Implement a new method of sideloading over ADB that does not require
the entire package to be held in RAM (useful for low-RAM devices and
devices using block OTA where we'd rather have more RAM available for
binary patching).
We communicate with the host using a new adb service called
"sideload-host", which makes the host act as a server, sending us
different parts of the package file on request.
We create a FUSE filesystem that creates a virtual file
"/sideload/package.zip" that is backed by the ADB connection -- users
see a normal file, but when they read from the file we're actually
fetching the data from the adb host. This file is then passed to the
verification and installation systems like any other.
To prevent a malicious adb host implementation from serving different
data to the verification and installation phases of sideloading, the
FUSE filesystem verifies that the contents of the file don't change
between reads -- every time we fetch a block from the host we compare
its hash to the previous hash for that block (if it was read before)
and cause the read to fail if it changes.
One necessary change is that the minadbd started by recovery in
sideload mode no longer drops its root privileges (they're needed to
mount the FUSE filesystem). We rely on SELinux enforcement to
restrict the set of things that can be accessed.
Change-Id: Ida7dbd3b04c1d4e27a2779d88c1da0c7c81fb114
Duplicate changes made to init.rc for https://android-review.googlesource.com/98852
in the init.rc used for recovery mode.
Bug 15849856
Change-Id: Ia376ddf6373a28718653f7fb1435bf7ecb33d813
In kernel 3.10, f_adb has been removed and adbd can use functionfs
instead. Mount functionfs on boot for adbd. On older kernels, mount
will fail silently and adbd will revert to f_adb.
Change-Id: I5db57aaf35b35859ea88c7d0e0661d8c553e5811
When adbd runs as root, it should transition into the
su domain. This is needed to run the adbd and shell
domains in enforcing on userdebug / eng devices without
breaking developer workflows.
Use the new device_banner command line option.
Change-Id: Ib33c0dd2dd6172035230514ac84fcaed2ecf44d6
The syntax of init's mount command changed in April 2008 but
recovery's init.rc was never updated, so recovery's /tmp has been on
the root fs all this time. Fix.
Also add /system/bin to the PATH in recovery, which is handy for
debugging.
Change-Id: I39f7ae435a8ce3bad691e4b7c307db0bd8de1302
Otherwise everything is left running in the kernel domain when
booting recovery.
Change-Id: Ie3d86547d5be0b68dd1875a97afe1e00fc3e4da1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Recovery's init.rc was missing a line (added to the main system's
init.rc in change Ic97fd464440ff4a29fc9da7ad15949ac5215ade3) is
required for secure adb to work.
Change-Id: Id79b94d2abb4cbe3cca7cabeb4bc5faf7205e56b
Change I84c0513acb549720cb0e8c9fcbda0050f5c396f5 moved reboot
functionality into init but did not update the recovery partition; so
"adb reboot" and /system/bin/reboot in recovery are both broken.
Change-Id: Ie2d14627a686ffb5064256b6c399723636dff116
Some devices need hardware specific services started in recovery, for
example watchdogd. Import init.recovery.${ro.hardware}.rc from the
recovery init.rc.
Bug: 6953625
Change-Id: I4a4cee210238150ffaabe774a44340ec3c8ff78c
Make minadbd drop its root privileges after initializing. We need to
make the /tmp directory writable by the shell group so that it can
drop the sideloaded file there.
Change-Id: I67b292cf769383f0f67fb934e5a80d408a4c131d
Wrote some missing items in recovery, most notably the serial number so that it shows up correctly on adb.
Change-Id: If430c0b78191c8d77f781aa605b5081571451775
Always start adbd if ro.debuggable=1 rather than basing it on user preference
in persistent system properties.
Use new D001 product ID, which I just allocated for "android recovery mode"
Change-Id: I6f1eac5257eaad2e538c0a8dd549ad89219efa3e
Signed-off-by: Mike Lockwood <lockwood@android.com>
Merge commit 'ecc76ba5516d62a886f9c290906e0ca50702c9ab' into gingerbread
* commit 'ecc76ba5516d62a886f9c290906e0ca50702c9ab':
Set adbd to be disabled by default in recovery
