Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 4ba548d8 authored by Jiyong Park's avatar Jiyong Park
Browse files

mount /apex during first_stage init 

/apex is not mounted via init.rc but directly by the first_stage init
before the mount namespaces are configured.

This allows us to change the propagation type for /apex mount point to
private to isolate APEX activatesions across post- and pre-apexd
processes.

Bug: 125549215
Test: m; device boots to the UI

Change-Id: I10e056cd30d64cb702b6c237acd8dab326162884
parent bc637210

init/first_stage_init.cpp

+4 −0
Original line number Diff line number Diff line
@@ -155,6 +155,10 @@ int FirstStageMain(int argc, char** argv) { 
    // part of the product partition, e.g. because they are mounted read-write.

    CHECKCALL(mkdir("/mnt/product", 0755));



    // /apex is used to mount APEXes

    CHECKCALL(mount("tmpfs", "/apex", "tmpfs", MS_NOEXEC | MS_NOSUID | MS_NODEV,

                    "mode=0755,uid=0,gid=0"));



#undef CHECKCALL



    // Now that tmpfs is mounted on /dev and we have /dev/kmsg, we can actually

init/selinux.cpp

+2 −0
Original line number Diff line number Diff line
@@ -459,6 +459,8 @@ void SelinuxRestoreContext() { 


    selinux_android_restorecon("/dev/block", SELINUX_ANDROID_RESTORECON_RECURSE);

    selinux_android_restorecon("/dev/device-mapper", 0);



    selinux_android_restorecon("/apex", 0);

}



int SelinuxKlogCallback(int type, const char* fmt, ...) {

rootdir/init.rc

+0 −6
Original line number Diff line number Diff line
@@ -278,12 +278,6 @@ on init 
    write /dev/cpu_variant:${ro.bionic.2nd_arch} ${ro.bionic.2nd_cpu_variant}

    chmod 0444 /dev/cpu_variant:${ro.bionic.2nd_arch}



    # Setup APEX mount point and its security context

    mount tmpfs tmpfs /apex nodev noexec nosuid

    chmod 0755 /apex

    chown root root /apex

    restorecon /apex



    # Start logd before any other services run to ensure we capture all of their logs.

    start logd