platform_system_core/init/util.cpp

809 lines
27 KiB
C++
Raw Normal View History

/*
* Copyright (C) 2008 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "util.h"
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <pwd.h>
#include <signal.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <time.h>
#include <unistd.h>
#include <map>
#include <thread>
#include <android-base/file.h>
#include <android-base/logging.h>
#include <android-base/properties.h>
#include <android-base/scopeguard.h>
#include <android-base/strings.h>
#include <android-base/unique_fd.h>
#include <cutils/sockets.h>
#include <selinux/android.h>
#ifdef INIT_FULL_SOURCES
#include <android/api-level.h>
#include <sys/system_properties.h>
#include "reboot_utils.h"
#include "selabel.h"
#include "selinux.h"
#else
#include "host_init_stubs.h"
#endif
using android::base::boot_clock;
using android::base::StartsWith;
using namespace std::literals::string_literals;
namespace android {
namespace init {
Allow the use of a custom Android DT directory On platforms that use ACPI instead of Device Tree (DT), such as Ranchu x86/x86_64, /proc/device-tree/firmware/android/ does not exist. As a result, Android O is unable to mount /system, etc. at the first stage of init: init: First stage mount skipped (missing/incompatible fstab in device tree) Those platforms may create another directory that mimics the layout of the standard DT directory in procfs, and store early mount configuration there. E.g., Ranchu x86/x86_64 creates one in sysfs using information encoded in the ACPI tables: https://android-review.googlesource.com/442472 https://android-review.googlesource.com/443432 https://android-review.googlesource.com/442393 https://android-review.googlesource.com/442395 Therefore, instead of hardcoding the Android DT path, load it from the kernel command line using a new Android-specific property key ("androidboot.android_dt_dir"). If no such property exists, fall back to the standard procfs path (so no change is needed for DT- aware platforms). Note that init/ and fs_mgr/ each have their own copy of the Android DT path, because they do not share any global state. A future CL should remove the duplication by refactoring. With this CL as well as the above ones, the said warning is gone, but early mount fails. That is a separate bug, though, and will be addressed by another CL. Test: Boot patched sdk_phone_x86-userdebug system image with patched Goldfish 3.18 x86 kernel in patched Android Emulator, verify the "init: First stage mount skipped" warning no longer shows in dmesg. Change-Id: Ib6df577319503ec1ca778de2b5458cc72ce07415 Signed-off-by: Yu Ning <yu.ning@intel.com>
2017-07-26 11:54:08 +02:00
const std::string kDefaultAndroidDtDir("/proc/device-tree/firmware/android/");
const std::string kDataDirPrefix("/data/");
void (*trigger_shutdown)(const std::string& command) = nullptr;
// DecodeUid() - decodes and returns the given string, which can be either the
init: introduce Result<T> for return values and error handling init tries to propagate error information up to build context before logging errors. This is a good thing, however too often init has the overly verbose paradigm for error handling, below: bool CalculateResult(const T& input, U* output, std::string* err) bool CalculateAndUseResult(const T& input, std::string* err) { U output; std::string calculate_result_err; if (!CalculateResult(input, &output, &calculate_result_err)) { *err = "CalculateResult " + input + " failed: " + calculate_result_err; return false; } UseResult(output); return true; } Even more common are functions that return only true/false but also require passing a std::string* err in order to see the error message. This change introduces a Result<T> that is use to either hold a successful return value of type T or to hold an error message as a std::string. If the functional only returns success or a failure with an error message, Result<Success> may be used. The classes Error and ErrnoError are used to indicate a failed Result<T>. A successful Result<T> is constructed implicitly from any type that can be implicitly converted to T or from the constructor arguments for T. This allows you to return a type T directly from a function that returns Result<T>. Error and ErrnoError are used to construct a Result<T> has failed. Each of these classes take an ostream as an input and are implicitly cast to a Result<T> containing that failure. ErrnoError() additionally appends ": " + strerror(errno) to the end of the failure string to aid in interacting with C APIs. The end result is that the above code snippet is turned into the much clearer example below: Result<U> CalculateResult(const T& input); Result<Success> CalculateAndUseResult(const T& input) { auto output = CalculateResult(input); if (!output) { return Error() << "CalculateResult " << input << " failed: " << output.error(); } UseResult(*output); return Success(); } This change also makes this conversion for some of the util.cpp functions that used the old paradigm. Test: boot bullhead, init unit tests Merged-In: I1e7d3a8820a79362245041251057fbeed2f7979b Change-Id: I1e7d3a8820a79362245041251057fbeed2f7979b
2017-08-03 21:54:07 +02:00
// numeric or name representation, into the integer uid or gid.
Result<uid_t> DecodeUid(const std::string& name) {
if (isalpha(name[0])) {
passwd* pwd = getpwnam(name.c_str());
init: introduce Result<T> for return values and error handling init tries to propagate error information up to build context before logging errors. This is a good thing, however too often init has the overly verbose paradigm for error handling, below: bool CalculateResult(const T& input, U* output, std::string* err) bool CalculateAndUseResult(const T& input, std::string* err) { U output; std::string calculate_result_err; if (!CalculateResult(input, &output, &calculate_result_err)) { *err = "CalculateResult " + input + " failed: " + calculate_result_err; return false; } UseResult(output); return true; } Even more common are functions that return only true/false but also require passing a std::string* err in order to see the error message. This change introduces a Result<T> that is use to either hold a successful return value of type T or to hold an error message as a std::string. If the functional only returns success or a failure with an error message, Result<Success> may be used. The classes Error and ErrnoError are used to indicate a failed Result<T>. A successful Result<T> is constructed implicitly from any type that can be implicitly converted to T or from the constructor arguments for T. This allows you to return a type T directly from a function that returns Result<T>. Error and ErrnoError are used to construct a Result<T> has failed. Each of these classes take an ostream as an input and are implicitly cast to a Result<T> containing that failure. ErrnoError() additionally appends ": " + strerror(errno) to the end of the failure string to aid in interacting with C APIs. The end result is that the above code snippet is turned into the much clearer example below: Result<U> CalculateResult(const T& input); Result<Success> CalculateAndUseResult(const T& input) { auto output = CalculateResult(input); if (!output) { return Error() << "CalculateResult " << input << " failed: " << output.error(); } UseResult(*output); return Success(); } This change also makes this conversion for some of the util.cpp functions that used the old paradigm. Test: boot bullhead, init unit tests Merged-In: I1e7d3a8820a79362245041251057fbeed2f7979b Change-Id: I1e7d3a8820a79362245041251057fbeed2f7979b
2017-08-03 21:54:07 +02:00
if (!pwd) return ErrnoError() << "getpwnam failed";
return pwd->pw_uid;
}
errno = 0;
uid_t result = static_cast<uid_t>(strtoul(name.c_str(), 0, 0));
init: introduce Result<T> for return values and error handling init tries to propagate error information up to build context before logging errors. This is a good thing, however too often init has the overly verbose paradigm for error handling, below: bool CalculateResult(const T& input, U* output, std::string* err) bool CalculateAndUseResult(const T& input, std::string* err) { U output; std::string calculate_result_err; if (!CalculateResult(input, &output, &calculate_result_err)) { *err = "CalculateResult " + input + " failed: " + calculate_result_err; return false; } UseResult(output); return true; } Even more common are functions that return only true/false but also require passing a std::string* err in order to see the error message. This change introduces a Result<T> that is use to either hold a successful return value of type T or to hold an error message as a std::string. If the functional only returns success or a failure with an error message, Result<Success> may be used. The classes Error and ErrnoError are used to indicate a failed Result<T>. A successful Result<T> is constructed implicitly from any type that can be implicitly converted to T or from the constructor arguments for T. This allows you to return a type T directly from a function that returns Result<T>. Error and ErrnoError are used to construct a Result<T> has failed. Each of these classes take an ostream as an input and are implicitly cast to a Result<T> containing that failure. ErrnoError() additionally appends ": " + strerror(errno) to the end of the failure string to aid in interacting with C APIs. The end result is that the above code snippet is turned into the much clearer example below: Result<U> CalculateResult(const T& input); Result<Success> CalculateAndUseResult(const T& input) { auto output = CalculateResult(input); if (!output) { return Error() << "CalculateResult " << input << " failed: " << output.error(); } UseResult(*output); return Success(); } This change also makes this conversion for some of the util.cpp functions that used the old paradigm. Test: boot bullhead, init unit tests Merged-In: I1e7d3a8820a79362245041251057fbeed2f7979b Change-Id: I1e7d3a8820a79362245041251057fbeed2f7979b
2017-08-03 21:54:07 +02:00
if (errno) return ErrnoError() << "strtoul failed";
return result;
}
/*
* CreateSocket - creates a Unix domain socket in ANDROID_SOCKET_DIR
* ("/dev/socket") as dictated in init.rc. This socket is inherited by the
* daemon. We communicate the file descriptor's value via the environment
* variable ANDROID_SOCKET_ENV_PREFIX<name> ("ANDROID_SOCKET_foo").
