Commit graph

3173 commits

Author SHA1 Message Date
Nathan Huckleberry
997d738dda Expose system property for dm-verity check_at_most_once
Allow us to check if check_at_most_once is set for any partitions.

This property should be false for any device with a reasonable amount of
RAM and a modern CPU. Enabling check_at_most_once violates AVB best
practices; it should only be allowed on performance limited devices.

Bug: 253033920
Test: Ensure that avbHashtreeNotUsingSha1 CTS test still passes
    and that partition.system.verified.check_at_most_once is set.
Change-Id: I8174adf81111cc0df547ea01f81b0dfaca32631f
Signed-off-by: Nathan Huckleberry <nhuck@google.com>
2022-10-25 21:12:52 +00:00
Treehugger Robot
c052460659 Merge "fs_mgr_overlayfs: Fallback to allocate scratch on super if /data failed" 2022-10-25 20:56:59 +00:00
Yi-Yo Chiang
1c76ccb554 fs_mgr_overlayfs: Fallback to allocate scratch on super if /data failed
b/255593675 showed that gsid can fail to allocate scratch on /data on
some device configurations. Before we can locate the root cause,
gracefully fallback to previous "scratch-on-super" logic in case of
error.

Bug: 255593675
Test: Presubmit
Test: manual test
Change-Id: I229ab51f11fa354a6f231c4d083dd6329d6a9579
2022-10-26 03:17:37 +08:00
Akilesh Kailash
b71b32dc83 libsnapshot: Do not store CowOperations in memory during writes
The only use case of storing COW operations in memory
was to calculate SHA256 sum during Finalize() - However,
we haven't been doing that since day one of libsnapshot_cow library.

This consumes peak memory ~14mb on an incremental OTA which has 700k+
COW operations writes on one partition.

We can rather use this memory for Async operations where we will have
to cache the buffers.

Bug: 254188450
Test: Incremental OTA
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: I2165ed95ff26a9dfb465dc3120df61bb02eee27b
2022-10-25 06:59:36 +00:00
David Anderson
9d8637289b Merge "snapshotctl: Add a test-blank-ota command for development." 2022-10-24 20:36:58 +00:00
David Anderson
d62bdd2974 snapshotctl: Add a test-blank-ota command for development.
The test-blank-ota command is for iterating on changes to snapuserd or
the Virtual A/B boot flow, which is normally very time consuming to
test.

It works by creating a partial OTA outside of update_engine, purely
through SnapshotManager calls. Every partition except system is
preserved. system is "updated" entirely with copy operations. The entire
"OTA" takes about ten seconds.

Tested on cuttlefish, but a physical device should work as long as
physical partitions are flashed to both slots beforehand.

The big limitation is that since update_engine does not run, there is no
merge action on reboot. This can be done manually with "snapshotctl
merge" however.

This type of tool could be easily used in the future for quickly testing
specific bugs or performance ideas in snapuserd.

Bug: N/A
Test: launch_cvd
      adb wait-for-device root
      adb shell snapshotctl test-blank-ota
      adb reboot
      adb wait-for-device root
      adb shell snapshotctl dump
Change-Id: I5911440cbe14ee909905a0b0fc17da95ba4c5d68
2022-10-24 11:49:25 -07:00
Treehugger Robot
882c1681df Merge "libfstab_fuzzer: fuzz TransformFstabForDsu() and skip mount logic" 2022-10-24 09:48:05 +00:00
Yi-Yo Chiang
40a8223d34 libfstab_fuzzer: fuzz TransformFstabForDsu() and skip mount logic
These functions contain complex logic and parse user input. It shall be
valuable to fuzz these functions to prevent regression.

Bug: 254832225
Test: Build and run the fuzzer
Change-Id: I21099c3fc1c226f95a0f8f996bb751030e0c59bc
2022-10-21 19:51:25 +08:00
Yi-yo Chiang
cc7ddc04f9 Merge "Revert "fs_mgr_overlayfs: Revert to use /data only if VAB"" 2022-10-20 08:11:57 +00:00
Akilesh Kailash
b23bf16efc libsnapshot: Changes to AddCopy() API
If the copy blocks are contiguous, add a third
argument which takes the number of blocks
which are contiguous. With this, update engine
can call the API in one shot for all the
contiguous COPY operations.

