432 commits

Author SHA1 Message Date
Tao Bao
c0f56ad766 More accurate checking for overlapped ranges.
A RangeSet has half-closed half-open bounds. For example, "3,5" contains
blocks 3 and 4. So "3,5" and "5,7" are actually not overlapped.

Bug: 22098085
Change-Id: I75e54a6506f2a20255d782ee710e889fad2eaf29
2015-06-25 17:07:45 -07:00
Sami Tolvanen
a3c75e3ea6 Zero blocks before BLKDISCARD
Due to observed BLKDISCARD flakiness, overwrite blocks that we want
to discard with zeros first to avoid later issues with dm-verity if
BLKDISCARD is not successful.

Bug: 20614277
Bug: 20881595
Change-Id: I4f6f2db39db990879ff10468c9db41606497bd6f
2015-06-10 17:09:48 +01:00
Sami Tolvanen
e82fa18d3d Revert "Zero blocks before BLKDISCARD"
This reverts commit 96392b97f6.

Change-Id: I77acc27158bad3cd8948390a3955197646a43a31
2015-06-10 15:58:12 +00:00
Sami Tolvanen
96392b97f6 Zero blocks before BLKDISCARD
Due to observed BLKDISCARD flakiness, overwrite blocks that we want
to discard with zeros first to avoid later issues with dm-verity if
BLKDISCARD is not successful.

Bug: 20614277
Bug: 20881595
Change-Id: I0280fe115b020dcab35f49041fb55b7f8e793da3
2015-06-09 21:57:06 +01:00
Tao Bao
80e46e08de recovery: Switch to clang
And a few trivial fixes to suppress warnings.

Change-Id: I38734b5f4434643e85feab25f4807b46a45d8d65
2015-06-03 11:30:03 -07:00
Tao Bao
1eb9003b77 Fix build: fprintf without modifier
Change-Id: I66ae21a25a25fa3c70837bc54a7d406182d4cf37
2015-06-03 09:55:38 -07:00
Tao Bao
a69e608a52 Merge "Log update outputs in order" 2015-06-03 16:15:50 +00:00
Tao Bao
b6918c7c43 Log update outputs in order
Although stdout and stderr are both redirected to log file with no
buffering, we are seeing some outputs are mixed in random order.
This is because ui_print commands from the updater are passed to the
recovery binary via a pipe, which may interleave with other outputs
that go to stderr directly.

In recovery, adding ui::PrintOnScreenOnly() function to handle
ui_print command, which skips printing to stdout. Meanwhile, updater
prints the contents to stderr in addition to piping them to recovery.

Change-Id: Idda93ea940d2e23a0276bb8ead4aa70a3cb97700
2015-06-02 22:15:40 -07:00
Elliott Hughes
1441a9654f Merge "Really don't use TEMP_FAILURE_RETRY with close in recovery." 2015-05-29 18:02:57 +00:00
Elliott Hughes
b3ac676192 Really don't use TEMP_FAILURE_RETRY with close in recovery.
I missed one last time.

Bug: http://b/20501816
Change-Id: I9896ee2704237d61ee169f898680761e946e0a56
2015-05-28 23:06:17 -07:00
Sami Tolvanen
cc2428c818 Handle BLKDISCARD failures
In the block updater, if BLKDISCARD fails, the error is silently
ignored and some of the blocks may not be erased. This means the
target partition will have inconsistent contents.

If the ioctl fails, return an error and abort the update.

Bug: 20614277
Change-Id: I33867ba9337c514de8ffae59f28584b285324067
2015-05-28 09:09:02 +01:00
Dan Albert
e49a9e527a Stop using libstdc++.
These are already getting libc++, so it isn't necessary. If any of the
other static libraries (such as adb) use new or delete from libc++,
there will be symbol collisions.

Change-Id: I55e43ec60006d3c2403122fa1174bde06f18e09f
2015-05-19 11:33:18 -07:00
Sami Tolvanen
6253753ab9 Merge "Add error and range checks to parse_range" 2015-05-18 08:08:54 +00:00
Elliott Hughes
b47afedb42 Don't use TEMP_FAILURE_RETRY on close in recovery.
Bug: http://b/20501816
Change-Id: I35efcd8dcec7a6492ba70602d380d9980cdda31f
2015-05-15 16:19:20 -07:00
Sami Tolvanen
f2bac04e1b Add error and range checks to parse_range
Only trusted input is passed to parse_range, but check for invalid
input to catch possible problems in transfer lists.

Bug: 21033983
Bug: 21034030
Bug: 21034172
Bug: 21034406
Change-Id: Ia17537a2d23d5f701522fbc42ed38924e1ee3366
2015-05-15 18:48:28 +01:00
Elliott Hughes
7bad7c4646 Check all lseek calls succeed.
Also add missing TEMP_FAILURE_RETRYs on read, write, and lseek.

Bug: http://b/20625546
Change-Id: I03b198e11c1921b35518ee2dd005a7cfcf4fd94b
2015-04-29 17:46:43 -07:00
Sami Tolvanen
43b748f254 Don't remove existing explicitly stashed blocks
When automatically stashing overlapping blocks, should the stash
file already exist due to an explicit stash command, it's not safe
to remove the stash file after the command has completed.

Note that it is safe to assume that the stash file will remain in
place during the execution of the next command, so we don't have
to take other measures to preserve overlapping blocks.

The stash file itself will be removed by a free command when it's
no longer needed.