*/
init: Add option to listen on sockets before starting service. Review note: Original change was a p-o-c by agl in https://r.android.com/2094350 which I think is actually production quality. I'm just taking it over so that he doesn't get spammed by any review comments as that's not a good use of his time. Needed for the hardware entropy daemon (see bug). Original commit message: If one needs to create a service that synchronously starts listening on a socket then there are currently no good options. The traditional UNIX solution is to have the service create the socket and then daemonise. In this situation, init could start the service with `exec_start` and yet not block forever because the service forks and exits. However, when the initial child process exits, init kills the daemon process: > init: Killed 1 additional processes from a oneshot process group for > service 'foo'. This is new behavior, previously child processes > would not be killed in this case. Next, there is a `socket` option for services and (although the documentation didn't nail this down), the socket is created synchronously by `start`. However, init doesn't call `listen` on the socket so, until the service starts listening on the socket itself, clients will get ECONNREFUSED. This this change adds a `+listen` option, similar to `+passcred` which allows a socket service to reliably handle connections. Bug: 243933553 Test: Started prng_seeder from init using the new listen flag Change-Id: I91b3b2b1fd38cc3d96e19e92b76c8e95788191d5
2022-05-12 00:32:47 +02:00
Result<int> CreateSocket(const std::string& name, int type, bool passcred, bool should_listen,
mode_t perm, uid_t uid, gid_t gid, const std::string& socketcon) {
if (!socketcon.empty()) {
if (setsockcreatecon(socketcon.c_str()) == -1) {
return ErrnoError() << "setsockcreatecon(\"" << socketcon << "\") failed";
}
}
android::base::unique_fd fd(socket(PF_UNIX, type, 0));
if (fd < 0) {
return ErrnoError() << "Failed to open socket '" << name << "'";
}
if (!socketcon.empty()) setsockcreatecon(nullptr);
struct sockaddr_un addr;
memset(&addr, 0 , sizeof(addr));
addr.sun_family = AF_UNIX;
snprintf(addr.sun_path, sizeof(addr.sun_path), ANDROID_SOCKET_DIR "/%s", name.c_str());
if ((unlink(addr.sun_path) != 0) && (errno != ENOENT)) {
return ErrnoError() << "Failed to unlink old socket '" << name << "'";
}
std::string secontext;
if (SelabelLookupFileContext(addr.sun_path, S_IFSOCK, &secontext) && !secontext.empty()) {
setfscreatecon(secontext.c_str());
}
if (passcred) {
int on = 1;
if (setsockopt(fd.get(), SOL_SOCKET, SO_PASSCRED, &on, sizeof(on))) {
return ErrnoError() << "Failed to set SO_PASSCRED '" << name << "'";
}
}
int ret = bind(fd.get(), (struct sockaddr*)&addr, sizeof(addr));
int savederrno = errno;
if (!secontext.empty()) {
setfscreatecon(nullptr);
}
auto guard = android::base::make_scope_guard([&addr] { unlink(addr.sun_path); });
if (ret) {
errno = savederrno;
return ErrnoError() << "Failed to bind socket '" << name << "'";
}
if (lchown(addr.sun_path, uid, gid)) {
return ErrnoError() << "Failed to lchown socket '" << addr.sun_path << "'";
}
if (fchmodat(AT_FDCWD, addr.sun_path, perm, AT_SYMLINK_NOFOLLOW)) {
return ErrnoError() << "Failed to fchmodat socket '" << addr.sun_path << "'";
}
if (should_listen && listen(fd.get(), /* use OS maximum */ 1 << 30)) {
init: Add option to listen on sockets before starting service. Review note: Original change was a p-o-c by agl in https://r.android.com/2094350 which I think is actually production quality. I'm just taking it over so that he doesn't get spammed by any review comments as that's not a good use of his time. Needed for the hardware entropy daemon (see bug). Original commit message: If one needs to create a service that synchronously starts listening on a socket then there are currently no good options. The traditional UNIX solution is to have the service create the socket and then daemonise. In this situation, init could start the service with `exec_start` and yet not block forever because the service forks and exits. However, when the initial child process exits, init kills the daemon process: > init: Killed 1 additional processes from a oneshot process group for > service 'foo'. This is new behavior, previously child processes > would not be killed in this case. Next, there is a `socket` option for services and (although the documentation didn't nail this down), the socket is created synchronously by `start`. However, init doesn't call `listen` on the socket so, until the service starts listening on the socket itself, clients will get ECONNREFUSED. This this change adds a `+listen` option, similar to `+passcred` which allows a socket service to reliably handle connections. Bug: 243933553 Test: Started prng_seeder from init using the new listen flag Change-Id: I91b3b2b1fd38cc3d96e19e92b76c8e95788191d5
2022-05-12 00:32:47 +02:00
return ErrnoError() << "Failed to listen on socket '" << addr.sun_path << "'";
}
LOG(INFO) << "Created socket '" << addr.sun_path << "'"
<< ", mode " << std::oct << perm << std::dec
<< ", user " << uid
<< ", group " << gid;
guard.Disable();
return fd.release();
}
init: introduce Result<T> for return values and error handling init tries to propagate error information up to build context before logging errors. This is a good thing, however too often init has the overly verbose paradigm for error handling, below: bool CalculateResult(const T& input, U* output, std::string* err) bool CalculateAndUseResult(const T& input, std::string* err) { U output; std::string calculate_result_err; if (!CalculateResult(input, &output, &calculate_result_err)) { *err = "CalculateResult " + input + " failed: " + calculate_result_err; return false; } UseResult(output); return true; } Even more common are functions that return only true/false but also require passing a std::string* err in order to see the error message. This change introduces a Result<T> that is use to either hold a successful return value of type T or to hold an error message as a std::string. If the functional only returns success or a failure with an error message, Result<Success> may be used. The classes Error and ErrnoError are used to indicate a failed Result<T>. A successful Result<T> is constructed implicitly from any type that can be implicitly converted to T or from the constructor arguments for T. This allows you to return a type T directly from a function that returns Result<T>. Error and ErrnoError are used to construct a Result<T> has failed. Each of these classes take an ostream as an input and are implicitly cast to a Result<T> containing that failure. ErrnoError() additionally appends ": " + strerror(errno) to the end of the failure string to aid in interacting with C APIs. The end result is that the above code snippet is turned into the much clearer example below: Result<U> CalculateResult(const T& input); Result<Success> CalculateAndUseResult(const T& input) { auto output = CalculateResult(input); if (!output) { return Error() << "CalculateResult " << input << " failed: " << output.error(); } UseResult(*output); return Success(); } This change also makes this conversion for some of the util.cpp functions that used the old paradigm. Test: boot bullhead, init unit tests Merged-In: I1e7d3a8820a79362245041251057fbeed2f7979b Change-Id: I1e7d3a8820a79362245041251057fbeed2f7979b
2017-08-03 21:54:07 +02:00
Result<std::string> ReadFile(const std::string& path) {
android::base::unique_fd fd(
TEMP_FAILURE_RETRY(open(path.c_str(), O_RDONLY | O_NOFOLLOW | O_CLOEXEC)));
if (fd == -1) {
init: introduce Result<T> for return values and error handling init tries to propagate error information up to build context before logging errors. This is a good thing, however too often init has the overly verbose paradigm for error handling, below: bool CalculateResult(const T& input, U* output, std::string* err) bool CalculateAndUseResult(const T& input, std::string* err) { U output; std::string calculate_result_err; if (!CalculateResult(input, &output, &calculate_result_err)) { *err = "CalculateResult " + input + " failed: " + calculate_result_err; return false; } UseResult(output); return true; } Even more common are functions that return only true/false but also require passing a std::string* err in order to see the error message. This change introduces a Result<T> that is use to either hold a successful return value of type T or to hold an error message as a std::string. If the functional only returns success or a failure with an error message, Result<Success> may be used. The classes Error and ErrnoError are used to indicate a failed Result<T>. A successful Result<T> is constructed implicitly from any type that can be implicitly converted to T or from the constructor arguments for T. This allows you to return a type T directly from a function that returns Result<T>. Error and ErrnoError are used to construct a Result<T> has failed. Each of these classes take an ostream as an input and are implicitly cast to a Result<T> containing that failure. ErrnoError() additionally appends ": " + strerror(errno) to the end of the failure string to aid in interacting with C APIs. The end result is that the above code snippet is turned into the much clearer example below: Result<U> CalculateResult(const T& input); Result<Success> CalculateAndUseResult(const T& input) { auto output = CalculateResult(input); if (!output) { return Error() << "CalculateResult " << input << " failed: " << output.error(); } UseResult(*output); return Success(); } This change also makes this conversion for some of the util.cpp functions that used the old paradigm. Test: boot bullhead, init unit tests Merged-In: I1e7d3a8820a79362245041251057fbeed2f7979b Change-Id: I1e7d3a8820a79362245041251057fbeed2f7979b
2017-08-03 21:54:07 +02:00
return ErrnoError() << "open() failed";
}
// For security reasons, disallow world-writable
// or group-writable files.
