Commit Graph

28578 Commits

Author SHA1 Message Date
Treehugger Robot 93072f2ce3 Merge changes from topic 'early-mount-verity'
* changes:
  adb: early-mount: fix verity toggle through adb for early mount
  early_mount: fs_mgr: move all fstab logic into fs_mgr
2017-02-24 02:13:50 +00:00
Tom Cherry fb13dab611 Merge "Check setegid() return values"
am: 0d24c8f852

Change-Id: I4642339cbd5f03113994a9f2042dca8dc645e209
2017-02-24 00:59:53 +00:00
Elliott Hughes 8d8c3026a8 Merge "Add some basic docs for <android-base/logging.h>"
am: 3b5089371b

Change-Id: I5bc37c1c113f2448954d15ec7f635e7dba56f21c
2017-02-24 00:59:42 +00:00
Treehugger Robot 0d24c8f852 Merge "Check setegid() return values" 2017-02-24 00:55:36 +00:00
Elliott Hughes 3b5089371b Merge "Add some basic docs for <android-base/logging.h>" 2017-02-24 00:55:17 +00:00
Sandeep Patil f134fe07b8 adb: early-mount: fix verity toggle through adb for early mount
verity toggle through adb failed to work for early mount due to fstab
entries being moved into kernel/dt. This change fixes that by using the
new fs_mgr_read_fstab_default() api that will make sure all fstab
entries (from dt as well as from /fstab.{ro.hardware}) are combined
before returning the fstab object.

b/27805372

Test: early mount /system and /vendor on angler.
- test adb disable-verity && adb root to ensure rebooted instance
doesn't have 'partition.system.verified' property set. i.e. verity is
indeed disabled.

- test adb enable-verity && adb root to ensure rebooted instance does
have 'partition.system.verified' property set, i.e. verity is enabled.
also verified by trying to do 'adb remount' which correctly warns about
verity

Change-Id: Iffdcc0a0b959a65c326219bd4e9e41cba9ec7c88
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-02-23 16:48:52 -08:00
Sandeep Patil c20c0c2cdd early_mount: fs_mgr: move all fstab logic into fs_mgr
With init parsing fstab fragments from kernel separately, the fs_mgr
would completely miss the device tree entries. That leads to things like
'adb remount' to go through without warning for verity even if /system
is verified. This happens because 'verity_update_state' completely
misses the partitions passed to android through the device tree.

solution is to teach fs_mgr about device tree fstab entries and add 2
new public APIs.

1. fs_mgr_read_fstab_dt() - reads device tree and returns fstab
generated from it.

2. fs_mgr_read_fstab_default() - reads both device tree fstab and
/fstab.{ro.hardware} and returns the combined table.

This also reduces the hardcoded /fstab.{ro.hardware} occurrence only to
fs_mgr and for everyone who wants to read the "default" fstab must be
changed to call fs_mgr_read_fstab_default() instead. e.g. adb.

b/27805372

Test: Angler was used since it has 2 early mounted partitions instead of
one. 1 verified and 1 unverified.
- Boot angler successfully without early mount
- Boot angler successfully with /vendor early mount and test if 'adb
remount' warns us about verity
- Boot angler successfully with both /system and /vendor early mounted
and ensure 'adb remount' warns us about verity.
- check partitions.system.verified status after /system early mount to
ensure it is set to VERITY_MODE_DEFAULT.
- 'adb disable-verity' with early mounted /system doesn't work due to
missing changes in adb

TODO:
change adb to use the new fs_mgr_read_fstab_default() API

Change-Id: I82038d87c7a44488e938acce2cc1082c08f6f73a
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-02-23 16:48:43 -08:00
Tom Cherry 36ba2fbef7 Merge "Make Condition use CLOCK_MONOTONIC"
am: 7f932afefc

Change-Id: I755d45661ad5575db6dbd3e86f2860e718a6ff0c
2017-02-23 22:05:38 +00:00
Treehugger Robot 7f932afefc Merge "Make Condition use CLOCK_MONOTONIC" 2017-02-23 22:00:27 +00:00
Tom Cherry 0506b18a36 Check setegid() return values
The clang static analyzer is complaining that we are not checking the
setegid() return value, so let's add these checks.  We should never
fail to return to AID_ROOT, so fail hard in this case.

