Merge "Move Trusty C++ KeyMint to v4" into main
diff --git a/METADATA b/METADATA
deleted file mode 100644
index d97975c..0000000
--- a/METADATA
+++ /dev/null
@@ -1,3 +0,0 @@
-third_party {
- license_type: NOTICE
-}
diff --git a/fs_mgr/libfstab/fstab.cpp b/fs_mgr/libfstab/fstab.cpp
index ca35990..01e0e3d 100644
--- a/fs_mgr/libfstab/fstab.cpp
+++ b/fs_mgr/libfstab/fstab.cpp
@@ -39,10 +39,6 @@
#include "fstab_priv.h"
#include "logging_macros.h"
-#if !defined(MS_LAZYTIME)
-#define MS_LAZYTIME (1 << 25)
-#endif
-
using android::base::EndsWith;
using android::base::ParseByteCount;
using android::base::ParseInt;
diff --git a/fs_mgr/libsnapshot/snapuserd/user-space-merge/merge_worker.cpp b/fs_mgr/libsnapshot/snapuserd/user-space-merge/merge_worker.cpp
index a0c5c66..febb484 100644
--- a/fs_mgr/libsnapshot/snapuserd/user-space-merge/merge_worker.cpp
+++ b/fs_mgr/libsnapshot/snapuserd/user-space-merge/merge_worker.cpp
@@ -233,6 +233,11 @@
return false;
}
+ std::optional<std::lock_guard<std::mutex>> buffer_lock;
+ // Acquire the buffer lock at this point so that RA thread
+ // doesn't step into this buffer. See b/377819507
+ buffer_lock.emplace(snapuserd_->GetBufferLock());
+
snapuserd_->SetMergeInProgress(ra_block_index_);
loff_t offset = 0;
@@ -383,6 +388,9 @@
// Mark the block as merge complete
snapuserd_->SetMergeCompleted(ra_block_index_);
+ // Release the buffer lock
+ buffer_lock.reset();
+
// Notify RA thread that the merge thread is ready to merge the next
// window
snapuserd_->NotifyRAForMergeReady();
@@ -415,6 +423,11 @@
return false;
}
+ std::optional<std::lock_guard<std::mutex>> buffer_lock;
+ // Acquire the buffer lock at this point so that RA thread
+ // doesn't step into this buffer. See b/377819507
+ buffer_lock.emplace(snapuserd_->GetBufferLock());
+
snapuserd_->SetMergeInProgress(ra_block_index_);
loff_t offset = 0;
@@ -468,6 +481,9 @@
// Mark the block as merge complete
snapuserd_->SetMergeCompleted(ra_block_index_);
+ // Release the buffer lock
+ buffer_lock.reset();
+
// Notify RA thread that the merge thread is ready to merge the next
// window
snapuserd_->NotifyRAForMergeReady();
diff --git a/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_core.h b/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_core.h
index c7de995..2340b0b 100644
--- a/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_core.h
+++ b/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_core.h
@@ -186,6 +186,7 @@
bool IsIouringSupported();
bool CheckPartitionVerification();
+ std::mutex& GetBufferLock() { return buffer_lock_; }
private:
bool ReadMetadata();
@@ -216,6 +217,9 @@
std::mutex lock_;
std::condition_variable cv;
+ // Lock the buffer used for snapshot-merge
+ std::mutex buffer_lock_;
+
void* mapped_addr_;
size_t total_mapped_addr_length_;
diff --git a/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_readahead.cpp b/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_readahead.cpp
index 3007d45..c7ae519 100644
--- a/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_readahead.cpp