struct stat sb;
if (fstat(fd.get(), &sb) == -1) {
init: introduce Result<T> for return values and error handling init tries to propagate error information up to build context before logging errors. This is a good thing, however too often init has the overly verbose paradigm for error handling, below: bool CalculateResult(const T& input, U* output, std::string* err) bool CalculateAndUseResult(const T& input, std::string* err) { U output; std::string calculate_result_err; if (!CalculateResult(input, &output, &calculate_result_err)) { *err = "CalculateResult " + input + " failed: " + calculate_result_err; return false; } UseResult(output); return true; } Even more common are functions that return only true/false but also require passing a std::string* err in order to see the error message. This change introduces a Result<T> that is use to either hold a successful return value of type T or to hold an error message as a std::string. If the functional only returns success or a failure with an error message, Result<Success> may be used. The classes Error and ErrnoError are used to indicate a failed Result<T>. A successful Result<T> is constructed implicitly from any type that can be implicitly converted to T or from the constructor arguments for T. This allows you to return a type T directly from a function that returns Result<T>. Error and ErrnoError are used to construct a Result<T> has failed. Each of these classes take an ostream as an input and are implicitly cast to a Result<T> containing that failure. ErrnoError() additionally appends ": " + strerror(errno) to the end of the failure string to aid in interacting with C APIs. The end result is that the above code snippet is turned into the much clearer example below: Result<U> CalculateResult(const T& input); Result<Success> CalculateAndUseResult(const T& input) { auto output = CalculateResult(input); if (!output) { return Error() << "CalculateResult " << input << " failed: " << output.error(); } UseResult(*output); return Success(); } This change also makes this conversion for some of the util.cpp functions that used the old paradigm. Test: boot bullhead, init unit tests Merged-In: I1e7d3a8820a79362245041251057fbeed2f7979b Change-Id: I1e7d3a8820a79362245041251057fbeed2f7979b
2017-08-03 21:54:07 +02:00
return ErrnoError() << "fstat failed()";
}
if ((sb.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
init: introduce Result<T> for return values and error handling init tries to propagate error information up to build context before logging errors. This is a good thing, however too often init has the overly verbose paradigm for error handling, below: bool CalculateResult(const T& input, U* output, std::string* err) bool CalculateAndUseResult(const T& input, std::string* err) { U output; std::string calculate_result_err; if (!CalculateResult(input, &output, &calculate_result_err)) { *err = "CalculateResult " + input + " failed: " + calculate_result_err; return false; } UseResult(output); return true; } Even more common are functions that return only true/false but also require passing a std::string* err in order to see the error message. This change introduces a Result<T> that is use to either hold a successful return value of type T or to hold an error message as a std::string. If the functional only returns success or a failure with an error message, Result<Success> may be used. The classes Error and ErrnoError are used to indicate a failed Result<T>. A successful Result<T> is constructed implicitly from any type that can be implicitly converted to T or from the constructor arguments for T. This allows you to return a type T directly from a function that returns Result<T>. Error and ErrnoError are used to construct a Result<T> has failed. Each of these classes take an ostream as an input and are implicitly cast to a Result<T> containing that failure. ErrnoError() additionally appends ": " + strerror(errno) to the end of the failure string to aid in interacting with C APIs. The end result is that the above code snippet is turned into the much clearer example below: Result<U> CalculateResult(const T& input); Result<Success> CalculateAndUseResult(const T& input) { auto output = CalculateResult(input); if (!output) { return Error() << "CalculateResult " << input << " failed: " << output.error(); } UseResult(*output); return Success(); } This change also makes this conversion for some of the util.cpp functions that used the old paradigm. Test: boot bullhead, init unit tests Merged-In: I1e7d3a8820a79362245041251057fbeed2f7979b Change-Id: I1e7d3a8820a79362245041251057fbeed2f7979b
2017-08-03 21:54:07 +02:00
return Error() << "Skipping insecure file";
}
init: introduce Result<T> for return values and error handling init tries to propagate error information up to build context before logging errors. This is a good thing, however too often init has the overly verbose paradigm for error handling, below: bool CalculateResult(const T& input, U* output, std::string* err) bool CalculateAndUseResult(const T& input, std::string* err) { U output; std::string calculate_result_err; if (!CalculateResult(input, &output, &calculate_result_err)) { *err = "CalculateResult " + input + " failed: " + calculate_result_err; return false; } UseResult(output); return true; } Even more common are functions that return only true/false but also require passing a std::string* err in order to see the error message. This change introduces a Result<T> that is use to either hold a successful return value of type T or to hold an error message as a std::string. If the functional only returns success or a failure with an error message, Result<Success> may be used. The classes Error and ErrnoError are used to indicate a failed Result<T>. A successful Result<T> is constructed implicitly from any type that can be implicitly converted to T or from the constructor arguments for T. This allows you to return a type T directly from a function that returns Result<T>. Error and ErrnoError are used to construct a Result<T> has failed. Each of these classes take an ostream as an input and are implicitly cast to a Result<T> containing that failure. ErrnoError() additionally appends ": " + strerror(errno) to the end of the failure string to aid in interacting with C APIs. The end result is that the above code snippet is turned into the much clearer example below: Result<U> CalculateResult(const T& input); Result<Success> CalculateAndUseResult(const T& input) { auto output = CalculateResult(input); if (!output) { return Error() << "CalculateResult " << input << " failed: " << output.error(); } UseResult(*output); return Success(); } This change also makes this conversion for some of the util.cpp functions that used the old paradigm. Test: boot bullhead, init unit tests Merged-In: I1e7d3a8820a79362245041251057fbeed2f7979b Change-Id: I1e7d3a8820a79362245041251057fbeed2f7979b
2017-08-03 21:54:07 +02:00
std::string content;
if (!android::base::ReadFdToString(fd, &content)) {
return ErrnoError() << "Unable to read file contents";
}
init: introduce Result<T> for return values and error handling init tries to propagate error information up to build context before logging errors. This is a good thing, however too often init has the overly verbose paradigm for error handling, below: bool CalculateResult(const T& input, U* output, std::string* err) bool CalculateAndUseResult(const T& input, std::string* err) { U output; std::string calculate_result_err; if (!CalculateResult(input, &output, &calculate_result_err)) { *err = "CalculateResult " + input + " failed: " + calculate_result_err; return false; } UseResult(output); return true; } Even more common are functions that return only true/false but also require passing a std::string* err in order to see the error message. This change introduces a Result<T> that is use to either hold a successful return value of type T or to hold an error message as a std::string. If the functional only returns success or a failure with an error message, Result<Success> may be used. The classes Error and ErrnoError are used to indicate a failed Result<T>. A successful Result<T> is constructed implicitly from any type that can be implicitly converted to T or from the constructor arguments for T. This allows you to return a type T directly from a function that returns Result<T>. Error and ErrnoError are used to construct a Result<T> has failed. Each of these classes take an ostream as an input and are implicitly cast to a Result<T> containing that failure. ErrnoError() additionally appends ": " + strerror(errno) to the end of the failure string to aid in interacting with C APIs. The end result is that the above code snippet is turned into the much clearer example below: Result<U> CalculateResult(const T& input); Result<Success> CalculateAndUseResult(const T& input) { auto output = CalculateResult(input); if (!output) { return Error() << "CalculateResult " << input << " failed: " << output.error(); } UseResult(*output); return Success(); } This change also makes this conversion for some of the util.cpp functions that used the old paradigm. Test: boot bullhead, init unit tests Merged-In: I1e7d3a8820a79362245041251057fbeed2f7979b Change-Id: I1e7d3a8820a79362245041251057fbeed2f7979b
2017-08-03 21:54:07 +02:00
return content;
}
static int OpenFile(const std::string& path, int flags, mode_t mode) {
std::string secontext;
if (SelabelLookupFileContext(path, mode, &secontext) && !secontext.empty()) {
setfscreatecon(secontext.c_str());
}
int rc = open(path.c_str(), flags, mode);