This is required for batching the I/O
for async writes.

This should still continue to support the existing
API where we pass one COPY block at a time.

Bug: 254188450
Test: Incremental OTA from A->B with new API changes in A
      Incremental OTA from A->B with plain VAB
      cow_api_test
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: I7edc52a152e02de28a44ef1dc2c88b76a28c4109
2022-10-19 17:55:52 +00:00
Akilesh Kailash
63190d2e3a Merge changes I7681e9a4,If84ff730
* changes:
  libsnapshot: Refactor compress function
  libsnapshot: Refactor code
2022-10-18 21:58:16 +00:00
Akilesh Kailash
1119e8e018 libsnapshot: Refactor compress function
Move compress() function to a dedicated file.
This is in preparation for variable block size
compression and async writes.

No change in functional logic.

Bug: 254188450
Test: Full OTA Pixel
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: I7681e9a4d884eac1ccbf8adeb1fc6bd1a9fedfa6
2022-10-18 16:49:02 +00:00
Akilesh Kailash
e8f6a126fb libsnapshot: Refactor code
Move all files related to libsnapshot_cow library to
a separate directory. Libsnapshot directory is getting
crowded and we will be adding more files to this library
with async writes.

No changes to any logic.

Bug: 254188450
Test: Full OTA on Pixel
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: If84ff730d477c85a8ef57864d2185f2f897cf8e0
2022-10-18 16:48:33 +00:00
Yi-yo Chiang
956a45485a Revert "fs_mgr_overlayfs: Revert to use /data only if VAB"
This reverts commit c540ab9bf8.

Reason for revert: root cause is fixed

Bug: 253207748
Test: TH run g3-app-compat-main
Change-Id: I44c2535508a5718a823cdd61ad1938bba739c2a0
2022-10-18 09:43:20 +00:00
Yi-yo Chiang
eb88e7b677 Use ro.product.vendor.device to determine if running on Cuttlefish
Similar reasoning as aosp/2255456. ro.product.device could be overridden
by GSI if system.img was replaced with GSI.
Use ro.product.vendor.device, which comes from the vendor.img, to
determine the "device" type.

Bug: 243116800
Test: adb-remount-test on cuttlefish
Change-Id: Ib4a956047ef46d8e4837b27334f8d58162d4fa2a
2022-10-18 07:34:45 +00:00
Yi-yo Chiang
e7f5532e0a Merge "fs_mgr_overlayfs: Add scratch size override system property" 2022-10-18 06:56:24 +00:00
Jaegeuk Kim
c114177985 overlayfs: use overlayfs for f2fs readonly mode
F2FS doesn't allow remount,rw for RO partition, so that it caused adb remount.
Fix it.

Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: Ia4410d08e8be344d79292c16a335a7e5be7a48bb
2022-10-17 11:38:45 -07:00
Kelvin Zhang
7e05c04432 Fix bug in WriteStringToFileAtomic
According to https://www.slideshare.net/nan1nan1/eat-my-data ,
rename() without an fsync() is not safe, and cannot guarantee data
integrity in case of power loss or OS failure.

Test: partner verification, th
Bug: 238702018
Change-Id: I5809770062ed7bfa47df81de418a2d8f7cbc6620
2022-10-13 09:43:44 -07:00
Yi-Yo Chiang
15f94436b3 fs_mgr_overlayfs: Add scratch size override system property
Bug: 253207748
Test: Treehugger
Change-Id: I7140044d127e7db99d86decbe818be3680d26995
2022-10-12 20:23:19 +08:00
yi.sun
301adfcc07 Replacing fs_mgr_dir_is_writable(work) with fs_mgr_rw_access(work) to
check whether the scratch partition is writable.

Delete fs_mgr_dir_is_writable, as it may cause remount to fail.

Steps to reproduce:
1. adb root
2. adb remount
3. adb reboot
4. adb remount
5. push files to the system partition until the scratch partition is full
6. check that the Available of /mnt/scratch is zero through the df command
7. reboot
8. adb root
9. adb remount
Now, overlayfs failed to mount.