Bug: 26962034
Test: Boot bullhead
Test: export WITH_STATIC_ANALYZER=1 and run 'mm' in the project directory
Change-Id: I62e95b045c5734305c71502871b6cf17f152edbc
2017-02-23 13:50:21 -08:00
Josh Gao 3d4d973e82 Revert "adb: remove win32 dependency on libwinpthread-1.dll."
This reverts commit c2e984eec8.

Move the change to build/make, so that other win32 binaries get this as
well.
2017-02-23 13:16:52 -08:00
Tom Cherry 1fb04ff4e5 Make Condition use CLOCK_MONOTONIC
Changes to the REALTIME clock can cause Condition::waitRelative() to
timeout early or delayed.  This behavior is undesired and new since
https://android-review.googlesource.com/#/c/181058/ moved the
underlying pthread_cond_timedwait() implementation to use absolute
timeouts rather than relative ones.  Having Condition use
CLOCK_MONOTONIC prevents these timeout issues.

Bug: 34592766
Bug: 35678943
Test: Boot bullhead
Test: Ensure time changes do not cause Condition::waitRelative() to
timeout early or delayed

Change-Id: I3a8d7a48f9b42fe990c3c7331313b6d85aa546f9
2017-02-23 10:58:05 -08:00
Sandeep Patil e0d7b830f0 Merge changes from topic 'early-mount-support'
am: 4bd3facbb1

Change-Id: I5552daa47fd96119b704c41913979e782155cbb2
2017-02-23 07:19:42 +00:00
Treehugger Robot 4bd3facbb1 Merge changes from topic 'early-mount-support'
* changes:
  fs_mgr: add a generic fs_mgr_get_boot_config internal API
  init: early_mount: create device node for verity metadata partition
  init: early_mount: disallow partitions to be verified at boot
  init: early_mount: add support to mount verity enabled partitions early
  fs_mgr: make fs_mgr_setup_verity public API
  fs_mgr: fix the fs_mgr_setup_verity param name
  init: refactor to allow successive device_init calls
  fs_mgr: add fs_mgr_do_mount_one() API
2017-02-23 07:16:18 +00:00
Josh Gao 98ee7349f0 Merge "adb: add `adb host-features`, report libusb status."
am: 311de0ac28

Change-Id: I2b4f99aa5babb601a88209f7c6b2157b6496c58f
2017-02-23 04:36:55 +00:00
Treehugger Robot 311de0ac28 Merge "adb: add `adb host-features`, report libusb status." 2017-02-23 04:29:47 +00:00
Josh Gao 5d1756ceb5 adb: add `adb host-features`, report libusb status.
Add a 'host-features' command to get the features of the currently
running host adb server. Abuse it to report libusb status.

Bug: http://b/34983123
Test: adb host-features; adb kill-server; ADB_LIBUSB=1 adb start-server; adb host-features
Change-Id: I0e8d503a2dbdff9002ebb6ce8a298498a9421422
2017-02-22 18:19:21 -08:00
Elliott Hughes 811971d949 Merge "Address property service DoS."
am: 8d302763ab

Change-Id: I61da77b9d380ecc4a552aab1138de0c838dfb401
2017-02-23 02:17:16 +00:00
Treehugger Robot 8d302763ab Merge "Address property service DoS." 2017-02-23 02:14:00 +00:00
Elliott Hughes 9f4c8f753b Add some basic docs for <android-base/logging.h>
Bug: http://b/35360600
Test: N/A
Change-Id: I3de6bbe4afc7ca6adbfb0c9b01a5a3d4c2c35cfc
2017-02-22 18:02:46 -08:00
Mark Salyzyn b7987ce8c4 Merge "logd: add getEventTag id= command"
am: 3e3aaca4c3

Change-Id: I57671afa8b9a8219fef9f5f690260ecae682d9ca
2017-02-22 23:12:42 +00:00
Mark Salyzyn 7cb2658b26 Merge "liblog: logprint followup"
am: 60c77ed265

Change-Id: I89e5d0b5b52bcd1e9b17e07fd17f14479c25791b
2017-02-22 23:12:30 +00:00
Mark Salyzyn e3d0c968ac liblogcat: add simple stdout redirection
Provide minimal redirection functionality, adding stdout redirection
to the existing stderr redirection parsing.