if (!secontext.empty()) {
int save_errno = errno;
setfscreatecon(nullptr);
errno = save_errno;
}
return rc;
}
Result<void> WriteFile(const std::string& path, const std::string& content) {
android::base::unique_fd fd(TEMP_FAILURE_RETRY(
OpenFile(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_TRUNC | O_CLOEXEC, 0600)));
if (fd == -1) {
init: introduce Result<T> for return values and error handling init tries to propagate error information up to build context before logging errors. This is a good thing, however too often init has the overly verbose paradigm for error handling, below: bool CalculateResult(const T& input, U* output, std::string* err) bool CalculateAndUseResult(const T& input, std::string* err) { U output; std::string calculate_result_err; if (!CalculateResult(input, &output, &calculate_result_err)) { *err = "CalculateResult " + input + " failed: " + calculate_result_err; return false; } UseResult(output); return true; } Even more common are functions that return only true/false but also require passing a std::string* err in order to see the error message. This change introduces a Result<T> that is use to either hold a successful return value of type T or to hold an error message as a std::string. If the functional only returns success or a failure with an error message, Result<Success> may be used. The classes Error and ErrnoError are used to indicate a failed Result<T>. A successful Result<T> is constructed implicitly from any type that can be implicitly converted to T or from the constructor arguments for T. This allows you to return a type T directly from a function that returns Result<T>. Error and ErrnoError are used to construct a Result<T> has failed. Each of these classes take an ostream as an input and are implicitly cast to a Result<T> containing that failure. ErrnoError() additionally appends ": " + strerror(errno) to the end of the failure string to aid in interacting with C APIs. The end result is that the above code snippet is turned into the much clearer example below: Result<U> CalculateResult(const T& input); Result<Success> CalculateAndUseResult(const T& input) { auto output = CalculateResult(input); if (!output) { return Error() << "CalculateResult " << input << " failed: " << output.error(); } UseResult(*output); return Success(); } This change also makes this conversion for some of the util.cpp functions that used the old paradigm. Test: boot bullhead, init unit tests Merged-In: I1e7d3a8820a79362245041251057fbeed2f7979b Change-Id: I1e7d3a8820a79362245041251057fbeed2f7979b
2017-08-03 21:54:07 +02:00
return ErrnoError() << "open() failed";
}
if (!android::base::WriteStringToFd(content, fd)) {
init: introduce Result<T> for return values and error handling init tries to propagate error information up to build context before logging errors. This is a good thing, however too often init has the overly verbose paradigm for error handling, below: bool CalculateResult(const T& input, U* output, std::string* err) bool CalculateAndUseResult(const T& input, std::string* err) { U output; std::string calculate_result_err; if (!CalculateResult(input, &output, &calculate_result_err)) { *err = "CalculateResult " + input + " failed: " + calculate_result_err; return false; } UseResult(output); return true; } Even more common are functions that return only true/false but also require passing a std::string* err in order to see the error message. This change introduces a Result<T> that is use to either hold a successful return value of type T or to hold an error message as a std::string. If the functional only returns success or a failure with an error message, Result<Success> may be used. The classes Error and ErrnoError are used to indicate a failed Result<T>. A successful Result<T> is constructed implicitly from any type that can be implicitly converted to T or from the constructor arguments for T. This allows you to return a type T directly from a function that returns Result<T>. Error and ErrnoError are used to construct a Result<T> has failed. Each of these classes take an ostream as an input and are implicitly cast to a Result<T> containing that failure. ErrnoError() additionally appends ": " + strerror(errno) to the end of the failure string to aid in interacting with C APIs. The end result is that the above code snippet is turned into the much clearer example below: Result<U> CalculateResult(const T& input); Result<Success> CalculateAndUseResult(const T& input) { auto output = CalculateResult(input); if (!output) { return Error() << "CalculateResult " << input << " failed: " << output.error(); } UseResult(*output); return Success(); } This change also makes this conversion for some of the util.cpp functions that used the old paradigm. Test: boot bullhead, init unit tests Merged-In: I1e7d3a8820a79362245041251057fbeed2f7979b Change-Id: I1e7d3a8820a79362245041251057fbeed2f7979b
2017-08-03 21:54:07 +02:00
return ErrnoError() << "Unable to write file contents";
}
return {};
}
bool mkdir_recursive(const std::string& path, mode_t mode) {
std::string::size_type slash = 0;
while ((slash = path.find('/', slash + 1)) != std::string::npos) {
auto directory = path.substr(0, slash);
struct stat info;
if (stat(directory.c_str(), &info) != 0) {
auto ret = make_dir(directory, mode);
if (!ret && errno != EEXIST) return false;
}
}
auto ret = make_dir(path, mode);
if (!ret && errno != EEXIST) return false;
return true;
}
int wait_for_file(const char* filename, std::chrono::nanoseconds timeout) {
android::base::Timer t;
while (t.duration() < timeout) {
struct stat sb;
if (stat(filename, &sb) != -1) {
LOG(INFO) << "wait for '" << filename << "' took " << t;
return 0;
}
std::this_thread::sleep_for(10ms);
}
LOG(WARNING) << "wait for '" << filename << "' timed out and took " << t;
return -1;
}
void ImportKernelCmdline(const std::function<void(const std::string&, const std::string&)>& fn) {
std::string cmdline;
android::base::ReadFileToString("/proc/cmdline", &cmdline);
for (const auto& entry : android::base::Split(android::base::Trim(cmdline), " ")) {
std::vector<std::string> pieces = android::base::Split(entry, "=");
if (pieces.size() == 2) {
fn(pieces[0], pieces[1]);
}
}
}
void ImportBootconfig(const std::function<void(const std::string&, const std::string&)>& fn) {
std::string bootconfig;
android::base::ReadFileToString("/proc/bootconfig", &bootconfig);
for (const auto& entry : android::base::Split(bootconfig, "\n")) {
std::vector<std::string> pieces = android::base::Split(entry, "=");
if (pieces.size() == 2) {
// get rid of the extra space between a list of values and remove the quotes.
std::string value = android::base::StringReplace(pieces[1], "\", \"", ",", true);
value.erase(std::remove(value.begin(), value.end(), '"'), value.end());
fn(android::base::Trim(pieces[0]), android::base::Trim(value));
}
}
}
bool make_dir(const std::string& path, mode_t mode) {
std::string secontext;
if (SelabelLookupFileContext(path, mode, &secontext) && !secontext.empty()) {
setfscreatecon(secontext.c_str());
}
int rc = mkdir(path.c_str(), mode);
if (!secontext.empty()) {
int save_errno = errno;
setfscreatecon(nullptr);
errno = save_errno;
}
return rc == 0;
}
/*
* Returns true is pathname is a directory
*/
bool is_dir(const char* pathname) {
struct stat info;
if (stat(pathname, &info) == -1) {
return false;
}
return S_ISDIR(info.st_mode);
}
Result<std::string> ExpandProps(const std::string& src) {
const char* src_ptr = src.c_str();
std::string dst;
/* - variables can either be $x.y or ${x.y}, in case they are only part
* of the string.
* - will accept $$ as a literal $.
* - no nested property expansion, i.e. ${foo.${bar}} is not supported,
* bad things will happen
* - ${x.y:-default} will return default value if property empty.
*/
while (*src_ptr) {
const char* c;
c = strchr(src_ptr, '$');
if (!c) {
dst.append(src_ptr);
return dst;
}
dst.append(src_ptr, c);
c++;
if (*c == '$') {
dst.push_back(*(c++));
src_ptr = c;
continue;
} else if (*c == '\0') {
return dst;
}
std::string prop_name;
std::string def_val;
if (*c == '{') {
c++;
const char* end = strchr(c, '}');
if (!end) {
// failed to find closing brace, abort.
return Error() << "unexpected end of string in '" << src << "', looking for }";
}
prop_name = std::string(c, end);
c = end + 1;
size_t def = prop_name.find(":-");
if (def < prop_name.size()) {
def_val = prop_name.substr(def + 2);
prop_name = prop_name.substr(0, def);
}
} else {
prop_name = c;
if (SelinuxGetVendorAndroidVersion() >= __ANDROID_API_R__) {
return Error() << "using deprecated syntax for specifying property '" << c
<< "', use ${name} instead";
} else {
LOG(ERROR) << "using deprecated syntax for specifying property '" << c
<< "', use ${name} instead";
}
c += prop_name.size();
}
if (prop_name.empty()) {
return Error() << "invalid zero-length property name in '" << src << "'";
}
std::string prop_val = android::base::GetProperty(prop_name, "");
if (prop_val.empty()) {
if (def_val.empty()) {
return Error() << "property '" << prop_name << "' doesn't exist while expanding '"
<< src << "'";
}
prop_val = def_val;
}
dst.append(prop_val);
src_ptr = c;
}
return dst;
}