But I want to continue to view the files that were previously pushed to
the system partition.
Mounting of overlayfs should not be blocked when there is not enough space.
It seems reasonable to use fs_mgr_rw_access(work) to check whether
the partition is writable.
We should allow mount even if scratch is full, because this allows
the user to delete previously pushed files to free up space.

Bug: 240635368
Change-Id: I726ccd064cfabfab29789e7c690ea8cb574a6344
Signed-off-by: yi.sun <yi.sun@unisoc.com>
2022-10-12 03:06:22 +00:00
Akilesh Kailash
889b446810 Merge "init: Detach daemon only after sepolicy is loaded" 2022-10-11 21:04:42 +00:00
Yi-yo Chiang
c540ab9bf8 fs_mgr_overlayfs: Revert to use /data only if VAB
Partial revert of aosp/2240456 to fix b/251472189

Bug: 251472189
Test: Treehugger
Test: adb-remount-test
Test: g3-app-compat-main
Change-Id: Ifbd608a249fdc599954c34a134ef8497fdf24b46
2022-10-11 05:27:44 +00:00
Akilesh Kailash
035e557fd3 init: Detach daemon only after sepolicy is loaded
The new sequence of operation would be:

1: Load sepolicy - Daemon will continue to be alive and serve any I/O request

2: After sepolicy loading is complete - Switch the device-mapper tables.

3: Kill the block device daemon launched in the first-stage init.

4: Re-launch the daemon with the correct selinux labels set.

5: Enforce the sepolicy

Bug: 240321741
Test: Full OTA on pixel
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: Idd392f0f0aae7d93e546c0ec0762e6c07b6263e4
2022-10-10 21:58:52 +00:00
Yi-Yo Chiang
ce2dbd009f remount: Remove AVB 1.0 code & opaque exit code
* Remove AVB 1.0 (fec).
* Assert device is bootloader unlocked in main().
* Since error is already logged to stderr and logd, there is no need to
  return an opaque enum value as error code. Just return 1 if main()
  encounters any error.

Bug: 241688845
Test: Presubmit
Test: adb-remount-test
Change-Id: I06df6f92a3d4adaca77061920736056c9051c112
2022-10-06 18:54:19 +08:00
Yi-yo Chiang
5653687caf Merge changes I8b5e08a3,Iccfe06f9
* changes:
  fs_mgr_overlayfs: Remove support for physical scratch
  fs_mgr_overlayfs: Refactor scratch mounting code
2022-10-06 06:19:12 +00:00
Yi-yo Chiang
27cf51e71c Merge "fs_mgr_overlayfs: Cleanup -user build stubs" 2022-10-05 09:19:45 +00:00
Yi-Yo Chiang
9032c00869 fs_mgr_overlayfs: Remove support for physical scratch
Deprecate physical scratch path, support only dynamic partition scratch
and scratch on /cache.

Bug: 243116800
Test: adb-remount-test
Change-Id: I8b5e08a38e323139b56b169865dcaf1a6620cf20
2022-10-05 01:13:32 +08:00
Yi-Yo Chiang
ea2f32a438 fs_mgr_overlayfs: Refactor scratch mounting code
Make the control flow less chaotic and rename to cpp style function
name.

Bug: 243116800
Test: adb-remount-test
Change-Id: Iccfe06f9cb9659b7b0bad085250422e298cc4f27
2022-10-05 01:11:18 +08:00
Yi-yo Chiang
7214c98d2e Merge "remount: Remove errno test & improve messaging of fs_mgr_overlayfs_mount_all" 2022-10-04 06:27:27 +00:00
Akilesh Kailash
2e780402e2 snapuserd: Set taskprofile OtaProfiles
Since update-engine already has this profile set,
it is better to have similar profile for the daemon
so that threads don't run at high priority.

Additionally, lower the nice value for worker
threads.

No change in the OTA install time observed.

