Author: Tom Marshall <tdm.code@gmail.com>
Date: Wed Oct 25 20:27:08 2017 +0200
Revert "kill package_extract_dir"
changes for P:
- bring back the mkdir_recursively variant which takes a timestamp.
- add libziparchive dependency
- fix otautil header paths
changes for Q:
- change ziputil naming convention to lowercase
This reverts commit 53c38b1538.
Change-Id: I71c488e96a1f23aace3c38fc283aae0165129a12
Author: Tom Marshall <tdm.code@gmail.com>
Date: Thu Dec 14 22:37:17 2017 +0100
Revert "Remove the obsolete package_extract_dir() test"
This reverts commit bb7e005a79.
Change-Id: I643235d6605d7da2a189eca10ec999b25c23e1f9
Author: Tom Marshall <tdm.code@gmail.com>
Date: Wed Aug 23 18:14:00 2017 +0000
Revert "updater: Remove some obsoleted functions for file-based OTA."
This reverts commit 63d786cf22.
These functions will be used for third party OTA zips, so keep them.
Change-Id: I24b67ba4c86f8f86d0a41429a395fece1a383efd
Author: Stricted <info@stricted.net>
Date: Mon Mar 12 18:11:56 2018 +0100
recovery: updater: Fix SymlinkFn args
Change-Id: If2ba1b7a8b5ac471a2db84f352273fd0ea7c81a2
Author: Simon Shields <simon@lineageos.org>
Date: Thu Aug 9 01:17:21 2018 +1000
Revert "updater: Remove dead make_parents()."
This reverts commit 5902691764.
Change-Id: I69eadf1a091f6ecd45531789dedf72a178a055ba
Author: Simon Shields <simon@lineageos.org>
Date: Thu Aug 9 01:20:40 2018 +1000
Revert "otautil: Delete dirUnlinkHierarchy()."
changes for P:
- Fix missing PATH_MAX macro from limits.h
This reverts commit 7934985e0c.
Change-Id: I67ce71a1644b58a393dce45a6c3dee97830b9ee4
Author: XiNGRZ <chenxingyu92@gmail.com>
Date: Tue Dec 3 14:31:56 2019 +0800
updater: Fix lost capabilities of set_metadata
This was broken since Android O. During a file-based incremental OTA,
capability flags were cleared but not being set again properly, leading
some critical processes (e.g. surfaceflinger and pm-service) fails.
For more details, see: 65b8d749f7
Change-Id: I20e616cd83ec1cd1b79717a6703919316ad77938
[mikeioannina]: Squash for Q and run through clang-format
[Chippa_a]: Adapt for Android R updater and libziparchive API
Change-Id: I91973bc9e9f8d100688c0112fda9043fd45eb86a
This would succeed eventually anyway: the first time round the connect() succeeds, returns 0, and we go around the loop again; the second time the connect() fails (because we're already connected), returns -1, and we set success to true and exit the loop. But this means that the intended retry functionality is broken.
Change-Id: If631d59e23b12e9aa952cdb528160b19b9a94b1c
This CL is created as a best effort to migrate test targets to the new Android ownership model.
It is based on historical data from repository history and insights from git blame.
Given the nature of this effort, there may be instances of incorrect attribution. If you find incorrect or unnecessary
attribution in this CL, please create a new CL to fix that.
For detailed guidelines and further information on the migration please refer to the link below,
go/new-android-ownership-model
Bug: 304529413
Test: N/A
Change-Id: Ia2268756e71b22238b17b21d336f5f7e5bd35b0b
* Timed out runs do not show any warning messages.
* These test files cannot finish clang-tidy runs with
the following settings:
TIDY_TIMEOUT=90
WITH_TIDY=1
CLANG_ANALYZER_CHECKS=1
* When TIDY_TIMEOUT is set, in Android continuous builds,
tidy_timeout_srcs files will not be compiled by clang-tidy.