Replace the "coldboot" timeout with a property. Also rename init's existing boot-time related properties so they're all "ro.*" properties. Example result: # Three properties showing when init started... [ro.boottime.init]: [5294587604] # ...how long it waited for ueventd... [ro.boottime.init.cold_boot_wait]: [646956470] # ...and how long SELinux initialization took... [ro.boottime.init.selinux]: [45742921] # Plus one property for each service, showing when it first started. [ro.boottime.InputEventFind]: [10278767840] [ro.boottime.adbd]: [8359267180] [ro.boottime.atfwd]: [10338554773] [ro.boottime.audioserver]: [10298157478] [ro.boottime.bootanim]: [9323670089] [ro.boottime.cameraserver]: [10299402321] [ro.boottime.cnd]: [10335931856] [ro.boottime.debuggerd]: [7001352774] [ro.boottime.debuggerd64]: [7002261785] [ro.boottime.drm]: [10301082113] [ro.boottime.fingerprintd]: [10331443314] [ro.boottime.flash-nanohub-fw]: [6995265534] [ro.boottime.gatekeeperd]: [10340355242] [ro.boottime.healthd]: [7856893380] [ro.boottime.hwservicemanager]: [7856051088] [ro.boottime.imscmservice]: [10290530758] [ro.boottime.imsdatadaemon]: [10358136702] [ro.boottime.imsqmidaemon]: [10289084872] [ro.boottime.installd]: [10303296020] [ro.boottime.irsc_util]: [10279807632] [ro.boottime.keystore]: [10305034093] [ro.boottime.lmkd]: [7863506714] [ro.boottime.loc_launcher]: [10324525241] [ro.boottime.logd]: [6526221633] [ro.boottime.logd-reinit]: [7850662702] [ro.boottime.mcfg-sh]: [10337268315] [ro.boottime.media]: [10312152687] [ro.boottime.mediacodec]: [10306852530] [ro.boottime.mediadrm]: [10308707999] [ro.boottime.mediaextractor]: [10310681177] [ro.boottime.msm_irqbalance]: [7862451974] [ro.boottime.netd]: [10313523104] [ro.boottime.netmgrd]: [10285009351] [ro.boottime.oem_qmi_server]: [10293329092] [ro.boottime.per_mgr]: [7857915776] [ro.boottime.per_proxy]: [8335121605] [ro.boottime.perfd]: [10283443101] [ro.boottime.qcamerasvr]: [10329644772] [ro.boottime.qmuxd]: [10282346643] [ro.boottime.qseecomd]: [6855708593] [ro.boottime.qti]: [10286196851] [ro.boottime.ril-daemon]: [10314933677] [ro.boottime.rmt_storage]: [7859105047] [ro.boottime.servicemanager]: [7864555881] [ro.boottime.ss_ramdump]: [8337634938] [ro.boottime.ssr_setup]: [8336268324] [ro.boottime.surfaceflinger]: [7866921402] [ro.boottime.thermal-engine]: [10281249924] [ro.boottime.time_daemon]: [10322006542] [ro.boottime.ueventd]: [5618663938] [ro.boottime.vold]: [7003493920] [ro.boottime.wificond]: [10316641073] [ro.boottime.wpa_supplicant]: [18959816881] [ro.boottime.zygote]: [10295295029] [ro.boottime.zygote_secondary]: [10296637269] Bug: http://b/31800756 Test: boots Change-Id: I094cce0c1bab9406d950ca94212689dc2e15dba5
2016-11-29 20:20:58 +01:00
Allow the use of a custom Android DT directory On platforms that use ACPI instead of Device Tree (DT), such as Ranchu x86/x86_64, /proc/device-tree/firmware/android/ does not exist. As a result, Android O is unable to mount /system, etc. at the first stage of init: init: First stage mount skipped (missing/incompatible fstab in device tree) Those platforms may create another directory that mimics the layout of the standard DT directory in procfs, and store early mount configuration there. E.g., Ranchu x86/x86_64 creates one in sysfs using information encoded in the ACPI tables: https://android-review.googlesource.com/442472 https://android-review.googlesource.com/443432 https://android-review.googlesource.com/442393 https://android-review.googlesource.com/442395 Therefore, instead of hardcoding the Android DT path, load it from the kernel command line using a new Android-specific property key ("androidboot.android_dt_dir"). If no such property exists, fall back to the standard procfs path (so no change is needed for DT- aware platforms). Note that init/ and fs_mgr/ each have their own copy of the Android DT path, because they do not share any global state. A future CL should remove the duplication by refactoring. With this CL as well as the above ones, the said warning is gone, but early mount fails. That is a separate bug, though, and will be addressed by another CL. Test: Boot patched sdk_phone_x86-userdebug system image with patched Goldfish 3.18 x86 kernel in patched Android Emulator, verify the "init: First stage mount skipped" warning no longer shows in dmesg. Change-Id: Ib6df577319503ec1ca778de2b5458cc72ce07415 Signed-off-by: Yu Ning <yu.ning@intel.com>
2017-07-26 11:54:08 +02:00
static std::string init_android_dt_dir() {
// Use the standard procfs-based path by default
std::string android_dt_dir = kDefaultAndroidDtDir;
// The platform may specify a custom Android DT path in kernel cmdline
ImportKernelCmdline([&](const std::string& key, const std::string& value) {
if (key == "androidboot.android_dt_dir") {
android_dt_dir = value;
}
});
// ..Or bootconfig
if (android_dt_dir == kDefaultAndroidDtDir) {
ImportBootconfig([&](const std::string& key, const std::string& value) {
if (key == "androidboot.android_dt_dir") {
android_dt_dir = value;
}
});
}
Allow the use of a custom Android DT directory On platforms that use ACPI instead of Device Tree (DT), such as Ranchu x86/x86_64, /proc/device-tree/firmware/android/ does not exist. As a result, Android O is unable to mount /system, etc. at the first stage of init: init: First stage mount skipped (missing/incompatible fstab in device tree) Those platforms may create another directory that mimics the layout of the standard DT directory in procfs, and store early mount configuration there. E.g., Ranchu x86/x86_64 creates one in sysfs using information encoded in the ACPI tables: https://android-review.googlesource.com/442472 https://android-review.googlesource.com/443432 https://android-review.googlesource.com/442393 https://android-review.googlesource.com/442395 Therefore, instead of hardcoding the Android DT path, load it from the kernel command line using a new Android-specific property key ("androidboot.android_dt_dir"). If no such property exists, fall back to the standard procfs path (so no change is needed for DT- aware platforms). Note that init/ and fs_mgr/ each have their own copy of the Android DT path, because they do not share any global state. A future CL should remove the duplication by refactoring. With this CL as well as the above ones, the said warning is gone, but early mount fails. That is a separate bug, though, and will be addressed by another CL. Test: Boot patched sdk_phone_x86-userdebug system image with patched Goldfish 3.18 x86 kernel in patched Android Emulator, verify the "init: First stage mount skipped" warning no longer shows in dmesg. Change-Id: Ib6df577319503ec1ca778de2b5458cc72ce07415 Signed-off-by: Yu Ning <yu.ning@intel.com>
2017-07-26 11:54:08 +02:00
LOG(INFO) << "Using Android DT directory " << android_dt_dir;
return android_dt_dir;
}
// FIXME: The same logic is duplicated in system/core/fs_mgr/
const std::string& get_android_dt_dir() {
// Set once and saves time for subsequent calls to this function
static const std::string kAndroidDtDir = init_android_dt_dir();
return kAndroidDtDir;
}
// Reads the content of device tree file under the platform's Android DT directory.
// Returns true if the read is success, false otherwise.
bool read_android_dt_file(const std::string& sub_path, std::string* dt_content) {
Allow the use of a custom Android DT directory On platforms that use ACPI instead of Device Tree (DT), such as Ranchu x86/x86_64, /proc/device-tree/firmware/android/ does not exist. As a result, Android O is unable to mount /system, etc. at the first stage of init: init: First stage mount skipped (missing/incompatible fstab in device tree) Those platforms may create another directory that mimics the layout of the standard DT directory in procfs, and store early mount configuration there. E.g., Ranchu x86/x86_64 creates one in sysfs using information encoded in the ACPI tables: https://android-review.googlesource.com/442472 https://android-review.googlesource.com/443432 https://android-review.googlesource.com/442393 https://android-review.googlesource.com/442395 Therefore, instead of hardcoding the Android DT path, load it from the kernel command line using a new Android-specific property key ("androidboot.android_dt_dir"). If no such property exists, fall back to the standard procfs path (so no change is needed for DT- aware platforms). Note that init/ and fs_mgr/ each have their own copy of the Android DT path, because they do not share any global state. A future CL should remove the duplication by refactoring. With this CL as well as the above ones, the said warning is gone, but early mount fails. That is a separate bug, though, and will be addressed by another CL. Test: Boot patched sdk_phone_x86-userdebug system image with patched Goldfish 3.18 x86 kernel in patched Android Emulator, verify the "init: First stage mount skipped" warning no longer shows in dmesg. Change-Id: Ib6df577319503ec1ca778de2b5458cc72ce07415 Signed-off-by: Yu Ning <yu.ning@intel.com>
2017-07-26 11:54:08 +02:00
const std::string file_name = get_android_dt_dir() + sub_path;
if (android::base::ReadFileToString(file_name, dt_content)) {
if (!dt_content->empty()) {
dt_content->pop_back(); // Trims the trailing '\0' out.
return true;
}
}
return false;
}
bool is_android_dt_value_expected(const std::string& sub_path, const std::string& expected_content) {
std::string dt_content;
if (read_android_dt_file(sub_path, &dt_content)) {
if (dt_content == expected_content) {
return true;
}
}
return false;
}
bool IsLegalPropertyName(const std::string& name) {
size_t namelen = name.size();
if (namelen < 1) return false;
if (name[0] == '.') return false;
if (name[namelen - 1] == '.') return false;
/* Only allow alphanumeric, plus '.', '-', '@', ':', or '_' */
/* Don't allow ".." to appear in a property name */
for (size_t i = 0; i < namelen; i++) {
if (name[i] == '.') {
// i=0 is guaranteed to never have a dot. See above.
