The non-A/B package installation is subject to TOC/TOU flaw if the
attacker can switch the package in the middle of installation. And the
most pratical case is to store the package on an external device, e.g. a
sdcard, and swap the device in the middle.
To prevent that, we can adopt the same protection as used in sideloading
a package with FUSE. Specifically, when we install the package with FUSE,
we read the entire package to cryptographically verify its signature.
The hash for each transfer block is recorded in the memory (TOC), and
the subsequent reads (TOU) will be rejected upon dectecting a mismatch.
This CL forces the package installation with FUSE when the package stays
on a removable media.
Bug: 136498130
Test: Run bin/recovery --update_package with various paths;
and packages are installed from FUSE as expected
Test: recovery_component_test - all passing
Merged-In: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
Change-Id: Ibc9b095036a2fa624e8edf6c347ed4f12aef072f
Build libinstall as a shared library. Also drop the dependency on the
global variables in common.h.
Test: unit tests pass, sideload an OTA
Change-Id: I30a20047768ce00689fc0e7851c1c5d712a365a0
This is another implementation of the Package class. And we will later
need it when reading the package from FUSE.
Bug: 127071893
Test: unit tests pass, sideload a file package on sailfish
Change-Id: I3de5d5ef60b29c8b73517d6de3498459d7d95975
This reverts commit 9ce1d14ef6.
Reason for revert: AOSP is fixed with new vendor image
Change-Id: Ie5a9748acdae22a2b9862cb2ecedda7031f77264
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Because set_sched_policy is moved into libprocessgroup an additional
dependency is requred for recovery_component_test to build.
Exempt-From-Owner-Approval: janitorial
Bug: 111307099
Test: builds, boots
Merged-In: I7cf75e473ee1e2837940606c71d15be26db0c3f2
Change-Id: I7cf75e473ee1e2837940606c71d15be26db0c3f2
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Bug: http://b/119560349
Bug: http://b/112277682
Currently, any binary links in a PGO-enabled static library also needs
to opt into PGO. With b/119560349, this should be done automatically by
the build system. Until then, use the non-PGO version of libhwbinder in
recovery_component_test.
Test: m ANDROID_PGO_INSTRUMENT=all
Change-Id: Ic6e44c1cb6d6f13e60e11a46fd7e5ef54238942b
dependency."
This reverts commit 26b86bb1dc.
Reason for revert: Dependencies which broke tests due to exclusion from
LOCAL_JNI_SHARED_LIBS have been added.
Change-Id: I364acfe8bd0526fb26f69cc29fb3545fc3e79764
This reverts commit a71c10b464.
Reason for revert: This breaks framework tests and blocks presubmit
Change-Id: Iae94878889c1e71e2da5336fe75af88dfd3bfcfa
Now it's less beneficial to inject I/O faults since we don't see many of
them. Remove the library that mocks I/O failures. And switch to android::base
I/O when possible.
Bug: 113032079
Test: unit tests pass
Change-Id: I9f2a92b7ba80f4da6ff9e2abc27f2680138f942c
This file was somehow missed when converting from Android.mk to
Android.bp. This CL addresses the issue by picking up all the .cpp files
in the test source dir.
Test: Run recovery_{unit,component}_test on marlin. Check the reported
number of tests (94 for unit test and 157 for component test).
Change-Id: I50435b07fcb8602ef7b3f7e7d3a69e10b6a5932d
Also separate libupdater_defaults out to be shareable.
It turns out the `data` property in `cc_test` doesn't follow symlinks as
LOCAL_TEST_DATA does in Android.mk. This CL creates a filegroup in
top-level Android.bp in order to pick up the testdata for ResourcesTest.
Test: `mmma -j bootable/recovery` with aosp_marlin-userdebug
Test: Run recovery_{unit,component,manual}_test on marlin.
Test: Run recovery_host_test.
Change-Id: I4532ab25aeb83c0b0baa8051d5fe34ba7b910a35