Snap for 13248265 from d8538e17a376270896a75e21b30a13a7e3d5fbda to 25Q2-release
Change-Id: I8084a13c38c7ebfe64c9f0f4de4180c2e6915ad3
diff --git a/init/first_stage_init.cpp b/init/first_stage_init.cpp
index 6bb0ad7..e06a645 100644
--- a/init/first_stage_init.cpp
+++ b/init/first_stage_init.cpp
@@ -402,7 +402,7 @@
// /second_stage_resources is used to preserve files from first to second
// stage init
- CHECKCALL(mount("tmpfs", kSecondStageRes, "tmpfs", MS_NOSUID | MS_NODEV,
+ CHECKCALL(mount("tmpfs", kSecondStageRes, "tmpfs", MS_NOEXEC | MS_NOSUID | MS_NODEV,
"mode=0755,uid=0,gid=0"));
if (IsMicrodroid() && android::virtualization::IsOpenDiceChangesFlagEnabled()) {
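Review bot: The comment above this mount still only says what /second_stage_resources is for; it does not explain why the tmpfs is now mounted with MS_NOEXEC, nor that init/selinux.cpp in this same commit remounts it without that flag when overlays are in use. Because the two mount calls must keep their flags and option string in step, I would extend the comment, e.g. `// Mounted noexec; EarlySetupOverlays() in selinux.cpp remounts it without MS_NOEXEC when overlay_remounter has to run from here.` A shared constant for `"mode=0755,uid=0,gid=0"` would also keep the two call sites from drifting apart. The enclosing function starts and ends outside the hunk.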
diff --git a/init/selinux.cpp b/init/selinux.cpp
index 2a27c1d..03fd2d2 100644
--- a/init/selinux.cpp
+++ b/init/selinux.cpp
@@ -56,6 +56,7 @@
#include <linux/audit.h>
#include <linux/netlink.h>
#include <stdlib.h>
+#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>
@@ -701,8 +702,8 @@
}
#ifdef ALLOW_REMOUNT_OVERLAYS
-void SetupOverlays() {
- if (android::fs_mgr::use_override_creds) return;
+bool EarlySetupOverlays() {
+ if (android::fs_mgr::use_override_creds) return false;
bool has_overlays = false;
std::string contents;
@@ -715,8 +716,16 @@
break;
}
- if (!has_overlays) return;
+ if (!has_overlays) return false;
+ if (mount("tmpfs", kSecondStageRes, "tmpfs", MS_REMOUNT | MS_NOSUID | MS_NODEV,
+ "mode=0755,uid=0,gid=0") == -1) {
+ PLOG(FATAL) << "Failed to remount tmpfs on " << kSecondStageRes << " to remove NO_EXEC";
+ }
+ return true;
+}
+
+void SetupOverlays() {
// After adb remount, we mount all r/o volumes with overlayfs to allow writing.
// However, since overlayfs performs its file operations in the context of the
// mounting process, this will not work as is - init is in the kernel domain in
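Review bot: The remount in EarlySetupOverlays() clears MS_NOEXEC for the whole kSecondStageRes tmpfs and nothing visible in this diff sets it again, so with ALLOW_REMOUNT_OVERLAYS and overlays present the hardening added in first_stage_init.cpp no longer applies to any file in that directory, not only overlay_remounter. If that is the intended trade-off it should be stated in a comment on the function; if not, noexec would have to be restored after overlay_remounter has been started, in code outside this diff. The function also has a side effect that its name and bool return do not suggest, so a header comment such as `// Returns true if overlays are present; in that case also remounts kSecondStageRes without MS_NOEXEC so overlay_remounter can be executed from it.` would help. The log text says `NO_EXEC` while the flag is `MS_NOEXEC`; using the flag name keeps the message greppable. The loop that sets has_overlays lies outside the hunk.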
@@ -728,7 +737,6 @@
// We will call overlay_remounter which will do the unmounts/mounts.
// But for that to work, the volumes must not be busy, so we need to copy
// overlay_remounter from system to a ramdisk and run it from there.
-
const char* kOverlayRemounter = "overlay_remounter";
auto or_src = std::filesystem::path("/system/xbin/") / kOverlayRemounter;
auto or_dest = std::filesystem::path(kSecondStageRes) / kOverlayRemounter;
@@ -756,6 +764,9 @@
PLOG(FATAL) << "execv(\"" << or_dest << "\") failed";
}
#else
+bool EarlySetupOverlays() {
+ return false;
+}
void SetupOverlays() {}
#endif
@@ -771,6 +782,9 @@
SelinuxSetupKernelLogging();
+ // Test to see if we should use overlays, and if so remount tmpfs before selinux will block
+ bool use_overlays = EarlySetupOverlays();
+
// TODO(b/287206497): refactor into different headers to only include what we need.
if (IsMicrodroid()) {
LoadSelinuxPolicyMicrodroid();
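Review bot: The added comment ends in `before selinux will block` without naming what is blocked, so a reader cannot tell which ordering constraint this call protects. I would name the operation and its position relative to policy load, e.g. `// Decide now whether overlays are in use: the tmpfs remount in EarlySetupOverlays() has to happen before the SELinux policy is loaded.` `use_overlays` is never reassigned in the visible lines and could be declared `const bool`. The enclosing function continues outside the hunk.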
@@ -801,7 +815,7 @@
// SetupOverlays does not return if overlays exist, instead it execs overlay_remounter
// which then execs second stage init
- SetupOverlays();
+ if (use_overlays) SetupOverlays();
const char* path = "/system/bin/init";
const char* args[] = {path, "second_stage", nullptr};
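Review bot: SetupOverlays() no longer checks use_override_creds or has_overlays itself; after this change the `if (use_overlays)` on this line is the only guard, so any other caller would copy and exec overlay_remounter unconditionally. The existing comment above the call still reads as if SetupOverlays() decides on its own; I would reword it to `// use_overlays comes from EarlySetupOverlays(); when it is true SetupOverlays() does not return, it execs overlay_remounter` and state the same precondition on SetupOverlays() itself. Whether SetupOverlays() has other callers is not visible in this diff.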
diff --git a/storaged/main.cpp b/storaged/main.cpp
index bbed210..8e71180 100644
--- a/storaged/main.cpp
+++ b/storaged/main.cpp
@@ -25,13 +25,12 @@
#include <sys/types.h>
#include <vector>
-#include <android-base/macros.h>
#include <android-base/logging.h>
+#include <android-base/macros.h>
#include <android-base/stringprintf.h>
-#include <binder/ProcessState.h>
-#include <binder/IServiceManager.h>
#include <binder/IPCThreadState.h>
-#include <cutils/android_get_control_file.h>
+#include <binder/IServiceManager.h>
+#include <binder/ProcessState.h>
#include <cutils/sched_policy.h>
#include <private/android_filesystem_config.h>
diff --git a/storaged/storaged.rc b/storaged/storaged.rc
index 7085743..6debb69 100644
--- a/storaged/storaged.rc
+++ b/storaged/storaged.rc
@@ -2,7 +2,6 @@
class main
capabilities DAC_READ_SEARCH
priority 10
- file /d/mmc0/mmc0:0001/ext_csd r
task_profiles ServiceCapacityLow
user root
group package_info
diff --git a/trusty/secretkeeper/Android.bp b/trusty/secretkeeper/Android.bp
index 6523eda..d399bf8 100644
--- a/trusty/secretkeeper/Android.bp
+++ b/trusty/secretkeeper/Android.bp
@@ -27,18 +27,16 @@
"src/hal_main.rs",
],
rustlibs: [
+ "android.hardware.security.secretkeeper-V1-rust",
"libandroid_logger",
"libauthgraph_hal",
"libauthgraph_wire",
"libbinder_rs",
"liblibc",
"liblog_rust",
- "libsecretkeeper_hal",
+ "libsecretkeeper_hal_v1",
"libtrusty-rs",
],
- defaults: [
- "secretkeeper_use_latest_hal_aidl_rust",
- ],
prefer_rlib: true,
}