Merge "fs_mgr_overlayfs: Cleanup -user build stubs"
diff --git a/bootstat/boot_reason_test.sh b/bootstat/boot_reason_test.sh
index 299b5d4..845b303 100755
--- a/bootstat/boot_reason_test.sh
+++ b/bootstat/boot_reason_test.sh
@@ -367,8 +367,6 @@
adb logcat -b all ${timestamp} |
grep bootstat[^e] |
grep -v -F "bootstat: Service started: /system/bin/bootstat --record_boot_complete${match}
-bootstat: Failed to read /data/misc/bootstat/post_decrypt_time_elapsed: No such file or directory
-bootstat: Failed to parse boot time record: /data/misc/bootstat/post_decrypt_time_elapsed
bootstat: Service started: /system/bin/bootstat --record_boot_reason
bootstat: Service started: /system/bin/bootstat --set_system_boot_reason
bootstat: Service started: /system/bin/bootstat --record_time_since_factory_reset
@@ -388,7 +386,6 @@
init : processing action (sys.boot_completed=1 && sys.bootstat.first_boot_completed=0) from (/system/etc/init/bootstat.rc
(/system/bin/bootstat --record_boot_complete --record_boot_reason --record_time_since_factory_reset -l)'
(/system/bin/bootstat --set_system_boot_reason --record_boot_complete --record_boot_reason --record_time_since_factory_reset -l)'
- (/system/bin/bootstat -r post_decrypt_time_elapsed)'
init : Command 'exec - system log -- /system/bin/bootstat --record_boot_complete' action=sys.boot_completed=1 && sys.bootstat.first_boot_completed=0 (/system/etc/init/bootstat.rc:
init : Command 'exec - system log -- /system/bin/bootstat --record_boot_reason' action=sys.boot_completed=1 && sys.bootstat.first_boot_completed=0 (/system/etc/init/bootstat.rc:
init : Command 'exec - system log -- /system/bin/bootstat --record_time_since_factory_reset' action=sys.boot_completed=1 && sys.bootstat.first_boot_completed=0 (/system/etc/init/bootstat.rc:
diff --git a/bootstat/bootstat.cpp b/bootstat/bootstat.cpp
index 589b99a..844357c 100644
--- a/bootstat/bootstat.cpp
+++ b/bootstat/bootstat.cpp
@@ -67,15 +67,9 @@
{"boot_complete",
{android::util::BOOT_TIME_EVENT_ELAPSED_TIME_REPORTED,
android::util::BOOT_TIME_EVENT_ELAPSED_TIME__EVENT__BOOT_COMPLETE}},
- {"boot_decryption_complete",
- {android::util::BOOT_TIME_EVENT_ELAPSED_TIME_REPORTED,
- android::util::BOOT_TIME_EVENT_ELAPSED_TIME__EVENT__BOOT_COMPLETE_ENCRYPTION}},
{"boot_complete_no_encryption",
{android::util::BOOT_TIME_EVENT_ELAPSED_TIME_REPORTED,
android::util::BOOT_TIME_EVENT_ELAPSED_TIME__EVENT__BOOT_COMPLETE_NO_ENCRYPTION}},
- {"boot_complete_post_decrypt",
- {android::util::BOOT_TIME_EVENT_ELAPSED_TIME_REPORTED,
- android::util::BOOT_TIME_EVENT_ELAPSED_TIME__EVENT__BOOT_COMPLETE_POST_DECRYPT}},
{"factory_reset_boot_complete",
{android::util::BOOT_TIME_EVENT_ELAPSED_TIME_REPORTED,
android::util::BOOT_TIME_EVENT_ELAPSED_TIME__EVENT__FACTORY_RESET_BOOT_COMPLETE}},
@@ -83,22 +77,12 @@
{android::util::BOOT_TIME_EVENT_ELAPSED_TIME_REPORTED,
android::util::
BOOT_TIME_EVENT_ELAPSED_TIME__EVENT__FACTORY_RESET_BOOT_COMPLETE_NO_ENCRYPTION}},
- {"factory_reset_boot_complete_post_decrypt",
- {android::util::BOOT_TIME_EVENT_ELAPSED_TIME_REPORTED,
- android::util::
- BOOT_TIME_EVENT_ELAPSED_TIME__EVENT__FACTORY_RESET_BOOT_COMPLETE_POST_DECRYPT}},
{"ota_boot_complete",
{android::util::BOOT_TIME_EVENT_ELAPSED_TIME_REPORTED,
android::util::BOOT_TIME_EVENT_ELAPSED_TIME__EVENT__OTA_BOOT_COMPLETE}},
{"ota_boot_complete_no_encryption",
{android::util::BOOT_TIME_EVENT_ELAPSED_TIME_REPORTED,
android::util::BOOT_TIME_EVENT_ELAPSED_TIME__EVENT__OTA_BOOT_COMPLETE_NO_ENCRYPTION}},
- {"ota_boot_complete_post_decrypt",
- {android::util::BOOT_TIME_EVENT_ELAPSED_TIME_REPORTED,
- android::util::BOOT_TIME_EVENT_ELAPSED_TIME__EVENT__OTA_BOOT_COMPLETE_POST_DECRYPT}},
- {"post_decrypt_time_elapsed",
- {android::util::BOOT_TIME_EVENT_ELAPSED_TIME_REPORTED,
- android::util::BOOT_TIME_EVENT_ELAPSED_TIME__EVENT__POST_DECRYPT}},
// DURATION
{"absolute_boot_time",
{android::util::BOOT_TIME_EVENT_DURATION_REPORTED,
@@ -1313,8 +1297,7 @@
return android::base::boot_clock::now().time_since_epoch() - GetBootTimeOffset();
}
-// Records several metrics related to the time it takes to boot the device,
-// including disambiguating boot time on encrypted or non-encrypted devices.
