecon("/apex", 0);
selinux_android_restorecon("/linkerconfig", 0);
+
+ selinux_android_restorecon(gsi::kDsuAvbKeyDir, SELINUX_ANDROID_RESTORECON_RECURSE);
}
int SelinuxKlogCallback(int type, const char* fmt, ...) {
diff --git a/liblog/Android.bp b/liblog/Android.bp
index 2cf60e0..7f183c2 100644
--- a/liblog/Android.bp
+++ b/liblog/Android.bp
@@ -121,6 +121,10 @@
],
logtags: ["event.logtags"],
compile_multilib: "both",
+ apex_available: [
+ "//apex_available:anyapex",
+ "//apex_available:platform",
+ ],
}
ndk_headers {
diff --git a/libutils/Android.bp b/libutils/Android.bp
index efa4c41..3311793 100644
--- a/libutils/Android.bp
+++ b/libutils/Android.bp
@@ -159,6 +159,11 @@
],
},
},
+
+ apex_available: [
+ "//apex_available:anyapex",
+ "//apex_available:platform",
+ ],
}
cc_library {