2009-03-04 04:32:55 +01:00
|
|
|
/*
|
|
|
|
* Copyright (C) 2008 The Android Open Source Project
|
|
|
|
*
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
*
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
*
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
* limitations under the License.
|
|
|
|
*/
|
|
|
|
|
2017-04-07 01:30:22 +02:00
|
|
|
#include "util.h"
|
|
|
|
|
2016-10-27 16:45:34 +02:00
|
|
|
#include <ctype.h>
|
|
|
|
#include <errno.h>
|
|
|
|
#include <fcntl.h>
|
|
|
|
#include <pwd.h>
|
2019-10-08 03:16:23 +02:00
|
|
|
#include <signal.h>
|
2009-03-04 04:32:55 +01:00
|
|
|
#include <stdarg.h>
|
|
|
|
#include <stdio.h>
|
2017-04-07 01:30:22 +02:00
|
|
|
#include <stdlib.h>
|
2009-03-04 04:32:55 +01:00
|
|
|
#include <string.h>
|
2016-10-27 16:45:34 +02:00
|
|
|
#include <sys/socket.h>
|
2009-03-04 04:32:55 +01:00
|
|
|
#include <sys/un.h>
|
2017-04-07 01:30:22 +02:00
|
|
|
#include <time.h>
|
|
|
|
#include <unistd.h>
|
2009-03-04 04:32:55 +01:00
|
|
|
|
2022-07-22 01:05:13 +02:00
|
|
|
#include <map>
|
2016-11-15 02:08:47 +01:00
|
|
|
#include <thread>
|
|
|
|
|
2015-12-05 07:00:26 +01:00
|
|
|
#include <android-base/file.h>
|
2016-06-25 00:12:21 +02:00
|
|
|
#include <android-base/logging.h>
|
2018-05-25 03:00:39 +02:00
|
|
|
#include <android-base/properties.h>
|
2019-07-09 22:33:36 +02:00
|
|
|
#include <android-base/scopeguard.h>
|
2015-12-05 07:00:26 +01:00
|
|
|
#include <android-base/strings.h>
|
2016-11-07 19:16:53 +01:00
|
|
|
#include <android-base/unique_fd.h>
|
2009-03-04 04:32:55 +01:00
|
|
|
#include <cutils/sockets.h>
|
2017-04-07 01:30:22 +02:00
|
|
|
#include <selinux/android.h>
|
2009-03-04 04:32:55 +01:00
|
|
|
|
2020-02-20 19:50:00 +01:00
|
|
|
#ifdef INIT_FULL_SOURCES
|
2019-07-31 22:59:15 +02:00
|
|
|
#include <android/api-level.h>
|
2019-07-30 18:34:41 +02:00
|
|
|
#include <sys/system_properties.h>
|
2019-07-31 22:59:15 +02:00
|
|
|
|
2019-05-28 19:19:44 +02:00
|
|
|
#include "reboot_utils.h"
|
2019-05-29 00:58:35 +02:00
|
|
|
#include "selabel.h"
|
2019-07-31 22:59:15 +02:00
|
|
|
#include "selinux.h"
|
2018-02-14 01:50:08 +01:00
|
|
|
#else
|
|
|
|
#include "host_init_stubs.h"
|
|
|
|
#endif
|
2009-03-04 04:32:55 +01:00
|
|
|
|
2017-03-24 19:43:02 +01:00
|
|
|
using android::base::boot_clock;
|
2019-07-30 18:34:41 +02:00
|
|
|
using android::base::StartsWith;
|
2017-05-05 02:40:33 +02:00
|
|
|
using namespace std::literals::string_literals;
|
2017-03-24 19:43:02 +01:00
|
|
|
|
2017-06-22 21:53:17 +02:00
|
|
|
namespace android {
|
|
|
|
namespace init {
|
|
|
|
|
Allow the use of a custom Android DT directory
On platforms that use ACPI instead of Device Tree (DT), such as
Ranchu x86/x86_64, /proc/device-tree/firmware/android/ does not
exist. As a result, Android O is unable to mount /system, etc.
at the first stage of init:
init: First stage mount skipped (missing/incompatible fstab in
device tree)
Those platforms may create another directory that mimics the layout
of the standard DT directory in procfs, and store early mount
configuration there. E.g., Ranchu x86/x86_64 creates one in sysfs
using information encoded in the ACPI tables:
https://android-review.googlesource.com/442472
https://android-review.googlesource.com/443432
https://android-review.googlesource.com/442393
https://android-review.googlesource.com/442395
Therefore, instead of hardcoding the Android DT path, load it from
the kernel command line using a new Android-specific property key
("androidboot.android_dt_dir"). If no such property exists, fall
back to the standard procfs path (so no change is needed for DT-
aware platforms).
Note that init/ and fs_mgr/ each have their own copy of the Android
DT path, because they do not share any global state. A future CL
should remove the duplication by refactoring.
With this CL as well as the above ones, the said warning is gone,
but early mount fails. That is a separate bug, though, and will be
addressed by another CL.