- stderr and stdout redirection do _not_ support append, will treat
  like write only.
- stderr redirection does _not_ support filename. Only 2>&1 to
  join stderr and stdout and 2>/dev/null to drop content on floor.
- stdout redirection supports filename only.
- stderr 2>&1 redirection must be last for shell compatibility.
- preserve 2>&1 through file rotation (bugfix)

Test: logcat-benchmarks --benchmark_filter='BM_logcat_popen*|BM_logcat_system*'
Bug: 35326290
Change-Id: Id36b59358167f21381bd1dbf0bd7a7e10e2a2ed9
2017-02-22 15:10:56 -08:00
Mark Salyzyn 3e3aaca4c3 Merge "logd: add getEventTag id= command" 2017-02-22 23:09:20 +00:00
Mark Salyzyn 60c77ed265 Merge "liblog: logprint followup" 2017-02-22 23:08:02 +00:00
Elliott Hughes b005d90816 Address property service DoS.
Bug: http://b/35166374
Test: ran new test
Change-Id: I94cf5750f0d2dc87f4a118b2c63b16255ef30fd2
2017-02-22 14:54:15 -08:00
Mark Salyzyn 407537f798 logd: add getEventTag id= command
This is the precursor for "Plan B" recovery when access to
/dev/event-log-tags is blocked to untrusted zones.  Also
deals with mitigating issues with long-lived mappings that
do not update /dev/event-log-tags when dynamically changed.

Test: gTest logd-unit-test --gtest_filter=logd.getEventTag_42
Bug: 31456426
Bug: 35326290
Change-Id: I3db2e73763603727a369da3952c5ab4cf709f901
2017-02-22 14:16:31 -08:00
Mark Salyzyn 8dcd94b2cd liblog: logprint followup
Add comment and braces to add maintenance clarity.

Test: gTest logcat-unit-tests
Bug: 35326290
Change-Id: Ie25b42faba19ae3cf52d4c6cefc4fc539ec23e79
2017-02-22 14:16:31 -08:00
Greg Hackmann dc80973726 libadf: convert to C++
Both humans and the clang static analyzer find libadf's error handling
confusing.

Now that the platform has better C++ support, we can clean things up
by switching to C++ and using STL + RAII in targeted parts of the code.
This isn't a complete rewrite in idiomatic C++, but it's enough to get
rid of all the "goto" statements (and the false-positive memory leaks
found by clang's static analyzer).

Bug: 27125399

Test: WITH_STATIC_ANALYZER=1 mmm system/core/adf/libadf
Test: /data/nativetest/adf-unit-tests/adf-unit-tests (on Nexus 9)
Test: /data/nativetest64/adf-unit-tests/adf-unit-tests (on Nexus 9)
Change-Id: Ie9dd5d5dc424d1a3ddcc3cba836fce04190f46fd
Signed-off-by: Greg Hackmann <ghackmann@google.com>
2017-02-22 21:18:48 +00:00
Sandeep Patil 9de748f745 fs_mgr: add a generic fs_mgr_get_boot_config internal API
depending on when fs_mgr is trying to read the configuration passed into
the kernel commandline, it may be able to read it successfully.
Especially in the case when init has not initialized properties.

This change adds a new fs_mgr_get_boot_config() API to be used by all
fs_mgr code in order to get filesystem parameters specified in kernel
command line or device tree. This way the fs_mgr code doesn't have to
handle the "early" cases separately anywhere.

Test:
Tested angler boot with both /system and /vendor mounted in init
first stage.
Tested sailfish to make sure /vendor can be continued to be
mounted early without verity

Change-Id: I9a44cdfc32681f714c5d73ae55c3deda95c02545
2017-02-22 12:58:15 -08:00
Sandeep Patil e9da79bd44 init: early_mount: create device node for verity metadata partition
Most devices pass the veritymode through 'androidboot.veritymode' kernel
cmdline partition. However, for those who don't, the verity state is
read from a different block device whose path is passed to "verify="
fs_mgr option in fstab.

This change adds support for such a case if the partition that needs to
be mounted early requires this additional block device to load the
verity state from.

