Init: Load fsverity keys earlier
Keys may be required for apex updates (post-installs), so load them before starting apexd. Bug: 125474642 Test: m Test: manual Change-Id: I32ddb6ae6854334e8ee7e195173ecfaed565d783
parent
0e5b74deff
commit
e8565ac94a
1 changed files with 7 additions and 6 deletions
|
@ -418,6 +418,13 @@ on post-fs-data
|
|||
mkdir /data/bootchart 0755 shell shell
|
||||
bootchart start
|
||||
|
||||
# Load fsverity keys. This needs to happen before apexd, as post-install of
|
||||
# APEXes may rely on keys.
|
||||
exec -- /system/bin/mini-keyctl dadd asymmetric product_cert /product/etc/security/cacerts_fsverity .fs-verity
|
||||
exec -- /system/bin/mini-keyctl dadd asymmetric vendor_cert /vendor/etc/security/cacerts_fsverity .fs-verity
|
||||
# Prevent future key links to fsverity keyring
|
||||
exec -- /system/bin/mini-keyctl restrict_keyring .fs-verity
|
||||
|
||||
# Make sure that apexd is started in the default namespace
|
||||
enter_default_mount_ns
|
||||
|
||||
|
@ -585,12 +592,6 @@ on post-fs-data
|
|||
# Set SELinux security contexts on upgrade or policy update.
|
||||
restorecon --recursive --skip-ce /data
|
||||
|
||||
# load fsverity keys
|
||||
exec -- /system/bin/mini-keyctl dadd asymmetric product_cert /product/etc/security/cacerts_fsverity .fs-verity
|
||||
exec -- /system/bin/mini-keyctl dadd asymmetric vendor_cert /vendor/etc/security/cacerts_fsverity .fs-verity
|
||||
# Prevent future key links to fsverity keyring
|
||||
exec -- /system/bin/mini-keyctl restrict_keyring .fs-verity
|
||||
|
||||
# Check any timezone data in /data is newer than the copy in the runtime module, delete if not.
|
||||
exec - system system -- /system/bin/tzdatacheck /apex/com.android.runtime/etc/tz /data/misc/zoneinfo
|
||||
|
||||
|
|
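Review bot: In the first hunk, `restrict_keyring .fs-verity` runs unconditionally after the two `dadd` lines, and nothing in the added block records what happens when a key load fails. As far as I know, init logs a non-zero `exec` result and continues with the next command, so a missing or unreadable `cacerts_fsverity` directory would leave the keyring sealed without that certificate; the first visible symptom would then be a failed fs-verity signature check later on, possibly in the APEX post-install this change is meant to support. I would make the ordering and failure behaviour explicit in the comment, for example `# Must stay after both dadd lines: once restricted, .fs-verity accepts no further keys, even if a load above failed.` The apexd start itself is outside the hunk (only `enter_default_mount_ns` is visible), so the "before apexd" ordering cannot be confirmed from this page.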