When developers build locally without TIDY_TIMEOUT,
tidy_timeout_srcs files will be compiled.
* Some of these test modules may be split into smaller ones,
or disable some time consuming checks, and then
enable clang-tidy to run within limited time.
Bug: 201099167
Test: make droid tidy-bootable-recovery_subset
Change-Id: I3c4606959ab70e339df201501356b24953d4fb8a
Now we added a libz variant without the offending optimizations,
re-enable tests.
Test: treehugger
Bug: 177076632
Change-Id: I6969090b2cb4c059d952df7cc034d0ed1ac366b2
libz contain platform dependent optimization flags, and sometimes that
cause reconstruction of blobs to fail. Use libz_stable instead
Bug: 177076632
Test: treehugger
Change-Id: I3a8c1591672537d1c754b2bc5b26f939dd80ed47
For a proper solution, add a variant of libz which doesn't have platform
dependent optimizations, and make imgdiff use that version.
Test: treehugger
Bug: 177076632
Change-Id: Ia9e926c1adf22d351315eeec5ad1fabc3d48efd5
This is a pretty simplistic approach, it just shoves random data at the
verifier. The OTA format isn't too complicated so this should hopefully
be sufficient to let the fuzzer exercise the potentially interesting
parsing code.
Test: Let the fuzzer run on device for awhile:
1) FUZZ=libinstall_verify_package_fuzzer
2) SANITIZE_TARGET=hwaddress make ${FUZZ}
3) cd ${ANDROID_PRODUCT_OUT} && adb root && adb sync data
4) adb shell /data/fuzz/arm64/${FUZZ}/${FUZZ}
Change-Id: Icac6bde017b497d9f92c06191eb29e107ba9c0a7
Bump the timeout as we see some flakiness in b/170178152. The other
part of the config is copied from the auto-generated config in
out/host/linux-x86/testcases/recovery_host_test/recovery_host_test.config
Bug: 170178152
Test: treehugger
Change-Id: Ia84c90ba6a686c47ecc7d8331c7e8c7cb4b78292
There's already library support for zip64 in libziparchive. We just need
to start using the new APIs.
Bug: 167951876
Test: Sideload a large ota package in recovery
Change-Id: I652741965f28de079d873c6822317ee9fa855201
After http://go/aog/1306461, the metadata in the OTA package can have
multiple fingerprints or device names
e.g. from pre-device=lmiin to pre-device=lmiin|lmiinpro
This CL updates recovery code to recognize them
Test: Added unit tests for this
Bug: 159850736
Change-Id: If6315bf2d3dea77abb9d7d83145f55b0148cdfb1
The unit tests for imgpatch is comparing the compressed bytes. As
a result, these unit tests will fail with libz change.
Since the recovery image is just a gzipped ramdisk with some wrappings,
we can generate with minigzip it during the build time. This matches
the usage in the real world, where we generate the patch with the host
side libz; and apply the patch with the library on the device.
Bug: 149443852
Test: tests pass on Pixel3
Change-Id: I7885765a161c6bf765671bc55a72cfcaa04b4138
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.
To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.
This CL forces the package installation with FUSE when the package stays
on a removable media.
Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_unit_test - no new failures
Change-Id: Ia5afd19854c3737110339fd59491b96708926ae5
Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
This reverts commit 5e6c4e9a91.
Reason for revert: BUG: 149432069 - build failure on git_qt-qpr1-dev-plus-aosp on docs. 'otautil/roots.h' file not found is the error.
Forrest run: https://android-build.googleplex.com/builds/forrest/run/L85900000460577420
Change-Id: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
Merged-In: I35119c2334895aa0ef4ed71b3ddd08f280c0c031
This library is empty, and its functionality has moved
into libbinder/libhwbinder.
Bug: 148692216
Test: N/A
Change-Id: Ie50d9130a8e43de7d5b222883169c26ab958e6d7
The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.
To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.