Test: Boot patched sdk_phone_x86-userdebug system image with patched
Goldfish 3.18 x86 kernel in patched Android Emulator, verify
the "init: First stage mount skipped" warning no longer shows
in dmesg.
Change-Id: Ib6df577319503ec1ca778de2b5458cc72ce07415
Signed-off-by: Yu Ning <yu.ning@intel.com>
2017-07-26 11:54:08 +02:00
|
|
|
const std::string kDefaultAndroidDtDir("/proc/device-tree/firmware/android/");
|
|
|
|
|
2022-05-13 21:40:09 +02:00
|
|
|
const std::string kDataDirPrefix("/data/");
|
|
|
|
|
2019-11-13 01:21:20 +01:00
|
|
|
void (*trigger_shutdown)(const std::string& command) = nullptr;
|
|
|
|
|
2017-05-05 02:40:33 +02:00
|
|
|
// DecodeUid() - decodes and returns the given string, which can be either the
|
2017-08-03 21:54:07 +02:00
|
|
|
// numeric or name representation, into the integer uid or gid.
|
|
|
|
Result<uid_t> DecodeUid(const std::string& name) {
|
2017-05-05 02:40:33 +02:00
|
|
|
if (isalpha(name[0])) {
|
|
|
|
passwd* pwd = getpwnam(name.c_str());
|
2017-08-03 21:54:07 +02:00
|
|
|
if (!pwd) return ErrnoError() << "getpwnam failed";
|
|
|
|
|
|
|
|
return pwd->pw_uid;
|
2016-04-07 04:18:50 +02:00
|
|
|
}
|
2009-03-04 04:32:55 +01:00
|
|
|
|
|
|
|
errno = 0;
|
2017-05-05 02:40:33 +02:00
|
|
|
uid_t result = static_cast<uid_t>(strtoul(name.c_str(), 0, 0));
|
2017-08-03 21:54:07 +02:00
|
|
|
if (errno) return ErrnoError() << "strtoul failed";
|
|
|
|
|
|
|
|
return result;
|
2009-03-04 04:32:55 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2017-05-05 23:44:35 +02:00
|
|
|
* CreateSocket - creates a Unix domain socket in ANDROID_SOCKET_DIR
|
2009-03-04 04:32:55 +01:00
|
|
|
* ("/dev/socket") as dictated in init.rc. This socket is inherited by the
|
|
|
|
* daemon. We communicate the file descriptor's value via the environment
|
|
|
|
* variable ANDROID_SOCKET_ENV_PREFIX<name> ("ANDROID_SOCKET_foo").
|
|
|
|
*/
|
init: Add option to listen on sockets before starting service.
Review note: Original change was a p-o-c by agl in
https://r.android.com/2094350 which I think is actually
production quality. I'm just taking it over so that he doesn't
get spammed by any review comments as that's not a good use
of his time.
Needed for the hardware entropy daemon (see bug).
Original commit message:
If one needs to create a service that synchronously starts listening on
a socket then there are currently no good options.
The traditional UNIX solution is to have the service create the socket
and then daemonise. In this situation, init could start the service with
`exec_start` and yet not block forever because the service forks and
exits. However, when the initial child process exits, init kills the
daemon process:
> init: Killed 1 additional processes from a oneshot process group for
> service 'foo'. This is new behavior, previously child processes
> would not be killed in this case.
Next, there is a `socket` option for services and (although the
documentation didn't nail this down), the socket is created
synchronously by `start`. However, init doesn't call `listen` on the
socket so, until the service starts listening on the socket itself,
clients will get ECONNREFUSED.
This this change adds a `+listen` option, similar to `+passcred` which
allows a socket service to reliably handle connections.