Note that, there can only be 1 partition to get the verity state
regardless of the number of partitions we enable verity for.

Bug: 27805372

Test: Test angler by removing the metadata argument in fstab when it
boots fine. Tested by adding the argument when it fails to boot as
veritymode gets set to EIO during early mount due to lack of access to
properties as expected.

TODO: fs_mgr must pull the veritymode from kernel cmdline or device tree
by itself

Change-Id: I9e62b8c1bf2c0ae0365677df697a0cbe9e5810c1
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-02-22 11:30:35 -08:00
Sandeep Patil 05ff38ba43 init: early_mount: disallow partitions to be verified at boot
While technically possible, the verification at boot basically will
block init for as long as the entire partition is read while nothing
else is running. Disallow that as this is not going to be used anywhere.

Bug: 27805372
Test: boot angler with verifyatboot fs_mgr option for early mounted
vendor partition. That resulted in a panic() as expected.

Change-Id: I9da5caa163cae8bce6dbfb630f0ed5605ea044a0
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-02-22 11:22:53 -08:00
Sandeep Patil 0a3e36fbb1 init: early_mount: add support to mount verity enabled partitions early
support mounting partitions early regardless of their "verified" status.
uses the newly exported fs_mgr APIs to split verity setup and mount
operations.

b/27805372

Test:
 Angler:
 - Early mount /vendor without dm-verity
 Sailfish:
 - Early mount /vendor without dm-verity
 - Early mount /vendor with dm-verity

TODO:
 add support for metadata partition used in angler
to load dm-verity data

Change-Id: Ie2768d4d895c19d045293c573773ee7bb03fff99
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-02-22 11:22:53 -08:00
Sandeep Patil 4129f20aaf fs_mgr: make fs_mgr_setup_verity public API
Consequently this removes the 'early' version of the exact same API.
This is to be used by early mount code where we need to do
1. setup verity
2. create verity device
3. mount partition
as separate steps since that happens during init first stage.

b/27805372

Test: Boot sailfish successfully

Change-Id: I01abecfdfa210d3e240a291ddcb3d2e9ed39ede6
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-02-22 11:22:53 -08:00
Sandeep Patil d2462570b8 fs_mgr: fix the fs_mgr_setup_verity param name
The 'verify_dev' parameter for fs_mgr_setup_verity is confusing, since
it doesn't necessarily control the "verification" part of the function.
Instead, it merely allows the caller to skip the
wait_for_dm_verity_device part of the function. So, rename that
parameter for what it is.

b/27805372

Test: Boot sailfish

Change-Id: I024e02fd728f5cd5bb333d9c3b512861731fa215
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-02-22 11:22:53 -08:00
Sandeep Patil 971a460c5b init: refactor to allow successive device_init calls
device_init opens the uevent socket and sehandle when called.
For early_mount however, depending on the fs_mgr flags we may call this
in order to run coldboot for device mapper, dm-verity devices etc.
So the change makes sure we don't try to re-open the uevent socket,
file context handle and selinux status on successive calls to
device_init from within the same process.

b/27805372

Test: Boot sailfish successfully

Change-Id: Ifa0e665403211684183efb9be66e4e8d0d86a206
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-02-22 11:22:49 -08:00
Greg Hackmann 52ae36ed57 libadf: adf_test: fix crash on adf.devices failure
If devs is uninitialized and adf_devices() fails, we'll end up passing
the uninitialized pointer to free().

Test: /data/nativetest64/adf-unit-tests/adf-unit-tests (on Nexus 9 w/o root)
Change-Id: Ifc6038c1da14d32ee564675bac54fc7df2623c1d
Signed-off-by: Greg Hackmann <ghackmann@google.com>
2017-02-22 11:07:15 -08:00
Greg Hackmann a930af8921 libcutils: build tests with -Wall -Wextra -Werror
Test: mmm system/core/libcutils/tests