Bug: 20297065
Change-Id: I8ff1a798b94086adff183c5aac03260eb947ae2c
2015-04-17 13:07:08 +01:00
Elliott Hughes
1fdd452f47 Always use strerror to report errno in recovery.
Change-Id: I7009959043150fabf5853a43ee2448c7fbea176e
2015-03-23 13:33:57 -07:00
Narayan Kamath
9c0f5d6b34 Remove more dead code from minzip.
I've added explanatory comments to mzExtractRecursive because
that function will live on as a utility even after we move the
zip format related logic to libziparchive.

bug: 19472796

(cherry-picked from commit c9ccdfd7a42de08c47ab771b94dc5b9d1f957b95)

Change-Id: I8b7fb6fa3eafb2e7ac080ef7a7eceb691b252d8a
2015-02-27 12:58:16 +00:00
Jesse Zhao
1df64d3278 Initialize stashbase even stash_max_blocks = 0
Change-Id: I480c02ffedd811f4dda9940ef979a05ff54f1435
Bug: 19410117
2015-02-17 17:09:29 -08:00
Elliott Hughes
2fd48fcca5 am 42b09d25: am 6a0d2fbc: Merge "There\'s no GPL code in \'updater\'."
* commit '42b09d255afdb47bc0546183cbc68e86147baaab':
  There's no GPL code in 'updater'.
2015-02-09 04:15:14 +00:00
Elliott Hughes
42b09d255a am 6a0d2fbc: Merge "There\'s no GPL code in \'updater\'."
* commit '6a0d2fbcaa1740da7bb0e7a0ef8280e8b7b9bb05':
  There's no GPL code in 'updater'.
2015-02-07 07:43:35 +00:00
Sami Tolvanen
0b52c91347 Merge "Support resuming block based OTAs" 2015-02-06 10:25:52 +00:00
Elliott Hughes
8a9014d572 There's no GPL code in 'updater'.
This notice was added for libsyspatch and libxdelta3, but that code
has been removed since.

Change-Id: I4008878ded56ca1d5094a8208728f8c02fe1fe03
2015-02-05 14:53:55 -08:00
Elliott Hughes
40862ab59e am aeecac54: Merge "Add missing includes."
* commit 'aeecac5444ce55d2e82ee1b2aa35ff61a038c14e':
  Add missing includes.
2015-01-30 21:16:36 +00:00
Sami Tolvanen
90221205a3 Support resuming block based OTAs
Add support for transfer list version 3, which allows us to
verify the status of each command and resume an interrupted
block based OTA update. Notes on the changes:

 - Move the previous BlockImageUpdateFn to a shorter and
   reusable PerformBlockImageUpdate, which can be used also
   in BlockImageVerifyFn for verification.

 - Split individual transfer list commands into separate
   functions with unified parameters for clarity, and use
   a hash table to locate them during execution.

 - Move common block reading and writing to ReadBlocks and
   WriteBlocks to reduce code duplication, and rename the
   readblock and writeblock to less confusing read_all and
   write_all.

The coding style of the new functions follows the existing
style in the updater/edify code.

Needs matching changes from
  Ia5c56379f570047f10f0aa7373a1025439495c98

Bug: 18262110
Change-Id: I1e752464134aeb2d396946348e6041acabe13942
2015-01-30 14:38:31 +00:00
Elliott Hughes
cd3c55ab40 Add missing includes.
Change-Id: I06ea08400efa511e627be37a4fd70fbdfadea2e6
2015-01-29 20:50:08 -08:00
Ying Wang
cdce7f7e55 am c43b17f0: Merge "Fix recovery image build for 32p"
* commit 'c43b17f0adac1092e221ce6166ca8bc464090525':
  Fix recovery image build for 32p
2014-12-02 00:07:35 +00:00
Bruce Beare
4c3c7a962f Fix recovery image build for 32p
When building for 32p, we need to be explicit that we wish to build
the 32bit version of the binaries that will be placed in the recovery
image. The recovery image doesn't actually care... but if we are not
explicit in this, the makefiles will ask for the 64bit binaries but the
Android.mk for the binaries will supply the 32bit images (causing the
build to fail).

Change-Id: Iea2d5f412740c082795da4358765751138a4b167
2014-11-30 19:21:19 -08:00
Michael Runge
5b9c4ce5a1 am b278c252: Add support for tune2fs file operations
* commit 'b278c252e148798346f85fc92eeea6afeb33fbf0':
  Add support for tune2fs file operations
2014-11-24 02:37:03 +00:00
Michael Runge
b278c252e1 Add support for tune2fs file operations
This allows tune2fs to be executed from within OTA scripts,
allowing for file system modifications without formatting the
partition

Bug: 18430740
Change-Id: I0c2e05b5ef4a81ecea043e9b7b99b545d18fe5e6
2014-11-21 13:02:03 -08:00
Michael Runge
fe8563f4f2 am 5ddf4293: Log mount/unmount errors to UI
* commit '5ddf4293df45a051c7900eeb62fb5ec4950b6cb6':
  Log mount/unmount errors to UI
2014-10-24 23:17:43 +00:00
Michael Runge
5ddf4293df Log mount/unmount errors to UI
Bug: 18092022
Change-Id: I6c42038ebeb1cfc1e7ca0d3e12310fdce1b990b0
2014-10-24 14:14:41 -07:00
Nick Kralevich
915d661ccc am 68802416: unconditionally apply SELinux labels to symlinks
* commit '688024169df70336cc128ea8cc929174c53a501e':
  unconditionally apply SELinux labels to symlinks
2014-10-24 17:43:15 +00:00
Nick Kralevich
688024169d unconditionally apply SELinux labels to symlinks
At the end of the OTA script, we walk through /system, updating
all the permissions on the filesystem, including the UID, GID,
standard UNIX permissions, capabilities, and SELinux labels.

In the case of a symbolic link, however, we want to skip most of
those operations. The UID, GID, UNIX permissions, and capabilities
don't meaningfully apply to symbolic links.

However, that's not true with SELinux labels. The SELinux label on
a symbolic link is important. We need to make sure the label on the
symbolic link is always updated, even if none of the other attributes
are updated.