+++ b/fs_mgr/libsnapshot/snapuserd/user-space-merge/snapuserd_readahead.cpp
@@ -706,25 +706,32 @@
return false;
}
- // Copy the data to scratch space
- memcpy(metadata_buffer_, ra_temp_meta_buffer_.get(), snapuserd_->GetBufferMetadataSize());
- memcpy(read_ahead_buffer_, ra_temp_buffer_.get(), total_blocks_merged_ * BLOCK_SZ);
+ // Acquire buffer lock before doing memcpy to the scratch buffer. Although,
+ // by now snapshot-merge thread shouldn't be working on this scratch space
+ // but we take additional measure to ensure that the buffer is not being
+ // used by the merge thread at this point. see b/377819507
+ {
+ std::lock_guard<std::mutex> buffer_lock(snapuserd_->GetBufferLock());
+ // Copy the data to scratch space
+ memcpy(metadata_buffer_, ra_temp_meta_buffer_.get(), snapuserd_->GetBufferMetadataSize());
+ memcpy(read_ahead_buffer_, ra_temp_buffer_.get(), total_blocks_merged_ * BLOCK_SZ);
- loff_t offset = 0;
- std::unordered_map<uint64_t, void*>& read_ahead_buffer_map = snapuserd_->GetReadAheadMap();
- read_ahead_buffer_map.clear();
+ loff_t offset = 0;
+ std::unordered_map<uint64_t, void*>& read_ahead_buffer_map = snapuserd_->GetReadAheadMap();
+ read_ahead_buffer_map.clear();
- for (size_t block_index = 0; block_index < blocks_.size(); block_index++) {
- void* bufptr = static_cast<void*>((char*)read_ahead_buffer_ + offset);
- uint64_t new_block = blocks_[block_index];
+ for (size_t block_index = 0; block_index < blocks_.size(); block_index++) {
+ void* bufptr = static_cast<void*>((char*)read_ahead_buffer_ + offset);
+ uint64_t new_block = blocks_[block_index];
- read_ahead_buffer_map[new_block] = bufptr;
- offset += BLOCK_SZ;
+ read_ahead_buffer_map[new_block] = bufptr;
+ offset += BLOCK_SZ;
+ }
+
+ total_ra_blocks_completed_ += total_blocks_merged_;
+ snapuserd_->SetMergedBlockCountForNextCommit(total_blocks_merged_);
}
- total_ra_blocks_completed_ += total_blocks_merged_;
- snapuserd_->SetMergedBlockCountForNextCommit(total_blocks_merged_);
-
// Flush the scratch data - Technically, we should flush only for overlapping
// blocks; However, since this region is mmap'ed, the dirty pages can still
// get flushed to disk at any random point in time. Instead, make sure
diff --git a/fs_mgr/tests/fs_mgr_test.cpp b/fs_mgr/tests/fs_mgr_test.cpp
index 6e050cf..8004977 100644
--- a/fs_mgr/tests/fs_mgr_test.cpp
+++ b/fs_mgr/tests/fs_mgr_test.cpp
@@ -37,10 +37,6 @@
using namespace android::fs_mgr;
using namespace testing;
-#if !defined(MS_LAZYTIME)
-#define MS_LAZYTIME (1 << 25)
-#endif
-
namespace {
const std::string cmdline =
diff --git a/init/Android.bp b/init/Android.bp
index 4025a6b..4ee3be2 100644
--- a/init/Android.bp
+++ b/init/Android.bp
@@ -176,6 +176,7 @@
"libxml2",
"lib_apex_manifest_proto_lite",
"update_metadata-protos",
+ "libgenfslabelsversion.ffi",
],
shared_libs: [
"libbase",
diff --git a/init/libprefetch/prefetch/prefetch.rc b/init/libprefetch/prefetch/prefetch.rc
index 9f2cb7f..fb3fb3b 100644
--- a/init/libprefetch/prefetch/prefetch.rc
+++ b/init/libprefetch/prefetch/prefetch.rc
@@ -1,3 +1,16 @@
+on init && property:ro.prefetch_boot.enabled=true
