external/avb/libavb provides the new Android Verified Boot (AVB) flow.
It has different verity metadata format than previous formats in
fs_mgr_verity.cpp fs_mgr should support using libavb to read the metadata
(a.k.a. HASHTREE descriptor in AVB) to enable dm-verity in kernel.
Two important files in this commit:
- fs_mgr_avb_ops.c: an implementation of struct AvbOps* for libavb to do
platform dependent I/O operations, e.g., read_from_partition.
- fs_mgr_avb.cpp: it reads the metadata (a.k.a. vbmeta images in AVB) from
all partitions, verifies its integrity against the values of
androidboot.vbmeta.{hash_alg, size, digest} passed from bootloader in
kernel command line. Then enable dm-verity for partitions having the
corresponding HASHTREE descriptor and with an 'avb' fstab flag.
Bug: 31264231
Test: Enable dm-verity on /system partition
Test: Enable dm-verity with FEC on /system partition
Change-Id: I4652806984fe5a30c61be0839135b5ca78323d38
When doing a factory reset in recovery, flash erase & logical block
sizes are needed for tuning the parameters of the new userdata image.
Add flags to allow this information to be stored in recovery.fstab
Test: Factory reset marlin & confirm userdata is rebuilt correctly
Bug: 33243520
Change-Id: I6c4414d4e9026be4a3646523656ac151e93015e7
Signed-off-by: Connor O'Brien <connoro@google.com>
ASan runtime library depends on liblog, so we have to disable ASan,
but nothing else.
Bug: 33091541
Test: SANITIZE_TARGET=address keeps working
Change-Id: I6e22925b7f1d5ec86fe1bd8c00dba4c3e86ddf3f
* changes:
tombstoned: silence spurious error messages.
Actually don't start tombstoned until /data is mounted.
debuggerd_handler: add SIGSYS to the list of handled signals.
tkill and tgkill are syscalls that do not have glibc wrappers, but
they are required in order to send a signal to a specific thread.
Non-android software may call them directly with syscall(). Bionic
provides a wrapper for tgkill, so seccomp allows it, but not for
tkill. Add tkill to the whitelist.
This can be reproduced with:
sleep 1000 & sleep 1 ; strace -p $!
then hit ctrl-C, and the shell will print "Bad system call" because
the strace process died with SIGSYS
Bug: 34586922
Test: repro case is fixed
Change-Id: Ib6962a967f2cc757f2906de7905e75e1b6d6f39f
restart_syscall is used by the kernel whenever a syscall with a
timeout is interrupted. Whitelist it in seccomp to prevent
processes being killed with SIGSYS when being ptraced.
Bug: 34586922
Test: hwui_unit_tests
Change-Id: Ic47dcad33f3082eb5673c3c67fe17200d4daaf74
New protocol assumes that there is no limit on name or value
and effectively removed limit on property name length.
It also send back a uint32_t with error code (or 0 on success)
Bug: http://b/33926793
Test: mm, boot, run bionic-unit-tests --gtest_filter=prop*
Change-Id: Iac6290398ddc495e03f8fbbc3a79e923eff5df6f
Actually exit when receiving a signal via kill(2) or raise(2) and
PR_GET_DUMPABLE is 0.
Bug: none
Test: /data/nativetest/debuggerd_test/debuggerd_test32
Test: /data/nativetest64/bionic-unit-tests/bionic-unit-tests --gtest_filter=pthread_DeathTest.pthread_mutex_lock_null_64
Change-Id: I833a2a34238129237bd9f953959ebda51d8d04d7
For the gTests logcat.tz, logcat.tail_3, logcat.tail_10,
logcat.tail_100, logcat.tail_1000 and logcat.tail_time tests inject
messages if we come up short should the background logging not be
sufficient to feed the test requirements. Test frames run the
tests right after reboot requiring injection. Will have radio
silence, so we also add kernel logs if available to help add to the
background logging activity level.
We also will inject a radio message for logcat.buckets so that test
can survive no radio content.