if (name[i - 1] == '.') return false;
continue;
}
if (name[i] == '_' || name[i] == '-' || name[i] == '@' || name[i] == ':') continue;
if (name[i] >= 'a' && name[i] <= 'z') continue;
if (name[i] >= 'A' && name[i] <= 'Z') continue;
if (name[i] >= '0' && name[i] <= '9') continue;
return false;
}
return true;
}
Result<void> IsLegalPropertyValue(const std::string& name, const std::string& value) {
if (value.size() >= PROP_VALUE_MAX && !StartsWith(name, "ro.")) {
return Error() << "Property value too long";
}
if (mbstowcs(nullptr, value.data(), 0) == static_cast<std::size_t>(-1)) {
return Error() << "Value is not a UTF8 encoded string";
}
return {};
}
init: fix mkdir to reliably detect top-level /data directories To determine the default encryption action, the mkdir command checks whether the given path is a top-level directory of /data. However, it assumed a path without any duplicate slashes or trailing slash(es). While everyone *should* be providing paths without unnecessary slashes, it is not guaranteed, as paths with unnecessary slashes still work correctly for all other parts of the mkdir command, including the SELinux label lookup and the actual directory creation. In particular, the /data/fonts directory is being created using 'mkdir /data/fonts/'. The effect is that the mkdir command thinks that /data/fonts/ is *not* a top-level directory of /data, so it defaults to no encryption action. Fortunately, the full command happens to use "encryption=Require", so we dodged a bullet there, though the warning "Inferred action different from explicit one" is still triggered. There are a few approaches we could take here, including even just fixing the /data/fonts/ command specifically, but I think the best solution is to have mkdir clean its path at the very beginning. This retains the Linux path semantics that people expect, while avoiding surprises in path processing afterwards. This CL implements that. Note, this CL intentionally changes the behavior of, and thus would break, any existing cases where mkdir is used to create a top-level /data directory using a path with unnecessary slashes and without using an explicit encryption action. There are no known cases where this already occurs, however. No cases exist in platform code, and vendor init scripts shouldn't be creating top-level /data directories anyway. Test: atest CtsInitTestCases Test: Booted and verified that a trailing slash is no longer present in the log message "Verified that /data/fonts/ has the encryption policy ...". Also verified that the message "Inferred action different ..." is no longer present just above it. Bug: 232554803 Change-Id: Ie55c3ac1a2b1cf50632d54a1e565cb98c17b2a6a
2022-05-13 21:11:42 +02:00
// Remove unnecessary slashes so that any later checks (e.g., the check for
// whether the path is a top-level directory in /data) don't get confused.
std::string CleanDirPath(const std::string& path) {
std::string result;
result.reserve(path.length());
// Collapse duplicate slashes, e.g. //data//foo// => /data/foo/
for (char c : path) {
if (c != '/' || result.empty() || result.back() != '/') {
result += c;
}
}
// Remove trailing slash, e.g. /data/foo/ => /data/foo
if (result.length() > 1 && result.back() == '/') {
result.pop_back();
}
return result;
}
Result<MkdirOptions> ParseMkdir(const std::vector<std::string>& args) {
init: fix mkdir to reliably detect top-level /data directories To determine the default encryption action, the mkdir command checks whether the given path is a top-level directory of /data. However, it assumed a path without any duplicate slashes or trailing slash(es). While everyone *should* be providing paths without unnecessary slashes, it is not guaranteed, as paths with unnecessary slashes still work correctly for all other parts of the mkdir command, including the SELinux label lookup and the actual directory creation. In particular, the /data/fonts directory is being created using 'mkdir /data/fonts/'. The effect is that the mkdir command thinks that /data/fonts/ is *not* a top-level directory of /data, so it defaults to no encryption action. Fortunately, the full command happens to use "encryption=Require", so we dodged a bullet there, though the warning "Inferred action different from explicit one" is still triggered. There are a few approaches we could take here, including even just fixing the /data/fonts/ command specifically, but I think the best solution is to have mkdir clean its path at the very beginning. This retains the Linux path semantics that people expect, while avoiding surprises in path processing afterwards. This CL implements that. Note, this CL intentionally changes the behavior of, and thus would break, any existing cases where mkdir is used to create a top-level /data directory using a path with unnecessary slashes and without using an explicit encryption action. There are no known cases where this already occurs, however. No cases exist in platform code, and vendor init scripts shouldn't be creating top-level /data directories anyway. Test: atest CtsInitTestCases Test: Booted and verified that a trailing slash is no longer present in the log message "Verified that /data/fonts/ has the encryption policy ...". Also verified that the message "Inferred action different ..." is no longer present just above it. Bug: 232554803 Change-Id: Ie55c3ac1a2b1cf50632d54a1e565cb98c17b2a6a
2022-05-13 21:11:42 +02:00
std::string path = CleanDirPath(args[1]);
const bool is_toplevel_data_dir =
StartsWith(path, kDataDirPrefix) &&
path.find_first_of('/', kDataDirPrefix.size()) == std::string::npos;
FscryptAction fscrypt_action =
is_toplevel_data_dir ? FscryptAction::kRequire : FscryptAction::kNone;
mode_t mode = 0755;
Result<uid_t> uid = -1;
Result<gid_t> gid = -1;
std::string ref_option = "ref";
bool set_option_encryption = false;
bool set_option_key = false;
for (size_t i = 2; i < args.size(); i++) {
switch (i) {
case 2:
mode = std::strtoul(args[2].c_str(), 0, 8);
break;
case 3:
uid = DecodeUid(args[3]);
if (!uid.ok()) {
return Error()
<< "Unable to decode UID for '" << args[3] << "': " << uid.error();
}
break;
case 4:
gid = DecodeUid(args[4]);
if (!gid.ok()) {
return Error()
<< "Unable to decode GID for '" << args[4] << "': " << gid.error();
}
break;
default:
auto parts = android::base::Split(args[i], "=");
if (parts.size() != 2) {
return Error() << "Can't parse option: '" << args[i] << "'";
}
auto optname = parts[0];
auto optval = parts[1];
if (optname == "encryption") {
if (set_option_encryption) {
return Error() << "Duplicated option: '" << optname << "'";
}
if (optval == "Require") {
fscrypt_action = FscryptAction::kRequire;
} else if (optval == "None") {
fscrypt_action = FscryptAction::kNone;
} else if (optval == "Attempt") {
fscrypt_action = FscryptAction::kAttempt;
} else if (optval == "DeleteIfNecessary") {
fscrypt_action = FscryptAction::kDeleteIfNecessary;
} else {
return Error() << "Unknown encryption option: '" << optval << "'";
}
set_option_encryption = true;
} else if (optname == "key") {
if (set_option_key) {
return Error() << "Duplicated option: '" << optname << "'";
}
if (optval == "ref" || optval == "per_boot_ref") {
ref_option = optval;
} else {
return Error() << "Unknown key option: '" << optval << "'";
}
set_option_key = true;
} else {
return Error() << "Unknown option: '" << args[i] << "'";
}
}
}
if (set_option_key && fscrypt_action == FscryptAction::kNone) {
return Error() << "Key option set but encryption action is none";
}
if (is_toplevel_data_dir) {
if (!set_option_encryption) {
init: fix mkdir to reliably detect top-level /data directories To determine the default encryption action, the mkdir command checks whether the given path is a top-level directory of /data. However, it assumed a path without any duplicate slashes or trailing slash(es). While everyone *should* be providing paths without unnecessary slashes, it is not guaranteed, as paths with unnecessary slashes still work correctly for all other parts of the mkdir command, including the SELinux label lookup and the actual directory creation. In particular, the /data/fonts directory is being created using 'mkdir /data/fonts/'. The effect is that the mkdir command thinks that /data/fonts/ is *not* a top-level directory of /data, so it defaults to no encryption action. Fortunately, the full command happens to use "encryption=Require", so we dodged a bullet there, though the warning "Inferred action different from explicit one" is still triggered. There are a few approaches we could take here, including even just fixing the /data/fonts/ command specifically, but I think the best solution is to have mkdir clean its path at the very beginning. This retains the Linux path semantics that people expect, while avoiding surprises in path processing afterwards. This CL implements that. Note, this CL intentionally changes the behavior of, and thus would break, any existing cases where mkdir is used to create a top-level /data directory using a path with unnecessary slashes and without using an explicit encryption action. There are no known cases where this already occurs, however. No cases exist in platform code, and vendor init scripts shouldn't be creating top-level /data directories anyway. Test: atest CtsInitTestCases Test: Booted and verified that a trailing slash is no longer present in the log message "Verified that /data/fonts/ has the encryption policy ...". Also verified that the message "Inferred action different ..." is no longer present just above it. Bug: 232554803 Change-Id: Ie55c3ac1a2b1cf50632d54a1e565cb98c17b2a6a
2022-05-13 21:11:42 +02:00
LOG(WARNING) << "Top-level directory needs encryption action, eg mkdir " << path
<< " <mode> <uid> <gid> encryption=Require";
}
if (fscrypt_action == FscryptAction::kNone) {