+ start prefetch
+
+service prefetch /system/bin/prefetch start
+ class main
+ user root
+ group root system
+ disabled
+ oneshot
+
+on property:ro.prefetch_boot.record=true
+ start prefetch_record
+
service prefetch_record /system/bin/prefetch record --duration ${ro.prefetch_boot.duration_s:-0}
class main
user root
@@ -5,6 +18,9 @@
disabled
oneshot
+on property:ro.prefetch_boot.replay=true
+ start prefetch_replay
+
service prefetch_replay /system/bin/prefetch replay --io-depth ${ro.prefetch_boot.io_depth:-2} --max-fds ${ro.prefetch_boot.max_fds:-128}
class main
user root
diff --git a/init/libprefetch/prefetch/src/arch/android.rs b/init/libprefetch/prefetch/src/arch/android.rs
new file mode 100644
index 0000000..3404e42
--- /dev/null
+++ b/init/libprefetch/prefetch/src/arch/android.rs
@@ -0,0 +1,118 @@
+use crate::Error;
+use crate::RecordArgs;
+use crate::StartArgs;
+use log::info;
+use log::warn;
+use std::fs::File;
+use std::fs::OpenOptions;
+use std::io::Write;
+use std::time::Duration;
+
+use rustutils::system_properties::error::PropertyWatcherError;
+use rustutils::system_properties::PropertyWatcher;
+
+const PREFETCH_RECORD_PROPERTY: &str = "prefetch_boot.record";
+const PREFETCH_REPLAY_PROPERTY: &str = "prefetch_boot.replay";
+const PREFETCH_RECORD_PROPERTY_STOP: &str = "ro.prefetch_boot.record_stop";
+
+fn wait_for_property_true(
+ property_name: &str,
+ timeout: Option<Duration>,
+) -> Result<(), PropertyWatcherError> {
+ let mut prop = PropertyWatcher::new(property_name)?;
+ prop.wait_for_value("1", timeout)?;
+ Ok(())
+}
+
+/// Wait for record to stop
+pub fn wait_for_record_stop() {
+ wait_for_property_true(PREFETCH_RECORD_PROPERTY_STOP, None).unwrap_or_else(|e| {
+ warn!("failed to wait for {} with error: {}", PREFETCH_RECORD_PROPERTY_STOP, e)
+ });
+}
+
+fn start_prefetch_service(property_name: &str) -> Result<(), Error> {
+ match rustutils::system_properties::write(property_name, "true") {
+ Ok(_) => {}
+ Err(_) => {
+ return Err(Error::Custom { error: "Failed to start prefetch service".to_string() });
+ }
+ }
+ Ok(())
+}
+
+/// Start prefetch service
+///
+/// 1: Check the presence of the file 'prefetch_ready'. If it doesn't
+/// exist then the device is booting for the first time after wipe.
+/// Thus, we would just create the file and exit as we do not want
+/// to initiate the record after data wipe primiarly because boot
+/// after data wipe is long and the I/O pattern during first boot may not actually match
+/// with subsequent boot.
+///
+/// 2: If the file 'prefetch_ready' is present:
+///
+/// a: Compare the build-finger-print of the device with the one record format
+/// is associated with by reading the file 'build_finger_print'. If they match,
+/// start the prefetch_replay.
+///
+/// b: If they don't match, then the device was updated through OTA. Hence, start
+/// a fresh record and delete the build-finger-print file. This should also cover
+/// the case of device rollback.
+///
+/// c: If the build-finger-print file doesn't exist, then just restart the record
+/// from scratch.