This change unconditionally updates the SELinux label on the symbolic
link itself. lsetfilecon() is used, so that the link itself is updated,
not what it's pointing to.

In addition, drop the ENOTSUP special case. SELinux has been a
requirement since Android 4.4. Running without filesystem extended
attributes is no longer supported, and we shouldn't even try to handle
non-SELinux updates anymore. (Note: this could be problematic if
these scripts are ever used to produce OTA images for 4.2 devices)

Bug: 18079773
Change-Id: I87f99a1c88fe02bb2914f1884cac23ce1b385f91
2014-10-23 20:46:33 -07:00
Michael Runge
da500cecf5 am 168f7778: Allow passing of mount args to mountFn
* commit '168f77787700f0e9f66675beef33c593a777e64e':
  Allow passing of mount args to mountFn
2014-10-23 21:56:52 +00:00
Brian Carlstrom
4da9cdeab9 am 473967d8: Merge "Log to UI any metadata setting errors" into lmp-dev
* commit '473967d87ff9fc7a541c16ebdc56364c285d2862':
  Log to UI any metadata setting errors
2014-10-23 21:56:52 +00:00
Michael Runge
168f777877 Allow passing of mount args to mountFn
Bug: 18079773
Bug: 18092222

Change-Id: Ifc3f3e123de729dfbb2f49414b3207afa96268d5
2014-10-23 18:13:26 +00:00
Brian Carlstrom
473967d87f Merge "Log to UI any metadata setting errors" into lmp-dev 2014-10-23 17:18:13 +00:00
Michael Runge
d4a63426ef Log to UI any metadata setting errors
Bug: 18079773
Change-Id: Ic6fddbcbcb6ddb9e1cbd1698df98387c0033ae15
2014-10-23 10:06:33 -07:00
Michael Runge
3b5c6dca0a am 2f0ef730: Treat already-renamed files as having no problems.
* commit '2f0ef73029fc51c6404121f338b034c8b516652c':
  Treat already-renamed files as having no problems.
2014-10-23 16:34:38 +00:00
Michael Runge
2f0ef73029 Treat already-renamed files as having no problems.
This should help with reentrant OTAs.

Bug: 18079773

Change-Id: I102fd738e3b450483ecd4471384c12e89fc586e2
2014-10-23 00:04:36 +00:00
Doug Zongker
d83e4f1589 support for version 2 of block image diffs
In version 2 of block image diffs, we support a new command to load
data from the image and store it in the "stash table" and then
subsequently use entries in the stash table to fill in missing bits of
source data we're not allowed to read when doing move/bsdiff/imgdiff
commands.

This leads to smaller update packages because we can break cycles in
the ordering of how pieces are updated by storing data away and using
it later, rather than not using the data as input to the patch system
at all.  This comes at the cost of the RAM or scratch disk needed to
store the data.

The implementation is backwards compatible; it can still handle the
existing version 1 of the transfer file format.

Change-Id: I4559bfd76d5403859637aeac832f3a5e9e13b63a
2014-09-25 16:38:14 -07:00
Doug Zongker
40482ea2ae Merge "fix comment in blockimg updater code" into lmp-dev 2014-09-04 15:26:29 +00:00
Doug Zongker
f7bb09dae8 fix comment in blockimg updater code
The comment for the DEBUG_ERASE setting is exactly backwards.

Change-Id: I98ab5828365894217fc78976817a131e7d22d5c1
2014-09-04 08:10:32 -07:00
Andrew Boie
8328922ff0 use lseek64 instead of lseek
Otherwise, overflow problems can occur with images larger than
2G since the offsets will overflow a 32-bit off_t.

Change-Id: I05951a38ebeae83ad2cb938594e8d8adb323e2aa
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
2014-09-04 07:54:17 -07:00
Doug Zongker
5f875bf577 remove code for original block OTA mechanism
Superseded by newer code.

Bug: 16984795
Change-Id: I842299f6a02af7ccf51ef2ca174d813ca53deef1
2014-08-26 13:54:24 -07:00
Doug Zongker
1d5d6098f4 fix two bugs in block image updater
The computation of file offsets was overflowing for partitions larger
than 2 GB.  The parsing of the transfer file could fail at the end if
the data happened to not be properly null-terminated.

Bug: 16984795
Change-Id: I3ce6eb3e54ab7b55aa9bbed252da5a7eacd3317a
2014-08-21 10:47:24 -07:00
Doug Zongker
bc7ffeda98 installer for new block OTA system
(Cherry-pick back from master.)

Bug: 16984795
Change-Id: Ifa3d8345c5e2a0be86fb28faa080ca82592a96b4
2014-08-19 16:53:39 -07:00
Doug Zongker
2b5f0e0f76 remove spurious parens from error message
These error messages include empty parens after each string
substitution.  Ill-advised cut and paste, probably.

Bug: 16467401
Change-Id: Ib623172d6228354afdcc2e33442cc53a07f0ecbc
2014-08-06 08:25:03 -07:00
Michael Runge
a91ecc59b2 Auto create parent directories for rename support
Sometimes renames will move a file into a directory
that does not yet exist.  This will create the
parent directories, using the same symlink logic,
to ensure that there is a valid destination.

Change-Id: Iaa005a12ce800c39f4db20f7c25a2a68cb40a52d
2014-07-21 17:40:02 -07:00
JP Abgrall
37aedb3faf Support F2FS for the data partition
This adds F2FS support
- for wiping a device
- for the install "format" command.

Note: crypto data in "footer" with a default/negative length
is not supported, unlike with "ext4".