+// Records several metrics related to the time it takes to boot the device.
void RecordBootComplete() {
BootEventRecordStore boot_event_store;
BootEventRecordStore::BootEventRecord record;
@@ -1341,25 +1324,15 @@
return;
}
- // post_decrypt_time_elapsed is only logged on encrypted devices.
- if (boot_event_store.GetBootEvent("post_decrypt_time_elapsed", &record)) {
- // Log the amount of time elapsed until the device is decrypted, which
- // includes the variable amount of time the user takes to enter the
- // decryption password.
- boot_event_store.AddBootEventWithValue("boot_decryption_complete", uptime_s.count());
+ // The *_no_encryption events are emitted unconditionally, since they are left
+ // over from a time when encryption meant "full-disk encryption". But Android
+ // now always uses file-based encryption instead of full-disk encryption. At
+ // some point, these misleading and redundant events should be removed.
+ boot_event_store.AddBootEventWithValue(boot_complete_prefix + "_no_encryption",
+ uptime_s.count());
- // Subtract the decryption time to normalize the boot cycle timing.
- std::chrono::seconds boot_complete = std::chrono::seconds(uptime_s.count() - record.second);
- boot_event_store.AddBootEventWithValue(boot_complete_prefix + "_post_decrypt",
- boot_complete.count());
- } else {
- boot_event_store.AddBootEventWithValue(boot_complete_prefix + "_no_encryption",
- uptime_s.count());
- }
-
- // Record the total time from device startup to boot complete, regardless of
- // encryption state.
- // Note: we are recording seconds here even though the field in statsd atom specifies
+ // Record the total time from device startup to boot complete. Note: we are
+ // recording seconds here even though the field in statsd atom specifies
// milliseconds.
boot_event_store.AddBootEventWithValue(boot_complete_prefix, uptime_s.count());
diff --git a/bootstat/bootstat.rc b/bootstat/bootstat.rc
index a350fe7..23f01d1 100644
--- a/bootstat/bootstat.rc
+++ b/bootstat/bootstat.rc
@@ -33,7 +33,6 @@
chown system log /data/misc/bootstat/last_boot_time_utc
chown system log /data/misc/bootstat/ota_boot_complete
chown system log /data/misc/bootstat/ota_boot_complete_no_encryption
- chown system log /data/misc/bootstat/post_decrypt_time_elapsed
chown system log /data/misc/bootstat/ro.boottime.init
chown system log /data/misc/bootstat/ro.boottime.init.cold_boot_wait
chown system log /data/misc/bootstat/ro.boottime.init.selinux
diff --git a/debuggerd/handler/debuggerd_handler.cpp b/debuggerd/handler/debuggerd_handler.cpp
index 55770f1..c64de0e 100644
--- a/debuggerd/handler/debuggerd_handler.cpp
+++ b/debuggerd/handler/debuggerd_handler.cpp
@@ -103,9 +103,15 @@
static bool is_permissive_mte() {
// Environment variable for testing or local use from shell.
char* permissive_env = getenv("MTE_PERMISSIVE");
+ char process_sysprop_name[512];
+ async_safe_format_buffer(process_sysprop_name, sizeof(process_sysprop_name),
+ "persist.device_config.memory_safety_native.permissive.process.%s",
+ getprogname());
// DO NOT REPLACE this with GetBoolProperty. That uses std::string which allocates, so it is
// not async-safe (and this functiong gets used in a signal handler).
return property_parse_bool("persist.sys.mte.permissive") ||
+ property_parse_bool("persist.device_config.memory_safety_native.permissive.default") ||
+ property_parse_bool(process_sysprop_name) ||
(permissive_env && ParseBool(permissive_env) == ParseBoolResult::kTrue);
}
diff --git a/fastboot/device/commands.cpp b/fastboot/device/commands.cpp
index 823783e..3799d1f 100644
--- a/fastboot/device/commands.cpp
+++ b/fastboot/device/commands.cpp
@@ -40,6 +40,8 @@
#include <storage_literals/storage_literals.h>
#include <uuid/uuid.h>
+#include <bootloader_message/bootloader_message.h>
+
#include "BootControlClient.h"
#include "constants.h"
#include "fastboot_device.h"
@@ -154,6 +156,14 @@
return true;
}
+static void PostWipeData() {
+ std::string err;
+ // Reset mte state of device.