Test: set device to airplane mode (to stress this problem) then:
adb logcat -b all -c && adb shell su root \
/data/nativetest/logcat-unit-tests/logcat-unit-tests \
--gtest_filter=logcat.tail_1000 (or others in this set)
Bug: 34454772
Change-Id: I5ec246552f3ab1fc9c5864ed69d63b851fdf538d
* changes:
crash_dump: set a watchdog timer.
crash_dump: switch to PTRACE_SEIZE.
crash_dump: clear the default crash handlers.
crash_dump: remove extra log.
debuggerd_handler: actually wait for pseudothread to exit.
PTRACE_DETACH is only necessary if the process is in group-stop state,
the tracer exiting is sufficient to detach and resume tracees.
Using this, set a 5 second timer with alarm(2) that just kills us, to
avoid leaving processes stopped.
Bug: http://b/34472671
Test: debuggerd_test
Test: crasher + manually inserting a 10 second sleep into crash_dump
Change-Id: Iacaa796f79037aa1585f3f2159abe45ef0069311
ptrace(PTRACE_ATTACH) does not immediately put the traced process in a
stopped state. If we manage to call PTRACE_CONT on it before it
finishes, we'll fail. Switch to using PTRACE_SEIZE and PTRACE_INTERRUPT
to guarantee that the target stops immediately.
This also has the advantage of never putting the process in group-stop
state, which means if we exit prematurely (e.g. if we crash during
stack unwinding), the target process will be resumed without any
intervention needed.
Bug: http://b/34472671
Test: while true; do debuggerd -b `pidof audioserver`; done
Change-Id: I7549f67489646cf300b8c9aa8c735e5e897806ef
crash_dump is a dynamic executable that gets the default crash dumping
handlers set by the linker. Turn them off to prevent crash_dump from
dumping itself.
Bug: http://b/34472671
Test: inserted an abort into crash_dump
Change-Id: Ic9d708805ad47afbb2a9ff37e2ca059f23f421de
Occasionally, the pseudothread wouldn't exit in time after unlocking
the mutex to get crash_dump to proceed, resulting in spurious error
messages. Instead of using a mutex to emulate pthread_join, just
implement it correctly.
Bug: http://b/34472671
Test: debuggerd_test
Change-Id: I5c2658a84e9407ed8cc0ef2ad0fb648c388b7ad1
Moved headers from include/libcutils and include/liblog to
libcutils/include and liblog/include respectively, so they can be
exported via these libs. They needed to be moved since Soong does
not allow export from external folder.
Added symlink from old locations. They are needed since Soong
includes system/core/include by default. Once all modules are
cleaned up to explicitly add the required libs, the symlinks will be
removed.
Also added liblog_vndk_headers that exports a special log/log.h for
VNDK.
Moved headers of libcutils to libcutils_headers. They should be used
by modules for header-only inlines. Added libcutils_headers as
dependency of libcutils.
Added libcutils_vndk_headers that exports a special cutils/log.h
deprecating usage of the file. A later CL will deprecate the one in
libcutils_headers
Test: Add above libs to shared lib of local module
Change-Id: I6e1f9c5f23d8b6eae13dc3b7e5dfe7fae93b8510
Do not report security buffer errors if not specifically
named in the buffer list.
Test: gTest logcat-unit-test --gtest_filter=logcat.security
Bug: 34511645
Change-Id: I028d51abad0329fcf42e467b135d035b06c1d2e3
When vold mounts the encrypted /data partition, it first checks for and
kills processes that have open fds to the tmpfs placeholder at /data.
This resulted in a 20 second boot-time regression (vold's timeout period)
when tombstoned was started before vold.
Bug: http://b/34461270
Test: boot is faster, no messages from vold in console spew
Test: tombstoned still started by init
Change-Id: Ib5e9ddb05f40c9da852f00e103861c6ff2d94888
A TOCTOU race can occur between listing threads and attaching them.
Don't abort and leave the process in a stopped state when this happens.
Bug: http://b/34472671
Test: while true; do debuggerd -b `pidof audioserver`; done
Change-Id: Ib1632c3423fddf506b5c7874223c82fada78a85e
bowgotsai