Merge "Remove unnecessary #includes."
diff --git a/code_coverage/seccomp_policy/code_coverage.arm.policy b/code_coverage/seccomp_policy/code_coverage.arm.policy
index b80910f..3589379 100644
--- a/code_coverage/seccomp_policy/code_coverage.arm.policy
+++ b/code_coverage/seccomp_policy/code_coverage.arm.policy
@@ -1,4 +1,5 @@
close: 1
+fchmod: 1
mkdirat: 1
msync: 1
munmap: 1
diff --git a/code_coverage/seccomp_policy/code_coverage.arm64.policy b/code_coverage/seccomp_policy/code_coverage.arm64.policy
index 7040ea2..fdb4d1e 100644
--- a/code_coverage/seccomp_policy/code_coverage.arm64.policy
+++ b/code_coverage/seccomp_policy/code_coverage.arm64.policy
@@ -1,4 +1,5 @@
close: 1
+fchmod: 1
mkdirat: 1
msync: 1
munmap: 1
diff --git a/code_coverage/seccomp_policy/code_coverage.policy.def b/code_coverage/seccomp_policy/code_coverage.policy.def
index 599c4a4..b6a4c6d 100644
--- a/code_coverage/seccomp_policy/code_coverage.policy.def
+++ b/code_coverage/seccomp_policy/code_coverage.policy.def
@@ -13,6 +13,9 @@
// 2nd-Nth: uses mmap() to update in place
close: 1
+// fchmod allowed to set libprofile-clang-extras, which wraps `open` calls, to
+// set correct permission for coverage files.
+fchmod: 1
mkdirat: 1
msync: 1
munmap: 1
diff --git a/code_coverage/seccomp_policy/code_coverage.x86.policy b/code_coverage/seccomp_policy/code_coverage.x86.policy
index f8e0cc0..145d3a3 100644
--- a/code_coverage/seccomp_policy/code_coverage.x86.policy
+++ b/code_coverage/seccomp_policy/code_coverage.x86.policy
@@ -1,4 +1,5 @@
close: 1
+fchmod: 1
mkdirat: 1
msync: 1
munmap: 1
diff --git a/code_coverage/seccomp_policy/code_coverage.x86_64.policy b/code_coverage/seccomp_policy/code_coverage.x86_64.policy
index dcf2f9a..11c8075 100644
--- a/code_coverage/seccomp_policy/code_coverage.x86_64.policy
+++ b/code_coverage/seccomp_policy/code_coverage.x86_64.policy
@@ -1,4 +1,5 @@
close: 1
+fchmod: 1
mkdirat: 1
msync: 1
munmap: 1
diff --git a/fs_mgr/libfiemap/image_manager.cpp b/fs_mgr/libfiemap/image_manager.cpp
index 93fc131..841f215 100644
--- a/fs_mgr/libfiemap/image_manager.cpp
+++ b/fs_mgr/libfiemap/image_manager.cpp
@@ -486,15 +486,14 @@
if (!MapWithLoopDeviceList(loop_devices, name, timeout_ms, path)) {
return false;
}
+ } else {
+ auto status_message = "loop:" + loop_devices.back();
+ auto status_file = GetStatusFilePath(name);
+ if (!android::base::WriteStringToFile(status_message, status_file)) {
+ PLOG(ERROR) << "Write failed: " << status_file;
+ return false;
+ }
}
-
- auto status_message = "loop:" + loop_devices.back();
- auto status_file = GetStatusFilePath(name);
- if (!android::base::WriteStringToFile(status_message, status_file)) {
- PLOG(ERROR) << "Write failed: " << status_file;
- return false;
- }
-
auto_detach.Commit();
*path = loop_devices.back();
diff --git a/fs_mgr/libsnapshot/include_test/libsnapshot/test_helpers.h b/fs_mgr/libsnapshot/include_test/libsnapshot/test_helpers.h
index 7aef086..ff0047e 100644
--- a/fs_mgr/libsnapshot/include_test/libsnapshot/test_helpers.h
+++ b/fs_mgr/libsnapshot/include_test/libsnapshot/test_helpers.h
@@ -51,8 +51,8 @@
extern std::unique_ptr<SnapshotManager> sm;
extern class TestDeviceInfo* test_device;
extern std::string fake_super;
-static constexpr uint64_t kSuperSize = 16_MiB + 4_KiB;
-static constexpr uint64_t kGroupSize = 16_MiB;
+static constexpr uint64_t kSuperSize = 32_MiB + 4_KiB;
+static constexpr uint64_t kGroupSize = 32_MiB;
// Redirect requests for "super" to our fake super partition.