+ if (!WriteMiscMemtagMessage({}, &err)) {
+ LOG(ERROR) << "Failed to reset MTE state: " << err;
+ }
+}
+
const std::unordered_map<std::string, std::function<bool(FastbootDevice*)>> kSpecialVars = {
{"all", GetVarAll},
{"dmesg", GetDmesg},
@@ -232,6 +242,7 @@
//Perform oem PostWipeData if Android userdata partition has been erased
bool support_oem_postwipedata = false;
if (partition_name == "userdata") {
+ PostWipeData();
support_oem_postwipedata = OemPostWipeData(device);
}
@@ -610,6 +621,10 @@
if (ret < 0) {
return device->WriteStatus(FastbootResult::FAIL, strerror(-ret));
}
+ if (partition_name == "userdata") {
+ PostWipeData();
+ }
+
return device->WriteStatus(FastbootResult::OKAY, "Flashing succeeded");
}
diff --git a/fs_mgr/libsnapshot/snapuserd/snapuserd.rc b/fs_mgr/libsnapshot/snapuserd/snapuserd.rc
index 2750096..522fe08 100644
--- a/fs_mgr/libsnapshot/snapuserd/snapuserd.rc
+++ b/fs_mgr/libsnapshot/snapuserd/snapuserd.rc
@@ -4,6 +4,7 @@
disabled
user root
group root system
+ task_profiles OtaProfiles
seclabel u:r:snapuserd:s0
service snapuserd_proxy /system/bin/snapuserd -socket-handoff
diff --git a/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_dm_user.cpp b/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_dm_user.cpp
index 1e300d2..0d0f711 100644
--- a/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_dm_user.cpp
+++ b/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_dm_user.cpp
@@ -253,6 +253,11 @@
bool Worker::RunThread() {
SNAP_LOG(INFO) << "Processing snapshot I/O requests....";
+
+ if (setpriority(PRIO_PROCESS, gettid(), kNiceValueForMergeThreads)) {
+ SNAP_PLOG(ERROR) << "Failed to set priority for TID: " << gettid();
+ }
+
// Start serving IO
while (true) {
if (!ProcessIORequest()) {
diff --git a/gatekeeperd/Android.bp b/gatekeeperd/Android.bp
index 0aedc58..838f734 100644
--- a/gatekeeperd/Android.bp
+++ b/gatekeeperd/Android.bp
@@ -43,6 +43,8 @@
"libutils",
"libcrypto",
"libhidlbase",
+ "lib_android_keymaster_keymint_utils",
+ "android.hardware.gatekeeper-V1-ndk",
"android.hardware.gatekeeper@1.0",
"libgatekeeper_aidl",
"android.security.authorization-ndk",
diff --git a/gatekeeperd/gatekeeperd.cpp b/gatekeeperd/gatekeeperd.cpp
index 8792c83..76fcd55 100644
--- a/gatekeeperd/gatekeeperd.cpp
+++ b/gatekeeperd/gatekeeperd.cpp
@@ -25,6 +25,7 @@
#include <unistd.h>
#include <memory>
+#include <KeyMintUtils.h>
#include <android-base/logging.h>
#include <android-base/properties.h>
#include <android/binder_ibinder.h>
@@ -38,6 +39,7 @@
#include <log/log.h>
#include <utils/String16.h>
+#include <aidl/android/hardware/gatekeeper/IGatekeeper.h>
#include <aidl/android/hardware/security/keymint/HardwareAuthToken.h>
#include <aidl/android/security/authorization/IKeystoreAuthorization.h>
#include <android/hardware/gatekeeper/1.0/IGatekeeper.h>
@@ -49,27 +51,35 @@
using android::hardware::gatekeeper::V1_0::GatekeeperStatusCode;
using android::hardware::gatekeeper::V1_0::IGatekeeper;
+using AidlGatekeeperEnrollResp = aidl::android::hardware::gatekeeper::GatekeeperEnrollResponse;
+using AidlGatekeeperVerifyResp = aidl::android::hardware::gatekeeper::GatekeeperVerifyResponse;
+using AidlIGatekeeper = aidl::android::hardware::gatekeeper::IGatekeeper;
+
using ::android::binder::Status;
using ::android::service::gatekeeper::BnGateKeeperService;
using GKResponse = ::android::service::gatekeeper::GateKeeperResponse;
using GKResponseCode = ::android::service::gatekeeper::ResponseCode;
using ::aidl::android::hardware::security::keymint::HardwareAuthenticatorType;
using ::aidl::android::hardware::security::keymint::HardwareAuthToken;
+using ::aidl::android::hardware::security::keymint::km_utils::authToken2AidlVec;
using ::aidl::android::security::authorization::IKeystoreAuthorization;
namespace android {
static const String16 KEYGUARD_PERMISSION("android.permission.ACCESS_KEYGUARD_SECURE_STORAGE");
static const String16 DUMP_PERMISSION("android.permission.DUMP");
+constexpr const char gatekeeperServiceName[] = "android.hardware.gatekeeper.IGatekeeper/default";