init: fix mkdir to reliably detect top-level /data directories To determine the default encryption action, the mkdir command checks whether the given path is a top-level directory of /data. However, it assumed a path without any duplicate slashes or trailing slash(es). While everyone *should* be providing paths without unnecessary slashes, it is not guaranteed, as paths with unnecessary slashes still work correctly for all other parts of the mkdir command, including the SELinux label lookup and the actual directory creation. In particular, the /data/fonts directory is being created using 'mkdir /data/fonts/'. The effect is that the mkdir command thinks that /data/fonts/ is *not* a top-level directory of /data, so it defaults to no encryption action. Fortunately, the full command happens to use "encryption=Require", so we dodged a bullet there, though the warning "Inferred action different from explicit one" is still triggered. There are a few approaches we could take here, including even just fixing the /data/fonts/ command specifically, but I think the best solution is to have mkdir clean its path at the very beginning. This retains the Linux path semantics that people expect, while avoiding surprises in path processing afterwards. This CL implements that. Note, this CL intentionally changes the behavior of, and thus would break, any existing cases where mkdir is used to create a top-level /data directory using a path with unnecessary slashes and without using an explicit encryption action. There are no known cases where this already occurs, however. No cases exist in platform code, and vendor init scripts shouldn't be creating top-level /data directories anyway. Test: atest CtsInitTestCases Test: Booted and verified that a trailing slash is no longer present in the log message "Verified that /data/fonts/ has the encryption policy ...". Also verified that the message "Inferred action different ..." is no longer present just above it. Bug: 232554803 Change-Id: Ie55c3ac1a2b1cf50632d54a1e565cb98c17b2a6a
2022-05-13 21:11:42 +02:00
LOG(INFO) << "Not setting encryption policy on: " << path;
}
}
init: fix mkdir to reliably detect top-level /data directories To determine the default encryption action, the mkdir command checks whether the given path is a top-level directory of /data. However, it assumed a path without any duplicate slashes or trailing slash(es). While everyone *should* be providing paths without unnecessary slashes, it is not guaranteed, as paths with unnecessary slashes still work correctly for all other parts of the mkdir command, including the SELinux label lookup and the actual directory creation. In particular, the /data/fonts directory is being created using 'mkdir /data/fonts/'. The effect is that the mkdir command thinks that /data/fonts/ is *not* a top-level directory of /data, so it defaults to no encryption action. Fortunately, the full command happens to use "encryption=Require", so we dodged a bullet there, though the warning "Inferred action different from explicit one" is still triggered. There are a few approaches we could take here, including even just fixing the /data/fonts/ command specifically, but I think the best solution is to have mkdir clean its path at the very beginning. This retains the Linux path semantics that people expect, while avoiding surprises in path processing afterwards. This CL implements that. Note, this CL intentionally changes the behavior of, and thus would break, any existing cases where mkdir is used to create a top-level /data directory using a path with unnecessary slashes and without using an explicit encryption action. There are no known cases where this already occurs, however. No cases exist in platform code, and vendor init scripts shouldn't be creating top-level /data directories anyway. Test: atest CtsInitTestCases Test: Booted and verified that a trailing slash is no longer present in the log message "Verified that /data/fonts/ has the encryption policy ...". Also verified that the message "Inferred action different ..." is no longer present just above it. Bug: 232554803 Change-Id: Ie55c3ac1a2b1cf50632d54a1e565cb98c17b2a6a
2022-05-13 21:11:42 +02:00
return MkdirOptions{path, mode, *uid, *gid, fscrypt_action, ref_option};
}
Add ro.boot.fstab_suffix and modify mount_all to use it Currently the ReadDefaultFstab function, which calls GetFstabPath, makes some assumptions about what the fstab will be called and where it is located. This is being used by vold to set up userdata encryption and for gsid, and is even used in the default boot control HAL, so it has become quite baked. The original way for a board to specify things to mount was to use the "mount_all /path/to/fstab" command in init.rc. However, due to the above functionality, the path after mount_all is no longer very useful, as it cannot differ from the inferred path, or userdata encryption and other features will be broken. On Cuttlefish, we have an interest in being able to test alternative userdata configurations (ext4 vs f2fs, encryption on/off, etc.) and currently the only way to achieve this is to either a) modify the ro.hardware or ro.hardware.platform properties, which breaks a bunch of things like default HAL filenames, or regenerate our odm.img or vendor.img filesystems. We can't simply install another fstab and point to it with "mount_all". This change allows the fstab path to be omitted from "mount_all", and adds another property which overrides the existing checks for fstab.${ro.hardware} and fstab.${ro.hardware.platform}. Specifying ${ro.boot.fstab_suffix} will cause fstab.${ro.boot.fstab_suffix} to be checked first. Bug: 142424832 Test: booted cuttlefish with 'mount_all ${ro.hardware} --late' Test: booted cuttlefish with 'mount_all --late' Test: booted cuttlefish with 'mount_all --late' and fstab_suffix=f2fs Test: partially booted cuttlefish with 'mount_all ${ro.hardware}' Test: partially booted cuttlefish with 'mount_all' Change-Id: I3e10f66aecfcd48bdb9ebf1d304b7aae745cbd3c
2020-05-21 01:24:00 +02:00
Result<MountAllOptions> ParseMountAll(const std::vector<std::string>& args) {
bool compat_mode = false;
bool import_rc = false;
if (SelinuxGetVendorAndroidVersion() <= __ANDROID_API_Q__) {
if (args.size() <= 1) {
return Error() << "mount_all requires at least 1 argument";
}
compat_mode = true;
import_rc = true;
}
std::size_t first_option_arg = args.size();
enum mount_mode mode = MOUNT_MODE_DEFAULT;
// If we are <= Q, then stop looking for non-fstab arguments at slot 2.
// Otherwise, stop looking at slot 1 (as the fstab path argument is optional >= R).
for (std::size_t na = args.size() - 1; na > (compat_mode ? 1 : 0); --na) {
if (args[na] == "--early") {
first_option_arg = na;
mode = MOUNT_MODE_EARLY;
} else if (args[na] == "--late") {
first_option_arg = na;
mode = MOUNT_MODE_LATE;
import_rc = false;
}
}
std::string fstab_path;
if (first_option_arg > 1) {
fstab_path = args[1];
} else if (compat_mode) {
return Error() << "mount_all argument 1 must be the fstab path";
}
std::vector<std::string> rc_paths;
for (std::size_t na = 2; na < first_option_arg; ++na) {
rc_paths.push_back(args[na]);
}
return MountAllOptions{rc_paths, fstab_path, mode, import_rc};
}
Result<std::pair<int, std::vector<std::string>>> ParseRestorecon(
const std::vector<std::string>& args) {
struct flag_type {
const char* name;
int value;
};
static const flag_type flags[] = {
{"--recursive", SELINUX_ANDROID_RESTORECON_RECURSE},
{"--skip-ce", SELINUX_ANDROID_RESTORECON_SKIPCE},
{"--cross-filesystems", SELINUX_ANDROID_RESTORECON_CROSS_FILESYSTEMS},
{0, 0}};
int flag = 0;
std::vector<std::string> paths;
bool in_flags = true;
for (size_t i = 1; i < args.size(); ++i) {
if (android::base::StartsWith(args[i], "--")) {
if (!in_flags) {
return Error() << "flags must precede paths";
}
bool found = false;
for (size_t j = 0; flags[j].name; ++j) {
if (args[i] == flags[j].name) {
flag |= flags[j].value;
found = true;
break;
}
}
if (!found) {
return Error() << "bad flag " << args[i];
}
} else {
in_flags = false;
paths.emplace_back(args[i]);
}
}
return std::pair(flag, paths);
}
Result<std::string> ParseSwaponAll(const std::vector<std::string>& args) {
if (args.size() <= 1) {
if (SelinuxGetVendorAndroidVersion() <= __ANDROID_API_Q__) {
return Error() << "swapon_all requires at least 1 argument";
}
return {};
}
return args[1];
}
Add ro.boot.fstab_suffix and modify mount_all to use it Currently the ReadDefaultFstab function, which calls GetFstabPath, makes some assumptions about what the fstab will be called and where it is located. This is being used by vold to set up userdata encryption and for gsid, and is even used in the default boot control HAL, so it has become quite baked. The original way for a board to specify things to mount was to use the "mount_all /path/to/fstab" command in init.rc. However, due to the above functionality, the path after mount_all is no longer very useful, as it cannot differ from the inferred path, or userdata encryption and other features will be broken. On Cuttlefish, we have an interest in being able to test alternative userdata configurations (ext4 vs f2fs, encryption on/off, etc.) and currently the only way to achieve this is to either a) modify the ro.hardware or ro.hardware.platform properties, which breaks a bunch of things like default HAL filenames, or regenerate our odm.img or vendor.img filesystems. We can't simply install another fstab and point to it with "mount_all". This change allows the fstab path to be omitted from "mount_all", and adds another property which overrides the existing checks for fstab.${ro.hardware} and fstab.${ro.hardware.platform}. Specifying ${ro.boot.fstab_suffix} will cause fstab.${ro.boot.fstab_suffix} to be checked first. Bug: 142424832 Test: booted cuttlefish with 'mount_all ${ro.hardware} --late' Test: booted cuttlefish with 'mount_all --late' Test: booted cuttlefish with 'mount_all --late' and fstab_suffix=f2fs Test: partially booted cuttlefish with 'mount_all ${ro.hardware}' Test: partially booted cuttlefish with 'mount_all' Change-Id: I3e10f66aecfcd48bdb9ebf1d304b7aae745cbd3c
