diff --git a/device.mk b/device.mk
index 542abd98..a92a2645 100755
--- a/device.mk
+++ b/device.mk
@@ -66,7 +66,8 @@ PRODUCT_COPY_FILES += \
 $(LOCAL_PATH)/uinput-fpc.idc:system/usr/idc/uinput-fpc.idc \
 $(LOCAL_PATH)/init.qcom.devstart.sh:$(TARGET_COPY_OUT_VENDOR)/bin/init.qcom.devstart.sh \
 $(LOCAL_PATH)/init.qcom.ipastart.sh:$(TARGET_COPY_OUT_VENDOR)/bin/init.qcom.ipastart.sh \
- $(LOCAL_PATH)/init.insmod.sh:$(TARGET_COPY_OUT_VENDOR)/bin/init.insmod.sh
+ $(LOCAL_PATH)/init.insmod.sh:$(TARGET_COPY_OUT_VENDOR)/bin/init.insmod.sh \
+ $(LOCAL_PATH)/init.ramoops.sh:$(TARGET_COPY_OUT_SYSTEM)/bin/init.ramoops.sh
 ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))
 PRODUCT_COPY_FILES += \
diff --git a/init.hardware.rc b/init.hardware.rc
index 753de16a..f832d5a1 100644
--- a/init.hardware.rc
+++ b/init.hardware.rc
@@ -226,6 +226,12 @@ on post-fs
 # Wait qseecomd started
 wait_for_prop sys.listeners.registered true
+on property:sys.user.0.ce_available=true
+ mkdir /data/misc_ce/0/ramoops
+ start ramoops_sh
+
+on property:sys.ramoops.decrypted=true
+ mount pstore pstore /sys/fs/pstore
 on property:sys.listeners.registered=true
 # load IPA FWs
@@ -455,6 +461,13 @@ on boot
 # default country code
 setprop ro.boot.wificountrycode 00
+ # Encrypted ramoops
+ umount /sys/fs/pstore
+ chmod 770 /dev/access-ramoops
+ chown system system /dev/access-ramoops
+ chmod 770 /dev/access-metadata
+ chown system system /dev/access-metadata
+
 # Make the ftm4 command node writeable from dumpstate
 chown system system /sys/devices/virtual/input/ftm4_touch/cmd
@@ -768,3 +781,11 @@ service insmod_sh /vendor/bin/init.insmod.sh
 group root system
 disabled
 oneshot
+
+service ramoops_sh /system/bin/init.ramoops.sh
+ class main
+ user root
+ group root system
+ disabled
+ oneshot
+
diff --git a/init.ramoops.sh b/init.ramoops.sh
new file mode 100644
index 00000000..3457c219
--- /dev/null
+++ b/init.ramoops.sh
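Review bot: The `mkdir /data/misc_ce/0/ramoops` line in the new `on property:sys.user.0.ce_available=true` block gives no mode, owner or group, so the directory that will hold the ramoops key material is created with whatever permissions init applies by default rather than closed. Since the `ramoops_sh` service declared later in this diff runs as `user root`, `mkdir /data/misc_ce/0/ramoops 0700 root root` would keep the directory readable only by its owner. The SELinux label is covered by the `/data/misc_ce/[0-9]+/ramoops(/.*)?` entry this change adds to file_contexts, so only the DAC side is open here. The enclosing `on post-fs` section continues outside the hunk.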
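Review bot: The new `service ramoops_sh` block runs the script as `user root` with `group root system`, while the `on boot` hunk above restricts `/dev/access-ramoops` and `/dev/access-metadata` to `770 system system`; root bypasses those modes, so as written the chmod/chown lines protect the nodes only from non-root processes other than this one. If the ramoops binary needs only those two nodes, the sysfs attributes and the data directory, `user system` would let the service run without root and make the ownership change meaningful. I can't tell from this diff whether `ramoops -D` or `-g -l` requires a capability beyond that, so it should be checked against the binary; either way a one-line comment above the service stating why root is or is not needed would help the next reader.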
@@ -0,0 +1,20 @@
+#!/system/bin/sh
+
+# Decrypt the keys and write them to the kernel
+ramoops -D
+
+if [ $? -eq 0 ]; then
+ # Pivot (and decrypt) and remount pstore
+ echo 1 > /sys/devices/virtual/ramoops/pstore/use_alt
+ setprop sys.ramoops.decrypted true
+else
+ setprop sys.ramoops.decrypted Error-$?
+fi
+
+# Generate keys (if none exist), and load the keys to carveout
+if [[ $(getprop ro.hardware) == "walleye" ]]; then
+ ramoops -g -l -c
+else
+ ramoops -g -l
+fi
+
diff --git a/sepolicy/private/device.te b/sepolicy/private/device.te
new file mode 100644
index 00000000..ae7cadd7
--- /dev/null
+++ b/sepolicy/private/device.te
@@ -0,0 +1 @@
+type ramoops_device, dev_type;
diff --git a/sepolicy/private/file_contexts b/sepolicy/private/file_contexts
index ef74127c..6b77a415 100644
--- a/sepolicy/private/file_contexts
+++ b/sepolicy/private/file_contexts
@@ -1,6 +1,11 @@
-/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
-/system/bin/mke2fs u:object_r:e2fs_exec:s0
-/sys/fs/ext4/features(/.*)? u:object_r:sysfs_fs_ext4_features:s0
-/system/bin/folio_daemon u:object_r:folio_daemon_exec:s0
-/data/misc/elabel(/.*)? u:object_r:elabel_data_file:s0
-/system/bin/init\.elabel\.sh u:object_r:init_elabel_exec:s0
+/system/bin/e2fsdroid u:object_r:e2fs_exec:s0
+/system/bin/mke2fs u:object_r:e2fs_exec:s0
+/sys/fs/ext4/features(/.*)? u:object_r:sysfs_fs_ext4_features:s0
+/system/bin/folio_daemon u:object_r:folio_daemon_exec:s0
+/data/misc/elabel(/.*)? u:object_r:elabel_data_file:s0
+/system/bin/init\.elabel\.sh u:object_r:init_elabel_exec:s0
+/system/bin/ramoops u:object_r:ramoops_exec:s0
+/system/bin/init\.ramoops\.sh u:object_r:ramoops_exec:s0
+/dev/access-metadata u:object_r:ramoops_device:s0
+/dev/access-ramoops u:object_r:ramoops_device:s0
+/data/misc_ce/[0-9]+/ramoops(/.*)? u:object_r:ramoops_data_file:s0
diff --git a/sepolicy/private/genfs_contexts b/sepolicy/private/genfs_contexts
new file mode 100644
index 00000000..9c5764a5
--- /dev/null
+++ b/sepolicy/private/genfs_contexts
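Review bot: `setprop sys.ramoops.decrypted Error-$?` in the else branch records the exit status of the `[ $? -eq 0 ]` test, which is always 1 on that path, not the status of `ramoops -D`, so the property never carries the real error code. Capture the status once and reuse it: `ramoops -D; rc=$?`, `if [ "$rc" -eq 0 ]; then` and `setprop sys.ramoops.decrypted "Error-$rc"`. The `echo 1 > /sys/devices/virtual/ramoops/pstore/use_alt` write is also unchecked: if it fails the property is still set to `true` and init's `mount pstore` trigger fires although the pivot did not happen, so the `true` value should depend on that write succeeding as well. The `[[ … == … ]]` test is an mksh/bash extension; `[ "$(getprop ro.hardware)" = "walleye" ]` is the portable equivalent and matches the `[ … ]` form used earlier in the same script.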
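Review bot: The six pre-existing file_contexts entries from `/system/bin/e2fsdroid` through `/system/bin/init\.elabel\.sh` are removed and re-added with no visible difference other than, presumably, column alignment (the collapsed rendering hides the exact whitespace), which mixes cosmetic churn into a labelling change and makes the five real additions harder to audit. Keeping the new entries (`/system/bin/ramoops`, `/system/bin/init\.ramoops\.sh`, the two `/dev/access-*` nodes and `/data/misc_ce/[0-9]+/ramoops(/.*)?`) as the only changed lines, with any realignment in a separate commit, would let a reviewer see at a glance which files gain which label.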
@@ -0,0 +1,4 @@
+genfscon sysfs /devices/virtual/ramoops/pstore/aes_key u:object_r:sysfs_pstore:s0
+genfscon sysfs /devices/virtual/ramoops/pstore/aes_key_iv u:object_r:sysfs_pstore:s0
+genfscon sysfs /devices/virtual/ramoops/pstore/aes_key_tag u:object_r:sysfs_pstore:s0
+genfscon sysfs /devices/virtual/ramoops/pstore/use_alt u:object_r:sysfs_pstore:s0
diff --git a/sepolicy/private/property.te b/sepolicy/private/property.te
index a9519ecd..7f881451 100644
--- a/sepolicy/private/property.te
+++ b/sepolicy/private/property.te
@@ -1,2 +1,3 @@
 # TODO: delete this once it's in common sepolicy.
 type netd_stable_secret_prop, property_type;
+type ramoops_prop, property_type;
diff --git a/sepolicy/private/property_contexts b/sepolicy/private/property_contexts
index 901beedc..36e06787 100644
--- a/sepolicy/private/property_contexts
+++ b/sepolicy/private/property_contexts
@@ -1,2 +1,3 @@
 # TODO: delete this once it's in common sepolicy.
 persist.netd.stable_secret u:object_r:netd_stable_secret_prop:s0
+sys.ramoops.decrypted u:object_r:ramoops_prop:s0
diff --git a/sepolicy/private/ramoops.te b/sepolicy/private/ramoops.te
new file mode 100644
index 00000000..57161d95
--- /dev/null
+++ b/sepolicy/private/ramoops.te
@@ -0,0 +1,20 @@
+type ramoops, domain, coredomain;
+type ramoops_data_file, file_type, data_file_type;
+type ramoops_exec, exec_type, file_type;
+
+init_daemon_domain(ramoops);
+
+# kmod=crypto-gcm(aes)
+dontaudit ramoops kernel:system module_request;
+
+allow ramoops ramoops_exec:file rx_file_perms;
+allow ramoops shell_exec:file rx_file_perms;
+allow ramoops toolbox_exec:file rx_file_perms;
+
+# Set the sys.ramoops.decrypted property
+set_prop(ramoops, ramoops_prop);
+
+allow ramoops sysfs_pstore:file rw_file_perms;
+allow ramoops ramoops_device:chr_file rw_file_perms;
+allow ramoops ramoops_data_file:file create_file_perms;
+allow ramoops ramoops_data_file:dir rw_dir_perms;
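Review bot: ramoops.te grants `ramoops` `rw_file_perms` on `sysfs_pstore` and `create_file_perms` on `ramoops_data_file`, but nothing in this change prevents another domain from being granted the same objects later; since the genfs_contexts hunk labels `aes_key`, `aes_key_iv` and `aes_key_tag` with `sysfs_pstore`, those attributes and the data directory hold key material and would benefit from a `neverallow { domain -ramoops -init } sysfs_pstore:file { read write };` plus a matching rule for `ramoops_data_file`, so a stray `allow` elsewhere fails at policy build time — confirm that init does not itself need to touch these attributes before excluding it. The `dontaudit ramoops kernel:system module_request;` line does not grant the request, so if `crypto-gcm(aes)` is not built into the kernel the auto-load is refused silently and `ramoops -D` fails with nothing in the audit log; the `# kmod=crypto-gcm(aes)` comment should say whether the algorithm is built-in, or the rule should be an `allow`. The `shell_exec` and `toolbox_exec` grants exist because the domain is entered through `init.ramoops.sh` and the script calls `getprop`/`setprop`; a comment such as `# Entered via init.ramoops.sh (sh + toolbox for getprop/setprop)` would document why a daemon domain is allowed to run a shell.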
diff --git a/sepolicy/public/file.te b/sepolicy/public/file.te
index cc8ee0af..ad98df70 100644
--- a/sepolicy/public/file.te
+++ b/sepolicy/public/file.te
@@ -1 +1,2 @@
 type elabel_data_file, file_type, data_file_type;
+type sysfs_pstore, sysfs_type, fs_type;
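Review bot: `sysfs_pstore` is declared in `sepolicy/public/file.te` while every other type in this change (`ramoops`, `ramoops_device`, `ramoops_prop`, `ramoops_data_file`, `ramoops_exec`) lives under `private/`; public types are exported to vendor policy, so unless a vendor domain must reference this label it belongs in `private/` to keep the key-material type off the vendor API surface. If it is intentionally public, a comment naming the vendor consumer, e.g. `# Public: referenced by <vendor domain placeholder>`, would stop a later cleanup from moving it.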