class GateKeeperProxy : public BnGateKeeperService {
public:
GateKeeperProxy() {
clear_state_if_needed_done = false;
hw_device = IGatekeeper::getService();
+ ::ndk::SpAIBinder ks2Binder(AServiceManager_getService(gatekeeperServiceName));
+ aidl_hw_device = AidlIGatekeeper::fromBinder(ks2Binder);
is_running_gsi = android::base::GetBoolProperty(android::gsi::kGsiBootedProp, false);
- if (!hw_device) {
+ if (!aidl_hw_device && !hw_device) {
LOG(ERROR) << "Could not find Gatekeeper device, which makes me very sad.";
}
}
@@ -95,7 +105,9 @@
if (mark_cold_boot() && !is_running_gsi) {
ALOGI("cold boot: clearing state");
- if (hw_device) {
+ if (aidl_hw_device) {
+ aidl_hw_device->deleteAllUsers();
+ } else if (hw_device) {
hw_device->deleteAllUsers([](const GatekeeperResponse&) {});
}
}
@@ -150,7 +162,7 @@
uint32_t adjust_userId(uint32_t userId) {
static constexpr uint32_t kGsiOffset = 1000000;
CHECK(userId < kGsiOffset);
- CHECK(hw_device != nullptr);
+ CHECK((aidl_hw_device != nullptr) || (hw_device != nullptr));
if (is_running_gsi) {
return userId + kGsiOffset;
}
@@ -176,7 +188,7 @@
// need a desired password to enroll
if (desiredPassword.size() == 0) return GK_ERROR;
- if (!hw_device) {
+ if (!aidl_hw_device && !hw_device) {
LOG(ERROR) << "has no HAL to talk to";
return GK_ERROR;
}
@@ -185,9 +197,13 @@
android::hardware::hidl_vec<uint8_t> curPwd;
if (currentPasswordHandle && currentPassword) {
- if (currentPasswordHandle->size() != sizeof(gatekeeper::password_handle_t)) {
- LOG(INFO) << "Password handle has wrong length";
- return GK_ERROR;
+ if (hw_device) {
+ // Hidl Implementations expects passwordHandle to be in
+ // gatekeeper::password_handle_t format.
+ if (currentPasswordHandle->size() != sizeof(gatekeeper::password_handle_t)) {
+ LOG(INFO) << "Password handle has wrong length";
+ return GK_ERROR;
+ }
}
curPwdHandle.setToExternal(const_cast<uint8_t*>(currentPasswordHandle->data()),
currentPasswordHandle->size());
@@ -199,7 +215,27 @@
newPwd.setToExternal(const_cast<uint8_t*>(desiredPassword.data()), desiredPassword.size());
uint32_t hw_userId = adjust_userId(userId);
- Return<void> hwRes = hw_device->enroll(
+ uint64_t secureUserId = 0;
+ if (aidl_hw_device) {
+ // AIDL gatekeeper service
+ AidlGatekeeperEnrollResp rsp;
+ auto result = aidl_hw_device->enroll(hw_userId, curPwdHandle, curPwd, newPwd, &rsp);
+ if (!result.isOk()) {
+ LOG(ERROR) << "enroll transaction failed";
+ return GK_ERROR;
+ }
+ if (rsp.statusCode >= AidlIGatekeeper::STATUS_OK) {
+ *gkResponse = GKResponse::ok({rsp.data.begin(), rsp.data.end()});
+ secureUserId = static_cast<uint64_t>(rsp.secureUserId);
+ } else if (rsp.statusCode == AidlIGatekeeper::ERROR_RETRY_TIMEOUT &&
+ rsp.timeoutMs > 0) {
+ *gkResponse = GKResponse::retry(rsp.timeoutMs);
+ } else {
+ *gkResponse = GKResponse::error();
+ }
+ } else if (hw_device) {
+ // HIDL gatekeeper service
+ Return<void> hwRes = hw_device->enroll(
hw_userId, curPwdHandle, curPwd, newPwd,
[&gkResponse](const GatekeeperResponse& rsp) {
if (rsp.code >= GatekeeperStatusCode::STATUS_OK) {
@@ -211,22 +247,26 @@
*gkResponse = GKResponse::error();
}
});
- if (!hwRes.isOk()) {
- LOG(ERROR) << "enroll transaction failed";
- return GK_ERROR;
+ if (!hwRes.isOk()) {
+ LOG(ERROR) << "enroll transaction failed";
+ return GK_ERROR;
+ }
+ if (gkResponse->response_code() == GKResponseCode::OK) {
+ if (gkResponse->payload().size() != sizeof(gatekeeper::password_handle_t)) {
+ LOG(ERROR) << "HAL returned password handle of invalid length "
+ << gkResponse->payload().size();
+ return GK_ERROR;
+ }
+
+ const gatekeeper::password_handle_t* handle =
+ reinterpret_cast<const gatekeeper::password_handle_t*>(
+ gkResponse->payload().data());
+ secureUserId = handle->user_id;
+ }
}
if (gkResponse->response_code() == GKResponseCode::OK && !gkResponse->should_reenroll()) {
- if (gkResponse->payload().size() != sizeof(gatekeeper::password_handle_t)) {
- LOG(ERROR) << "HAL returned password handle of invalid length "
- << gkResponse->payload().size();