+pub fn start_prefetch(args: &StartArgs) -> Result<(), Error> {
+ if !args.path.exists() {
+ match File::create(args.path.clone()) {
+ Ok(_) => {}
+ Err(_) => {
+ return Err(Error::Custom { error: "File Creation failed".to_string() });
+ }
+ }
+ return Ok(());
+ }
+
+ if args.build_fingerprint_path.exists() {
+ let device_build_fingerprint = rustutils::system_properties::read("ro.build.fingerprint")
+ .map_err(|e| Error::Custom {
+ error: format!("Failed to read ro.build.fingerprint: {}", e),
+ })?;
+ let pack_build_fingerprint = std::fs::read_to_string(&args.build_fingerprint_path)?;
+ if pack_build_fingerprint.trim() == device_build_fingerprint.as_deref().unwrap_or_default()
+ {
+ info!("Start replay");
+ start_prefetch_service(PREFETCH_REPLAY_PROPERTY)?;
+ } else {
+ info!("Start record");
+ std::fs::remove_file(&args.build_fingerprint_path)?;
+ start_prefetch_service(PREFETCH_RECORD_PROPERTY)?;
+ }
+ } else {
+ info!("Start record");
+ start_prefetch_service(PREFETCH_RECORD_PROPERTY)?;
+ }
+ Ok(())
+}
+
+/// Write build finger print to associate prefetch pack file
+pub fn write_build_fingerprint(args: &RecordArgs) -> Result<(), Error> {
+ let mut build_fingerprint_file = OpenOptions::new()
+ .write(true)
+ .create(true)
+ .truncate(true)
+ .open(&args.build_fingerprint_path)
+ .map_err(|source| Error::Create {
+ source,
+ path: args.build_fingerprint_path.to_str().unwrap().to_owned(),
+ })?;
+
+ let device_build_fingerprint =
+ rustutils::system_properties::read("ro.build.fingerprint").unwrap_or_default();
+ let device_build_fingerprint = device_build_fingerprint.unwrap_or_default();
+
+ build_fingerprint_file.write_all(device_build_fingerprint.as_bytes())?;
+ build_fingerprint_file.sync_all()?;
+
+ Ok(())
+}
diff --git a/init/libprefetch/prefetch/src/args.rs b/init/libprefetch/prefetch/src/args.rs
index 4c1e689..e534210 100644
--- a/init/libprefetch/prefetch/src/args.rs
+++ b/init/libprefetch/prefetch/src/args.rs
@@ -25,6 +25,8 @@
pub use args_internal::OutputFormat;
pub use args_internal::ReplayArgs;
+#[cfg(target_os = "android")]
+pub use args_internal::StartArgs;
pub use args_internal::TracerType;
pub use args_internal::{DumpArgs, MainArgs, RecordArgs, SubCommands};
use serde::Deserialize;
@@ -66,6 +68,8 @@
SubCommands::Dump(arg) => {
ensure_path_exists(&arg.path)?;
}
+ #[cfg(target_os = "android")]
+ SubCommands::Start(_arg) => return Ok(()),
}
Ok(())
}
diff --git a/init/libprefetch/prefetch/src/args/args_argh.rs b/init/libprefetch/prefetch/src/args/args_argh.rs
index 8ac95fc..65084ee 100644
--- a/init/libprefetch/prefetch/src/args/args_argh.rs
+++ b/init/libprefetch/prefetch/src/args/args_argh.rs
@@ -40,6 +40,38 @@
Replay(ReplayArgs),
/// Dump prefetch data in human readable format
Dump(DumpArgs),
+ /// Start prefetch service if possible
+ /// If the pack file is present, then prefetch replay is started
+ /// If the pack file is absent or if the build fingerprint
+ /// of the current pack file is different, then prefetch record is started.
+ #[cfg(target_os = "android")]
+ Start(StartArgs),
+}
+
+#[cfg(target_os = "android")]
+fn default_ready_path() -> PathBuf {
+ PathBuf::from("/metadata/prefetch/prefetch_ready")
+}
+
+#[cfg(target_os = "android")]
+fn default_build_finger_print_path() -> PathBuf {
+ PathBuf::from("/metadata/prefetch/build_finger_print")
+}
+
+#[cfg(target_os = "android")]
+#[derive(Eq, PartialEq, Debug, Default, FromArgs)]
+/// Start prefetch service based on if pack file is present.
+#[argh(subcommand, name = "start")]
+pub struct StartArgs {
+ /// file path to check if prefetch_ready is present.
+ ///
+ /// A new file is created at the given path if it's not present.