class TestPartitionOpener final : public android::fs_mgr::PartitionOpener {
diff --git a/fs_mgr/libsnapshot/snapshot.cpp b/fs_mgr/libsnapshot/snapshot.cpp
index f0646fc..21b720e 100644
--- a/fs_mgr/libsnapshot/snapshot.cpp
+++ b/fs_mgr/libsnapshot/snapshot.cpp
@@ -676,6 +676,8 @@
}
}
+ bool compression_enabled = false;
+
uint64_t total_cow_file_size = 0;
DmTargetSnapshot::Status initial_target_values = {};
for (const auto& snapshot : snapshots) {
@@ -692,6 +694,8 @@
return false;
}
total_cow_file_size += snapshot_status.cow_file_size();
+
+ compression_enabled |= snapshot_status.compression_enabled();
}
if (cow_file_size) {
@@ -703,6 +707,7 @@
initial_status.set_sectors_allocated(initial_target_values.sectors_allocated);
initial_status.set_total_sectors(initial_target_values.total_sectors);
initial_status.set_metadata_sectors(initial_target_values.metadata_sectors);
+ initial_status.set_compression_enabled(compression_enabled);
// Point of no return - mark that we're starting a merge. From now on every
// snapshot must be a merge target.
@@ -1405,7 +1410,7 @@
return false;
}
- CHECK(base_sectors == target.spec.length);
+ CHECK(base_sectors <= target.spec.length);
if (!snapuserd_client_->AttachDmUser(misc_name)) {
// This error is unrecoverable. We cannot proceed because reads to
@@ -2285,9 +2290,15 @@
}
bool SnapshotManager::WriteUpdateState(LockedFile* lock, UpdateState state) {
- SnapshotUpdateStatus status = {};
+ SnapshotUpdateStatus status;
status.set_state(state);
- status.set_compression_enabled(IsCompressionEnabled());
+
+ // If we're transitioning between two valid states (eg, we're not beginning
+ // or ending an OTA), then make sure to propagate the compression bit.
+ if (!(state == UpdateState::Initiated || state == UpdateState::None)) {
+ SnapshotUpdateStatus old_status = ReadSnapshotUpdateStatus(lock);
+ status.set_compression_enabled(old_status.compression_enabled());
+ }
return WriteSnapshotUpdateStatus(lock, status);
}
@@ -2477,6 +2488,12 @@
auto lock = LockExclusive();
if (!lock) return Return::Error();
+ auto update_state = ReadUpdateState(lock.get());
+ if (update_state != UpdateState::Initiated) {
+ LOG(ERROR) << "Cannot create update snapshots in state " << update_state;
+ return Return::Error();
+ }
+
// TODO(b/134949511): remove this check. Right now, with overlayfs mounted, the scratch
// partition takes up a big chunk of space in super, causing COW images to be created on
// retrofit Virtual A/B devices.