Change-Id: I8d141a0d4d14df9fe84d3b131484e9696fcd8870
Signed-off-by: JP Abgrall <jpa@google.com>
2014-06-16 19:07:39 -07:00
Doug Zongker
43772d26a5 advance progress bar during block OTA installations
While executing syspatch and package_extract_file() calls with don't
care maps (both of which are used to rewrite the system image in
incremental and full block OTAs, respectively), pass a progress
callback in and use it to update the visible progress bar.

Change-Id: I1d3742d167c1bb2130571eb5103b7795c65ff371
2014-06-09 14:15:22 -07:00
Doug Zongker
c704e06ce5 disable async reboot during package installation
The default recovery UI will reboot the device when the power key is
pressed 7 times in a row, regardless of what recovery is doing.
Disable this feature during package installation, to minimize the
chance of corrupting the device due to a mid-install reboot.  (Debug
packages can explicitly request that the feature be reenabled.)

Change-Id: I20f3ec240ecd344615d452005ff26d8dd7775acf
2014-05-23 08:52:31 -07:00
Michael Runge
aa1a31e83d Allow lines without = signs.
The new build.prop for Sprout includes lines of the format:
import xxx.prop

These can be safely ignored when reading the property file.

Change-Id: Ia84a138e71461ffe8e591e88143b9787873def29
2014-05-01 18:37:40 -07:00
Mark Salyzyn
679baa06b7 am 4b6de1ba: am 026ebe02: Merge "Recovery 64-bit compile issues"
* commit '4b6de1ba1ce0fff95c18a8abb7ba6e5762006d49':
  Recovery 64-bit compile issues
2014-03-14 21:35:41 +00:00
Mark Salyzyn
4b6de1ba1c am 026ebe02: Merge "Recovery 64-bit compile issues"
* commit '026ebe0214d6c1c9b3ddc22c35e9ac37e5f622bc':
  Recovery 64-bit compile issues
2014-03-14 20:59:56 +00:00
Mark Salyzyn
f3bb31c32f Recovery 64-bit compile issues
Change-Id: I92d5abd1a628feab3b0246924fab7f97ba3b9d34
2014-03-14 13:51:39 -07:00
Doug Zongker
c9d6e4ff51 support don't-care maps when writing the system image
Make package_extract_file() take an optional third argument which is
the pathname (in the package zip) of a map of don't-care regions to
skip over when writing the file.

Modify syspatch() to take source and target don't-care maps and use
them when patching the system partition.

Add the wipe_block_device() function to do a discard of all data on
the partition.

Change-Id: I8c856054edfb6aab2f3e5177f16d9d78add20be4
2014-02-24 16:02:50 -08:00
Doug Zongker
0ac1cbaa76 add flag for GPL license
updater now depends on the GPL'd libraries libsyspatch and libxdelta3,
so be careful when taking code from this directory.

Change-Id: Ib6f8c50ce7052912b9d81ff96d095f778bf9a3d0
2014-02-20 10:15:44 -08:00
Doug Zongker
f2ff0a2097 Merge "clean up some warnings when building recovery" 2014-02-18 17:48:19 +00:00
Doug Zongker
3eb681d1de remove remaining libminelf references
Change-Id: Id38b08607829bccc031693cc03e60e849903b6f8
2014-02-13 15:49:35 -08:00
Doug Zongker
0d32f259cd clean up some warnings when building recovery
Change-Id: I1541534ee6978ddf8d548433986679ce9507d508
2014-02-13 15:34:18 -08:00
Doug Zongker
a1bc148c7c remove 'retouch' ASLR support
Older versions of android supported an ASLR system where binaries were
randomly twiddled at OTA install time.  Remove support for this; we
now use the ASLR support in the linux kernel.

Change-Id: I8348eb0d6424692668dc1a00e2416fbef6c158a2
2014-02-13 15:18:19 -08:00
Doug Zongker
52b4036eb8 add syspatch support to updater
Add the syspatch() function, which can apply xdelta3+xz patches using
the libsyspatch library.

Change-Id: Idc1921e449020923bcaf425a1983bec0833e47ed
2014-02-13 14:15:26 -08:00
Doug Zongker
99916f0496 do verification and extraction on memory, not files
Changes minzip and recovery's file signature verification to work on
memory regions, rather than files.

For packages which are regular files, install.cpp now mmap()s them
into memory and then passes the mapped memory to the verifier and to
the minzip library.

Support for files which are raw block maps (which will be used when we
have packages written to encrypted data partitions) is present but
largely untested so far.

Bug: 12188746
Change-Id: I12cc3e809834745a489dd9d4ceb558cbccdc3f71
2014-01-16 13:29:28 -08:00
Michael Runge
15f5fe1bcd am f9dd42de: Merge "Don\'t abort on read_file if the file is missing." into klp-dev
* commit 'f9dd42de6034ab09f9fa649ed1fbea25bc05e598':
  Don't abort on read_file if the file is missing.
2013-12-26 15:33:28 -08:00
Michael Runge
6eed224771 Don't abort on read_file if the file is missing.
Change-Id: I85726bf736203d602428114145c3b98692580656
2013-12-13 17:13:11 -08:00
Doug Zongker
d327c63af6 am c87bab10: add the functions for multi-stage packages to updater
* commit 'c87bab101893e8322b49d7c8600e3367b20ab50a':
  add the functions for multi-stage packages to updater
2013-11-27 10:57:44 -08:00
Doug Zongker
c87bab1018 add the functions for multi-stage packages to updater
In order to support multi-stage recovery packages, we add the
set_stage() and get_stage() functions, which store a short string
somewhere it can be accessed across invocations of recovery.  We also
add reboot_now() which updater can invoke to immediately reboot the
device, without doing normal recovery cleanup.  (It can also choose
whether to boot off the boot or recovery partition.)

If the stage string is of the form "#/#", recovery's UI will be
augmented with a simple indicator of what stage you're in, so it
doesn't look like a reboot loop.

