From e8565ac94a3aec39cc9efafe4cbb0b453d0a285f Mon Sep 17 00:00:00 2001
From: Andreas Gampe
Date: Fri, 15 Mar 2019 14:22:04 -0700
Subject: [PATCH] Init: Load fsverity keys earlier

Keys may be required for apex updates (post-installs), so load them before starting apexd.

Bug: 125474642
Test: m
Test: manual
Change-Id: I32ddb6ae6854334e8ee7e195173ecfaed565d783
---
 rootdir/init.rc | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/rootdir/init.rc b/rootdir/init.rc
index 4c5259626..0e961631b 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -418,6 +418,13 @@ on post-fs-data
 mkdir /data/bootchart 0755 shell shell
 bootchart start
 
+ # Load fsverity keys. This needs to happen before apexd, as post-install of
+ # APEXes may rely on keys.
+ exec -- /system/bin/mini-keyctl dadd asymmetric product_cert /product/etc/security/cacerts_fsverity .fs-verity
+ exec -- /system/bin/mini-keyctl dadd asymmetric vendor_cert /vendor/etc/security/cacerts_fsverity .fs-verity
+ # Prevent future key links to fsverity keyring
+ exec -- /system/bin/mini-keyctl restrict_keyring .fs-verity
+
 # Make sure that apexd is started in the default namespace
 enter_default_mount_ns
 
@@ -585,12 +592,6 @@ on post-fs-data
 # Set SELinux security contexts on upgrade or policy update.
 restorecon --recursive --skip-ce /data
 
- # load fsverity keys
- exec -- /system/bin/mini-keyctl dadd asymmetric product_cert /product/etc/security/cacerts_fsverity .fs-verity
- exec -- /system/bin/mini-keyctl dadd asymmetric vendor_cert /vendor/etc/security/cacerts_fsverity .fs-verity
- # Prevent future key links to fsverity keyring
- exec -- /system/bin/mini-keyctl restrict_keyring .fs-verity
-
 # Check any timezone data in /data is newer than the copy in the runtime module, delete if not.
 exec - system system -- /system/bin/tzdatacheck /apex/com.android.runtime/etc/tz /data/misc/zoneinfo
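Review bot: The new comment in the first hunk explains why the two `dadd` calls move ahead of apexd, but not that `restrict_keyring .fs-verity` moves with them, so from this point on nothing started later in post-fs-data (apexd included, and the APEX post-install work this change is made for) can add to the fs-verity keyring. Worth stating next to the restrict line, e.g. `# Prevent future key links to fsverity keyring; this now runs before apexd, so every trusted cert must be loaded above this line`. As I read init.rc `exec`, a failing `dadd` (say an absent cacerts_fsverity directory on one partition) is only logged, so the keyring would still be restricted with that cert set missing; that is unchanged from the old location but deserves a note now that apexd relies on the result. The enclosing `on post-fs-data` action starts and ends outside the hunk.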