OSDN Git Service
David Anderson [Wed, 22 May 2019 00:13:45 +0000 (17:13 -0700)]
Merge "Replace manual dm ioctls with libdm."
am: bc5818774c
Change-Id: Id7ebd240d7c3e16397fcdd044113b54700b11fd5
David Anderson [Tue, 21 May 2019 21:46:38 +0000 (21:46 +0000)]
Merge "Replace manual dm ioctls with libdm."
Nick Kralevich [Wed, 15 May 2019 19:25:11 +0000 (12:25 -0700)]
Merge "FsCrypt.cpp: Do delayed restorecon on /data/vendor_ce"
am: 3b290ece1a
Change-Id: I7d25b2611fb9c8e84139e3a00ccd88a1cc145f3b
Treehugger Robot [Wed, 15 May 2019 19:06:04 +0000 (19:06 +0000)]
Merge "FsCrypt.cpp: Do delayed restorecon on /data/vendor_ce"
Nick Kralevich [Tue, 14 May 2019 16:30:29 +0000 (09:30 -0700)]
FsCrypt.cpp: Do delayed restorecon on /data/vendor_ce
When Android boots after file_contexts has changed, the boot process
walks the entire /data partition, updating any changed SELinux labels as
appropriate. However, credential encrypted ("ce") directories are
deliberately excluded from this early boot directory walk. Files within
ce directories have their filenames encrypted, and as a result, cannot
match the file_contexts entries. Only after the user has unlocked their
device are the unencrypted filenames available and a restorecon
appropriate.
Ensure that we do a post-unlock restorecon on /data/vendor_ce, like we
do for /data/system_ce and /data/misc_ce. This ensures the labels on
files within these directories are correct after the device has been
unlocked.
(cherrypicked from commit 6a3ef488e5fea4f9c5992c76f4b20e7c800881c1)
Bug: 132349934
Test: See bug 132349934 comment #12 for test procedure
Change-Id: Ifcbef5fdfb236ec6dea418efa9d965db3a3b782f
David Anderson [Mon, 13 May 2019 20:02:54 +0000 (13:02 -0700)]
Replace manual dm ioctls with libdm.
This mostly 1:1 replaces manual ioctls to device-mapper with calls to
libdm. There were two exceptions:
(1) There is a very old table-load-retry loop to work around issues with
umount (b/7220345). This loop has been preserved, however, it now
includes DM_DEV_CREATE as well as DM_TABLE_LOAD.
(2) There was some ancient code to set DM_DEV_GEOMETRY for obb
dm-devices. This never did anything since geometry must be set after
loading a table. When setting it before (as vold was doing), the
subsequent DM_TABLE_LOAD will clear it.
Bug: 132206403
Test: FBE device boots
FBE device w/ metadata encryption boots
FDE device boots
atest StorageManagerIntegrationTest
Change-Id: Ib6db6b47329f093ac7084edaf604eddace8b9ac6
Martijn Coenen [Tue, 7 May 2019 06:57:12 +0000 (23:57 -0700)]
Merge "Stop using trigger_reset_main."
am: 91a6c016ec
Change-Id: Id4baa15b619a941c7059d19c59645a45b9060433
Martijn Coenen [Tue, 7 May 2019 06:41:01 +0000 (06:41 +0000)]
Merge "Stop using trigger_reset_main."
Martijn Coenen [Wed, 24 Apr 2019 08:41:11 +0000 (10:41 +0200)]
Stop using trigger_reset_main.
This trigger was used on FDE devices to bring down the minimal
framework, and worked by shutting down the 'main' service class.
With APEX being introduced, we want to restart all services that were
started after the tmpfs /data was mounted, as those are the services
that haven't been able to use updated APEXes in the (real) /data.
In order to do this, we need to reset more classes; that in turn
made the 'shutdown_main' trigger pretty much similar to the
previously existing 'trigger_shutdown_framework' trigger; so instead
of keeping two duplicate triggers, use only the
'trigger_shutdown_framework' one.
Bug: 118485723
Test: Taimen configured as FDE boots, Taimen configured as FBE boots
Change-Id: I0d80ef2528bd70870b063a2c580cd00a03de9961
Paul Lawrence [Tue, 23 Apr 2019 23:25:53 +0000 (16:25 -0700)]
Merge "Use correct Statuses from Checkpoint code"
am: 8d4164f92f
Change-Id: I35ffbb3bc89eb695aa86c45f4aa0a8633cfd11b9
Treehugger Robot [Tue, 23 Apr 2019 23:07:27 +0000 (23:07 +0000)]
Merge "Use correct Statuses from Checkpoint code"
Paul Lawrence [Fri, 19 Apr 2019 21:26:39 +0000 (14:26 -0700)]
Use correct Statuses from Checkpoint code
Bug: 130190815
Test: Added fake error to code and checked correct error was caught
Change-Id: If9ab9357f0f961607e15a4ba18d9d85bc9923019
xzj [Fri, 19 Apr 2019 21:15:15 +0000 (14:15 -0700)]
Merge "fix data encryption fail when ENCRYPTION_FLAG_NO_UI is set"
am: c222ad20ee
Change-Id: I5ebb8825b40c3ce088607f8a4aa6d4fb506f6bd5
Treehugger Robot [Fri, 19 Apr 2019 20:27:44 +0000 (20:27 +0000)]
Merge "fix data encryption fail when ENCRYPTION_FLAG_NO_UI is set"
xzj [Fri, 12 Oct 2018 02:17:11 +0000 (10:17 +0800)]
fix data encryption fail when ENCRYPTION_FLAG_NO_UI is set
cause: data partition not being umount before real encryption
Change-Id: If5cc084c182d96c6205359b76ee0c474f6a77a2e
Sandeep Patil [Wed, 17 Apr 2019 22:10:43 +0000 (15:10 -0700)]
Merge "Add visible logs about fstrim run for block based checkpoints"
am: 419528be57
Change-Id: I546d5cb3807cd217e9ab992ee517d4a3164566e5
Treehugger Robot [Wed, 17 Apr 2019 21:11:04 +0000 (21:11 +0000)]
Merge "Add visible logs about fstrim run for block based checkpoints"
Sandeep Patil [Mon, 15 Apr 2019 15:45:27 +0000 (08:45 -0700)]
Add visible logs about fstrim run for block based checkpoints
Bug: 120095226
Test: Tested by forcing /data/system/last-fstrim last modified time back
2 years & manually trigger checkpoint using 'vdc checkpoint startCheckpoint 1'
Change-Id: I0cb8b6a85ae787e1ba2cdd7998a46942ca69760f
Merged-In: I0cb8b6a85ae787e1ba2cdd7998a46942ca69760f
Signed-off-by: Sandeep Patil <sspatil@google.com>
Eric Biggers [Fri, 5 Apr 2019 23:00:39 +0000 (16:00 -0700)]
Merge "Don't drop as many caches when evicting CE key"
am: a057b27f2a
Change-Id: Ic98dbb34e6696de5ddcaeccb4ae0108cbe0a1921
Eric Biggers [Fri, 5 Apr 2019 21:04:22 +0000 (21:04 +0000)]
Merge "Don't drop as many caches when evicting CE key"
Eric Biggers [Wed, 3 Apr 2019 22:44:06 +0000 (15:44 -0700)]
Don't drop as many caches when evicting CE key
When a user's CE key is removed, write "2" to /proc/sys/vm/drop_caches
rather than "3". This avoids unnecessarily evicting the pagecache of
in-use inodes. It's only necessary to evict the inodes of the relevant
encrypted files, and these are already sync'ed and no longer in-use.
For this mode "2" suffices, as this evicts "reclaimable slab objects",
including inodes; and evicting an inode implies evicting its pagecache.
This matches the recommendation I've made in the documentation for the
fscrypt kernel feature at
https://www.kernel.org/doc/html/latest/filesystems/fscrypt.html#online-attacks
Test: Sanity check that directories are still "locked" properly:
Unlock device with PIN. Then in adb shell: 'stop; start;
sleep 10; ls /data/data/' still shows filenames in ciphertext form.
Change-Id: I1bdf3c420ebf63e98cc314498211061ea36f2942
Paul Crowley [Fri, 5 Apr 2019 19:15:24 +0000 (12:15 -0700)]
Merge changes I40575081,I1ca8f8cf,I38bfd273
am: 1c6a56b27f
Change-Id: I8410e8cb691eb0b5e3e721b6b715eb30f28eef51
Paul Crowley [Fri, 5 Apr 2019 18:26:39 +0000 (18:26 +0000)]
Merge changes I40575081,I1ca8f8cf,I38bfd273
* changes:
clang-format Utils.cpp
vold: fsync both file and directory after write keys
vold: Introduce android::vold::writeStringToFile
Paul Crowley [Fri, 5 Apr 2019 11:09:57 +0000 (04:09 -0700)]
clang-format Utils.cpp
Test: treehugger
Change-Id: I405750812ae037088492bfa7d8db6a8a56cb3425
Tommy Chiu [Tue, 26 Mar 2019 06:14:19 +0000 (14:14 +0800)]
vold: fsync both file and directory after write keys
Use vold version of writeStringToFile which fsync files, and
manually fsync directories after initialize global DE
(cherry picked from commit a98464f688d6e16ca7558251306ece98058b55ce)
Bug: 71810347
Test: Build pass and reboot stress test.
Original boot failure symptom is NOT reproducible.
Change-Id: I1ca8f8cf0ccfd01075a9c33f79042e58d99aea26
Merged-In: I1ca8f8cf0ccfd01075a9c33f79042e58d99aea26
Tommy Chiu [Tue, 26 Mar 2019 09:18:09 +0000 (17:18 +0800)]
vold: Introduce android::vold::writeStringToFile
Remove static definition of writeStringToFile, and
move it from KeyStorage to Utils
(cherry picked from commit 0bd2d116921ab46312cc4a37246a68d38447a72b)
Bug: 71810347
Test: Build pass and reboot stress test.
Change-Id: I38bfd27370ac2372e446dc699f518122e73c6877
Merged-In: I38bfd27370ac2372e446dc699f518122e73c6877
Sandeep Patil [Thu, 4 Apr 2019 18:39:35 +0000 (11:39 -0700)]
Merge "vdc: print the failed command with failure status."
am: b8d17384c5
Change-Id: I6d778f903948cfcee5e377ab22502ed4e1b52ba7
Treehugger Robot [Thu, 4 Apr 2019 18:16:27 +0000 (18:16 +0000)]
Merge "vdc: print the failed command with failure status."
Eric Biggers [Thu, 4 Apr 2019 16:37:52 +0000 (09:37 -0700)]
Merge "Add missing null terminator for getopt_long()"
am: 4d05e017f9
Change-Id: I18d49879af84b0d58254eda501e0ed7ea5a3ca11
Sandeep Patil [Thu, 4 Apr 2019 16:35:51 +0000 (09:35 -0700)]
vdc: print the failed command with failure status.
vdc currently only prints generic binder failure status on failure.
This doesn't help debugging early boot failures at all since we don't
know which exact vdc command failed. Fix that by adding the command as
part of the failure message.
Bug: 129946805
Test: Boot cuttlefish
Change-Id: Ic2367cf592d6b5bf23d6d4b1447baa1baf41afe7
Signed-off-by: Sandeep Patil <sspatil@google.com>
Eric Biggers [Thu, 4 Apr 2019 16:18:18 +0000 (16:18 +0000)]
Merge "Add missing null terminator for getopt_long()"
Eric Biggers [Wed, 3 Apr 2019 23:32:24 +0000 (16:32 -0700)]
Add missing null terminator for getopt_long()
getopt_long() assumes an all-zeroes 'struct option' at the end of the
array. Add it.
Fortunately this isn't causing problems in practice because vold is
always passed valid command line options...
Test: Running 'vold --foo' no longer segfaults.
Change-Id: I2cd3af501cc1aa11327a8062ec492be1d23defdf
Daniel Rosenberg [Tue, 2 Apr 2019 21:23:59 +0000 (14:23 -0700)]
Merge "Retry opening loop device"
am: c8f5cbb5b1
Change-Id: I5657465fe50f61e3c45e7d13eb5953ef7771d5fa
Daniel Rosenberg [Tue, 2 Apr 2019 20:28:44 +0000 (20:28 +0000)]
Merge "Retry opening loop device"
Daniel Rosenberg [Mon, 1 Apr 2019 23:09:28 +0000 (16:09 -0700)]
Retry opening loop device
If more than the default number of loop devices is in use, we may need
to wait for the device path to be available.
Bug: 128873591
Bug: 122059364
Test: Set up adopted virtual disk and check that it loads on boot
Change-Id: I201dcc32043664076f50b0d6f40de6e5e1a65342
Jaegeuk Kim [Mon, 1 Apr 2019 14:13:28 +0000 (07:13 -0700)]
Merge "idle-maint: don't need to change discard_granularity"
am: 444a24558d
Change-Id: If0679363fb8563dedb43f8bd6266c74e4869d44f
Jaegeuk Kim [Mon, 1 Apr 2019 14:04:24 +0000 (14:04 +0000)]
Merge "idle-maint: don't need to change discard_granularity"
Nick Kralevich [Sat, 30 Mar 2019 01:38:21 +0000 (18:38 -0700)]
Merge "vold: add android-* to tidy_checks"
am: 1820b9b3b9
Change-Id: I5b1c6926f050df8b24ee3d52b93080dab0745571
Nick Kralevich [Sat, 30 Mar 2019 01:38:04 +0000 (18:38 -0700)]
Merge "vold: cleanups for O_CLOEXEC tidy checks."
am: a59868d6de
Change-Id: Ice4a6009beb2d41d381e461b00be93471b100778
Nick Kralevich [Sat, 30 Mar 2019 01:27:57 +0000 (01:27 +0000)]
Merge "vold: add android-* to tidy_checks"
Nick Kralevich [Sat, 30 Mar 2019 01:27:38 +0000 (01:27 +0000)]
Merge "vold: cleanups for O_CLOEXEC tidy checks."
Paul Lawrence [Sat, 30 Mar 2019 00:16:19 +0000 (17:16 -0700)]
Merge "Fix checkpoint on Taimen"
am: 3889f17ad1
Change-Id: I06af82f6534b26e595be3aa1d39588175920d0db
Treehugger Robot [Fri, 29 Mar 2019 23:09:52 +0000 (23:09 +0000)]
Merge "Fix checkpoint on Taimen"
Nick Kralevich [Fri, 29 Mar 2019 23:07:58 +0000 (16:07 -0700)]
vold: add android-* to tidy_checks
Bug: 129350825
Test: compiles and boots
Change-Id: If5a6267cc56bfc0ba73602bfa520035197b4fb90
Nick Kralevich [Fri, 29 Mar 2019 23:03:51 +0000 (16:03 -0700)]
vold: cleanups for O_CLOEXEC tidy checks.
Bug: 129350825
Test: compiles and boots
Change-Id: I83a484ca15df1b757b670008f15af5504bc94df1
Paul Lawrence [Fri, 29 Mar 2019 20:06:34 +0000 (13:06 -0700)]
Fix checkpoint on Taimen
Bug: 129494872
Test: VtsKernelCheckpointTest runs and passes
Change-Id: Ib2de866db7c847d569789d1aa6cdbad7c3ee7ff4
Bernie Innocenti [Fri, 29 Mar 2019 04:09:18 +0000 (21:09 -0700)]
Merge "Fix bogus error checking on unique_fd"
am: 95587b085e
Change-Id: Ic11222fdc81a9a2e15546378f1bc5012107c50af
Treehugger Robot [Fri, 29 Mar 2019 03:52:46 +0000 (03:52 +0000)]
Merge "Fix bogus error checking on unique_fd"
Jaegeuk Kim [Thu, 28 Mar 2019 13:40:12 +0000 (06:40 -0700)]
idle-maint: don't need to change discard_granularity
F2FS changes proper configurations along with gc_urgent, so idle-maint doesn't
need to set this redundantly.
Change-Id: I4a71a5d877a3bb9636e2b65132ec806edc56a8fe
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Bernie Innocenti [Thu, 28 Mar 2019 06:24:30 +0000 (15:24 +0900)]
Fix bogus error checking on unique_fd
The expression "!fd" calls the implicit conversion to int, but comparing
the raw fd against 0 does not work, since open() and other POSIX calls
returning a file descriptor use -1 to signal an error.
Test: m vold
Change-Id: I0847c276f39cb9dd09c7ffb96951276113418fc8
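The failure mode this commit describes, as an added C++ example that is not part of the commit or of vold. FdGuard is a hypothetical stand-in for a unique_fd-style wrapper, and the paths used to exercise it are constructed. The buggy variant lets a failed open() through and reports EBADF from the later read(); the fixed variant reports the real open() error.

```cpp
// Added illustration. FdGuard is a hypothetical stand-in for a unique_fd-style
// RAII wrapper with an implicit conversion to int; it is not vold's code.
#include <fcntl.h>
#include <unistd.h>
#include <cerrno>

class FdGuard {
  public:
    explicit FdGuard(int fd) : fd_(fd) {}
    ~FdGuard() { if (fd_ >= 0) close(fd_); }
    FdGuard(const FdGuard&) = delete;
    FdGuard& operator=(const FdGuard&) = delete;
    int get() const { return fd_; }
    operator int() const { return fd_; }  // the implicit conversion the commit refers to
  private:
    int fd_;
};

// Reads one byte; returns 0 on success or the errno of the step that failed.
static int read_one(int fd, char* out) {
    ssize_t n = read(fd, out, 1);
    if (n < 0) return errno;
    return n == 1 ? 0 : EIO;
}

// Before: "!fd" is true only for descriptor 0, so a failed open() (-1) is not
// caught here and the error surfaces later as EBADF from read().
int read_first_byte_buggy(const char* path, char* out) {
    FdGuard fd(open(path, O_RDONLY | O_CLOEXEC));
    if (!fd) return errno;
    return read_one(fd, out);
}

// After: test for the error value itself (any negative descriptor is invalid).
int read_first_byte_fixed(const char* path, char* out) {
    FdGuard fd(open(path, O_RDONLY | O_CLOEXEC));
    if (fd.get() < 0) return errno;
    return read_one(fd, out);
}
```

The buggy check is also wrong in the other direction: descriptor 0 is valid, yet "!fd" treats it as a failure.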
Daniel Rosenberg [Wed, 27 Mar 2019 02:45:51 +0000 (19:45 -0700)]
Merge "Switch Checkpoint health sleep time to ms."
am: 32a8a47b07
Change-Id: If927a879f06faac4fde97dde41f2017010f7001c
Daniel Rosenberg [Wed, 27 Mar 2019 02:34:24 +0000 (02:34 +0000)]
Merge "Switch Checkpoint health sleep time to ms."
Daniel Rosenberg [Wed, 27 Mar 2019 02:18:18 +0000 (19:18 -0700)]
Merge "Fixed min_free_bytes prop name and usleep time default"
am: 7522da3036
Change-Id: I242863be8d2b0b9ff780670b340f8acbfdaad52e
Daniel Rosenberg [Wed, 27 Mar 2019 02:01:48 +0000 (02:01 +0000)]
Merge "Fixed min_free_bytes prop name and usleep time default"
Suren Baghdasaryan [Wed, 27 Mar 2019 01:48:13 +0000 (18:48 -0700)]
Merge "Convert ifstream usage into fopen() to prevent fd leaks into child processes"
am: 93fb6083d4
Change-Id: I28dc4717f22207e310c5701a78c04214ffa4d52a
Suren Baghdasaryan [Wed, 27 Mar 2019 01:31:15 +0000 (01:31 +0000)]
Merge "Convert ifstream usage into fopen() to prevent fd leaks into child processes"
Daniel Rosenberg [Tue, 26 Mar 2019 21:42:14 +0000 (14:42 -0700)]
Switch Checkpoint health sleep time to ms.
This changes the property from microsecond to milliseconds, as we don't
need that sort of precision here. Also switches from using usleep, which
has been removed from POSIX, to nanosleep.
Test: Builds, Boots, Times
Change-Id: Iefbaf8489ba05d8d688542fd7d4305efb980e701
Satoshi Futenma [Mon, 25 Mar 2019 14:13:36 +0000 (23:13 +0900)]
Fixed min_free_bytes prop name and usleep time default
Test: check build
Bug: 129299864
Change-Id: Iab6a01d15185dd19604cd8d3d7ea4efc2b020e34
Suren Baghdasaryan [Tue, 26 Mar 2019 17:00:05 +0000 (10:00 -0700)]
Convert ifstream usage into fopen() to prevent fd leaks into child processes
std::ifstream does not use O_CLOEXEC flag when opening files. This leads
to file descriptors being inherited by child processes. In the case of vold
this results in leaking FDs to less privileged children with no permission
for these files which occasionally leads to SELinux denials.
Bug: 129298168
Change-Id: Id2731782a25d65c9a7cbf25dc441f3e7a17609c1
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
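An added example (not code from this commit or from vold) of checking whether a descriptor would be inherited by a child process across exec, and of the close-on-exec forms of fopen() and open(). It assumes the fopen() replacement uses the "e" mode flag, which glibc and bionic support; the commit message does not say which mode string was used. All function names are hypothetical.

```cpp
// Added illustration, not vold's code. Function names are hypothetical.
#include <fcntl.h>
#include <unistd.h>
#include <cstdio>
#include <vector>

// True if fd is open and will remain open in a child after execve(),
// i.e. FD_CLOEXEC is not set on it.
bool survives_exec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags != -1 && (flags & FD_CLOEXEC) == 0;
}

// Audit helper: descriptors in [3, limit) that a fork()+exec() child would
// inherit. Useful to call just before spawning a less privileged child.
std::vector<int> inheritable_fds(int limit = 256) {
    std::vector<int> out;
    for (int fd = 3; fd < limit; ++fd)
        if (survives_exec(fd)) out.push_back(fd);
    return out;
}

// Mitigation for a descriptor that was opened without close-on-exec.
bool set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags != -1 && fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0;
}

// Opens path with the given fopen() mode and reports whether the underlying
// descriptor would leak into a child: 1 = leaks, 0 = does not, -1 = open failed.
int fopen_leaks(const char* path, const char* mode) {
    FILE* f = fopen(path, mode);
    if (!f) return -1;
    bool leaked = survives_exec(fileno(f));
    fclose(f);
    return leaked ? 1 : 0;
}

// Same check for a raw open() call with optional extra flags.
int open_leaks(const char* path, int extra_flags) {
    int fd = open(path, O_RDONLY | extra_flags);
    if (fd < 0) return -1;
    bool leaked = survives_exec(fd);
    close(fd);
    return leaked ? 1 : 0;
}
```

Setting the flag at open time is preferable to set_cloexec() afterwards, because another thread can fork between the two calls.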
Rubin Xu [Fri, 22 Mar 2019 13:17:06 +0000 (06:17 -0700)]
Merge "Remove excess logging in secdiscard"
am: b640f4e337
Change-Id: Ic4509611efc55b0953ccca02fd7730740982728a
Treehugger Robot [Fri, 22 Mar 2019 13:05:35 +0000 (13:05 +0000)]
Merge "Remove excess logging in secdiscard"
Daniel Rosenberg [Thu, 21 Mar 2019 21:19:27 +0000 (14:19 -0700)]
Merge changes I977cc03b,I7b621476,Ib57f4461
am: 58551c0568
Change-Id: I0ecec87455c3c8daa53b00be941539998eea1cd2
Daniel Rosenberg [Thu, 21 Mar 2019 21:01:08 +0000 (21:01 +0000)]
Merge changes I977cc03b,I7b621476,Ib57f4461
* changes:
Add health check to checkpointing
Change abortChanges to take a message and bool
Make needsCheckpoint cover whole session
Daniel Rosenberg [Wed, 21 Nov 2018 03:03:11 +0000 (19:03 -0800)]
Add health check to checkpointing
Take action if we are running out of checkpoint space.
Configurable via ro.sys properties.
ro.sys.cp_usleeptime = Time to sleep between checks
ro.sys.cp_min_free_bytes = Min free space to act on
ro.sys.cp_commit_on_full = action to take. Either commits or reboots to
continue attempt without checkpoint, or retry
and eventually abort OTA
Test: Trigger a checkpoint and fill the disk.
Bug: 119769392
Change-Id: I977cc03b7aef9320d661c8a0d716f8a1ef0be347
Daniel Rosenberg [Thu, 21 Mar 2019 00:02:47 +0000 (17:02 -0700)]
Change abortChanges to take a message and bool
abortChanges will attempt to pass a reboot message, and will only reboot
if the device is currently checkpointing. Additionally, it can opt to
attempt to prevent future attempts. This only works for non-bootloader
controlled updates. Failures are ignored, as it will always reboot the
device. In the unlikely event of such a failure, the device will
continue to retry as though you did not ask to prevent future attempts.
Test: vdc checkpoint abortChanges abort_retry_test 1
vdc checkpoint abortChanges abort_noretry_test 0
Change-Id: I7b6214765a1faaf4fd193c73331696b53ae572d2
Daniel Rosenberg [Tue, 19 Mar 2019 21:02:59 +0000 (14:02 -0700)]
Make needsCheckpoint cover whole session
This makes needsCheckpoint return true when the device will or is using
checkpointing.
Test: vdc checkpoint startCheckpoint 1
reboot
vdc checkpoint needsCheckpoint
should return 1 before and after data mounts, and 0 once the
checkpoint has been committed
Change-Id: Ib57f4461d837f41a8110ed318168165a684d913a
Rubin Xu [Thu, 21 Mar 2019 18:13:40 +0000 (18:13 +0000)]
Remove excess logging in secdiscard
Remove all debug logs to reduce logspam a bit.
Bug: 64349233
Test: manual
Change-Id: I234fae7b9fb719b09af27985736f43f085dad301
Paul Crowley [Tue, 19 Mar 2019 19:31:37 +0000 (12:31 -0700)]
Merge "Shell no longer globs, so glob in pushBackContents"
am: a41b7849d0
Change-Id: Iedd9a6d6834adc844e13e9ec596062032588fd53
Paul Crowley [Tue, 19 Mar 2019 19:13:56 +0000 (19:13 +0000)]
Merge "Shell no longer globs, so glob in pushBackContents"
Paul Lawrence [Mon, 18 Mar 2019 23:08:51 +0000 (16:08 -0700)]
Merge "Add vdc checkpoint supportsBlockCheckpoint"
am: 860c731158
Change-Id: I61a7059649e8dc0ff5096f3494d5e4b0f8f3b787
Treehugger Robot [Mon, 18 Mar 2019 22:56:47 +0000 (22:56 +0000)]
Merge "Add vdc checkpoint supportsBlockCheckpoint"
Paul Lawrence [Mon, 18 Mar 2019 20:36:40 +0000 (13:36 -0700)]
Add vdc checkpoint supportsBlockCheckpoint
Also add vdc checkpoint supportsFileCheckpoint
This is to allow tests to be specific to supported checkpoint mode.
Test: Built on Taimen and Crosshatch, made sure both new functions work
as expected
Change-Id: I0eab7453b13c0a2e31840ef9ad24a692cec55b00
Paul Crowley [Mon, 18 Mar 2019 17:26:47 +0000 (10:26 -0700)]
Shell no longer globs, so glob in pushBackContents
Bug: 113246065
Bug: 123057215
Test: As described in b/113246065 comment 1
Change-Id: Id766773ed4abe80a9fc1d5305f099aedfe8eed90
Chris Fries [Thu, 14 Mar 2019 15:34:06 +0000 (08:34 -0700)]
Merge "Fsync directories before delete key"
am: 7573874d3f
Change-Id: I568638b5de3c58d868024f959f890094eb1bd501
Chris Fries [Thu, 14 Mar 2019 15:19:20 +0000 (15:19 +0000)]
Merge "Fsync directories before delete key"
Woody Lin [Mon, 11 Mar 2019 12:58:20 +0000 (20:58 +0800)]
Fsync directories before delete key
The boot failure symptom is reproduced on Walleye devices. System boots
up after taking OTA and try to upgrade key, but keymaster returns "failed
to ugprade key". Device reboots to recovery mode because of the failure,
and finally trapped in bootloader screen. Possible scenario is:
(After taking OTA)
vold sends old key and op=UPGRADE to keymaster
keymaster creates and saves new key to RPMB, responses new key to vold
vold saves new key as temp key
vold renames temp key to main key -------------- (1) -- still in cache
vold sends old key and op=DELETE_KEY to keymaster
keymaster removes old key from RPMB ------------ (2) -- write directly to RPMB
==> SYSTEM INTERRUPTED BY CRASH OR SOMETHING; ALL CACHE LOST.
==> System boots up, key in RPMB is deleted but key in storage is old key.
Solution: A Fsync is required between (1) and (2) to cover this case.
Detail analysis: b/124279741#comment21
Bug: 112145641
Bug: 124279741
Test: Insert fault right after deleteKey in vold::begin (KeyStorage.cpp),
original boot failure symptom is NOT reproducible.
Change-Id: Ib8c349d6d033f86b247f4b35b8354d97cf249d26
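The ordering described in this commit, and the file-plus-directory fsync from "vold: fsync both file and directory after write keys", as an added C++ example that is not vold's code. durable_replace(), upgrade_key() and the file name "key_blob" are hypothetical, the key strings are constructed, and the callback stands in for the DELETE_KEY request to keymaster.

```cpp
// Added illustration of the ordering fix; not vold's code. durable_replace(),
// upgrade_key() and the file name "key_blob" are hypothetical.
#include <fcntl.h>
#include <unistd.h>
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <functional>
#include <string>

// fsync() a directory so a create/rename inside it reaches stable storage.
static bool fsync_dir(const std::string& dir) {
    int fd = open(dir.c_str(), O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0) return false;
    bool ok = fsync(fd) == 0;
    close(fd);
    return ok;
}

static std::string read_file(const std::string& path) {
    std::string out;
    char buf[256];
    int fd = open(path.c_str(), O_RDONLY | O_CLOEXEC);
    if (fd < 0) return out;
    for (ssize_t n; (n = read(fd, buf, sizeof buf)) > 0;) out.append(buf, n);
    close(fd);
    return out;
}

// temp file -> fsync(file) -> rename -> fsync(directory)
bool durable_replace(const std::string& dir, const std::string& name,
                     const std::string& data) {
    const std::string tmp = dir + "/" + name + ".tmp", dst = dir + "/" + name;
    int fd = open(tmp.c_str(), O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0600);
    if (fd < 0) return false;
    bool ok = true;
    for (size_t off = 0; ok && off < data.size();) {
        ssize_t n = write(fd, data.data() + off, data.size() - off);
        if (n > 0) off += static_cast<size_t>(n);
        else if (n == 0 || errno != EINTR) ok = false;
    }
    ok = ok && fsync(fd) == 0;   // file contents are on disk
    ok = (close(fd) == 0) && ok;
    ok = ok && rename(tmp.c_str(), dst.c_str()) == 0;
    if (!ok) { unlink(tmp.c_str()); return false; }
    return fsync_dir(dir);       // rename is on disk: step (1) is now durable
}

// delete_old stands in for the DELETE_KEY request, step (2) in the commit
// message. It runs only after step (1) has been fsync'ed.
bool upgrade_key(const std::string& dir, const std::string& new_blob,
                 const std::function<bool()>& delete_old) {
    if (!durable_replace(dir, "key_blob", new_blob)) return false;
    return delete_old();
}

// Runs the flow in a fresh temp directory. Returns 0 on success, otherwise
// the number of the check that failed.
int run_demo() {
    char tmpl[] = "/tmp/keydemo.XXXXXX";
    if (!mkdtemp(tmpl)) return 1;
    const std::string dir = tmpl, key = dir + "/key_blob";
    int rc = 0;
    std::string seen;     // what storage holds at the moment step (2) runs
    bool called = false;  // set if the delete step runs after a failed write
    if (!durable_replace(dir, "key_blob", "OLD-KEY (constructed)")) rc = 2;
    else if (!upgrade_key(dir, "NEW-KEY (constructed)",
                          [&] { seen = read_file(key); return true; })) rc = 3;
    else if (seen != "NEW-KEY (constructed)") rc = 4;
    // A failed write must never reach the delete step.
    else if (upgrade_key(dir + "/missing", "x",
                         [&] { called = true; return true; }) || called) rc = 5;
    unlink(key.c_str());
    rmdir(tmpl);
    return rc;
}
```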
The Android Open Source Project [Mon, 11 Mar 2019 23:55:26 +0000 (16:55 -0700)]
[automerger skipped] Merge "DO NOT MERGE - Skip PPRL.190305.001 into master"
am: 027fe9217c -s ours
am skip reason: subject contains skip directive
Change-Id: I2dc06015f2c873a8d9a62d743d97fc489937b644
The Android Open Source Project [Mon, 11 Mar 2019 23:54:31 +0000 (16:54 -0700)]
[automerger skipped] DO NOT MERGE - Skip PPRL.190305.001 into master
am: 37c6ce4fb0 -s ours
am skip reason: subject contains skip directive
Change-Id: I6fa5c1108107e07e1d6c77592eaa6269672fdd2b
Treehugger Robot [Mon, 11 Mar 2019 23:16:31 +0000 (23:16 +0000)]
Merge "DO NOT MERGE - Skip PPRL.190305.001 into master"
The Android Open Source Project [Mon, 11 Mar 2019 21:57:55 +0000 (14:57 -0700)]
DO NOT MERGE - Skip PPRL.190305.001 into master
Bug: 127812889
Change-Id: I5bff7948e2fc254d0595329bd7a7262586de0c32
Jiyong Park [Sat, 9 Mar 2019 01:55:15 +0000 (17:55 -0800)]
Merge "Don't unmount /storage for early native processes"
am: ee9554b2d9
Change-Id: I985413323a86816b392bd00211c550aef93328ae
Treehugger Robot [Sat, 9 Mar 2019 01:33:40 +0000 (01:33 +0000)]
Merge "Don't unmount /storage for early native processes"
Daniel Rosenberg [Fri, 8 Mar 2019 02:43:46 +0000 (18:43 -0800)]
Merge changes I91cf0def,I47570e8e
am: 5f01cf3cac
Change-Id: If269c0d3134dc98683982a96224885503b2f8434
Treehugger Robot [Thu, 7 Mar 2019 23:56:21 +0000 (23:56 +0000)]
Merge changes I91cf0def,I47570e8e
* changes:
Make Checkpoint restore resume safe
Add vdc checkpoint restoreCheckpointPart
Daniel Rosenberg [Sat, 2 Mar 2019 06:01:22 +0000 (22:01 -0800)]
Make Checkpoint restore resume safe
This allows us to resume rolling back in the event of an unexpected
shutdown during the restore process. We save progress after we process
each log sector, and whenever restarting the current log sector would
result in invalid data.
Test: Run restore, interrupt it, and attempt to resume
Change-Id: I91cf0defb0d22fc5afdb9debc2963c956e9e171c
Daniel Rosenberg [Thu, 7 Mar 2019 01:45:17 +0000 (17:45 -0800)]
Add vdc checkpoint restoreCheckpointPart
Restores the first n entries of a checkpoint. Allows automated testing
of interrupted restores.
Test: vdc checkpoint restoreCheckpoint [device] [n]
Change-Id: I47570e8eba0bc3c6549a04a33600df05d393990b
Daniel Rosenberg [Thu, 7 Mar 2019 06:16:41 +0000 (22:16 -0800)]
Merge "Switch Checkpoint Restore code to c style File ops"
am: bc1901f8af
Change-Id: I52f3551d5a86d7e2edbb116bec98e8d2a11535df
Daniel Rosenberg [Thu, 7 Mar 2019 06:10:58 +0000 (06:10 +0000)]
Merge "Switch Checkpoint Restore code to c style File ops"
Daniel Rosenberg [Tue, 5 Mar 2019 05:46:31 +0000 (21:46 -0800)]
Switch Checkpoint Restore code to c style File ops
In preparation for restore code, we need to guarantee fsync happens.
Switch over to fd based operations to prepare for that.
Test: Successfully restores device over reboots
Change-Id: Ic9901779e8a4258bf8090d6a62fa9829e343fd39
Jiyong Park [Fri, 4 Jan 2019 04:35:25 +0000 (13:35 +0900)]
Don't unmount /storage for early native processes
Motivation:
Early processes launched before the runtime APEX - that hosts the bionic
libs - is activated can't use the bionic libs from the APEX, but from the
system partition (which we call the bootstrap bionic). Other processes
after the APEX activation should use the bionic libs from the APEX.
In order to let both types of processes to access the bionic libs via
the same standard paths /system/lib/{libc|libdl|libm}.so, some mount
namespace magic is used.
To be specific, when the device boots, the init initially bind-mounts
the bootstrap bionic libs to the standard paths with MS_PRIVATE. Early
processes are then executed with their own mount namespaces (via
unshare(CLONE_NEWNS)). After the runtime APEX is activated, init
bind-mounts the bionic libs in the APEX to the same standard paths.
Processes launched thereafter use the bionic libs from the APEX (which
can be updated.)
Important thing is that, since the propagation type of the mount points
(the standard paths) is 'private', the new bind-mount events for the
updated bionic libs should not affect the early processes. Otherwise,
they would experience sudden change of bionic libs at runtime. However,
other mount/unmounts events outside of the private mount points are
still shared across early/late processes as before. This is made possible
because the propagation type of / is 'shared' .
Problem:
vold uses the equality of the mount namespace to filter-out processes
that share the global mount namespace (the namespace of the init). However,
due to the aforementioned change, the early processes are not filtered
out because they have different mount namespaces. As a result,
umount2("/storage/") is executed on them and this unmount event
becomes visible to the global mount namespace (because as mentioned before /
is 'shared').
Solution:
Filter-out the early processes by skipping a native (non-Java) process
whose UID is < AID_APP. The former condition is because all early
processes are native ones; i.e., zygote is started after the runtime
APEX is activated. The latter condition is to not filter-out native
processes created locally by apps.
Bug: 120266448
Test: m; device boots
Change-Id: I054deedc4af8421854cf35be84e14995523a259a
Paul Lawrence [Fri, 1 Mar 2019 21:35:24 +0000 (13:35 -0800)]
Merge "Make restore validation fast by using a map"
am: decda14f02
Change-Id: I92c5bdf046ac7e6b2211021698990592fe5f3895
Paul Lawrence [Fri, 1 Mar 2019 21:19:27 +0000 (21:19 +0000)]
Merge "Make restore validation fast by using a map"
Paul Lawrence [Tue, 22 Jan 2019 22:31:43 +0000 (14:31 -0800)]
Make restore validation fast by using a map
Test: Successfully restores device over reboots
Change-Id: I4f1c5bbe6c07697a925a1a4efb92aefd15b61332
Xin Li [Thu, 21 Feb 2019 00:20:13 +0000 (16:20 -0800)]
DO NOT MERGE - Merge pi-dev@5234907 into stage-aosp-master
Bug: 120848293
Change-Id: Ia3e46d3c5ca83da01e78e076d2810620812f5115
Paul Lawrence [Wed, 20 Feb 2019 12:22:43 +0000 (04:22 -0800)]
Merge "Do not trim unless we are actually checkpointing"
am: 2268c285a5
Change-Id: I031a25204269ea7d3d65349a3f281a3f1e07eadd
Treehugger Robot [Wed, 20 Feb 2019 12:09:31 +0000 (12:09 +0000)]
Merge "Do not trim unless we are actually checkpointing"
Paul Lawrence [Tue, 19 Feb 2019 22:18:54 +0000 (14:18 -0800)]
Do not trim unless we are actually checkpointing
I'm not convinced this explains the full regression, but it's a
worthwhile fix anyway.
Bug: 124774357
Test: Booted in checkpoint mode and non checkpoint mode
Change-Id: I6e0e1e59e27bd127feac218fff7d88bb3570b530
Xin Li [Thu, 14 Feb 2019 22:11:30 +0000 (22:11 +0000)]
Merge "DO NOT MERGE - Skip pi-platform-release (PPRL.190205.001) into stage-aosp-master" into stage-aosp-master
David Anderson [Thu, 14 Feb 2019 20:41:46 +0000 (12:41 -0800)]
Merge "Enable metadata encryption for userdata_gsi."
am: 99046b75c4
Change-Id: I90d530403f635427c7695e6a106526b51a7fc146
David Anderson [Thu, 14 Feb 2019 20:27:05 +0000 (20:27 +0000)]
Merge "Enable metadata encryption for userdata_gsi."