Change-Id: I62f7ff0bc802b549c9bcf3cc154a6bad99f94603
2013-11-26 15:46:57 -08:00
Michael Runge
40dfc474c4 am c64e76c7: Merge "Enable incremental builder to find files that moved, and try to process them via patch + rename, instead of delete + add." into klp-dev
* commit 'c64e76c75088b951f61a7f7bacf8af6eccd2ccfa':
  Enable incremental builder to find files that moved, and try to process them via patch + rename, instead of delete + add.
2013-11-07 15:00:42 -08:00
Michael Runge
ce7ca7165b Enable incremental builder to find files that moved, and
try to process them via patch + rename, instead of
delete + add.

b/11437930

Change-Id: I984349fbc9a8dac4379e00c0d66fc7d22c4eb834
2013-11-07 12:29:14 -08:00
Nick Kralevich
46ab1b6138 updater: Delete dead code
set_perm and set_perm_recursive are no longer used. Delete.

(cherry picked from commit 08ef9a9570)

Change-Id: I1bcc90ae19af9df4f0705496c5876987159f75ac
2013-09-17 10:20:45 -07:00
Nick Kralevich
e461251e2c Don't apply permission changes to symlink.
Bug: 10183961
Bug: 10186213
Bug: 8985290
Change-Id: I57cb14af59682c5f25f1e091564548bdbf20f74e
2013-09-10 15:34:19 -07:00
Nick Kralevich
5dbdef0e5b updater: introduce set_metadata and set_metadata_recursive
Introduce two new updater functions:

* set_metadata
* set_metadata_recursive

Long term, these functions are intended to be more flexible replacements
for the following methods:

* set_perm
* set_perm_recursive

Usage:

  set_metadata("filename", "key1", "value1", "key2", "value2", ...)
  set_metadata_recursive("dirname", "key1", "value1", "key2", "value2", ...)

Description:

set_metadata() and set_metadata_recursive() set the attributes on a file/directory
according to the key/value pairs provided. Today, the following keys are
supported:

* uid
* gid
* mode (set_perm_extd only)
* fmode (set_perm_extd_recursive only)
* dmode (set_perm_extd_recursive only)
* selabel
* capabilities

Unknown keys are logged as warnings, but are not fatal errors.

Examples:

* set_metadata("/system/bin/netcfg", "selabel", "u:object_r:system_file:s0");

This sets the SELinux label of /system/bin/netcfg to u:object_r:system_file:s0.
No other changes occur.

* set_metadata("/system/bin/netcfg", "uid", 0, "gid", 3003, "mode", 02750, "selabel", "u:object_r:system_file:s0", "capabilities", 0x0);

This sets /system/bin/netcfg to uid=0, gid=3003, mode=02750,
selinux label=u:object_r:system_file:s0, and clears the capabilities
associated with the file.

* set_metadata_recursive("/system", "uid", 0, "gid", 0, "fmode", 0644, "dmode", 0755, "selabel", "u:object_r:system_file:s0", "capabilities", 0x0);

All files and directories under /system are set to uid=0, gid=0,
and selinux label=u:object_r:system_file:s0. Directories are set to
mode=0755.  Files are set to mode=0644 and all capabilities are cleared.

Bug: 10183961
Bug: 10186213
Bug: 8985290
Change-Id: Ifdcf186a7ed45265511dc493c4036e1ac5e3d0af
2013-09-10 10:24:24 -07:00
Nick Kralevich
3328e3bc81 Revert "Update OTA installer to understand SELinux filesystem labels"
This reverts commit 627eb30f73.

Bug: 10183961
Bug: 10186213
2013-09-09 10:47:14 -07:00
Nick Kralevich
627eb30f73 Update OTA installer to understand SELinux filesystem labels
Modify the OTA installer to understand SELinux filesystem labels.

We do this by introducing new set_perm2 / set_perm2_recursive
calls, which understand SELinux filesystem labels. These filesystem
labels are applied at the same time that we apply the
UID / GID / permission changes.

For compatibility, we preserve the behavior of the existing
set_perm / set_perm_recursive calls.

If the destination kernel doesn't support security labels, don't
fail. SELinux isn't enabled on all kernels.

Bug: 8985290
Change-Id: I99800499f01784199e4918a82e3e2db1089cf25b
2013-07-18 15:21:12 -07:00
Doug Zongker
fafc85b4ad recovery: move log output to stdout
Recovery currently has a random mix of messages printed to stdout and
messages printed to stderr, which can make logs hard to read.  Move
everything to stdout.

Change-Id: Ie33bd4a9e1272e731302569cdec918e0534c48a6
2013-07-09 12:50:24 -07:00
Doug Zongker
c7a6858dc9 Merge "verifier: update to support certificates using SHA-256" 2013-04-11 22:02:46 +00:00
Doug Zongker
bac7fba027 verifier: update to support certificates using SHA-256
Change-Id: Ifd5a29d459acf101311fa1c220f728c3d0ac2e4e
2013-04-10 11:32:17 -07:00
Ying Wang
4e21482d97 Add liblog
Bug: 8580410
Change-Id: Ie60dade81c06589cb0daee431611ded34adef8e6
2013-04-09 21:41:29 -07:00
Kenny Root
cd74108cda resolved conflicts for merge of 78afed1c to jb-mr1-dev-plus-aosp
Change-Id: I861e3a6aa07c448909b2ae54618bba178bd6e457
2012-10-16 17:44:21 -07:00
Kenny Root
7eb7567aa3 Remove HAVE_SELINUX guards
Change-Id: Ia96201f20f7838d7d9e8926208977d3f8318ced4
2012-10-16 12:57:26 -07:00
Doug Zongker
a3ccba6d31 add bonus data feature to imgdiff/imgpatch/applypatch
The bonus data option lets you give an additional blob of uncompressed
data to be used when constructing a patch for chunk #1 of an image.
The same blob must be available at patch time, and can be passed to
the command-line applypatch tool (this feature is not accessible from
edify scripts).