- return GK_ERROR;
- }
-
- const gatekeeper::password_handle_t* handle =
- reinterpret_cast<const gatekeeper::password_handle_t*>(
- gkResponse->payload().data());
- store_sid(userId, handle->user_id);
+ store_sid(userId, secureUserId);
GKResponse verifyResponse;
// immediately verify this password so we don't ask the user to enter it again
@@ -260,15 +300,18 @@
// can't verify if we're missing either param
if (enrolledPasswordHandle.size() == 0 || providedPassword.size() == 0) return GK_ERROR;
- if (!hw_device) return GK_ERROR;
-
- if (enrolledPasswordHandle.size() != sizeof(gatekeeper::password_handle_t)) {
- LOG(INFO) << "Password handle has wrong length";
+ if (!aidl_hw_device && !hw_device) {
+ LOG(ERROR) << "has no HAL to talk to";
return GK_ERROR;
}
- const gatekeeper::password_handle_t* handle =
- reinterpret_cast<const gatekeeper::password_handle_t*>(
- enrolledPasswordHandle.data());
+
+ if (hw_device) {
+ // Hidl Implementations expects passwordHandle to be in gatekeeper::password_handle_t
+ if (enrolledPasswordHandle.size() != sizeof(gatekeeper::password_handle_t)) {
+ LOG(INFO) << "Password handle has wrong length";
+ return GK_ERROR;
+ }
+ }
uint32_t hw_userId = adjust_userId(userId);
android::hardware::hidl_vec<uint8_t> curPwdHandle;
@@ -278,13 +321,36 @@
enteredPwd.setToExternal(const_cast<uint8_t*>(providedPassword.data()),
providedPassword.size());
- Return<void> hwRes = hw_device->verify(
+ uint64_t secureUserId = 0;
+ if (aidl_hw_device) {
+ // AIDL gatekeeper service
+ AidlGatekeeperVerifyResp rsp;
+ auto result =
+ aidl_hw_device->verify(hw_userId, challenge, curPwdHandle, enteredPwd, &rsp);
+ if (!result.isOk()) {
+ LOG(ERROR) << "verify transaction failed";
+ return GK_ERROR;
+ }
+ if (rsp.statusCode >= AidlIGatekeeper::STATUS_OK) {
+ secureUserId = rsp.hardwareAuthToken.userId;
+ // Serialize HardwareAuthToken to a vector as hw_auth_token_t.
+ *gkResponse = GKResponse::ok(authToken2AidlVec(rsp.hardwareAuthToken),
+ rsp.statusCode ==
+ AidlIGatekeeper::STATUS_REENROLL /* reenroll */);
+ } else if (rsp.statusCode == AidlIGatekeeper::ERROR_RETRY_TIMEOUT) {
+ *gkResponse = GKResponse::retry(rsp.timeoutMs);
+ } else {
+ *gkResponse = GKResponse::error();
+ }
+ } else if (hw_device) {
+ // HIDL gatekeeper service
+ Return<void> hwRes = hw_device->verify(
hw_userId, challenge, curPwdHandle, enteredPwd,
[&gkResponse](const GatekeeperResponse& rsp) {
if (rsp.code >= GatekeeperStatusCode::STATUS_OK) {
*gkResponse = GKResponse::ok(
- {rsp.data.begin(), rsp.data.end()},
- rsp.code == GatekeeperStatusCode::STATUS_REENROLL /* reenroll */);
+ {rsp.data.begin(), rsp.data.end()},
+ rsp.code == GatekeeperStatusCode::STATUS_REENROLL /* reenroll */);
} else if (rsp.code == GatekeeperStatusCode::ERROR_RETRY_TIMEOUT) {
*gkResponse = GKResponse::retry(rsp.timeout);
} else {
@@ -292,9 +358,14 @@
}
});
- if (!hwRes.isOk()) {
- LOG(ERROR) << "verify transaction failed";
- return GK_ERROR;
+ if (!hwRes.isOk()) {
+ LOG(ERROR) << "verify transaction failed";
+ return GK_ERROR;
+ }
+ const gatekeeper::password_handle_t* handle =
+ reinterpret_cast<const gatekeeper::password_handle_t*>(
+ enrolledPasswordHandle.data());
+ secureUserId = handle->user_id;
}
if (gkResponse->response_code() == GKResponseCode::OK) {
@@ -333,7 +404,7 @@
}
}
- maybe_store_sid(userId, handle->user_id);
+ maybe_store_sid(userId, secureUserId);
}
return Status::ok();
@@ -354,8 +425,10 @@
}
clear_sid(userId);
- if (hw_device) {
- uint32_t hw_userId = adjust_userId(userId);
+ uint32_t hw_userId = adjust_userId(userId);
+ if (aidl_hw_device) {
+ aidl_hw_device->deleteUser(hw_userId);
+ } else if (hw_device) {
hw_device->deleteUser(hw_userId, [](const GatekeeperResponse&) {});
}
return Status::ok();
@@ -382,7 +455,7 @@
return PERMISSION_DENIED;
}
- if (hw_device == NULL) {
+ if (aidl_hw_device == nullptr && hw_device == nullptr) {
const char* result = "Device not available";
write(fd, result, strlen(result) + 1);
} else {
@@ -394,6 +467,9 @@
}
private:
+ // AIDL gatekeeper service.
