init/Android.bp +22 −1 @@ -89,7 +89,19 @@ init_host_sources = [ "host_init_verifier.cpp", ] cc_defaults { soong_config_module_type { name: "libinit_cc_defaults", module_type: "cc_defaults", config_namespace: "ANDROID", bool_variables: [ "PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT", ], properties: [ "cflags", ], } libinit_cc_defaults { name: "init_defaults", sanitize: { misc_undefined: ["signed-integer-overflow"], @@ -109,6 +121,7 @@ cc_defaults { "-DDUMP_ON_UMOUNT_FAILURE=0", "-DSHUTDOWN_ZERO_TIMEOUT=0", "-DINIT_FULL_SOURCES", "-DINSTALL_DEBUG_POLICY_TO_SYSTEM_EXT=0", ], product_variables: { debuggable: { @@ -137,6 +150,14 @@ cc_defaults { cppflags: ["-DUSER_MODE_LINUX"], }, }, soong_config_variables: { PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT: { cflags: [ "-UINSTALL_DEBUG_POLICY_TO_SYSTEM_EXT", "-DINSTALL_DEBUG_POLICY_TO_SYSTEM_EXT=1", ], }, }, static_libs: [ "libavb", "libc++fs", init/first_stage_init.cpp +13 −6
@@ -330,15 +330,22 @@ int FirstStageMain(int argc, char** argv) { // If "/force_debuggable" is present, the second-stage init will use a userdebug // sepolicy and load adb_debug.prop to allow adb root, if the device is unlocked. if (access("/force_debuggable", F_OK) == 0) { constexpr const char adb_debug_prop_src[] = "/adb_debug.prop"; constexpr const char userdebug_plat_sepolicy_cil_src[] = "/userdebug_plat_sepolicy.cil"; std::error_code ec; // to invoke the overloaded copy_file() that won't throw. if (!fs::copy_file("/adb_debug.prop", kDebugRamdiskProp, ec) || !fs::copy_file("/userdebug_plat_sepolicy.cil", kDebugRamdiskSEPolicy, ec)) { LOG(ERROR) << "Failed to setup debug ramdisk"; } else { if (access(adb_debug_prop_src, F_OK) == 0 && !fs::copy_file(adb_debug_prop_src, kDebugRamdiskProp, ec)) { LOG(WARNING) << "Can't copy " << adb_debug_prop_src << " to " << kDebugRamdiskProp << ": " << ec.message(); } if (access(userdebug_plat_sepolicy_cil_src, F_OK) == 0 && !fs::copy_file(userdebug_plat_sepolicy_cil_src, kDebugRamdiskSEPolicy, ec)) { LOG(WARNING) << "Can't copy " << userdebug_plat_sepolicy_cil_src << " to " << kDebugRamdiskSEPolicy << ": " << ec.message(); } // setenv for second-stage init to read above kDebugRamdisk* files. setenv("INIT_FORCE_DEBUGGABLE", "true", 1); } } if (ForceNormalBoot(cmdline, bootconfig)) { mkdir("/first_stage_ramdisk", 0755); init/selinux.cpp +23 −7
@@ -295,6 +295,25 @@ bool IsSplitPolicyDevice() { return access(plat_policy_cil_file, R_OK) != -1; } std::optional<const char*> GetUserdebugPlatformPolicyFile() { // See if we need to load userdebug_plat_sepolicy.cil instead of plat_sepolicy.cil. const char* force_debuggable_env = getenv("INIT_FORCE_DEBUGGABLE"); if (force_debuggable_env && "true"s == force_debuggable_env && AvbHandle::IsDeviceUnlocked()) { const std::vector<const char*> debug_policy_candidates = { #if INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT == 1 "/system_ext/etc/selinux/userdebug_plat_sepolicy.cil", #endif kDebugRamdiskSEPolicy, }; for (const char* debug_policy : debug_policy_candidates) { if (access(debug_policy, F_OK) == 0) { return debug_policy; } } } return std::nullopt; } struct PolicyFile { unique_fd fd; std::string path; @@ -310,13 +329,10 @@ bool OpenSplitPolicy(PolicyFile* policy_file) { // secilc is invoked to compile the above three policy files into a single monolithic policy // file. This file is then loaded into the kernel. // See if we need to load userdebug_plat_sepolicy.cil instead of plat_sepolicy.cil. const char* force_debuggable_env = getenv("INIT_FORCE_DEBUGGABLE"); bool use_userdebug_policy = ((force_debuggable_env && "true"s == force_debuggable_env) && AvbHandle::IsDeviceUnlocked() && access(kDebugRamdiskSEPolicy, F_OK) == 0); const auto userdebug_plat_sepolicy = GetUserdebugPlatformPolicyFile(); const bool use_userdebug_policy = userdebug_plat_sepolicy.has_value(); if (use_userdebug_policy) { LOG(WARNING) << "Using userdebug system sepolicy"; LOG(INFO) << "Using userdebug system sepolicy " << *userdebug_plat_sepolicy; } // Load precompiled policy from vendor image, if a matching policy is found there. The policy
@@ -413,7 +429,7 @@ bool OpenSplitPolicy(PolicyFile* policy_file) { // clang-format off std::vector<const char*> compile_args { "/system/bin/secilc", use_userdebug_policy ? kDebugRamdiskSEPolicy: plat_policy_cil_file, use_userdebug_policy ? *userdebug_plat_sepolicy : plat_policy_cil_file, "-m", "-M", "true", "-G", "-N", "-c", version_as_string.c_str(), plat_mapping_file.c_str(),
init/Android.bp +22 −1 @@ -89,7 +89,19 @@ init_host_sources = [ "host_init_verifier.cpp", ] cc_defaults { soong_config_module_type { name: "libinit_cc_defaults", module_type: "cc_defaults", config_namespace: "ANDROID", bool_variables: [ "PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT", ], properties: [ "cflags", ], } libinit_cc_defaults { name: "init_defaults", sanitize: { misc_undefined: ["signed-integer-overflow"], @@ -109,6 +121,7 @@ cc_defaults { "-DDUMP_ON_UMOUNT_FAILURE=0", "-DSHUTDOWN_ZERO_TIMEOUT=0", "-DINIT_FULL_SOURCES", "-DINSTALL_DEBUG_POLICY_TO_SYSTEM_EXT=0", ], product_variables: { debuggable: { @@ -137,6 +150,14 @@ cc_defaults { cppflags: ["-DUSER_MODE_LINUX"], }, }, soong_config_variables: { PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT: { cflags: [ "-UINSTALL_DEBUG_POLICY_TO_SYSTEM_EXT", "-DINSTALL_DEBUG_POLICY_TO_SYSTEM_EXT=1", ], }, }, static_libs: [ "libavb", "libc++fs",
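Review bot: The new `PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT` entry under `soong_config_variables` has no comment, although it widens the set of paths init will accept a userdebug SELinux policy from. A line above it such as `// When set, init also looks for userdebug_plat_sepolicy.cil under /system_ext (see init/selinux.cpp).` would make that visible to whoever enables it for a product. The `-UINSTALL_DEBUG_POLICY_TO_SYSTEM_EXT` / `-D...=1` pair presumably relies on these cflags being appended after the default `-DINSTALL_DEBUG_POLICY_TO_SYSTEM_EXT=0`; a short note next to the default flag saying it is overridden below would keep a later reorder from silently leaving the macro at 0.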
init/first_stage_init.cpp +13 −6 @@ -330,15 +330,22 @@ int FirstStageMain(int argc, char** argv) { // If "/force_debuggable" is present, the second-stage init will use a userdebug // sepolicy and load adb_debug.prop to allow adb root, if the device is unlocked. if (access("/force_debuggable", F_OK) == 0) { constexpr const char adb_debug_prop_src[] = "/adb_debug.prop"; constexpr const char userdebug_plat_sepolicy_cil_src[] = "/userdebug_plat_sepolicy.cil"; std::error_code ec; // to invoke the overloaded copy_file() that won't throw. if (!fs::copy_file("/adb_debug.prop", kDebugRamdiskProp, ec) || !fs::copy_file("/userdebug_plat_sepolicy.cil", kDebugRamdiskSEPolicy, ec)) { LOG(ERROR) << "Failed to setup debug ramdisk"; } else { if (access(adb_debug_prop_src, F_OK) == 0 && !fs::copy_file(adb_debug_prop_src, kDebugRamdiskProp, ec)) { LOG(WARNING) << "Can't copy " << adb_debug_prop_src << " to " << kDebugRamdiskProp << ": " << ec.message(); } if (access(userdebug_plat_sepolicy_cil_src, F_OK) == 0 && !fs::copy_file(userdebug_plat_sepolicy_cil_src, kDebugRamdiskSEPolicy, ec)) { LOG(WARNING) << "Can't copy " << userdebug_plat_sepolicy_cil_src << " to " << kDebugRamdiskSEPolicy << ": " << ec.message(); } // setenv for second-stage init to read above kDebugRamdisk* files. setenv("INIT_FORCE_DEBUGGABLE", "true", 1); } } if (ForceNormalBoot(cmdline, bootconfig)) { mkdir("/first_stage_ramdisk", 0755);
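Review bot: As far as the rendered diff shows, `setenv("INIT_FORCE_DEBUGGABLE", "true", 1)` now runs whenever /force_debuggable exists, where the old code reached it only after both copies succeeded, and a copy that fails although its source exists is reported only at WARNING. If that is intentional because the policy may now come from /system_ext, the existing comment on the setenv should say so, e.g. `// Set even if nothing was copied; second-stage init checks which debug policy file actually exists.` A failed copy of a source that passed the `access()` check is still a real error and could stay at `LOG(ERROR)`, keeping the quiet path for the "source absent" case. How second-stage init behaves when kDebugRamdiskProp is missing is not visible here, and FirstStageMain starts and ends outside the hunk.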
init/selinux.cpp +23 −7 @@ -295,6 +295,25 @@ bool IsSplitPolicyDevice() { return access(plat_policy_cil_file, R_OK) != -1; } std::optional<const char*> GetUserdebugPlatformPolicyFile() { // See if we need to load userdebug_plat_sepolicy.cil instead of plat_sepolicy.cil. const char* force_debuggable_env = getenv("INIT_FORCE_DEBUGGABLE"); if (force_debuggable_env && "true"s == force_debuggable_env && AvbHandle::IsDeviceUnlocked()) { const std::vector<const char*> debug_policy_candidates = { #if INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT == 1 "/system_ext/etc/selinux/userdebug_plat_sepolicy.cil", #endif kDebugRamdiskSEPolicy, }; for (const char* debug_policy : debug_policy_candidates) { if (access(debug_policy, F_OK) == 0) { return debug_policy; } } } return std::nullopt; } struct PolicyFile { unique_fd fd; std::string path; @@ -310,13 +329,10 @@ bool OpenSplitPolicy(PolicyFile* policy_file) { // secilc is invoked to compile the above three policy files into a single monolithic policy // file. This file is then loaded into the kernel. // See if we need to load userdebug_plat_sepolicy.cil instead of plat_sepolicy.cil. const char* force_debuggable_env = getenv("INIT_FORCE_DEBUGGABLE"); bool use_userdebug_policy = ((force_debuggable_env && "true"s == force_debuggable_env) && AvbHandle::IsDeviceUnlocked() && access(kDebugRamdiskSEPolicy, F_OK) == 0); const auto userdebug_plat_sepolicy = GetUserdebugPlatformPolicyFile(); const bool use_userdebug_policy = userdebug_plat_sepolicy.has_value(); if (use_userdebug_policy) { LOG(WARNING) << "Using userdebug system sepolicy"; LOG(INFO) << "Using userdebug system sepolicy " << *userdebug_plat_sepolicy; } // Load precompiled policy from vendor image, if a matching policy is found there. The policy
@@ -413,7 +429,7 @@ bool OpenSplitPolicy(PolicyFile* policy_file) { // clang-format off std::vector<const char*> compile_args { "/system/bin/secilc", use_userdebug_policy ? kDebugRamdiskSEPolicy: plat_policy_cil_file, use_userdebug_policy ? *userdebug_plat_sepolicy : plat_policy_cil_file, "-m", "-M", "true", "-G", "-N", "-c", version_as_string.c_str(), plat_mapping_file.c_str(),
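Review bot: The "Using userdebug system sepolicy" message in OpenSplitPolicy drops from `LOG(WARNING)` to `LOG(INFO)`, yet booting with a debug policy is the kind of event someone auditing a device's boot log wants to stand out; I would keep `LOG(WARNING) << "Using userdebug system sepolicy " << *userdebug_plat_sepolicy;`. In GetUserdebugPlatformPolicyFile the candidates are probed with `access(debug_policy, F_OK)`, while IsSplitPolicyDevice just above uses `R_OK`; `access(debug_policy, R_OK) == 0` would avoid selecting a file that secilc then cannot read. The function also lacks a header comment stating the lookup order (the /system_ext path first when `INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT` is 1, then kDebugRamdiskSEPolicy) and the two gating conditions, and `std::optional<const char*>` gives callers two distinct "empty" states where a plain nullable `const char*` would do. OpenSplitPolicy continues outside both of its hunks.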