This will be used to reduce the size of recovery-from-boot patches by
storing parts of the recovery ramdisk (the UI images) on the system
partition.

Change-Id: Iac1959cdf7f5e4582f8d434e83456e483b64c02c
2012-08-20 15:28:02 -07:00
Joe Onorato
5585025814 am 3733d218: Merge changes I664f8dc7,I4154db06,I5e1df90f
* commit '3733d2185bbcedd9ef626907f1f32628986cc0f5':
  Use the static version of libsparse
  Multiple modules with the same name are going away.
  host modules don't need LOCAL_MODULE_TAGS
2012-08-17 00:11:55 -07:00
Doug Zongker
a23075fb0e fix the symlink() command to create directories if needed
Full OTAs currently fail if the build contains a directory containing
only symlinks, because nothing creates that directory.  Change the
symlink() command to create any ancestor directories that don't exist.
They're created as owner root perms 0700 because we assume that in
practice subsequent set_perm_recursive() calls will fix up their
ownership and permissions.

Change-Id: I4681cbc85863d9778e36b924f0532b2b3ef14310
2012-08-06 16:35:18 -07:00
Joe Onorato
4eeb379886 Use the static version of libsparse
Change-Id: I664f8dc7939f8f902e4775eaaf6476fcd4ab8ed2
2012-07-23 19:14:30 -07:00
Joe Onorato
6396e70d3f Multiple modules with the same name are going away.
Change-Id: I4154db066865d6031caa3c2c3b94064b2f28076e
2012-07-21 15:41:15 -07:00
Colin Cross
cde94f309c Link against libsparse
libext4_utils requires libsparse, link against it as well.

Change-Id: I4d6aec0e5edcf1ed42118b7b77adcded2858d3dd
2012-07-17 17:59:47 -07:00
Ying Wang
ea17e320b0 am 6d60667d: Merge "Use a dependency file to replace the list file."
* commit '6d60667de6b8e6bd8a54fb4031901e2935743308':
  Use a dependency file to replace the list file.
2012-06-11 16:30:26 -07:00
Ying Wang
eef790de66 Use a dependency file to replace the list file.
instead of creating the list file whenever loading the Android.mk

Change-Id: I78e4820754399dff3993a863eede8b75da9f6d29
2012-06-11 14:53:08 -07:00
Kenny Root
1e4469a786 am 78911bdf: am 2a4ab824: Merge "Change the format command to always take the mount point as an argument."
* commit '78911bdf4f9dfff6583f3f8150a3257212ceea13':
  Change the format command to always take the mount point as an argument.
2012-04-06 18:05:56 -07:00
Stephen Smalley
516e4e2372 Change the format command to always take the mount point as an argument.
Requires I5a63fd61a7e74d386d0803946d06bcf2fa8a857e

Change-Id: Ica5fb73d6f2ffb981b74d1896538988dbc4d9b24
2012-04-03 13:35:11 -04:00
Kenny Root
41dda82d84 resolved conflicts for merge of 0b1fee1b to master
Change-Id: I2e8298ff5988a96754f56f80a5186c9605ad9928
2012-03-30 21:26:01 -07:00
Stephen Smalley
779701db51 Extend recovery and updater to support setting file security contexts.
Extend minzip, recovery, and updater to set the security context on
files based on the file_contexts configuration included in the package.

Change-Id: Ied379f266a16c64f2b4dca15dc39b98fcce16f29
2012-03-30 09:32:46 -04:00
Doug Zongker
acd73ed156 fail edify script if set_perm() or symlink() fails
It's surprising if these fail, so abort the whole edify script to
catch any problems early.

Bug: 2284848
Change-Id: Ia2a0b60e7f086fc590b242616028905a229c9e05
2012-03-22 14:33:53 -07:00
Doug Zongker
35a35a6766 remove retouching code from updater
Removes the retouch_binaries and undo_retouch_binaries from updater;
newly generated OTA packages should not call them any more.

Note that applypatch retains the ability to unretouch a file as it
reads it.  This will be needed as long as we want to support OTAs from
devices that were installed with retouching.

Change-Id: Ib3f6baeae90c84ba85983f626d821ab7e436ceb2
2012-02-28 12:30:13 -08:00
Stephen Smalley
1a11449495 Add libselinux to LOCAL_STATIC_LIBRARIES wherever libext4_utils is used.
libext4_utils now calls libselinux in order to determine the
file security context to set on files when creating ext4 images.

Change-Id: I09fb9d563d22ee106bf100eacd4cd9c6300b1152
2012-01-24 15:16:31 -05:00
Doug Zongker
daefc1d442 C++ class for device-specific code
Replace the device-specific functions with a class.  Move some of the
key handling (for log visibility toggling and rebooting) into the UI
class.  Fix up the key handling so there is less crosstalk between the
immediate keys and the queued keys (an increasing annoyance on
button-limited devices).

Change-Id: I698f6fd21c67a1e55429312a0484b6c393cad46f
2011-10-31 15:51:07 -07:00
Doug Zongker
d0181b8fcd allow recovery packages to wipe cache
updater now has a function "wipe_cache();" which causes recovery to
wipe the cache partition after the successful installation of the
package.  Move log copying around a bit so logs and the last_install
flag file are copied to cache after it's wiped.

Bug: 5314244
Change-Id: Id35a9eb6dcd626c8f3a3a0076074f462ed3d44bd
2011-10-19 11:26:18 -07:00
Michael Ward
6242a8bc9b Support multiple recovery updater extensions.
Change-Id: I787c086223b674050c0a12fc575add9badb471af
2011-07-14 15:12:20 -07:00
Doug Zongker
179b2d9895 make write_raw_image able to take a blob
write_raw_image() can now take either a blob or a filename as the
source.  The blob format eliminates the need for a temp file.