+ std::shared_ptr<AidlIGatekeeper> aidl_hw_device;
+ // HIDL gatekeeper service.
sp<IGatekeeper> hw_device;
bool clear_state_if_needed_done;
@@ -414,8 +490,8 @@
android::sp<android::IServiceManager> sm = android::defaultServiceManager();
android::sp<android::GateKeeperProxy> proxy = new android::GateKeeperProxy();
- android::status_t ret = sm->addService(
- android::String16("android.service.gatekeeper.IGateKeeperService"), proxy);
+ android::status_t ret =
+ sm->addService(android::String16("android.service.gatekeeper.IGateKeeperService"), proxy);
if (ret != android::OK) {
ALOGE("Couldn't register binder service!");
return -1;
diff --git a/init/Android.bp b/init/Android.bp
index 6255305..f0e362c 100644
--- a/init/Android.bp
+++ b/init/Android.bp
@@ -161,6 +161,7 @@
},
static_libs: [
"libavb",
+ "libbootloader_message",
"libc++fs",
"libcgrouprc_format",
"libfsverity_init",
@@ -181,7 +182,6 @@
],
shared_libs: [
"libbase",
- "libbootloader_message",
"libcrypto",
"libcutils",
"libdl",
diff --git a/init/service.cpp b/init/service.cpp
index 8334732..a633048 100644
--- a/init/service.cpp
+++ b/init/service.cpp
@@ -340,9 +340,18 @@
siginfo.si_status == BIONIC_SIGNAL_ART_PROFILER && !upgraded_mte_;
if (should_upgrade_mte) {
- LOG(INFO) << "Upgrading service " << name_ << " to sync MTE";
- once_environment_vars_.emplace_back("BIONIC_MEMTAG_UPGRADE_SECS", "60");
- upgraded_mte_ = true;
+ constexpr int kDefaultUpgradeSecs = 60;
+ int secs = GetIntProperty("persist.device_config.memory_safety_native.upgrade_secs.default",
+ kDefaultUpgradeSecs);
+ secs = GetIntProperty(
+ "persist.device_config.memory_safety_native.upgrade_secs.service." + name_, secs);
+ if (secs > 0) {
+ LOG(INFO) << "Upgrading service " << name_ << " to sync MTE for " << secs << " seconds";
+ once_environment_vars_.emplace_back("BIONIC_MEMTAG_UPGRADE_SECS", std::to_string(secs));
+ upgraded_mte_ = true;
+ } else {
+ LOG(INFO) << "Not upgrading service " << name_ << " to sync MTE due to device config";
+ }
}
#endif
diff --git a/janitors/OWNERS b/janitors/OWNERS
index 3e32c26..e132f0b 100644
--- a/janitors/OWNERS
+++ b/janitors/OWNERS
@@ -2,5 +2,5 @@
ccross@google.com
dwillemsen@google.com
enh@google.com
-hhb@google.com
narayan@google.com
+sadafebrahimi@google.com
\ No newline at end of file
diff --git a/libcutils/include/private/android_filesystem_config.h b/libcutils/include/private/android_filesystem_config.h
index da5005c..1e035bb 100644
--- a/libcutils/include/private/android_filesystem_config.h
+++ b/libcutils/include/private/android_filesystem_config.h
@@ -140,6 +140,7 @@
#define AID_JC_IDENTITYCRED 1089 /* Javacard Identity Cred HAL - to manage omapi ARA rules */
#define AID_SDK_SANDBOX 1090 /* SDK sandbox virtual UID */
#define AID_SECURITY_LOG_WRITER 1091 /* write to security log */
+#define AID_PRNG_SEEDER 1092 /* PRNG seeder daemon */
/* Changes to this file must be made in AOSP, *not* in internal branches. */
#define AID_SHELL 2000 /* adb and debug shell user */
diff --git a/libprocessgroup/cgrouprc/libcgrouprc.map.txt b/libprocessgroup/cgrouprc/libcgrouprc.map.txt
index ce5c419..b62b10f 100644
--- a/libprocessgroup/cgrouprc/libcgrouprc.map.txt
+++ b/libprocessgroup/cgrouprc/libcgrouprc.map.txt
@@ -1,18 +1,18 @@
LIBCGROUPRC { # introduced=29
global:
- ACgroupFile_getVersion;
- ACgroupFile_getControllerCount;
- ACgroupFile_getController;
- ACgroupController_getVersion;
- ACgroupController_getName;
- ACgroupController_getPath;
+ ACgroupFile_getVersion; # llndk systemapi
+ ACgroupFile_getControllerCount; # llndk systemapi
+ ACgroupFile_getController; # llndk systemapi
