Loading libcutils/ashmem-dev.cpp +14 −2 Original line number Diff line number Diff line Loading @@ -114,8 +114,14 @@ static bool __has_memfd_support() { // Check if kernel support exists, otherwise fall back to ashmem. // This code needs to build on old API levels, so we can't use the libc // wrapper. // // MFD_NOEXEC_SEAL is used to match the semantics of the ashmem device, // which did not have executable permissions. This also seals the executable // permissions of the buffer (i.e. they cannot be changed by fchmod()). // // MFD_NOEXEC_SEAL implies MFD_ALLOW_SEALING. android::base::unique_fd fd( syscall(__NR_memfd_create, "test_android_memfd", MFD_CLOEXEC | MFD_ALLOW_SEALING)); syscall(__NR_memfd_create, "test_android_memfd", MFD_CLOEXEC | MFD_NOEXEC_SEAL)); if (fd == -1) { ALOGE("memfd_create failed: %s, no memfd support.\n", strerror(errno)); return false; Loading Loading @@ -289,7 +295,13 @@ int ashmem_valid(int fd) static int memfd_create_region(const char* name, size_t size) { // This code needs to build on old API levels, so we can't use the libc // wrapper. android::base::unique_fd fd(syscall(__NR_memfd_create, name, MFD_CLOEXEC | MFD_ALLOW_SEALING)); // // MFD_NOEXEC_SEAL to match the semantics of the ashmem device, which did // not have executable permissions. This also seals the executable // permissions of the buffer (i.e. they cannot be changed by fchmod()). // // MFD_NOEXEC_SEAL implies MFD_ALLOW_SEALING. android::base::unique_fd fd(syscall(__NR_memfd_create, name, MFD_CLOEXEC | MFD_NOEXEC_SEAL)); if (fd == -1) { ALOGE("memfd_create(%s, %zd) failed: %s\n", name, size, strerror(errno)); Loading rootdir/init.rc +5 −0 Original line number Diff line number Diff line Loading 
@@ -1004,6 +1004,11 @@ on post-fs-data exec_start system_aconfigd_mainline_init start system_aconfigd_socket_service # start mainline aconfigd init, after transition, the above system_aconfigd_mainline_init # will be deprecated exec_start mainline_aconfigd_init start mainline_aconfigd_socket_service # Create directories for boot animation. mkdir /data/misc/bootanim 0755 system system Loading trusty/trusty-storage-cf.mk +1 −0 Original line number Diff line number Diff line Loading @@ -22,4 +22,5 @@ PRODUCT_PACKAGES += \ storageproxyd.system \ rpmb_dev.system \ rpmb_dev.test.system \ trusty/utils/rpmb_dev/Android.bp +9 −0 Original line number Diff line number Diff line Loading 
@@ -58,3 +58,12 @@ cc_binary { "rpmb_dev.wv.system.rc", ], } cc_binary { name: "rpmb_dev.test.system", defaults: ["rpmb_dev.cc_defaults"], system_ext_specific: true, init_rc: [ "rpmb_dev.test.system.rc", ], } trusty/utils/rpmb_dev/rpmb_dev.test.system.rc 0 → 100644 +56 −0 Original line number Diff line number Diff line service trusty_test_vm /apex/com.android.virt/bin/vm run \ /data/local/tmp/TrustyTestVM_UnitTests/trusty-test_vm-config.json disabled user system group system service storageproxyd_test_system /system_ext/bin/storageproxyd.system \ -d VSOCK:${trusty.test_vm.vm_cid}:1 \ -r /dev/socket/rpmb_mock_test_system \ -p /data/secure_storage_test_system \ -t sock disabled class hal user system group system service rpmb_mock_init_test_system /system_ext/bin/rpmb_dev.test.system \ --dev /mnt/secure_storage_rpmb_test_system/persist/RPMB_DATA --init --size 2048 disabled user system group system oneshot service rpmb_mock_test_system /system_ext/bin/rpmb_dev.test.system \ --dev /mnt/secure_storage_rpmb_test_system/persist/RPMB_DATA \ --sock rpmb_mock_test_system disabled user system group system socket rpmb_mock_test_system stream 660 system system # RPMB Mock on post-fs-data # Create a persistent location for the RPMB data # (work around lack of RPMb block device on CF). # file contexts secure_storage_rpmb_system_file # (only used on Cuttlefish as this is non secure) mkdir /metadata/secure_storage_rpmb_test_system 0770 system system mkdir /mnt/secure_storage_rpmb_test_system 0770 system system symlink /metadata/secure_storage_rpmb_test_system \ /mnt/secure_storage_rpmb_test_system/persist # Create a system persist directory in /metadata # (work around lack of dedicated system persist partition). 
# file contexts secure_storage_persist_system_file mkdir /metadata/secure_storage_persist_test_system 0770 system system mkdir /mnt/secure_storage_persist_test_system 0770 system system symlink /metadata/secure_storage_persist_test_system \ /mnt/secure_storage_persist_test_system/persist # file contexts secure_storage_system_file mkdir /data/secure_storage_test_system 0770 root system symlink /mnt/secure_storage_persist_test_system/persist \ /data/secure_storage_test_system/persist chown root system /data/secure_storage_test_system/persist # setprop storageproxyd_test_system.trusty_ipc_dev VSOCK:${trusty.test_vm.vm_cid}:1 exec_start rpmb_mock_init_test_system start rpmb_mock_test_system Loading
libcutils/ashmem-dev.cpp +14 −2 Original line number Diff line number Diff line Loading @@ -114,8 +114,14 @@ static bool __has_memfd_support() { // Check if kernel support exists, otherwise fall back to ashmem. // This code needs to build on old API levels, so we can't use the libc // wrapper. // // MFD_NOEXEC_SEAL is used to match the semantics of the ashmem device, // which did not have executable permissions. This also seals the executable // permissions of the buffer (i.e. they cannot be changed by fchmod()). // // MFD_NOEXEC_SEAL implies MFD_ALLOW_SEALING. android::base::unique_fd fd( syscall(__NR_memfd_create, "test_android_memfd", MFD_CLOEXEC | MFD_ALLOW_SEALING)); syscall(__NR_memfd_create, "test_android_memfd", MFD_CLOEXEC | MFD_NOEXEC_SEAL)); if (fd == -1) { ALOGE("memfd_create failed: %s, no memfd support.\n", strerror(errno)); return false; Loading Loading @@ -289,7 +295,13 @@ int ashmem_valid(int fd) static int memfd_create_region(const char* name, size_t size) { // This code needs to build on old API levels, so we can't use the libc // wrapper. android::base::unique_fd fd(syscall(__NR_memfd_create, name, MFD_CLOEXEC | MFD_ALLOW_SEALING)); // // MFD_NOEXEC_SEAL to match the semantics of the ashmem device, which did // not have executable permissions. This also seals the executable // permissions of the buffer (i.e. they cannot be changed by fchmod()). // // MFD_NOEXEC_SEAL implies MFD_ALLOW_SEALING. android::base::unique_fd fd(syscall(__NR_memfd_create, name, MFD_CLOEXEC | MFD_NOEXEC_SEAL)); if (fd == -1) { ALOGE("memfd_create(%s, %zd) failed: %s\n", name, size, strerror(errno)); Loading
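Review bot: The probe in `__has_memfd_support()` now also fails on a kernel that has memfd but predates `MFD_NOEXEC_SEAL` (added in Linux 6.3), because an unknown flag is rejected with EINVAL, yet the log line still reads "no memfd support". If falling back to ashmem on those kernels is intended, the comment should say so, for example `// Kernels without MFD_NOEXEC_SEAL return EINVAL here; we deliberately treat that as "no memfd" and use ashmem.`, and the `ALOGE` text could separate the EINVAL case from a missing syscall. `memfd_create_region()` in the second hunk passes the same flag and so depends on the probe having succeeded first. The existing comment says this file builds against old API levels, so a guarded fallback definition of `MFD_NOEXEC_SEAL` may be needed if those headers lack it; that cannot be confirmed from the visible lines. Both function bodies continue outside their hunks.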
rootdir/init.rc +5 −0 Original line number Diff line number Diff line Loading @@ -1004,6 +1004,11 @@ on post-fs-data exec_start system_aconfigd_mainline_init start system_aconfigd_socket_service # start mainline aconfigd init, after transition, the above system_aconfigd_mainline_init # will be deprecated exec_start mainline_aconfigd_init start mainline_aconfigd_socket_service # Create directories for boot animation. mkdir /data/misc/bootanim 0755 system system Loading
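Review bot: The added comment says `system_aconfigd_mainline_init` "will be deprecated" but gives neither the relationship between the two initialisers nor a reference for when the old one goes away. During the transition both `exec_start` commands run back to back on every boot, and `exec_start` holds up init until the service exits, so a reader needs to know whether `mainline_aconfigd_init` depends on the system variant having finished. A comment such as `# Runs after system_aconfigd_mainline_init during the transition; drop the system variant once <tracking bug> is resolved.` would cover it, if that ordering is in fact required. The `on post-fs-data` block starts and ends outside the hunk.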
trusty/trusty-storage-cf.mk +1 −0 Original line number Diff line number Diff line Loading @@ -22,4 +22,5 @@ PRODUCT_PACKAGES += \ storageproxyd.system \ rpmb_dev.system \ rpmb_dev.test.system \
trusty/utils/rpmb_dev/Android.bp +9 −0 Original line number Diff line number Diff line Loading @@ -58,3 +58,12 @@ cc_binary { "rpmb_dev.wv.system.rc", ], } cc_binary { name: "rpmb_dev.test.system", defaults: ["rpmb_dev.cc_defaults"], system_ext_specific: true, init_rc: [ "rpmb_dev.test.system.rc", ], }
trusty/utils/rpmb_dev/rpmb_dev.test.system.rc 0 → 100644 +56 −0 Original line number Diff line number Diff line service trusty_test_vm /apex/com.android.virt/bin/vm run \ /data/local/tmp/TrustyTestVM_UnitTests/trusty-test_vm-config.json disabled user system group system service storageproxyd_test_system /system_ext/bin/storageproxyd.system \ -d VSOCK:${trusty.test_vm.vm_cid}:1 \ -r /dev/socket/rpmb_mock_test_system \ -p /data/secure_storage_test_system \ -t sock disabled class hal user system group system service rpmb_mock_init_test_system /system_ext/bin/rpmb_dev.test.system \ --dev /mnt/secure_storage_rpmb_test_system/persist/RPMB_DATA --init --size 2048 disabled user system group system oneshot service rpmb_mock_test_system /system_ext/bin/rpmb_dev.test.system \ --dev /mnt/secure_storage_rpmb_test_system/persist/RPMB_DATA \ --sock rpmb_mock_test_system disabled user system group system socket rpmb_mock_test_system stream 660 system system # RPMB Mock on post-fs-data # Create a persistent location for the RPMB data # (work around lack of RPMb block device on CF). # file contexts secure_storage_rpmb_system_file # (only used on Cuttlefish as this is non secure) mkdir /metadata/secure_storage_rpmb_test_system 0770 system system mkdir /mnt/secure_storage_rpmb_test_system 0770 system system symlink /metadata/secure_storage_rpmb_test_system \ /mnt/secure_storage_rpmb_test_system/persist # Create a system persist directory in /metadata # (work around lack of dedicated system persist partition). 
# file contexts secure_storage_persist_system_file mkdir /metadata/secure_storage_persist_test_system 0770 system system mkdir /mnt/secure_storage_persist_test_system 0770 system system symlink /metadata/secure_storage_persist_test_system \ /mnt/secure_storage_persist_test_system/persist # file contexts secure_storage_system_file mkdir /data/secure_storage_test_system 0770 root system symlink /mnt/secure_storage_persist_test_system/persist \ /data/secure_storage_test_system/persist chown root system /data/secure_storage_test_system/persist # setprop storageproxyd_test_system.trusty_ipc_dev VSOCK:${trusty.test_vm.vm_cid}:1 exec_start rpmb_mock_init_test_system start rpmb_mock_test_system
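Review bot: `trusty_test_vm` runs as `system` but reads its VM configuration from `/data/local/tmp/TrustyTestVM_UnitTests/trusty-test_vm-config.json`, and `/data/local/tmp` is normally writable by the shell user, so the file crosses a trust boundary into a system-uid service. The service is `disabled`, but the `on post-fs-data` block below it is unconditional: every boot of a build that ships this rc creates the `*_test_system` directories and starts `rpmb_mock_test_system`. Consider a comment on the service stating that it is a test fixture for debuggable builds only, and gating the trigger, for example `on post-fs-data && property:ro.debuggable=1`. The `# file contexts …` comments name labels whose file_contexts entries for the new `_test_system` paths are not part of this section. The commented-out `setprop` line should be removed or explained.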