Change-Id: I0c6effec53d47862040efcec75e64b7c951cdcf7
2011-04-12 16:48:49 -07:00
Ken Sumrall
8f132ed870 Reserve the last 16 Kbytes of /data for the crypto footer.
When formatting /data, if it's an ext4 filesystem, reserve the
last 16 Kbytes for the crypto footer.

Change-Id: I7b401d851ee87732e5da5860df0287a1c331c5b7
2011-01-19 17:12:47 -08:00
Colin Cross
264f549b7d Update arguments to make_ext4fs
Change-Id: Id96e98da76b3091987b01651f980797b1d6b49d8
2010-12-29 14:18:26 -08:00
Doug Zongker
dc49ce453e add missing sparseness parameter
Change-Id: Ie6e309b127e80cd6475f1deaa5dbadf9f5cc2746
2010-09-15 18:05:10 -07:00
Doug Zongker
a66c32ab1d resolved conflicts for merge of 9f89b0e4 to master
Change-Id: Id458df96fd56830fdb35397e95a80274761ecff5
2010-09-15 17:40:14 -07:00
Doug Zongker
6b1ff61f62 am 858f0a76: am 8e5e4dad: close update package before installing; allow remount
Merge commit '858f0a763d0f736eb721f54257b6164886bfcbfc'

* commit '858f0a763d0f736eb721f54257b6164886bfcbfc':
  close update package before installing; allow remount
2010-09-15 16:32:52 -07:00
Doug Zongker
56c5105bd7 support for ext4/EMMC filesystems in updater binary
Make the mount and format functions take extra parameters describing
the filesystem type and add support for mounting and formatting ext4
filesystems on EMMC.

Change recovery to consistently use stdout for status messages instead
of mixing stdout and stderr.
2010-09-15 11:10:02 -07:00
Doug Zongker
8e5e4dada7 close update package before installing; allow remount
Close the update package before invoking the binary, to allow the
installer to unmount /cache if it wants to.  Add a function to allow
remounting of a mount as read-only.

Change-Id: Idfcc96c3da66083295177f729263560be58034e4
2010-09-14 21:26:38 -07:00
Ken Sumrall
8101125ee5 Changes to work with updated make_ext4fs tool that supports creating sparse images.
An extra parameter was added to the make_ext4fs() function, so these tools need
to be updated to match.

Change-Id: Id640a7f2b03153eb333b00337f0f991ff5332349
2010-08-13 19:22:47 -07:00
Hristo Bojinov
db314d69f0 Working ASLR implementation
Separate files for retouch functionality are in minelf/*

ASLR for shared libraries is controlled by "-a" in ota_from_target_files.
Binary files are self-contained. Retouch logic can recover from crashes.

Signed-off-by: Hristo Bojinov <hristo@google.com>
Change-Id: I76c596abf4febd68c14f9d807ac62e8751e0b1bd
2010-08-02 14:17:33 -07:00
Ying Wang
b4277c25c6 Mute unwanted error message
This CL removes the following line from the top of build logs:
"diff: out/target/product/*/obj/PACKAGING/updater_extensions_intermediates/register.inc.list: No such file or directory"

Change-Id: I79c15a69a0b1b0da0e45620b45a7a0fea5625250
2010-07-20 17:31:04 -07:00
Doug Zongker
3d177d055c support for ext4/EMMC filesystems in updater binary
Make the mount and format functions take extra parameters describing
the filesystem type and add support for mounting and formatting ext4
filesystems on EMMC.

Change recovery to consistently use stdout for status messages instead
of mixing stdout and stderr.
2010-07-01 15:42:28 -07:00
Doug Zongker
c4351c7910 refactor applypatch and friends
Change the applypatch function to take meaningful arguments instead of
argc and argv.  Move all the parsing of arguments into main.c (for the
standalone binary) and into install.c (for the updater function).
applypatch() takes patches as Value objects, so we can pass in blobs
extracted from the package without ever writing them to temp files.

The patching code is changed to read the patch from memory instead of
a file.

A bunch of compiler warnings (mostly about signed vs unsigned types)
are fixed.

Support for the IMGDIFF1 format is dropped.  (We've been generating
IMGDIFF2 packages for some time now.)

Change-Id: I217563c500012750f27110db821928a06211323f
2010-02-22 15:30:33 -08:00
Doug Zongker
512536a54a relocate applypatch; add type system and new functions to edify
- Move applypatch to this package (from build).

- Add a rudimentary type system to edify:  instead of just returning a
  char*, functions now return a Value*, which is a struct that can
  carry different types of value (currently just STRING and BLOB).
  Convert all functions to this new scheme.

- Change the one-argument form of package_extract_file to return a
  Value of the new BLOB type.

- Add read_file() to load a local file and return a blob, and
  sha1_check() to test a blob (or string) against a set of possible
  sha1s.  read_file() uses the file-loading code from applypatch so it
  can read MTD partitions as well.

This is the start of better integration between applypatch and the
rest of edify.

b/2361316 - VZW Issue PP628: Continuous reset to Droid logo:
            framework-res.apk update failed (CR LIBtt59130)

Change-Id: Ibd038074749a4d515de1f115c498c6c589ee91e5
2010-02-18 14:22:12 -08:00
Doug Zongker
e08991e02a bump updater API version to 3; deprecate firmware update command
Remove support for the HTC-specific "firmware" update command and the
corresponding edify function write_firmware_update().  This
functionality is now done by an edify extension library that lives in
vendor/htc.