+ #[argh(option, default = "default_ready_path()")]
+ pub path: PathBuf,
+
+ /// file path where build fingerprint is stored
+ #[argh(option, default = "default_build_finger_print_path()")]
+ pub build_fingerprint_path: PathBuf,
}
impl Default for SubCommands {
@@ -110,6 +142,11 @@
from_str_fn(parse_tracing_instance)
)]
pub tracing_instance: Option<String>,
+
+ #[cfg(target_os = "android")]
+ /// store build_finger_print to tie the pack format
+ #[argh(option, default = "default_build_finger_print_path()")]
+ pub build_fingerprint_path: PathBuf,
}
/// Type of tracing subsystem to use.
diff --git a/init/libprefetch/prefetch/src/lib.rs b/init/libprefetch/prefetch/src/lib.rs
index 4b56b13..6564c4b 100644
--- a/init/libprefetch/prefetch/src/lib.rs
+++ b/init/libprefetch/prefetch/src/lib.rs
@@ -20,6 +20,10 @@
mod format;
mod replay;
mod tracer;
+#[cfg(target_os = "android")]
+mod arch {
+ pub mod android;
+}
use std::fs::File;
use std::fs::OpenOptions;
@@ -38,6 +42,8 @@
pub use args::args_from_env;
use args::OutputFormat;
pub use args::ReplayArgs;
+#[cfg(target_os = "android")]
+pub use args::StartArgs;
pub use args::{DumpArgs, MainArgs, RecordArgs, SubCommands};
pub use error::Error;
pub use format::FileId;
@@ -45,29 +51,11 @@
pub use format::Record;
pub use format::RecordsFile;
use log::info;
-#[cfg(target_os = "android")]
-use log::warn;
pub use replay::Replay;
pub use tracer::nanoseconds_since_boot;
#[cfg(target_os = "android")]
-use rustutils::system_properties;
-#[cfg(target_os = "android")]
-use rustutils::system_properties::error::PropertyWatcherError;
-#[cfg(target_os = "android")]
-use rustutils::system_properties::PropertyWatcher;
-
-#[cfg(target_os = "android")]
-fn wait_for_property_true(property_name: &str) -> Result<(), PropertyWatcherError> {
- let mut prop = PropertyWatcher::new(property_name)?;
- loop {
- prop.wait(None)?;
- if system_properties::read_bool(property_name, false)? {
- break;
- }
- }
- Ok(())
-}
+pub use arch::android::*;
/// Records prefetch data for the given configuration
pub fn record(args: &RecordArgs) -> Result<(), Error> {
@@ -85,11 +73,10 @@
thread::sleep(duration);
} else {
#[cfg(target_os = "android")]
- wait_for_property_true("sys.boot_completed").unwrap_or_else(|e| {
- warn!("failed to wait for sys.boot_completed with error: {}", e)
- });
+ wait_for_record_stop();
}
+ info!("Prefetch record exiting");
// We want to unwrap here on failure to send this signal. Otherwise
// tracer will continue generating huge records data.
exit_tx.send(()).unwrap();
@@ -107,9 +94,16 @@
std::fs::set_permissions(&args.path, std::fs::Permissions::from_mode(0o644))
.map_err(|source| Error::Create { source, path: args.path.to_str().unwrap().to_owned() })?;
+ // Write the record file
out_file
.write_all(&rf.add_checksum_and_serialize()?)
