authorJosh Horwich <jhorwich@google.com>2022-06-23 16:40:09 -0700
committerChromeos LUCI <chromeos-scoped@luci-project-accounts.iam.gserviceaccount.com>2022-07-12 20:56:19 +0000
commit35f4cb027230e03af30a6206cbea8e638d9dd0d0 (patch)
tree5279c68276a0260f21d5609904896d68171626fb
parent61f16fca1def81c486c1283f8c0b1325fbdad7bc (diff)
signer: Preserve capabilities on Android system image
Since crrev.com/c/2511121 we no longer use xattrs when using unsquashfs on the Android system image. A side-effect of this change is the loss of file capabilities for a handful of Android binaries such as /system/bin/run-as. This change snapshots the file capabilities from the original system image (extracted once with xattrs) and re-applies them to the extracted output tree before it is repacked. BUG=b:179170462 BRANCH=None TEST=unittests TEST=Locally sign hatch (ARC R) and kevin (ARC P) base images and verify signed base image's system.raw.img contents Signed-off-by: Josh Horwich <jhorwich@chromium.org> Change-Id: Ied824d5ebf7a5139e71341abca810b14e67623e0 Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/3723017 Reviewed-by: Allen Webb <allenwebb@google.com> Tested-by: Josh Horwich <jhorwich@chromium.org> Reviewed-by: Prameet Shah <phshah@chromium.org> Commit-Queue: Josh Horwich <jhorwich@chromium.org> Reviewed-by: Yury Khmel <khmel@google.com> Reviewed-by: Yury Khmel <khmel@chromium.org>
-rwxr-xr-xscripts/image_signing/sign_android_image.sh59
1 files changed, 58 insertions, 1 deletions
diff --git a/scripts/image_signing/sign_android_image.sh b/scripts/image_signing/sign_android_image.sh
index 93977479..6b655451 100755
--- a/scripts/image_signing/sign_android_image.sh
+++ b/scripts/image_signing/sign_android_image.sh
@@ -250,6 +250,48 @@ snapshot_file_properties() {
sudo find "${dir}" -exec stat -c '%n:%u:%g:%a' {} + | sort
}
+# Snapshot capabilities in a directory recursively.
+snapshot_capabilities() {
+ local dir=$1
+ sudo find "${dir}" -exec getcap {} + | sort
+}
+
+# Apply capabilities to files in |dir| as specified by |capabilities_list|.
+# See b/179170462.
+apply_capabilities() {
+ local dir=$1
+ local capabilities_list=$2
+ local entry
+
+ while read -ra entry; do
+ if [[ ${#entry[@]} -lt 2 ]]; then
+ error "Unexpected output in capabilities_list of '${entry[*]}'"
+ return 1
+ fi
+ # Output of getcap is either |{file} {capabilities}| or
+ # |{file} = {capabilities}|, so take the first and last element of each
+ # line.
+ info "Setting capabilities ${entry[${#entry[@]}-1]} for ${entry[0]}"
+ sudo setcap "${entry[${#entry[@]}-1]}" "${entry[0]}"
+ done < "${capabilities_list}"
+
+ return 0
+}
+
+# Integrity check that capabilities are unchanged.
+capabilities_integrity_check() {
+ local system_mnt=$1
+ local working_dir=$2
+ snapshot_capabilities "${system_mnt}" > "${working_dir}/capabilities.new"
+ local d
+ if ! d=$(diff "${working_dir}"/capabilities.{orig,new}); then
+ error "Unexpected change of capabilities, diff \n${d}"
+ return 1
+ fi
+
+ return 0
+}
+
# Integrity check that image content is unchanged.
image_content_integrity_check() {
local system_mnt=$1
@@ -336,8 +378,15 @@ sign_android_internal() {
local working_dir=$(make_temp_dir)
local system_mnt="${working_dir}/mnt"
+ local system_capabilities_orig="${working_dir}/capabilities.orig"
- info "Unpacking squashfs system image to ${system_mnt}"
+ # Extract with xattrs so we can read and audit capabilities. See b/179170462.
+ info "Unpacking squashfs system image with xattrs to ${system_mnt}"
+ sudo "${unsquashfs}" -x -f -no-progress -d "${system_mnt}" "${system_img}"
+ snapshot_capabilities "${system_mnt}" > "${system_capabilities_orig}"
+ sudo rm -rf "${system_mnt}"
+
+ info "Unpacking squashfs system image without xattrs to ${system_mnt}"
list_image_files "${unsquashfs}" "${system_img}" > \
"${working_dir}/image_file_list.orig"
sudo "${unsquashfs}" -no-xattrs -f -no-progress -d "${system_mnt}" "${system_img}"
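Review bot: The snapshot written at the `snapshot_capabilities "${system_mnt}" > "${system_capabilities_orig}"` line comes from a `find … -exec getcap {} + | sort` pipeline whose status is never examined; if `getcap` is absent on the signing host or fails, `capabilities.orig` is silently empty, `apply_capabilities` does nothing, and `capabilities_integrity_check` still passes because both snapshots are empty, reproducing exactly the capability loss this change fixes while reporting success. Fail early with a tool check before the first extraction, e.g. `if ! command -v getcap >/dev/null || ! command -v setcap >/dev/null; then error "getcap/setcap are required to preserve capabilities"; return 1; fi`, and consider refusing to continue when the snapshot is empty for an image that is expected to carry capabilities. The `-x` extraction runs as root and leaves capability-bearing binaries in the temp dir until the `sudo rm -rf` two lines later, which is worth stating in the comment so nobody later reorders or removes that cleanup: `# This tree exists only to read xattrs and is deleted immediately.` Whether `set -e`/`pipefail` would catch a failing pipeline cannot be confirmed here, since `sign_android_internal` begins and continues outside this hunk.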
@@ -407,6 +456,14 @@ sign_android_internal() {
info "Packages cache ${packages_cache} does not exist. Skip regeneration."
fi
+ # Apply original capabilities to system image and verify correctness.
+ if ! apply_capabilities "${system_mnt}" "${system_capabilities_orig}"; then
+ return 1
+ fi
+ if ! capabilities_integrity_check "${system_mnt}" "${working_dir}"; then
+ return 1
+ fi
+
info "Repacking squashfs image with compression flags '${compression_flags}'"
local old_size=$(stat -c '%s' "${system_img}")
# Remove old system image to prevent mksquashfs tries to merge both images.
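Review bot: `capabilities_integrity_check` verifies the capabilities on the extracted tree, not on the image that is written afterwards; the repack command following the "Repacking squashfs image" line lies outside this hunk, so it cannot be confirmed here that mksquashfs is invoked in a way that stores xattrs, and a `-no-xattrs` there would silently discard everything `apply_capabilities` just set while the check had already passed. The commit message says the signed image's system.raw.img contents were verified manually; making that automatic would close the gap: after repacking, extract the new image once more with `-x`, run `snapshot_capabilities` on it and diff the result against `capabilities.orig`. If that extra extraction is too costly, at least document the limitation above the check: `# NOTE: verifies the extracted tree; the repacked image is assumed to preserve xattrs.` The apply step is also placed after the packages-cache regeneration, which is the right order if regeneration can rewrite a capability-bearing file, and deserves a one-line comment saying so. `sign_android_internal` continues past the end of this hunk.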