@@ -2571,6 +2588,14 @@
return Return::Error();
}
+ SnapshotUpdateStatus status = {};
+ status.set_state(update_state);
+ status.set_compression_enabled(cow_creator.compression_enabled);
+ if (!WriteSnapshotUpdateStatus(lock.get(), status)) {
+ LOG(ERROR) << "Unable to write new update state";
+ return Return::Error();
+ }
+
created_devices.Release();
LOG(INFO) << "Successfully created all snapshots for target slot " << target_suffix;
diff --git a/fs_mgr/libsnapshot/snapshot_test.cpp b/fs_mgr/libsnapshot/snapshot_test.cpp
index bb44425..80a6074 100644
--- a/fs_mgr/libsnapshot/snapshot_test.cpp
+++ b/fs_mgr/libsnapshot/snapshot_test.cpp
@@ -854,15 +854,15 @@
group_->add_partition_names("prd");
sys_ = manifest_.add_partitions();
sys_->set_partition_name("sys");
- sys_->set_estimate_cow_size(6_MiB);
+ sys_->set_estimate_cow_size(2_MiB);
SetSize(sys_, 3_MiB);
vnd_ = manifest_.add_partitions();
vnd_->set_partition_name("vnd");
- vnd_->set_estimate_cow_size(6_MiB);
+ vnd_->set_estimate_cow_size(2_MiB);
SetSize(vnd_, 3_MiB);
prd_ = manifest_.add_partitions();
prd_->set_partition_name("prd");
- prd_->set_estimate_cow_size(6_MiB);
+ prd_->set_estimate_cow_size(2_MiB);
SetSize(prd_, 3_MiB);
// Initialize source partition metadata using |manifest_|.
@@ -1050,11 +1050,17 @@
ASSERT_TRUE(sm->UnmapUpdateSnapshot(name));
}
- // Grow all partitions.
+ // Grow all partitions. Set |prd| large enough that |sys| and |vnd|'s COWs
+ // fit in super, but not |prd|.
constexpr uint64_t partition_size = 3788_KiB;
SetSize(sys_, partition_size);
SetSize(vnd_, partition_size);
- SetSize(prd_, partition_size);
+ SetSize(prd_, 18_MiB);
+
+ // Make sure |prd| does not fit in super at all. On VABC, this means we
+ // fake an extra large COW for |vnd| to fill up super.
+ vnd_->set_estimate_cow_size(30_MiB);
+ prd_->set_estimate_cow_size(30_MiB);
AddOperationForPartitions();
@@ -1066,11 +1072,7 @@
auto tgt = MetadataBuilder::New(*opener_, "super", 1);
ASSERT_NE(tgt, nullptr);
ASSERT_NE(nullptr, tgt->FindPartition("sys_b-cow"));
- if (IsCompressionEnabled()) {
- ASSERT_EQ(nullptr, tgt->FindPartition("vnd_b-cow"));
- } else {
- ASSERT_NE(nullptr, tgt->FindPartition("vnd_b-cow"));
- }
+ ASSERT_NE(nullptr, tgt->FindPartition("vnd_b-cow"));
ASSERT_EQ(nullptr, tgt->FindPartition("prd_b-cow"));
// Write some data to target partitions.
@@ -1104,6 +1106,7 @@
// Initiate the merge and wait for it to be completed.
ASSERT_TRUE(init->InitiateMerge());
+ ASSERT_EQ(init->IsSnapuserdRequired(), IsCompressionEnabled());
ASSERT_EQ(UpdateState::MergeCompleted, init->ProcessUpdateState());
// Check that the target partitions have the same content after the merge.
@@ -1128,6 +1131,7 @@
SetSize(sys_, 4_MiB); // grows
SetSize(vnd_, 2_MiB); // shrinks
// prd_b is unchanged
+ ASSERT_TRUE(sm->BeginUpdate());
ASSERT_TRUE(sm->CreateUpdateSnapshots(manifest_));
ASSERT_EQ(4_MiB, GetSnapshotSize("sys_b").value_or(0));
}
@@ -1137,6 +1141,7 @@
TEST_F(SnapshotUpdateTest, CowPartitionDoNotTakeOldPartitions) {
SetSize(sys_, 2_MiB); // shrinks
// vnd_b and prd_b are unchanged.
+ ASSERT_TRUE(sm->BeginUpdate());
ASSERT_TRUE(sm->CreateUpdateSnapshots(manifest_));
auto tgt = MetadataBuilder::New(*opener_, "super", 1);
@@ -1260,6 +1265,11 @@
// Test that at the second update, old COW partition spaces are reclaimed.
TEST_F(SnapshotUpdateTest, ReclaimCow) {
+ // Make sure VABC cows are small enough that they fit in fake_super.