+ ACgroupController_getVersion; # llndk systemapi
+ ACgroupController_getName; # llndk systemapi
+ ACgroupController_getPath; # llndk systemapi
local:
*;
};
LIBCGROUPRC_30 { # introduced=30
global:
- ACgroupController_getFlags;
+ ACgroupController_getFlags; # llndk systemapi
local:
*;
};
diff --git a/libsparse/simg_dump.py b/libsparse/simg_dump.py
index 8811a52..47537ca 100755
--- a/libsparse/simg_dump.py
+++ b/libsparse/simg_dump.py
@@ -158,7 +158,7 @@
curtype = format("Fill with 0x%08X" % (fill))
if showhash:
h = hashlib.sha1()
- data = fill_bin * (blk_sz / 4);
+ data = fill_bin * (blk_sz // 4);
for block in range(chunk_sz):
h.update(data)
curhash = h.hexdigest()
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 60bf57b..ec760d3 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -796,6 +796,7 @@
mkdir /data/misc/vpn 0770 system vpn
mkdir /data/misc/shared_relro 0771 shared_relro shared_relro
mkdir /data/misc/systemkeys 0700 system system
+ mkdir /data/misc/threadnetwork 0770 thread_network thread_network
mkdir /data/misc/wifi 0770 wifi wifi
mkdir /data/misc/wifi/sockets 0770 wifi wifi
mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
diff --git a/rootdir/init.zygote64.rc b/rootdir/init.zygote64.rc
index 5bde5f4..b6ca5c0 100644
--- a/rootdir/init.zygote64.rc
+++ b/rootdir/init.zygote64.rc
@@ -1,4 +1,4 @@
-service zygote /system/bin/app_process64 -Xzygote /system/bin --zygote --start-system-server
+service zygote /system/bin/app_process64 -Xzygote /system/bin --zygote --start-system-server --socket-name=zygote
class main
priority -20
user root
@@ -13,5 +13,5 @@
onrestart restart media.tuner
onrestart restart netd
onrestart restart wificond
- task_profiles ProcessCapacityHigh
+ task_profiles ProcessCapacityHigh MaxPerformance
critical window=${zygote.critical_window.minute:-off} target=zygote-fatal
diff --git a/rootdir/init.zygote64_32.rc b/rootdir/init.zygote64_32.rc
index efb30d6..109bf6c 100644
--- a/rootdir/init.zygote64_32.rc
+++ b/rootdir/init.zygote64_32.rc
@@ -1,20 +1,4 @@
-service zygote /system/bin/app_process64 -Xzygote /system/bin --zygote --start-system-server --socket-name=zygote
- class main
- priority -20
- user root
- group root readproc reserved_disk
- socket zygote stream 660 root system
- socket usap_pool_primary stream 660 root system
- onrestart exec_background - system system -- /system/bin/vdc volume abort_fuse
- onrestart write /sys/power/state on
- onrestart restart audioserver
- onrestart restart cameraserver
- onrestart restart media
- onrestart restart media.tuner
- onrestart restart netd
- onrestart restart wificond
- task_profiles ProcessCapacityHigh MaxPerformance
- critical window=${zygote.critical_window.minute:-off} target=zygote-fatal
+import /system/etc/init/hw/init.zygote64.rc
service zygote_secondary /system/bin/app_process32 -Xzygote /system/bin --zygote --socket-name=zygote_secondary --enable-lazy-preload
class main
diff --git a/rootdir/ueventd.rc b/rootdir/ueventd.rc
index a140c8c..4ec59af 100644
--- a/rootdir/ueventd.rc
+++ b/rootdir/ueventd.rc
@@ -37,6 +37,8 @@
/dev/tty 0666 root root
/dev/random 0666 root root
/dev/urandom 0666 root root
+# Aside from kernel threads, only prng_seeder needs access to HW RNG
+/dev/hw_random 0400 prng_seeder prng_seeder
/dev/ashmem* 0666 root root
/dev/binder 0666 root root
/dev/hwbinder 0666 root root
diff --git a/storaged/storaged.cpp b/storaged/storaged.cpp
index cefef6e..ba79ff7 100644
--- a/storaged/storaged.cpp
+++ b/storaged/storaged.cpp
@@ -27,6 +27,7 @@
#include <fstream>
#include <sstream>
#include <string>
+#include <utility>