Bug: 237490659
Test: Full OTA on Pixel
Change-Id: I53ec8c647eb781965792683b04621e6fec5eb5f2
Signed-off-by: Akilesh Kailash <akailash@google.com>
2022-09-27 19:36:49 +00:00
Yi-Yo Chiang
ad06b405ee fs_mgr_overlayfs: Cleanup -user build stubs
* Categorize functions in fs_mgr_overlayfs.h into three classes:
  - Type 1: common and non-critical utilities.
  - Type 2: internal routines for facilitating remount.
  - Type 3: external entry points for users of fs_mgr_overlayfs, like
            fs_mgr_overlayfs_mount_all().
* Move type 1 to common utils header fs_mgr_priv.h & fs_mgr.cpp.
* Move type 2 to new private header fs_mgr_priv_overlayfs.h.
* Keep type 3 in fs_mgr_overlayfs.h.
* Move set-verity-state.cpp under fs_mgr so it can include
  fs_mgr_priv_overlayfs.h. File is reformatted as a result. We should
  eventually merge and dedup set-verity-state and fs_mgr_remount.
* Add myself to OWNERS for remount-related maintenance work.

Bug: 241179247
Bug: 241688845
Test: Full build -user and -userdebug build.
Test: Presubmit
Test: Treehugger run v2/android-gki/adb_remount
Change-Id: Id5fd0e2b12c693939d712a586dd553cc4d8bfeb1
2022-09-26 16:46:03 +08:00
Yi-Yo Chiang
0cba7afd67 remount: Remove errno test & improve messaging of fs_mgr_overlayfs_mount_all
* remount doesn't check errno after calling fs_mgr_overlayfs_mount_all()
  as we don't report error status through errno anymore.
* fs_mgr_overlayfs_mount_all() returns false if any failure.
* fs_mgr_overlayfs_mount_all() returns true if no overlayfs to mount or
  all overlayfs are either already mounted or mounted successfully.

Bug: 241179247
Bug: 248295731
Test: Treehugger
Change-Id: Ia9c7ac686f6538a9f5da7efc4cda6f28aff056f6
2022-09-26 16:37:27 +08:00
Yi-Yo Chiang
602ac4b03c overlayfs: Fix -user build break
Bug: 241179247
Fixes: 247941706
Test: Treehugger
Change-Id: I2a7683014bb7c6f23a81a6d4b1199f19a8c184b9
2022-09-21 07:08:45 +00:00
Treehugger Robot
7cad2e8654 Merge "Fix module-file name collisions" 2022-09-20 23:24:20 +00:00
Jaegeuk Kim
4ae0eb0f86 Merge "fs_mgr: remove atgc mount option for zoned device" 2022-09-20 20:02:08 +00:00
Cole Faust
7e279e97a3 Fix module-file name collisions
Bazel doesn't allow a module and file with the same name.

Bug: 198619163
Test: Presubmits
Change-Id: I345086764071ca649de1ac11804e21675cd5e59d
2022-09-20 12:33:47 -07:00
David Anderson
2dcde2a36a Merge "remount: Remove unused errno propagation." 2022-09-20 18:23:29 +00:00
David Anderson
eec8932c35 Merge "remount: Remove errno interaction from fs_mgr_overlayfs_teardown." 2022-09-20 18:23:19 +00:00
Jaegeuk Kim
36755637ca fs_mgr: remove atgc mount option for zoned device
F2FS gives EINVAL when trying to mount zoned device with atgc. This patch
allows to keep the single fstab to support legacy and zoned devices at the
same time.

Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: I47a667443e7e60cb6729553b2ca24026e21fd90d
2022-09-20 10:07:18 -07:00
David Anderson
76dd810ecf remount: Remove unused errno propagation.
This removes all remaining save/restores of errno in
fs_mgr_overlayfs.cpp.

Bug: 241179247
Test: adb-remount-test.sh
Change-Id: I8bae6eb2752fe9460763455e88f9b82ad57c10e4
2022-09-19 22:30:06 -07:00
David Anderson
0aabcbc973 remount: Remove errno interaction from fs_mgr_overlayfs_teardown.
This patch eliminates errno as part of the return contract for
fs_mgr_overlayfs_teardown().

The non-standard use of implicit errno makes it extremely difficult to
reason about how these functions can fail. As it turns out,
fs_mgr_overlayfs_teardown has been consistently failing for a long time,
but in a place where errno isn't set, which meant "enable-verity" never
saw the failure.

The failure was originating from umount2(MNT_DETACH) which guaranteed
that DeleteBackingImage would fail with EBUSY, and DeleteBackingImage is
a binder call that doesn't set errno.