.map_err(|source| Error::Write { path: args.path.to_str().unwrap().to_owned(), source })?;
+ out_file.sync_all()?;
+
+ // Write build-finger-print file
+ #[cfg(target_os = "android")]
+ write_build_fingerprint(args)?;
+
Ok(())
}
diff --git a/init/libprefetch/prefetch/src/main.rs b/init/libprefetch/prefetch/src/main.rs
index 046e07e..eab826f 100644
--- a/init/libprefetch/prefetch/src/main.rs
+++ b/init/libprefetch/prefetch/src/main.rs
@@ -22,6 +22,8 @@
use prefetch_rs::init_logging;
use prefetch_rs::record;
use prefetch_rs::replay;
+#[cfg(target_os = "android")]
+use prefetch_rs::start_prefetch;
use prefetch_rs::LogLevel;
use prefetch_rs::MainArgs;
use prefetch_rs::SubCommands;
@@ -33,6 +35,8 @@
SubCommands::Record(args) => record(args),
SubCommands::Replay(args) => replay(args),
SubCommands::Dump(args) => dump(args),
+ #[cfg(target_os = "android")]
+ SubCommands::Start(args) => start_prefetch(args),
};
if let Err(err) = ret {
diff --git a/init/selinux.cpp b/init/selinux.cpp
index 5ced0b8..6316b4d 100644
--- a/init/selinux.cpp
+++ b/init/selinux.cpp
@@ -69,6 +69,7 @@
#include <android/avf_cc_flags.h>
#include <fs_avb/fs_avb.h>
#include <fs_mgr.h>
+#include <genfslabelsversion.h>
#include <libgsi/libgsi.h>
#include <libsnapshot/snapshot.h>
#include <selinux/android.h>
@@ -190,22 +191,6 @@
return true;
}
-int GetVendorGenfsVersion() {
- std::string line;
- if (!ReadFirstLine("/vendor/etc/selinux/genfs_labels_version.txt", &line)) {
- PLOG(ERROR) << "Failed to read /vendor/etc/selinux/genfs_labels_version.txt; assuming it's "
- "202404";
- return 202404;
- }
- int version;
- if (!ParseInt(line, &version)) {
- PLOG(ERROR) << "Failed to parse the genfs labels version " << line
- << "; assuming it's 202404";
- return 202404;
- }
- return version;
-}
-
constexpr const char plat_policy_cil_file[] = "/system/etc/selinux/plat_sepolicy.cil";
bool IsSplitPolicyDevice() {
@@ -342,11 +327,14 @@
std::vector<std::string> genfs_cil_files;
- int vendor_genfs_version = GetVendorGenfsVersion();
+ int vendor_genfs_version = get_genfs_labels_version();
std::string genfs_cil_file =
std::format("/system/etc/selinux/plat_sepolicy_genfs_{}.cil", vendor_genfs_version);
if (access(genfs_cil_file.c_str(), F_OK) != 0) {
+ LOG(INFO) << "Missing " << genfs_cil_file << "; skipping";
genfs_cil_file.clear();
+ } else {
+ LOG(INFO) << "Using " << genfs_cil_file << " for genfs labels";
}
// clang-format off
diff --git a/libprocessgroup/include/processgroup/processgroup.h b/libprocessgroup/include/processgroup/processgroup.h
index d27b568..6a026a7 100644
--- a/libprocessgroup/include/processgroup/processgroup.h
+++ b/libprocessgroup/include/processgroup/processgroup.h
@@ -16,7 +16,6 @@
#pragma once
-#include <sys/cdefs.h>
#include <sys/types.h>
#include <initializer_list>
#include <span>
@@ -24,8 +23,6 @@
#include <string_view>
#include <vector>
-__BEGIN_DECLS
-
static constexpr std::string CGROUPV2_HIERARCHY_NAME = "cgroup2";
bool CgroupsAvailable();
@@ -39,8 +36,6 @@
bool SetProcessProfiles(uid_t uid, pid_t pid, const std::vector<std::string>& profiles);
bool SetUserProfiles(uid_t uid, const std::vector<std::string>& profiles);
-__END_DECLS
-
bool SetTaskProfiles(pid_t tid, std::initializer_list<std::string_view> profiles,
bool use_fd_cache = false);
bool SetProcessProfiles(uid_t uid, pid_t pid, std::initializer_list<std::string_view> profiles);
@@ -50,7 +45,6 @@
bool SetProcessProfiles(uid_t uid, pid_t pid, std::span<const std::string_view> profiles);
#endif
-__BEGIN_DECLS
#ifndef __ANDROID_VNDK__
@@ -96,5 +90,3 @@
bool isProfileValidForProcess(const std::string& profile_name, uid_t uid, pid_t pid);
#endif // __ANDROID_VNDK__
-
-__END_DECLS
diff --git a/libutils/OWNERS b/libutils/OWNERS
index 40164aa..4ce6893 100644
--- a/libutils/OWNERS
+++ b/libutils/OWNERS
@@ -1 +1,2 @@
+shayba@google.com
smoreland@google.com
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 617e60a..1986374 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -596,6 +596,7 @@
mkdir /metadata/ota/snapshots 0750 root system
mkdir /metadata/watchdog 0770 root system
mkdir /metadata/tradeinmode 0770 root system
+ mkdir /metadata/prefetch 0770 root system
mkdir /metadata/apex 0700 root system
mkdir /metadata/apex/sessions 0700 root system
@@ -608,17 +609,6 @@
mkdir /metadata/staged-install 0770 root system
- mkdir /metadata/aconfig 0775 root system
- mkdir /metadata/aconfig/flags 0770 root system
- mkdir /metadata/aconfig/maps 0775 root system
- mkdir /metadata/aconfig/boot 0775 root system
-
- mkdir /metadata/aconfig_test_missions 0775 root system
-
- # See flag enable_system_aconfigd_rust, which toggles these processes.