Change-Id: I80858951ff10ed8dfff98aefb796bef009e05efb
2010-02-03 09:20:07 -08:00
Doug Zongker
6aece33b3f add a one-argument version of package_extract_file
Add a version of package_extract_file that returns the file data as
its return value (to be consumed by some other edify function that
expects to receive a bunch of binary data as an argument).  Lets us
avoid having two copies of a big file in memory (extracting it into
/tmp, which is a ramdisk, and then having something load it into
memory) when doing things like radio updates.

Change-Id: Ie26ece5fbae457eb0ddcd8a13d74d78a769fbc70
2010-02-01 14:40:12 -08:00
Doug Zongker
60babf8ba7 delete files before symlinking; log error messages
The symlink() function should remove existing files before creating
symlinks, so scripts are idempotent.  Log messages when various system
calls fail (but don't make the whole script fail).
2009-09-18 15:11:24 -07:00
Doug Zongker
a3f89eabb7 add a run_program() function to edify
Handy for producing debugging OTA packages (eg, running sqlite3 or
whatever in recovery).
2009-09-10 14:20:53 -07:00
Android (Google) Code Review
fc382dfc75 am d8f7c9b8: Merge change 5545 into donut
Merge commit 'd8f7c9b85e25fab93fef2221a84b60edc2e7b837'

* commit 'd8f7c9b85e25fab93fef2221a84b60edc2e7b837':
  remove updater from the user system image
2009-06-29 16:39:15 -07:00
Android (Google) Code Review
d8f7c9b85e Merge change 5545 into donut
* changes:
  remove updater from the user system image
2009-06-26 14:42:37 -07:00
Doug Zongker
ad3db099d5 remove updater from the user system image
updater (which is only needed in OTA packages) is getting included in
/system/bin, where it just takes up (quite a bit of) space.  Use the
hack of including it only in eng builds so it's not there for user
builds.
2009-06-26 13:38:55 -07:00
Doug Zongker
898ef399d3 am 0bbfe3d9: fix off-by-one error in set_perm()
Merge commit '0bbfe3d901885c1f0ab006e8d4cc1029c44a7376'

* commit '0bbfe3d901885c1f0ab006e8d4cc1029c44a7376':
  fix off-by-one error in set_perm()
2009-06-25 14:34:03 -07:00
Doug Zongker
0bbfe3d901 fix off-by-one error in set_perm()
We were inadvertently skipping over the first filename in the list of
arguments.
2009-06-25 13:37:31 -07:00
Doug Zongker
4275c3cfc8 am fbf3c10e: improve updater progress bar
Merge commit 'fbf3c10e45c20f8fe6bd1ac49ffe220035b9c454'

* commit 'fbf3c10e45c20f8fe6bd1ac49ffe220035b9c454':
  improve updater progress bar
2009-06-24 17:39:16 -07:00
Doug Zongker
fbf3c10e45 improve updater progress bar
Let recovery accept set_progress commands to control progress over the
'current segment' of the bar.  Add a set_progress() builtin to the
updater binary.
2009-06-24 09:36:20 -07:00
Doug Zongker
2b0fdc6571 add device extension mechanism to updater
Allow devices (in BoardConfig.mk) to define additional static
libraries to be linked in to updater, to make device-specific
functions available in edify scripts.  Modify the updater makefile to
arrange for device libraries to register their edify functions.
2009-06-22 14:00:44 -07:00
Doug Zongker
47cace9836 add file_getprop() to updater
Add a function to read a property from a ".prop"-formatted file
(key=value pairs, one per line, ignore # comment lines and blank
lines).  Move ErrorAbort to the core of edify; it's not specific to
updater now that errors aren't stored in the app cookie.
2009-06-18 10:11:50 -07:00
Doug Zongker
fb2e3af3f9 let the "firmware" command take the file straight from the package
To do a firmware-install-on-reboot, the update binary tells recovery
what file to install before rebooting.  Let this file be specified as
"PACKAGE:<foo>" to indicate taking the file out of the OTA package,
avoiding an extra copy to /tmp.  Bump the API version number to
reflect this change.
2009-06-17 18:12:16 -07:00
Doug Zongker
d9c9d10d9d fixes to edify and updater script
A few more changes to edify:

  - fix write_raw_image(); my last change neglected to close the write
    context, so the written image was corrupt.

  - each expression tracks the span of the source code from which it
    was compiled, so that assert()'s error message can include the
    source of the expression that failed.

  - the 'cookie' argument to each Function is replaced with a State
    object, which contains the cookie, the source script (for use with
    the above spans), and the current error message (replacing the
    global variables that were used for this purpose).

  - in the recovery image, a new command "ui_print" can be sent back
    through the command pipe to cause text to appear on the screen.
    Add a new ui_print() function to print things from scripts.
    Rename existing "print" function to "stdout".
2009-06-12 14:05:03 -07:00
Doug Zongker
8edb00c990 edify extensions for OTA package installation, part 2
Adds more edify functions for OTAs:

  is_mounted getprop apply_patch apply_patch_check apply_patch_space
  write_raw_image write_firmware_image package_extract_file

This allows us to install radios, hboots, boot images, and install
incremental OTA packages.

Fixes a couple of dumb bugs in edify itself:

  - we were doubling the size of the function table each time it was
    *not* full, rather than each time it was full

  - "no such function" errors weren't visible to the parser, so they
    didn't prevent execution of the script.
2009-06-12 09:40:37 -07:00
Doug Zongker
9931f7f3c1 edify extensions for OTA package installation, part 1
Adds the following edify functions:

  mount unmount format show_progress delete delete_recursive
  package_extract symlink set_perm set_perm_recursive

This set is enough to extract and install the system part of a (full)
OTA package.

Adds the updater binary that extracts an edify script from the OTA
package and then executes it.  Minor changes to the edify core (adds a
sleep() builtin for debugging, adds "." to the set of characters that
can appear in an unquoted string).
2009-06-11 16:25:29 -07:00