This patch switches to umount() and returns a "busy" status if the
unmount fails with EBUSY. In this case it will also disable the scratch
partition. There is a long-standing existing bug where, for non-VAB
devices, it will delete the underlying scratch partition off super. This
is pretty risky with MNT_DETACH, but that path is left unchanged here.

Some duplicated code in set-verity-state was refactored as well, since
the return value of fs_mgr_overlayfs_teardown is now more complex.

Bug: 241179247
Test: adb-remount-test.sh
Change-Id: I2ca75332b75a302622ba9b86d122a6f2accdda3e
2022-09-19 22:30:05 -07:00
biandonglei
9e7a73cf0c Some devices whose platform is based on Android 12 don't support A/B update, and it looks like Virtual A/B is also not mandatory, so this test case should check ro.vendor.api_level first.
test:
 run vts -m vts_ota_config_test -t VAB#Enabled

issue:
 245441425

Change-Id: I1795c931b28fd5fe28aa0f23717d4238fb352d37
2022-09-17 06:47:02 +00:00
David Anderson
0dfbdc5bdb Merge "vts_libsnapshot_test: Fix test flakiness." 2022-09-08 19:44:05 +00:00
David Anderson
7834809350 vts_libsnapshot_test: Fix test flakiness.
This patch fixes a few lingering issues in vts_libsnapshot_test.

The most important fix is a crash in snapuserd when handler deletion
races with the merge monitor thread. Since tests issue lots of
snapshot-related requests in rapid succession, this was easy to hit in
presubmit, and resulted in a null-pointer deref.

SnapuserdClient's CloseConnection does the same thing as the destructor,
but leaves SnapuserdClient in an unusable state. This method is removed
in favor of RAII.

Fix a bug in SnapshotManager where CloseConnection could be called
without zapping snapuserd_client_.

Fix a bug where POLLHUP was checked before calling recv().

Add test name logging so presubmit failures can be diagnosed via logcat
dumps.

Bug: N/A
Test: vts_libsnapshot_test on cuttlefish
Change-Id: I8f22a45e537c24a3c6d327ac47bf8b1352108706
2022-09-07 21:58:03 -07:00
Bowgo Tsai
0db62f43de Change log level in mount_with_alternatives()
mount_with_alternatives() supports mounting any of the
consecutive fstab entries. Some log messages shouldn't
be treated as error so changing log level to INFO instead.

Bug: 245468764
Test: TreeHugger
Change-Id: I94a18d4cf91ee5bb58cf5ba5f853a0e6599071d1
2022-09-07 18:45:36 +08:00
Yi-yo Chiang
9a0a9db6af Merge "adb-remount-test: Miscellaneous fixes - 2nd round" 2022-09-05 08:33:31 +00:00
Yi-yo Chiang
10b691284c Merge changes I2360314c,I51bd32c6,Icb136327,Id8425488
* changes:
  adb-remount-test: Refactor test cleanup
  adb-remount-test: Replace libc.so test with build.prop test
  adb-remount-test: Check override_creds only if overlayfs is used
  adb-remount-test: Print log timestamp & auto-detect color
2022-09-05 05:59:36 +00:00
Yi-yo Chiang
78430afca4 Merge "adb-remount-test: Refactor raw remount & remount from scratch test" 2022-09-05 03:34:56 +00:00
David Anderson
82e1fc0749 Merge "remount: Simplify fs_mgr_overlayfs_setup." 2022-09-03 00:28:13 +00:00
Yi-Yo Chiang
3ae19c3c01 adb-remount-test: Miscellaneous fixes - 2nd round
* Call adb_wait in adb_reboot, as virtually all adb_reboot callsites are
  immediately followed by adb_wait.
* Remove |data| option from skip_administrative_mounts. The |data|
  option doesn't really work anyway, because vold & init create a
  bewildering hierarchy of /data bind-mounts, so it's not feasible to
  filter /data by mountpoints. It's more sensible to filter by the /data
  device node name, which should be done by the caller.
* Untangle skip_administrative_mounts and skip_unrelated_mounts.
  I don't know why we need two separate functions that do similar
  things. Just merge them together.

Bug: 243116800
Test: adb-remount-test
Change-Id: I847f0b8cc2a952bb4c8656a43da783f312670061
2022-09-02 00:52:29 +08:00