- exec_start system_aconfigd_platform_init
- exec_start aconfigd-platform-init
-
on late-fs
# Ensure that tracefs has the correct permissions.
# This does not work correctly if it is called in post-fs.
@@ -735,7 +725,6 @@
mkdir /data/apex/active 0755 root system
mkdir /data/apex/backup 0700 root system
mkdir /data/apex/decompressed 0755 root system encryption=Require
- mkdir /data/apex/hashtree 0700 root system
mkdir /data/apex/sessions 0700 root system
mkdir /data/app-staging 0751 system system encryption=DeleteIfNecessary
mkdir /data/apex/ota_reserved 0700 root system encryption=Require
@@ -781,6 +770,8 @@
mkdir /data/misc/shared_relro 0771 shared_relro shared_relro
mkdir /data/misc/systemkeys 0700 system system
mkdir /data/misc/wifi 0770 wifi wifi
+ mkdir /data/misc/wifi/mainline_supplicant 0770 wifi wifi
+ mkdir /data/misc/wifi/mainline_supplicant/sockets 0770 wifi wifi
mkdir /data/misc/wifi/sockets 0770 wifi wifi
mkdir /data/misc/wifi/wpa_supplicant 0770 wifi wifi
mkdir /data/misc/ethernet 0770 system system
@@ -1125,9 +1116,9 @@
# System server manages zram writeback
chown root system /sys/block/zram0/idle
- chmod 0664 /sys/block/zram0/idle
+ chmod 0220 /sys/block/zram0/idle
chown root system /sys/block/zram0/writeback
- chmod 0664 /sys/block/zram0/writeback
+ chmod 0220 /sys/block/zram0/writeback
# to access F2FS sysfs on dm-<num> directly
mkdir /dev/sys/fs/by-name 0755 system system
diff --git a/trusty/keymint/android.hardware.security.keymint-service.rust.trusty.system.nonsecure.rc b/trusty/keymint/android.hardware.security.keymint-service.rust.trusty.system.nonsecure.rc
index 410e10a..e580651 100644
--- a/trusty/keymint/android.hardware.security.keymint-service.rust.trusty.system.nonsecure.rc
+++ b/trusty/keymint/android.hardware.security.keymint-service.rust.trusty.system.nonsecure.rc
@@ -11,7 +11,7 @@
# Only starts the non-secure KeyMint HALs when the KeyMint VM feature is enabled
# TODO(b/357821690): Start the KeyMint HALs when the KeyMint VM is ready once the Trusty VM
# has a mechanism to notify the host.
-on late-fs && property:ro.hardware.trusty.security_vm.keymint.enabled=1 && \
+on late-fs && property:trusty.security_vm.keymint.enabled=1 && \
property:trusty.security_vm.vm_cid=*
setprop system.keymint.trusty_ipc_dev VSOCK:${trusty.security_vm.vm_cid}:1
start system.keymint.rust-trusty.nonsecure