From bda0554bb2b7827602834ea94430b58274bbbd09 Mon Sep 17 00:00:00 2001
From: Tobias Thierer
Date: Wed, 11 Sep 2019 18:22:10 +0100
Subject: [PATCH] init.rc: Move /system/bin/boringssl_self_test{32,64} call to early-init.

This should ensure that the self tests run before any other binaries that load libcrypto and which would otherwise run into SELinux denials trying to create the marker file /dev/boringssl/selftest/[hash] The invocation of the self test binaries from the Conscrypt apex requires the apex to be mounted so it remains at a later point in the boot process.
Bug: 137267623
Test: Treehugger
Change-Id: I34266d6e9d2f394fffa8a2c7725479b5770d119c
---
 rootdir/init.rc | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/rootdir/init.rc b/rootdir/init.rc
index d12096df8..b99c149c3 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -52,6 +52,20 @@ on early-init
 # the libraries are available to the processes started after this statement.
 exec_start apexd-bootstrap
+ # These must already exist by the time boringssl_self_test32 / boringssl_self_test64 run.
+ mkdir /dev/boringssl 0755 root root
+ mkdir /dev/boringssl/selftest 0755 root root
+
+# Run boringssl self test for each ABI so that later processes can skip it. http://b/139348610
+on early-init && property:ro.product.cpu.abilist32=*
+ exec_reboot_on_failure boringssl-self-check-failed /system/bin/boringssl_self_test32
+on early-init && property:ro.product.cpu.abilist64=*
+ exec_reboot_on_failure boringssl-self-check-failed /system/bin/boringssl_self_test64
+on property:apexd.status=ready && property:ro.product.cpu.abilist64=*
+ exec_reboot_on_failure boringssl-self-check-failed /apex/com.android.conscrypt/bin/boringssl_self_test64
+on property:apexd.status=ready && property:ro.product.cpu.abilist32=*
+ exec_reboot_on_failure boringssl-self-check-failed /apex/com.android.conscrypt/bin/boringssl_self_test32
+
 on init
 sysclktz 0
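Review bot: The added `mkdir /dev/boringssl` lines and the self-test actions sit after `exec_start apexd-bootstrap`, so that step and the earlier commands of `on early-init` (which starts above this hunk) still run before the marker directory exists and before the self test. If any of those binaries load libcrypto, they would presumably still hit the SELinux denial the description sets out to avoid; that is worth confirming on a device. The ordering also appears to depend on the two `on early-init && property:...` actions being queued after the plain `on early-init` block, which the hunk does not document. A comment above the mkdir such as `# Keep in the first early-init action: the property-qualified self-test actions below run after it and need this directory.` would record that.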
@@ -127,10 +141,6 @@ on init
 mkdir /mnt/expand 0771 system system
 mkdir /mnt/appfuse 0711 root root
- # These must already exist by the time boringssl_self_test32 / boringssl_self_test64 run.
- mkdir /dev/boringssl 0755 root root
- mkdir /dev/boringssl/selftest 0755 root root
-
 # Storage views to support runtime permissions
 mkdir /mnt/runtime 0700 root root
 mkdir /mnt/runtime/default 0755 root root
@@ -315,16 +325,6 @@ on init
 start hwservicemanager
 start vndservicemanager
-# Run boringssl self test for each ABI so that later processes can skip it. http://b/139348610
-on init && property:ro.product.cpu.abilist32=*
- exec_reboot_on_failure boringssl-self-check-failed /system/bin/boringssl_self_test32
-on init && property:ro.product.cpu.abilist64=*
- exec_reboot_on_failure boringssl-self-check-failed /system/bin/boringssl_self_test64
-on property:apexd.status=ready && property:ro.product.cpu.abilist64=*
- exec_reboot_on_failure boringssl-self-check-failed /apex/com.android.conscrypt/bin/boringssl_self_test64
-on property:apexd.status=ready && property:ro.product.cpu.abilist32=*
- exec_reboot_on_failure boringssl-self-check-failed /apex/com.android.conscrypt/bin/boringssl_self_test32
-
 # Healthd can trigger a full boot from charger mode by signaling this
 # property when the power button is held.
 on property:sys.boot_from_charger_mode=1