+ sys_->set_estimate_cow_size(64_KiB);
+ vnd_->set_estimate_cow_size(64_KiB);
+ prd_->set_estimate_cow_size(64_KiB);
+
// Execute the first update.
ASSERT_TRUE(sm->BeginUpdate());
ASSERT_TRUE(sm->CreateUpdateSnapshots(manifest_));
@@ -1376,9 +1386,13 @@
TEST_F(SnapshotUpdateTest, MergeCannotRemoveCow) {
// Make source partitions as big as possible to force COW image to be created.
- SetSize(sys_, 5_MiB);
- SetSize(vnd_, 5_MiB);
- SetSize(prd_, 5_MiB);
+ SetSize(sys_, 10_MiB);
+ SetSize(vnd_, 10_MiB);
+ SetSize(prd_, 10_MiB);
+ sys_->set_estimate_cow_size(12_MiB);
+ vnd_->set_estimate_cow_size(12_MiB);
+ prd_->set_estimate_cow_size(12_MiB);
+
src_ = MetadataBuilder::New(*opener_, "super", 0);
ASSERT_NE(src_, nullptr);
src_->RemoveGroupAndPartitions(group_->name() + "_a");
@@ -1676,6 +1690,8 @@
SetSize(sys_, partition_size);
AddOperation(sys_, data_size);
+ sys_->set_estimate_cow_size(partition_size + data_size);
+
// Set hastree extents.
sys_->mutable_hash_tree_data_extent()->set_start_block(0);
sys_->mutable_hash_tree_data_extent()->set_num_blocks(data_size / block_size);
@@ -1716,6 +1732,10 @@
// Test for overflow bit after update
TEST_F(SnapshotUpdateTest, Overflow) {
+ if (IsCompressionEnabled()) {
+ GTEST_SKIP() << "No overflow bit set for userspace COWs";
+ }
+
const auto actual_write_size = GetSize(sys_);
const auto declared_write_size = actual_write_size - 1_MiB;
@@ -1743,12 +1763,15 @@
auto userdata = std::make_unique<LowSpaceUserdata>();
ASSERT_TRUE(userdata->Init(kMaxFree));
- // Grow all partitions to 5_MiB, total 15_MiB. This requires 15 MiB of CoW space. After
- // using the empty space in super (< 1 MiB), it uses at least 14 MiB of /userdata space.
- constexpr uint64_t partition_size = 5_MiB;
+ // Grow all partitions to 10_MiB, total 30_MiB. This requires 30 MiB of CoW space. After
+ // using the empty space in super (< 1 MiB), it uses 30 MiB of /userdata space.
+ constexpr uint64_t partition_size = 10_MiB;
SetSize(sys_, partition_size);
SetSize(vnd_, partition_size);
SetSize(prd_, partition_size);
+ sys_->set_estimate_cow_size(partition_size);
+ vnd_->set_estimate_cow_size(partition_size);
+ prd_->set_estimate_cow_size(partition_size);
AddOperationForPartitions();
@@ -1758,7 +1781,7 @@
ASSERT_FALSE(res);
ASSERT_EQ(Return::ErrorCode::NO_SPACE, res.error_code());
ASSERT_GE(res.required_size(), 14_MiB);
- ASSERT_LT(res.required_size(), 15_MiB);
+ ASSERT_LT(res.required_size(), 40_MiB);
}
class AutoKill final {
diff --git a/gatekeeperd/Android.bp b/gatekeeperd/Android.bp
index 27a6452..2d9a820 100644
--- a/gatekeeperd/Android.bp
+++ b/gatekeeperd/Android.bp
@@ -28,6 +28,7 @@
shared_libs: [
"libbinder",
+ "libbinder_ndk",
"libgatekeeper",
"libgsi",
"liblog",
@@ -40,6 +41,8 @@
"libhidlbase",
"android.hardware.gatekeeper@1.0",
"libgatekeeper_aidl",
+ "android.hardware.security.keymint-unstable-ndk_platform",
+ "android.security.authorization-ndk_platform",
],
static_libs: ["libscrypt_static"],
diff --git a/gatekeeperd/gatekeeperd.cpp b/gatekeeperd/gatekeeperd.cpp
index b982dbc..941f8c2 100644
--- a/gatekeeperd/gatekeeperd.cpp
+++ b/gatekeeperd/gatekeeperd.cpp
@@ -19,42 +19,45 @@
#include <android/service/gatekeeper/BnGateKeeperService.h>
