| Commit message (Collapse) | Author | Age | Files | Lines |
|
We have seen cases where the boot partition is patched, but upon
recovery the partition appears to be corrupted. Open up all
patched files/partitions with O_SYNC, and do not ignore the
errors from fsync/close operations.
Bug: 18170529
Change-Id: I392ad0a321d937c4ad02eaeea9170be384a4744b
|
Some files appear to be missing their sync to disk.
Bug: 18145574
Change-Id: Ic858624a4dd65bbfc54d30f3a13c607078270345
|
Bug: 18092022
Change-Id: I6c42038ebeb1cfc1e7ca0d3e12310fdce1b990b0
|
At the end of the OTA script, we walk through /system, updating
all the permissions on the filesystem, including the UID, GID,
standard UNIX permissions, capabilities, and SELinux labels.
In the case of a symbolic link, however, we want to skip most of
those operations. The UID, GID, UNIX permissions, and capabilities
don't meaningfully apply to symbolic links.
However, that's not true with SELinux labels. The SELinux label on
a symbolic link is important. We need to make sure the label on the
symbolic link is always updated, even if none of the other attributes
are updated.
This change unconditionally updates the SELinux label on the symbolic
link itself. lsetfilecon() is used, so that the link itself is updated,
not what it's pointing to.
In addition, drop the ENOTSUP special case. SELinux has been a
requirement since Android 4.4. Running without filesystem extended
attributes is no longer supported, and we shouldn't even try to handle
non-SELinux updates anymore. (Note: this could be problematic if
these scripts are ever used to produce OTA images for 4.2 devices)
Bug: 18079773
Change-Id: I87f99a1c88fe02bb2914f1884cac23ce1b385f91
|
Bug: 18079773
Bug: 18092222
Change-Id: Ifc3f3e123de729dfbb2f49414b3207afa96268d5
|
Bug: 18079773
Change-Id: Ic6fddbcbcb6ddb9e1cbd1698df98387c0033ae15
|
Create a new recovery UI option to allow the user to view
/cache/recovery/last_log for their device. This gives enhanced
debugging information which may be necessary when a failed
OTA occurs.
Bug: 18094012
Change-Id: Ic3228de96e9bfc2a0141c7aab4ce392a38140cf3
|
This should help with reentrant OTAs.
Bug: 18079773
Change-Id: I102fd738e3b450483ecd4471384c12e89fc586e2
|
This will help us track down who requested a data wipe.
Bug: 17412160
Change-Id: I1c439fbd29f96b9851810baca9101f683a0f18d8
|
Always create the block map for packages on /data; don't only look at
the encryptable/encrypted flags.
Bug: 17395453
Change-Id: Iaa7643a32898328277841e324305b9419a9e071c
|
The comment for the DEBUG_ERASE setting is exactly backwards.
Change-Id: I98ab5828365894217fc78976817a131e7d22d5c1
|
Otherwise, overflow problems can occur with images larger than
2G since the offsets will overflow a 32-bit off_t.
Change-Id: I05951a38ebeae83ad2cb938594e8d8adb323e2aa
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
|
Superseded by newer code.
Bug: 16984795
Change-Id: I842299f6a02af7ccf51ef2ca174d813ca53deef1
|
Opening the misc block device in read-write mode runs afoul of
SELinux, which keeps the wipe code from working. Fix. Also change
various things to log to logcat so we can see them happening, for
future debugging.
Bug: 16715412
Change-Id: Ia14066f0a371cd605fcb544547b58a41acca70b9
|
The computation of file offsets was overflowing for partitions larger
than 2 GB. The parsing of the transfer file could fail at the end if
the data happened to not be properly null-terminated.
Bug: 16984795
Change-Id: I3ce6eb3e54ab7b55aa9bbed252da5a7eacd3317a
|
(Cherry-pick back from master.)
Bug: 16984795
Change-Id: Ifa3d8345c5e2a0be86fb28faa080ca82592a96b4
|
Something is leaving behind wipe commands in the BCB area of the /misc
partition. We don't know what is doing that. It should always be
safe to zero out that area from uncrypt, though (because if uncrypt is
running then it's got the command we want in the recovery command file
rather than the BCB).
Bug: 16715412
Change-Id: Iad01124287f13b80ff71d6371db6371f43c43211
|
Bug: 17029174, 17015157
Change-Id: I1d24f3402875dfb972daa6daef0f385baeff84e9
|
Bug: 17015157
Change-Id: I3c4bdcf4f11d44b617bb731a48413e3707044d1c
|
We need to wipe the challenges on this partition
if OEM unlock is enabled, as this is a signal that
the user has opted out of factory reset protection.
go/factory-reset
Bug: 16633064
Change-Id: Icb8f1433bf99ca57813f5b72d5a3dd15fa94a263
|
These error messages include empty parens after each string
substitution. Ill-advised cut and paste, probably.
Bug: 16467401
Change-Id: Ib623172d6228354afdcc2e33442cc53a07f0ecbc
|
Fix wrong argument order.
Fix for 32 vs 64 bit.
(reported by htc)
Change-Id: Ie37a280bed2848199bcc075500e1326e371cd326
|
If recovery is invoked with a package somewhere other than /data,
leave it alone.
Change-Id: Ief358b53df467ae24a65e30e7a631da59bf13683
|
Sometimes renames will move a file into a directory
that does not yet exist. This will create the
parent directories, using the same symlink logic,
to ensure that there is a valid destination.
Change-Id: Iaa005a12ce800c39f4db20f7c25a2a68cb40a52d
|
Make a fuse filesystem that sits on top of the selected package file
on the sdcard, so we can verify that the file contents don't change
while being read and avoid copying the file to /tmp (that is, RAM)
before verifying and installing it.
Change-Id: Ifd982aa68bfe469eda5f839042648654bf7386a1
|
Split the adb-specific portions (fetching a block from the adb host
and closing the connections) out from the rest of the FUSE filesystem
code, so that we can reuse the fuse stuff for installing off sdcards
as well.
Change-Id: I0ba385fd35999c5f5cad27842bc82024a264dd14
|
Drop support for sideloading OTA packages of the cache partition (a
half-solution that's long since been deprecated by "adb sideload").
Refactor the code to sideload OTA packages from SD cards: remove the
installation code from the file browser.
Change-Id: Id0dff6b27c4a5837546f174f50e2e1d0379c43db
|
Implement a new method of sideloading over ADB that does not require
the entire package to be held in RAM (useful for low-RAM devices and
devices using block OTA where we'd rather have more RAM available for
binary patching).
We communicate with the host using a new adb service called
"sideload-host", which makes the host act as a server, sending us
different parts of the package file on request.
We create a FUSE filesystem that creates a virtual file
"/sideload/package.zip" that is backed by the ADB connection -- users
see a normal file, but when they read from the file we're actually
fetching the data from the adb host. This file is then passed to the
verification and installation systems like any other.
To prevent a malicious adb host implementation from serving different
data to the verification and installation phases of sideloading, the
FUSE filesystem verifies that the contents of the file don't change
between reads -- every time we fetch a block from the host we compare
its hash to the previous hash for that block (if it was read before)
and cause the read to fail if it changes.
One necessary change is that the minadbd started by recovery in
sideload mode no longer drops its root privileges (they're needed to
mount the FUSE filesystem). We rely on SELinux enforcement to
restrict the set of things that can be accessed.
Change-Id: Ida7dbd3b04c1d4e27a2779d88c1da0c7c81fb114
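The per-block hash check described in the commit message above, as an added Python sketch; it is not code from this commit or from recovery. SHA-256, the 4096-byte block size, and every name here (`PinnedBlockReader`, `make_host`, `verify_then_install`) are assumptions made for illustration, and the "host" is a constructed in-memory stand-in.

```python
import hashlib

BLOCK_SIZE = 4096  # assumed block size for this sketch

class BlockChangedError(OSError):
    """A block's contents differ from what an earlier read returned."""

class PinnedBlockReader:
    def __init__(self, fetch_block, file_size, block_size=BLOCK_SIZE):
        self._fetch = fetch_block      # untrusted: asks the host for block i
        self._block_size = block_size
        self._file_size = file_size
        self._pinned = {}              # block index -> SHA-256 of the first read

    def _expected_len(self, index):
        return min(self._block_size, self._file_size - index * self._block_size)

    def read_block(self, index):
        if index < 0 or self._expected_len(index) <= 0:
            raise ValueError(f"block {index} out of range")
        data = self._fetch(index)
        if len(data) != self._expected_len(index):
            raise BlockChangedError(f"block {index}: unexpected length")
        digest = hashlib.sha256(data).digest()
        if self._pinned.setdefault(index, digest) != digest:
            raise BlockChangedError(f"block {index} changed between reads")
        return data

    def read_all(self):
        n = -(-self._file_size // self._block_size)  # ceiling division
        return b"".join(self.read_block(i) for i in range(n))

def make_host(package, swapped=None, block_size=BLOCK_SIZE):
    """Constructed stand-in for the adb host; serves `swapped` after one full pass."""
    n_blocks, calls = -(-len(package) // block_size), [0]
    def fetch(index):
        source = swapped if swapped is not None and calls[0] >= n_blocks else package
        calls[0] += 1
        return source[index * block_size:(index + 1) * block_size]
    return fetch

def verify_then_install(fetch, file_size):
    """Two passes over the same virtual file: verification, then installation."""
    reader = PinnedBlockReader(fetch, file_size)
    verified = reader.read_all()
    installed = reader.read_all()  # raises BlockChangedError if the host swapped data
    return verified == installed
```

Only the digests are kept between reads, so the memory cost is one hash per block rather than a copy of the package.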
|
* commit '3e0fc39ec27c0ed96ffd2a617f1841fe3bf3c8f6':
Fix recovery mode.
|
* commit '974fe112ae6df95ca6d49688d6e3e459d87e16de':
Fix recovery mode.
|
Duplicate changes made to init.rc for https://android-review.googlesource.com/98852
in the init.rc used for recovery mode.
Bug 15849856
Change-Id: Ia376ddf6373a28718653f7fb1435bf7ecb33d813
|
Set panic_on_oops=1 to reboot if the kernel panics.
Change-Id: Id9e8689a570229db2ea2a3d72b52784f8a1ed107
|
Instead of LOCAL_ADDITIONAL_DEPENDENCIES.
Bug: 15702524
Change-Id: Ic152ae60354bf09eccdb9a85dcd04f0f076a6422
|
This adds F2FS support
- for wiping a device
- for the install "format" command.
Note: crypto data in "footer" with a default/negative length
is not supported, unlike with "ext4".
Change-Id: I8d141a0d4d14df9fe84d3b131484e9696fcd8870
Signed-off-by: JP Abgrall <jpa@google.com>
|
Clear framebuffer at init.
[toddpoynor@google.com: forward port]
Change-Id: Ie98c7724cd974dcacef3e3559a6fe492864a5e72
|
While executing syspatch and package_extract_file() calls with don't
care maps (both of which are used to rewrite the system image in
incremental and full block OTAs, respectively), pass a progress
callback in and use it to update the visible progress bar.
Change-Id: I1d3742d167c1bb2130571eb5103b7795c65ff371
|
* commit 'dff8afe1b21c6ffe09269434f9f8f0d166e1a848':
restore holo UI in recovery -- DO NOT MERGE
|
Since we don't have quantum assets for recovery yet, go back to the
holo appearance (dark background, blue glowing progress bar) for
lmp-preview.
Change-Id: Id4d3f23e0a6251a12aa42f3793cff347f38b4243
|
Return the recovery to the holo appearance.
Bug: 15424396
Change-Id: Id4d3f23e0a6251a12aa42f3793cff347f38b4243
|
status"
* commit '54a6117935fe7470d23f7a538aeec9d6b139791b':
recovery: initialize keys press tracking status
|
* commit 'cfd4b2864534f062a01730d81b2cd7e054087e8f':
recovery: initialize keys press tracking status
|
Checks for keys pressed return random results because of an uninitialized data
structure.
Change-Id: Ic8b3d453d62347921aa893403079b374c16a092e
Signed-off-by: Mihai Serban <mihai.serban@intel.com>
|
The default recovery UI will reboot the device when the power key is
pressed 7 times in a row, regardless of what recovery is doing.
Disable this feature during package installation, to minimize the
chance of corrupting the device due to a mid-install reboot. (Debug
packages can explicitly request that the feature be reenabled.)
Change-Id: I20f3ec240ecd344615d452005ff26d8dd7775acf
|