Fix recovery and enable by default

Ensure the boot partition is defined in fstab so "make dist" works
again, and also define sepolicy for recovery to enable the installation
of OTA packages with selinux enforcing. The recovery image build is now
enabled by default so we can catch future breakages more easily.

Bug: 113175337
Change-Id: Ie1a3291280ea641ea33ec8e1c575bfa0d5b4be0c
Signed-off-by: Alistair Strachan <astrachan@google.com>
diff --git a/shared/BoardConfig.mk b/shared/BoardConfig.mk
index 4cb2d75..2ed6ee1 100644
--- a/shared/BoardConfig.mk
+++ b/shared/BoardConfig.mk
@@ -20,6 +20,12 @@
 
 TARGET_BOOTLOADER_BOARD_NAME := cutf
 
+# Boot partition size: 32M
+# This is only used for OTA update packages. The image size on disk
+# will not change (as is it not a filesystem.)
+BOARD_BOOTIMAGE_PARTITION_SIZE := 33554432
+BOARD_RECOVERYIMAGE_PARTITION_SIZE := 33554432
+
 # Build a separate vendor.img partition
 BOARD_USES_VENDORIMAGE := true
 BOARD_VENDORIMAGE_FILE_SYSTEM_TYPE := ext4
@@ -143,9 +149,11 @@
 TARGET_NO_RECOVERY ?= true
 TARGET_RECOVERY_PIXEL_FORMAT := ABGR_8888
 ifeq ($(TARGET_BUILD_SYSTEM_ROOT_IMAGE),true)
-TARGET_RECOVERY_FSTAB := device/google/cuttlefish/shared/config/fstab.dtb
+# Use the initrd version for the dtb build, because we need to have /system
+# defined somewhere, and the dtb fstab doesn't define it (deliberately)
+TARGET_RECOVERY_FSTAB ?= device/google/cuttlefish/shared/config/fstab.initrd
 else
-TARGET_RECOVERY_FSTAB := device/google/cuttlefish/shared/config/fstab.initrd
+TARGET_RECOVERY_FSTAB ?= device/google/cuttlefish/shared/config/fstab.initrd
 endif
 
 # To see full logs from init, disable ratelimiting.
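Review bot: After this change both branches of `ifeq ($(TARGET_BUILD_SYSTEM_ROOT_IMAGE),true)` assign the same value, so the conditional no longer selects anything; collapsing it to a single `TARGET_RECOVERY_FSTAB ?= device/google/cuttlefish/shared/config/fstab.initrd` with the explanatory comment kept above it would make that explicit. Switching `:=` to `?=` also means an earlier assignment or a make command-line/environment value now silently wins, which is fine as a deliberate override hook but deserves a one-line comment saying that is intended. Separately, the context line `TARGET_NO_RECOVERY ?= true` still defaults to no recovery here while the commit message says the build is now enabled by default; presumably that is flipped in a product makefile outside this diff, but worth confirming.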
diff --git a/shared/config/fstab.dtb b/shared/config/fstab.dtb
index a601807..eaf53ee 100644
--- a/shared/config/fstab.dtb
+++ b/shared/config/fstab.dtb
@@ -1,3 +1,4 @@
+boot /boot emmc defaults recoveryonly
 /dev/block/vdb /data ext4 nodev,noatime,nosuid,errors=panic wait,fileencryption=aes-256-xts:aes-256-cts
 /dev/block/vdc /cache ext4 nodev,noatime,nosuid,errors=panic wait
 /dev/block/vde /metadata ext4 nodev,noatime,nosuid,errors=panic wait,formattable
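Review bot: The new `boot` entry's block-device column is the bare name `boot`, while every other line in this file names a real node under `/dev/block/`; if, as the commit message suggests, this entry exists only so the releasetools fstab parser sees a boot partition at `make dist` time, that is workable, but should recovery ever resolve `/boot` through fs_mgr to flash an OTA's boot image it would need a device path. A comment above the line would keep that intent from being lost: `# Placeholder device name: consumed by releasetools only; /boot is never mounted at runtime.` The `emmc` type with `recoveryonly` keeps it out of the normal boot path, which looks right.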
diff --git a/shared/config/fstab.initrd b/shared/config/fstab.initrd
index 08798dd..0b4d750 100644
--- a/shared/config/fstab.initrd
+++ b/shared/config/fstab.initrd
@@ -1,3 +1,4 @@
+boot /boot emmc defaults recoveryonly
 /dev/block/vda /system ext4 noatime,ro,errors=panic wait
 /dev/block/vdb /data ext4 nodev,noatime,nosuid,errors=panic wait,fileencryption=aes-256-xts:aes-256-cts
 /dev/block/vdc /cache ext4 nodev,noatime,nosuid,errors=panic wait
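Review bot: Nothing in this file records that it now also serves as the recovery fstab for `TARGET_BUILD_SYSTEM_ROOT_IMAGE` builds (the BoardConfig change in this commit points both branches here), so a later edit that changes a device assignment on the dtb side could leave recovery out of step without anyone noticing. A header comment would capture that: `# Also used as TARGET_RECOVERY_FSTAB for dtb builds, because recovery needs /system defined.` As on the dtb side, the `boot` entry uses a bare partition name rather than a `/dev/block/` path, so the same caveat about it being a build-time placeholder applies here.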
diff --git a/shared/sepolicy/adbd.te b/shared/sepolicy/adbd.te
index 92cfb18..48c3e0c 100644
--- a/shared/sepolicy/adbd.te
+++ b/shared/sepolicy/adbd.te
@@ -2,3 +2,10 @@
 # TODO(b/130668487): Label the vsock sockets.
 allow adbd unlabeled:{socket vsock_socket} rw_socket_perms_no_ioctl;
 allow adbd kernel:system module_request;
+
+recovery_only(`
+allow adbd tmpfs:dir w_dir_perms;
+allow adbd tmpfs:file create_file_perms;
+# TODO(b/130668487): Label the vsock sockets.
+allow su unlabeled:{ socket vsock_socket } rw_socket_perms_no_ioctl;
+')
diff --git a/shared/sepolicy/recovery.te b/shared/sepolicy/recovery.te
index e4677fe..e55c18b 100644
--- a/shared/sepolicy/recovery.te
+++ b/shared/sepolicy/recovery.te
@@ -1 +1,17 @@
 allow recovery gpu_device:chr_file rw_file_perms;
+
+allow recovery appdomain_tmpfs:file r_file_perms;
+
+allow recovery sysfs_dm:dir r_dir_perms;
+allow recovery sysfs_dm:file r_file_perms;
+
+# TODO: This should really be 'super_block_device', but we can't label
+#       vda both system_block_device and super_block_device..
+allowxperm recovery system_block_device:blk_file ioctl { BLKIOMIN BLKALIGNOFF };
+
+# Copied from update_engine.te:
+# Note: fsetid checks are triggered when creating a file in a directory with
+# the setgid bit set to determine if the file should inherit setgid. In this
+# case, setgid on the file is undesirable so we should just suppress the
+# denial.
+dontaudit recovery self:global_capability_class_set fsetid;
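Review bot: `allow recovery appdomain_tmpfs:file r_file_perms;` is the one rule here with no comment and no obvious justification: `appdomain_tmpfs` labels app processes' tmpfs-backed memory files, and no app domains run in recovery, so this reads like a denial pasted in rather than understood; please record the denial it resolves (e.g. `# Needed for: <denial>`) or drop it. The `allowxperm` on `system_block_device` only takes effect if recovery already holds a plain `allow recovery system_block_device:blk_file ioctl` (presumably inherited from core policy's block-device rules), which is worth stating next to the TODO; the ioctl set itself, BLKIOMIN/BLKALIGNOFF, is read-only and harmless. The sysfs_dm rules would likewise benefit from a one-line note on which recovery step (dm-verity or logical partition setup, I assume) reads them.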