#include <gatekeeper/GateKeeperResponse.h>
+#include <endian.h>
#include <errno.h>
#include <fcntl.h>
-#include <inttypes.h>
-#include <stdint.h>
#include <unistd.h>
#include <memory>
-#include <android/security/keystore/IKeystoreService.h>
#include <android-base/logging.h>
#include <android-base/properties.h>
+#include <android/binder_ibinder.h>
+#include <android/binder_manager.h>
+#include <android/security/keystore/IKeystoreService.h>
#include <binder/IPCThreadState.h>
#include <binder/IServiceManager.h>
#include <binder/PermissionCache.h>
-#include <gatekeeper/password_handle.h> // for password_handle_t
-#include <hardware/gatekeeper.h>
+#include <gatekeeper/password_handle.h> // for password_handle_t
#include <hardware/hw_auth_token.h>
-#include <keystore/keystore.h> // For error code
#include <keystore/keystore_return_types.h>
#include <libgsi/libgsi.h>
#include <log/log.h>
-#include <utils/Log.h>
#include <utils/String16.h>
-#include <hidl/HidlSupport.h>
+#include <aidl/android/hardware/security/keymint/HardwareAuthToken.h>
+#include <aidl/android/security/authorization/IKeystoreAuthorization.h>
#include <android/hardware/gatekeeper/1.0/IGatekeeper.h>
+#include <hidl/HidlSupport.h>
using android::sp;
-using android::hardware::gatekeeper::V1_0::IGatekeeper;
-using android::hardware::gatekeeper::V1_0::GatekeeperStatusCode;
-using android::hardware::gatekeeper::V1_0::GatekeeperResponse;
using android::hardware::Return;
+using android::hardware::gatekeeper::V1_0::GatekeeperResponse;
+using android::hardware::gatekeeper::V1_0::GatekeeperStatusCode;
+using android::hardware::gatekeeper::V1_0::IGatekeeper;
using ::android::binder::Status;
using ::android::service::gatekeeper::BnGateKeeperService;
using GKResponse = ::android::service::gatekeeper::GateKeeperResponse;
using GKResponseCode = ::android::service::gatekeeper::ResponseCode;
+using ::aidl::android::hardware::security::keymint::HardwareAuthenticatorType;
+using ::aidl::android::hardware::security::keymint::HardwareAuthToken;
+using ::aidl::android::security::authorization::IKeystoreAuthorization;
namespace android {
@@ -62,7 +65,7 @@
static const String16 DUMP_PERMISSION("android.permission.DUMP");
class GateKeeperProxy : public BnGateKeeperService {
-public:
+ public:
GateKeeperProxy() {
clear_state_if_needed_done = false;
hw_device = IGatekeeper::getService();
@@ -73,8 +76,7 @@
}
}
- virtual ~GateKeeperProxy() {
- }
+ virtual ~GateKeeperProxy() {}
void store_sid(uint32_t userId, uint64_t sid) {
char filename[21];
@@ -96,7 +98,7 @@
if (mark_cold_boot() && !is_running_gsi) {
ALOGI("cold boot: clearing state");
if (hw_device) {
- hw_device->deleteAllUsers([](const GatekeeperResponse &){});
+ hw_device->deleteAllUsers([](const GatekeeperResponse&) {});
}
}
@@ -104,7 +106,7 @@
}
bool mark_cold_boot() {
- const char *filename = ".coldboot";
+ const char* filename = ".coldboot";
if (access(filename, F_OK) == -1) {
int fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR);
if (fd < 0) {
@@ -299,7 +301,36 @@
if (gkResponse->response_code() == GKResponseCode::OK) {
if (gkResponse->payload().size() != 0) {
+ // try to connect to IKeystoreAuthorization AIDL service first.