#include <aidl/android/hardware/health/BnHealthInfoCallback.h>
#include <android-base/file.h>
@@ -62,7 +63,7 @@
constexpr ssize_t benchmark_unit_size = 16 * 1024; // 16KB
-constexpr ssize_t min_benchmark_size = 128 * 1024; // 128KB
+constexpr size_t min_benchmark_size = 128 * 1024; // 128KB
} // namespace
@@ -244,9 +245,10 @@
proto.ParseFromString(ss.str());
const UidIOUsage& uid_io_usage = proto.uid_io_usage();
- uint32_t computed_crc = crc32(current_version,
- reinterpret_cast<const Bytef*>(uid_io_usage.SerializeAsString().c_str()),
- uid_io_usage.ByteSize());
+ uint32_t computed_crc =
+ crc32(current_version,
+ reinterpret_cast<const Bytef*>(uid_io_usage.SerializeAsString().c_str()),
+ uid_io_usage.ByteSizeLong());
if (proto.crc() != computed_crc) {
LOG(WARNING) << "CRC mismatch in " << proto_file;
return;
@@ -264,31 +266,29 @@
const UidIOUsage& uid_io_usage = proto->uid_io_usage();
proto->set_crc(crc32(current_version,
- reinterpret_cast<const Bytef*>(uid_io_usage.SerializeAsString().c_str()),
- uid_io_usage.ByteSize()));
+ reinterpret_cast<const Bytef*>(uid_io_usage.SerializeAsString().c_str()),
+ uid_io_usage.ByteSizeLong()));
uint32_t pagesize = sysconf(_SC_PAGESIZE);
if (user_id == USER_SYSTEM) {
proto->set_padding("", 1);
vector<char> padding;
- ssize_t size = ROUND_UP(MAX(min_benchmark_size, proto->ByteSize()),
- pagesize);
- padding = vector<char>(size - proto->ByteSize(), 0xFD);
+ ssize_t size = ROUND_UP(std::max(min_benchmark_size, proto->ByteSizeLong()), pagesize);
+ padding = vector<char>(size - proto->ByteSizeLong(), 0xFD);
proto->set_padding(padding.data(), padding.size());
- while (!IS_ALIGNED(proto->ByteSize(), pagesize)) {
+ while (!IS_ALIGNED(proto->ByteSizeLong(), pagesize)) {
padding.push_back(0xFD);
proto->set_padding(padding.data(), padding.size());
}
}
char* data = nullptr;
- if (posix_memalign(reinterpret_cast<void**>(&data),
- pagesize, proto->ByteSize())) {
- PLOG(ERROR) << "Faied to alloc aligned buffer (size: " << proto->ByteSize() << ")";
+ if (posix_memalign(reinterpret_cast<void**>(&data), pagesize, proto->ByteSizeLong())) {
+ PLOG(ERROR) << "Faied to alloc aligned buffer (size: " << proto->ByteSizeLong() << ")";
return data;
}
- proto->SerializeToArray(data, proto->ByteSize());
+ proto->SerializeToArray(data, proto->ByteSizeLong());
return data;
}
@@ -314,7 +314,7 @@
while (size > 0) {
start = steady_clock::now();
- ret = write(fd, data, MIN(benchmark_unit_size, size));
+ ret = write(fd, data, std::min(benchmark_unit_size, size));
if (ret <= 0) {
PLOG(ERROR) << "Faied to write tmp file: " << tmp_file;
return;
@@ -352,7 +352,7 @@
unique_ptr<char> proto_data(prepare_proto(user_id, proto));
if (proto_data == nullptr) return;
- flush_proto_data(user_id, proto_data.get(), proto->ByteSize());
+ flush_proto_data(user_id, proto_data.get(), proto->ByteSizeLong());
}
void storaged_t::flush_protos(unordered_map<int, StoragedProto>* protos) {
diff --git a/trusty/keymaster/Android.bp b/trusty/keymaster/Android.bp
index 0e916ef..adc9fdf 100644
--- a/trusty/keymaster/Android.bp
+++ b/trusty/keymaster/Android.bp
@@ -123,7 +123,6 @@
],
required: [
"android.hardware.hardware_keystore.xml",
- "RemoteProvisioner",
],
}
diff --git a/trusty/trusty-base.mk b/trusty/trusty-base.mk
index d40a59e..0609709 100644
--- a/trusty/trusty-base.mk
+++ b/trusty/trusty-base.mk
@@ -25,7 +25,8 @@
PRODUCT_PACKAGES += \
android.hardware.security.keymint-service.trusty \
android.hardware.gatekeeper@1.0-service.trusty \
- trusty_apploader
+ trusty_apploader \
+ RemoteProvisioner
PRODUCT_PROPERTY_OVERRIDES += \
ro.hardware.keystore_desede=true \