This CL forces the package installation with FUSE when the package stays
on a removable media.
Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_component_test - all passing
Change-Id: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
Merged-In: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
The layout of the vendor space /misc partition was pretty confusing and
lead to some usage conflicts. To formalize the layout, we create a pixel
specific library with the definition & offset of various flags. The new
library also handles the R/W. As a result, we will leave system domain
/misc definitions in the libbootloader_message.
We also switch the misc_writer binary to use more specific options
instead of writing an arbitrary hex string. So we can avoid redefining
the string & offset in both init script and recovery ui.
Bug: 131775112
Test: unit tests pass, run misc_writer and check contents of /misc
Change-Id: I00f8842a81d1929e31a1de4d5eb09575ffad47c0
A number of utility functions are intended for serving recovery's own
use. Exposing them via libotautil (which is a static lib) would pass the
dependencies onto libotautil's users (e.g. recovery image, updater, host
simulator, device-specific recovery UI/updater extensions etc). This CL
finds a new home for the utils that are private to recovery.
Test: mmma bootable/recovery
Change-Id: I575e97ad099b85fe1c1c8c7c9458a5a43d4e11e1
And set it to false when installing recovery image via applypatch. We
only need to back up the source partition when doing in-place update
(e.g. when updating a given partition under recovery). When installing
recovery image via applypatch, we won't touch the source partition (i.e.
/boot).
Removing the backup step also allows dropping the dac_override_allowed
permission. Previously it was needed due to the access to /cache.
Because applypatch runs as root:root, while /cache is owned by
system:cache with 0770.
Bug: 68319577
Test: Invoke the code that installs recovery image; check that recovery
is installed successfully without denials.
Test: recovery_unit_test passes on taimen.
Change-Id: I549a770b511762189d6672a2835b6e403d695919
Tested by running recovery_unit_test as described in
https://android.googlesource.com/platform/bootable/recovery/+/refs/heads/master/README.md
Attempted to build and boot a recovery image with the
same change to confirm it still works, but
m recoveryimage-nodeps
fails for me.
Bug: 140940227
Test: See above
Change-Id: I00545968a0e5684823e505f2ddbe7e993319b5d4
Add the command line option to select the work directory and save the
updated image files. Because some people might have interested in
getting updated images from an ota file.
Also, fix a minor issue that the destination of package_extract_file
needs to be updated if it's a block device. Otherwise, an unintended
file may be extracted in the callers' directory.
Test: run simulation, run unit tests
Change-Id: Ic6a7db0580bc1748d6e080102e4654da4e41fd8c
Stop building libimgdiff on device because we are only running
patching there.
Test: unit tests pass
Change-Id: I4225c6b52a536617301a64c405e325799a303b40
Make sure the simulator succeeds executing common non-A/B update
functions.
Bug: 131911365
Test: run unit tests
Change-Id: I520ce6a8827539b88a9e36f9e67eec30d8b586d4
Factor out a new function from ApplyFromSdcard that installs a package
from a local path. Inside this function, we start the fuse and choose the
type of data provider depending on the path string. And similar to the
existing logic, we treat the package as a block map if the path starts
with a '@'.
This is part of the effort to install larger than 2GiB packages on ILP32
devices.
Bug: 127071893
Test: Build a 32 bit sailfish and create a 3GiB OTA package. Sideload
the package, uncrypt and install the package from sdcard.
Change-Id: I328ea34fa530731acbce7554bfc3059313ad6ece
Implement the simulator runtime and build the updater simulator as a host
executable. The code to parse the target-files and mocks the block devices
will be submitted in the follow-up.
Bug: 131911365
Test: unit tests pass
Change-Id: Ib1ba939aec8333ca68a45139514d772ad7a27ad8
Remove some unnecessary includes or forward declarations. And include
the correct headers to build host executables.
Bug: 131911365
Test: unit tests pass
Change-Id: I62e75f60678159fe24619a4bd386b1416f1a5b5d