+ AIBinder* authzAIBinder =
+ AServiceManager_checkService("android.security.authorization");
+ ::ndk::SpAIBinder authzBinder(authzAIBinder);
+ auto authzService = IKeystoreAuthorization::fromBinder(authzBinder);
+ if (authzService) {
+ if (gkResponse->payload().size() != sizeof(hw_auth_token_t)) {
+ LOG(ERROR) << "Incorrect size of AuthToken payload.";
+ return GK_ERROR;
+ }
+
+ const hw_auth_token_t* hwAuthToken =
+ reinterpret_cast<const hw_auth_token_t*>(gkResponse->payload().data());
+ HardwareAuthToken authToken;
+
+ authToken.timestamp.milliSeconds = betoh64(hwAuthToken->timestamp);
+ authToken.challenge = hwAuthToken->challenge;
+ authToken.authenticatorId = hwAuthToken->authenticator_id;
+ authToken.authenticatorType = static_cast<HardwareAuthenticatorType>(
+ betoh32(hwAuthToken->authenticator_type));
+ authToken.mac.assign(&hwAuthToken->hmac[0], &hwAuthToken->hmac[32]);
+ auto result = authzService->addAuthToken(authToken);
+ if (!result.isOk()) {
+ LOG(ERROR) << "Failure in sending AuthToken to AuthorizationService.";
+ return GK_ERROR;
+ }
+ AIBinder_decStrong(authzAIBinder);
+ }
sp<IServiceManager> sm = defaultServiceManager();
+
sp<IBinder> binder = sm->getService(String16("android.security.keystore"));
sp<security::keystore::IKeystoreService> service =
interface_cast<security::keystore::IKeystoreService>(binder);
@@ -310,9 +341,12 @@
if (!binder_result.isOk() ||
!keystore::KeyStoreServiceReturnCode(result).isOk()) {
LOG(ERROR) << "Failure sending auth token to KeyStore: " << result;
+ return GK_ERROR;
}
} else {
- LOG(ERROR) << "Cannot deliver auth token. Unable to communicate with Keystore.";
+ LOG(ERROR) << "Cannot deliver auth token. Unable to communicate with "
+ "Keystore.";
+ return GK_ERROR;
}
}
@@ -366,23 +400,23 @@
}
if (hw_device == NULL) {
- const char *result = "Device not available";
+ const char* result = "Device not available";
write(fd, result, strlen(result) + 1);
} else {
- const char *result = "OK";
+ const char* result = "OK";
write(fd, result, strlen(result) + 1);
}
return OK;
}
-private:
+ private:
sp<IGatekeeper> hw_device;
bool clear_state_if_needed_done;
bool is_running_gsi;
};
-}// namespace android
+} // namespace android
int main(int argc, char* argv[]) {
ALOGI("Starting gatekeeperd...");
diff --git a/libcutils/memory.cpp b/libcutils/memory.cpp
index a899d80..5a410c2 100644
--- a/libcutils/memory.cpp
+++ b/libcutils/memory.cpp
@@ -18,7 +18,9 @@
#include <log/log.h>
+#if !defined(__APPLE__)
#include <malloc.h>
+#endif
void process_disable_memory_mitigations() {
bool success = false;
diff --git a/libprocessgroup/cgroup_map.cpp b/libprocessgroup/cgroup_map.cpp
index b82b0ab..5ca0967 100644
--- a/libprocessgroup/cgroup_map.cpp
+++ b/libprocessgroup/cgroup_map.cpp
@@ -71,7 +71,7 @@
if (!HasValue()) return false;
if (state_ == UNKNOWN) {
- if (ACgroupController_getFlags != nullptr) {
+ if (__builtin_available(android 30, *)) {
uint32_t flags = ACgroupController_getFlags(controller_);
state_ = (flags & CGROUPRC_CONTROLLER_FLAG_MOUNTED) != 0 ? USABLE : MISSING;
} else {
@@ -172,7 +172,7 @@
auto controller_count = ACgroupFile_getControllerCount();
for (uint32_t i = 0; i < controller_count; ++i) {
const ACgroupController* controller = ACgroupFile_getController(i);
- if (ACgroupController_getFlags != nullptr) {
+ if (__builtin_available(android 30, *)) {
LOG(INFO) << "\t" << ACgroupController_getName(controller) << " ver "
<< ACgroupController_getVersion(controller) << " path "
<< ACgroupController_getPath(controller) << " flags "
diff --git a/libprocessgroup/cgrouprc/include/android/cgrouprc.h b/libprocessgroup/cgrouprc/include/android/cgrouprc.h
index 7e74432..9a79954 100644
--- a/libprocessgroup/cgrouprc/include/android/cgrouprc.h
+++ b/libprocessgroup/cgrouprc/include/android/cgrouprc.h
@@ -28,8 +28,6 @@
struct ACgroupController;
typedef struct ACgroupController ACgroupController;
-#if __ANDROID_API__ >= __ANDROID_API_Q__
-
// ACgroupFile
/**
@@ -71,8 +69,6 @@
#define CGROUPRC_CONTROLLER_FLAG_MOUNTED 0x1
#define CGROUPRC_CONTROLLER_FLAG_NEEDS_ACTIVATION 0x2
-#if __ANDROID_API__ >= __ANDROID_API_R__
-
/**
* Returns the flags bitmask of the given controller.