2020-05-21 01:24:00 +02:00
Result<std::string> ParseUmountAll(const std::vector<std::string>& args) {
if (args.size() <= 1) {
if (SelinuxGetVendorAndroidVersion() <= __ANDROID_API_Q__) {
Add ro.boot.fstab_suffix and modify mount_all to use it Currently the ReadDefaultFstab function, which calls GetFstabPath, makes some assumptions about what the fstab will be called and where it is located. This is being used by vold to set up userdata encryption and for gsid, and is even used in the default boot control HAL, so it has become quite baked. The original way for a board to specify things to mount was to use the "mount_all /path/to/fstab" command in init.rc. However, due to the above functionality, the path after mount_all is no longer very useful, as it cannot differ from the inferred path, or userdata encryption and other features will be broken. On Cuttlefish, we have an interest in being able to test alternative userdata configurations (ext4 vs f2fs, encryption on/off, etc.) and currently the only way to achieve this is to either a) modify the ro.hardware or ro.hardware.platform properties, which breaks a bunch of things like default HAL filenames, or regenerate our odm.img or vendor.img filesystems. We can't simply install another fstab and point to it with "mount_all". This change allows the fstab path to be omitted from "mount_all", and adds another property which overrides the existing checks for fstab.${ro.hardware} and fstab.${ro.hardware.platform}. Specifying ${ro.boot.fstab_suffix} will cause fstab.${ro.boot.fstab_suffix} to be checked first. Bug: 142424832 Test: booted cuttlefish with 'mount_all ${ro.hardware} --late' Test: booted cuttlefish with 'mount_all --late' Test: booted cuttlefish with 'mount_all --late' and fstab_suffix=f2fs Test: partially booted cuttlefish with 'mount_all ${ro.hardware}' Test: partially booted cuttlefish with 'mount_all' Change-Id: I3e10f66aecfcd48bdb9ebf1d304b7aae745cbd3c
2020-05-21 01:24:00 +02:00
return Error() << "umount_all requires at least 1 argument";
}
return {};
Add ro.boot.fstab_suffix and modify mount_all to use it Currently the ReadDefaultFstab function, which calls GetFstabPath, makes some assumptions about what the fstab will be called and where it is located. This is being used by vold to set up userdata encryption and for gsid, and is even used in the default boot control HAL, so it has become quite baked. The original way for a board to specify things to mount was to use the "mount_all /path/to/fstab" command in init.rc. However, due to the above functionality, the path after mount_all is no longer very useful, as it cannot differ from the inferred path, or userdata encryption and other features will be broken. On Cuttlefish, we have an interest in being able to test alternative userdata configurations (ext4 vs f2fs, encryption on/off, etc.) and currently the only way to achieve this is to either a) modify the ro.hardware or ro.hardware.platform properties, which breaks a bunch of things like default HAL filenames, or regenerate our odm.img or vendor.img filesystems. We can't simply install another fstab and point to it with "mount_all". This change allows the fstab path to be omitted from "mount_all", and adds another property which overrides the existing checks for fstab.${ro.hardware} and fstab.${ro.hardware.platform}. Specifying ${ro.boot.fstab_suffix} will cause fstab.${ro.boot.fstab_suffix} to be checked first. Bug: 142424832 Test: booted cuttlefish with 'mount_all ${ro.hardware} --late' Test: booted cuttlefish with 'mount_all --late' Test: booted cuttlefish with 'mount_all --late' and fstab_suffix=f2fs Test: partially booted cuttlefish with 'mount_all ${ro.hardware}' Test: partially booted cuttlefish with 'mount_all' Change-Id: I3e10f66aecfcd48bdb9ebf1d304b7aae745cbd3c
2020-05-21 01:24:00 +02:00
}
return args[1];
}
static void InitAborter(const char* abort_message) {
// When init forks, it continues to use this aborter for LOG(FATAL), but we want children to
// simply abort instead of trying to reboot the system.
if (getpid() != 1) {
android::base::DefaultAborter(abort_message);
return;
}
InitFatalReboot(SIGABRT);
}
// The kernel opens /dev/console and uses that fd for stdin/stdout/stderr if there is a serial
// console enabled and no initramfs, otherwise it does not provide any fds for stdin/stdout/stderr.
// SetStdioToDevNull() is used to close these existing fds if they exist and replace them with
// /dev/null regardless.
//
// In the case that these fds are provided by the kernel, the exec of second stage init causes an
// SELinux denial as it does not have access to /dev/console. In the case that they are not
// provided, exec of any further process is potentially dangerous as the first fd's opened by that
// process will take the stdin/stdout/stderr fileno's, which can cause issues if printf(), etc is
// then used by that process.
//
// Lastly, simply calling SetStdioToDevNull() in first stage init is not enough, since first
// stage init still runs in kernel context, future child processes will not have permissions to
// access any fds that it opens, including the one opened below for /dev/null. Therefore,
// SetStdioToDevNull() must be called again in second stage init.
void SetStdioToDevNull(char** argv) {
// Make stdin/stdout/stderr all point to /dev/null.
int fd = open("/dev/null", O_RDWR); // NOLINT(android-cloexec-open)
if (fd == -1) {
int saved_errno = errno;
android::base::InitLogging(argv, &android::base::KernelLogger, InitAborter);
errno = saved_errno;
PLOG(FATAL) << "Couldn't open /dev/null";
}
dup2(fd, STDIN_FILENO);
dup2(fd, STDOUT_FILENO);
dup2(fd, STDERR_FILENO);
if (fd > STDERR_FILENO) close(fd);
}
void InitKernelLogging(char** argv) {
SetFatalRebootTarget();
android::base::InitLogging(argv, &android::base::KernelLogger, InitAborter);
}
Proper mount namespace configuration for bionic This CL fixes the design problem of the previous mechanism for providing the bootstrap bionic and the runtime bionic to the same path. Previously, bootstrap bionic was self-bind-mounted; i.e. /system/bin/libc.so is bind-mounted to itself. And the runtime bionic was bind-mounted on top of the bootstrap bionic. This has not only caused problems like `adb sync` not working(b/122737045), but also is quite difficult to understand due to the double-and-self mounting. This is the new design: Most importantly, these four are all distinct: 1) bootstrap bionic (/system/lib/bootstrap/libc.so) 2) runtime bionic (/apex/com.android.runtime/lib/bionic/libc.so) 3) mount point for 1) and 2) (/bionic/lib/libc.so) 4) symlink for 3) (/system/lib/libc.so -> /bionic/lib/libc.so) Inside the mount namespace of the pre-apexd processes, 1) is bind-mounted to 3). Likewise, inside the mount namespace of the post-apexd processes, 2) is bind-mounted to 3). In other words, there is no self-mount, and no double-mount. Another change is that mount points are under /bionic and the legacy paths become symlinks to the mount points. This is to make sure that there is no bind mounts under /system, which is breaking some apps. Finally, code for creating mount namespaces, mounting bionic, etc are refactored to mount_namespace.cpp Bug: 120266448 Bug: 123275379 Test: m, device boots, adb sync/push/pull works, especially with following paths: /bionic/lib64/libc.so /bionic/bin/linker64 /system/lib64/bootstrap/libc.so /system/bin/bootstrap/linker64 Change-Id: Icdfbdcc1efca540ac854d4df79e07ee61fca559f
2019-01-16 15:00:59 +01:00
bool IsRecoveryMode() {
return access("/system/bin/recovery", F_OK) == 0;
}
// Check if default mount namespace is ready to be used with APEX modules
static bool is_default_mount_namespace_ready = false;
bool IsDefaultMountNamespaceReady() {
return is_default_mount_namespace_ready;
}
void SetDefaultMountNamespaceReady() {
is_default_mount_namespace_ready = true;
}
bool IsMicrodroid() {
static bool is_microdroid = android::base::GetProperty("ro.hardware", "") == "microdroid";
return is_microdroid;
}
bool Has32BitAbi() {
static bool has = !android::base::GetProperty("ro.product.cpu.abilist32", "").empty();
return has;
}
std::string GetApexNameFromFileName(const std::string& path) {
static const std::string kApexDir = "/apex/";
if (StartsWith(path, kApexDir)) {
auto begin = kApexDir.size();
auto end = path.find('/', begin);
return path.substr(begin, end - begin);
}
return "";
}
std::vector<std::string> FilterVersionedConfigs(const std::vector<std::string>& configs,
int active_sdk) {
std::vector<std::string> filtered_configs;
std::map<std::string, std::pair<std::string, int>> script_map;
for (const auto& c : configs) {
int sdk = 0;
const std::vector<std::string> parts = android::base::Split(c, ".");
std::string base;
if (parts.size() < 2) {
continue;
}
// parts[size()-1], aka the suffix, should be "rc" or "#rc"
// any other pattern gets discarded
const auto& suffix = parts[parts.size() - 1];
if (suffix == "rc") {
sdk = 0;
} else {
char trailer[9] = {0};
int r = sscanf(suffix.c_str(), "%d%8s", &sdk, trailer);
if (r != 2) {
continue;
}
if (strlen(trailer) > 2 || strcmp(trailer, "rc") != 0) {
continue;
}
}
if (sdk < 0 || sdk > active_sdk) {
continue;
}
base = parts[0];
for (unsigned int i = 1; i < parts.size() - 1; i++) {
base = base + "." + parts[i];
}
// is this preferred over what we already have
auto it = script_map.find(base);
if (it == script_map.end() || it->second.second < sdk) {
script_map[base] = std::make_pair(c, sdk);
}
}
for (const auto& m : script_map) {
filtered_configs.push_back(m.second.first);
}
return filtered_configs;
}
} // namespace init
} // namespace android