Change-Id: Iede18a008df5834b8ecedd6019c4444150748f68
Signed-off-by: Greg Hackmann <ghackmann@google.com>
2017-02-22 10:58:38 -08:00
Greg Hackmann 7c60ec3029 libcutils: fix socket type in SocketsTest.TestGetLocalPort
With -Wall enabled locally, clang points out that the second parameter
to socket_inaddr_any_server() was accidentally hard-coded:

system/core/libcutils/tests/sockets_test.cpp:103:18: warning: unused variable 'type' [-Wunused-variable]
        for (int type : {SOCK_DGRAM, SOCK_STREAM}) {
                 ^

Bug: 26936282
Test: mmm system/core/libcutils/tests
Test: adb shell /data/nativetest/libcutils_test/libcutils_test32 \
	--gtest_filter=SocketsTest.TestGetLocalPort (on hikey)
Test: adb shell /data/nativetest64/libcutils_test/libcutils_test64 \
        --gtest_filter=SocketsTest.TestGetLocalPort (on hikey)

Change-Id: Ib0fa24fb02a5ee14db0afd6591a62089e43bbec0
Signed-off-by: Greg Hackmann <ghackmann@google.com>
2017-02-22 10:58:38 -08:00
Greg Hackmann 6d90fdc5e5 libcutils: fix Wsign-compare warnings in multiuser_test
gid_t and uid_t are unsigned ints, so we need to compare against unsigned
constants.

Bug: 26936282
Test: mmm system/core/libcutils/tests
Test: adb shell /data/nativetest/libcutils_test/libcutils_test32 \
	--gtest_filter=MultiuserTest.* (on hikey)
Test: adb shell /data/nativetest64/libcutils_test/libcutils_test64 \
	--gtest_filter=MultiuserTest.* (on hikey)

Change-Id: Ic4c8a137e3f37cb5e95ba925814f201cfd5a06b0
Signed-off-by: Greg Hackmann <ghackmann@google.com>
2017-02-22 10:58:34 -08:00
Josh Gao ef260561f3 Merge "adb: remove win32 dependency on libwinpthread-1.dll."
am: 1d73abb443

Change-Id: Ia3a2c84844eb6a2446a2722fe80248fed0e8a996
2017-02-22 02:10:51 +00:00
Treehugger Robot 1d73abb443 Merge "adb: remove win32 dependency on libwinpthread-1.dll." 2017-02-22 02:06:40 +00:00
Elliott Hughes 6bbdfa3260 Merge "Add timeout support to android::base::WaitForProperty."
am: ff692a5ace

Change-Id: Icbcce8c39374116164d191883b618155059d1102
2017-02-22 01:48:00 +00:00
Treehugger Robot ff692a5ace Merge "Add timeout support to android::base::WaitForProperty." 2017-02-22 01:43:31 +00:00
Mark Salyzyn f2b62408b2 Merge "liblogcat: redirect logcat output correctly for -Q"
am: 151fec4032

Change-Id: I462f7bfbee1ec06575768f4271394b41707aefce
2017-02-22 01:27:48 +00:00
Treehugger Robot 151fec4032 Merge "liblogcat: redirect logcat output correctly for -Q" 2017-02-22 01:23:40 +00:00
Mark Salyzyn f9dbdbc5f5 liblogcat: redirect logcat output correctly for -Q
The -Q option is used in emulator and it fails to redirect the
output of logcat to the desired file.

This CL fixes that problem.

There is no gTest because of /proc/cmdline sniffing for this option.
manually tested on /dev/qemu_pipe inside emulator

Test: manual
Bug: 35326290
Change-Id: I282da685e90450aadb2a989a0517dc3b1bb6634d
2017-02-22 01:21:02 +00:00
Bin Chen 9fc353f608 Merge "init: minor fix to READEME.md"
am: a20c678d45

Change-Id: I2b949b6e96754afc313795f23d35ea1f828d6e8a
2017-02-22 00:28:10 +00:00
Treehugger Robot a20c678d45 Merge "init: minor fix to READEME.md" 2017-02-22 00:22:28 +00:00
Josh Gao c2e984eec8 adb: remove win32 dependency on libwinpthread-1.dll.
Explicitly link against the static libwinpthread.a to avoid a
dependency on the dll.

Also, make the tests link against libbase statically.

Bug: http://b/31665213
Test: wine adb.exe
Test: wine adb_test.exe
Change-Id: Ifd41afcb1756a4b9b6db12e102b4db502e73d846
2017-02-21 15:30:11 -08:00