* If the given controller is null, return 0.
@@ -80,8 +76,6 @@
__attribute__((warn_unused_result, weak)) uint32_t ACgroupController_getFlags(
const ACgroupController*) __INTRODUCED_IN(30);
-#endif
-
/**
* Returns the name of the given controller.
* If the given controller is null, return nullptr.
@@ -97,5 +91,3 @@
__INTRODUCED_IN(29);
__END_DECLS
-
-#endif
diff --git a/libsync/include/ndk/sync.h b/libsync/include/ndk/sync.h
index 2a59e35..38ccb68 100644
--- a/libsync/include/ndk/sync.h
+++ b/libsync/include/ndk/sync.h
@@ -33,8 +33,6 @@
__BEGIN_DECLS
-#if __ANDROID_API__ >= 26
-
/* Fences indicate the status of an asynchronous task. They are initially
* in unsignaled state (0), and make a one-time transition to either signaled
* (1) or error (< 0) state. A sync file is a collection of one or more fences;
@@ -101,8 +99,6 @@
*/
void sync_file_info_free(struct sync_file_info* info) __INTRODUCED_IN(26);
-#endif /* __ANDROID_API__ >= 26 */
-
__END_DECLS
#endif /* ANDROID_SYNC_H */
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 049301d..19c00f9 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -856,13 +856,6 @@
wait_for_prop apexd.status activated
perform_apex_config
- # Lock the fs-verity keyring, so no more keys can be added
- exec -- /system/bin/fsverity_init --lock
-
- # After apexes are mounted, tell keymaster early boot has ended, so it will
- # stop allowing use of early-boot keys
- exec - system system -- /system/bin/vdc keymaster earlyBootEnded
-
# Special-case /data/media/obb per b/64566063
mkdir /data/media 0770 media_rw media_rw encryption=None
exec - media_rw media_rw -- /system/bin/chattr +F /data/media
@@ -872,15 +865,22 @@
init_user0
+ # Set SELinux security contexts on upgrade or policy update.
+ restorecon --recursive --skip-ce /data
+
+ # After apexes are mounted, tell keymaster early boot has ended, so it will
+ # stop allowing use of early-boot keys
+ exec - system system -- /system/bin/vdc keymaster earlyBootEnded
+
+ # Lock the fs-verity keyring, so no more keys can be added
+ exec -- /system/bin/fsverity_init --lock
+
# Allow apexd to snapshot and restore device encrypted apex data in the case
# of a rollback. This should be done immediately after DE_user data keys
# are loaded. APEXes should not access this data until this has been
# completed and apexd.status becomes "ready".
exec_start apexd-snapshotde
- # Set SELinux security contexts on upgrade or policy update.
- restorecon --recursive --skip-ce /data
-
# Check any timezone data in /data is newer than the copy in the time zone data
# module, delete if not.
exec - system system -- /system/bin/tzdatacheck /apex/com.android.tzdata/etc/tz /data/misc/zoneinfo