Bug: 243933553
Test: Started prng_seeder from init using the new listen flag
Change-Id: I91b3b2b1fd38cc3d96e19e92b76c8e95788191d5
2022-05-12 00:32:47 +02:00
|
|
|
Result<int> CreateSocket(const std::string& name, int type, bool passcred, bool should_listen,
|
|
|
|
mode_t perm, uid_t uid, gid_t gid, const std::string& socketcon) {
|
2019-07-09 22:33:36 +02:00
|
|
|
if (!socketcon.empty()) {
|
|
|
|
if (setsockcreatecon(socketcon.c_str()) == -1) {
|
|
|
|
return ErrnoError() << "setsockcreatecon(\"" << socketcon << "\") failed";
|
2015-11-24 01:26:42 +01:00
|
|
|
}
|
|
|
|
}
|
2009-03-04 04:32:55 +01:00
|
|
|
|
2016-11-07 19:16:53 +01:00
|
|
|
android::base::unique_fd fd(socket(PF_UNIX, type, 0));
|
2009-03-04 04:32:55 +01:00
|
|
|
if (fd < 0) {
|
2019-07-09 22:33:36 +02:00
|
|
|
return ErrnoError() << "Failed to open socket '" << name << "'";
|
2009-03-04 04:32:55 +01:00
|
|
|
}
|
|
|
|
|
2019-07-09 22:33:36 +02:00
|
|
|
if (!socketcon.empty()) setsockcreatecon(nullptr);
|
2013-05-13 18:37:04 +02:00
|
|
|
|
2016-11-07 19:16:53 +01:00
|
|
|
struct sockaddr_un addr;
|
2009-03-04 04:32:55 +01:00
|
|
|
memset(&addr, 0 , sizeof(addr));
|
|
|
|
addr.sun_family = AF_UNIX;
|
2019-07-09 22:33:36 +02:00
|
|
|
snprintf(addr.sun_path, sizeof(addr.sun_path), ANDROID_SOCKET_DIR "/%s", name.c_str());
|
2009-03-04 04:32:55 +01:00
|
|
|
|
2016-11-07 19:16:53 +01:00
|
|
|
if ((unlink(addr.sun_path) != 0) && (errno != ENOENT)) {
|
2019-07-09 22:33:36 +02:00
|
|
|
return ErrnoError() << "Failed to unlink old socket '" << name << "'";
|
2009-03-04 04:32:55 +01:00
|
|
|
}
|
|
|
|
|
2017-08-10 21:22:44 +02:00
|
|
|
std::string secontext;
|
|
|
|
if (SelabelLookupFileContext(addr.sun_path, S_IFSOCK, &secontext) && !secontext.empty()) {
|
|
|
|
setfscreatecon(secontext.c_str());
|
2012-01-13 14:48:47 +01:00
|
|
|
}
|
|
|
|
|
2017-05-05 23:44:35 +02:00
|
|
|
if (passcred) {
|
|
|
|
int on = 1;
|
2022-12-03 03:48:15 +01:00
|
|
|
if (setsockopt(fd.get(), SOL_SOCKET, SO_PASSCRED, &on, sizeof(on))) {
|
2019-07-09 22:33:36 +02:00
|
|
|
return ErrnoError() << "Failed to set SO_PASSCRED '" << name << "'";
|
2017-05-05 23:44:35 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-12-03 03:48:15 +01:00
|
|
|
int ret = bind(fd.get(), (struct sockaddr*)&addr, sizeof(addr));
|
2016-11-07 19:16:53 +01:00
|
|
|
int savederrno = errno;
|
2009-03-04 04:32:55 +01:00
|
|
|
|
2017-08-10 21:22:44 +02:00
|
|
|
if (!secontext.empty()) {
|
|
|
|
setfscreatecon(nullptr);
|
|
|
|
}
|
2012-01-13 14:48:47 +01:00
|
|
|
|
2019-07-09 22:33:36 +02:00
|
|
|
auto guard = android::base::make_scope_guard([&addr] { unlink(addr.sun_path); });
|
|
|
|
|
2016-02-25 00:50:52 +01:00
|
|
|
if (ret) {
|
2016-11-07 19:16:53 +01:00
|
|
|
errno = savederrno;
|
2019-07-09 22:33:36 +02:00
|
|
|
return ErrnoError() << "Failed to bind socket '" << name << "'";
|
2016-02-25 00:50:52 +01:00
|
|
|
}
|
|
|
|
|
2016-11-07 19:16:53 +01:00
|
|
|
if (lchown(addr.sun_path, uid, gid)) {
|
2019-07-09 22:33:36 +02:00
|
|
|
return ErrnoError() << "Failed to lchown socket '" << addr.sun_path << "'";
|
2016-02-25 00:50:52 +01:00
|
|
|
}
|
2016-11-07 19:16:53 +01:00
|
|
|
if (fchmodat(AT_FDCWD, addr.sun_path, perm, AT_SYMLINK_NOFOLLOW)) {
|
2019-07-09 22:33:36 +02:00
|
|
|
return ErrnoError() << "Failed to fchmodat socket '" << addr.sun_path << "'";
|
2016-02-25 00:50:52 +01:00
|
|
|
}
|
2022-12-03 03:48:15 +01:00
|
|
|
if (should_listen && listen(fd.get(), /* use OS maximum */ 1 << 30)) {
|
init: Add option to listen on sockets before starting service.
Review note: Original change was a p-o-c by agl in
https://r.android.com/2094350 which I think is actually
production quality. I'm just taking it over so that he doesn't
get spammed by any review comments as that's not a good use
of his time.
Needed for the hardware entropy daemon (see bug).
Original commit message:
If one needs to create a service that synchronously starts listening on
a socket then there are currently no good options.
The traditional UNIX solution is to have the service create the socket
and then daemonise. In this situation, init could start the service with
`exec_start` and yet not block forever because the service forks and
exits. However, when the initial child process exits, init kills the
daemon process:
> init: Killed 1 additional processes from a oneshot process group for
> service 'foo'. This is new behavior, previously child processes
> would not be killed in this case.
Next, there is a `socket` option for services and (although the
documentation didn't nail this down), the socket is created
synchronously by `start`. However, init doesn't call `listen` on the
socket so, until the service starts listening on the socket itself,
clients will get ECONNREFUSED.
This this change adds a `+listen` option, similar to `+passcred` which
allows a socket service to reliably handle connections.
Bug: 243933553
Test: Started prng_seeder from init using the new listen flag
Change-Id: I91b3b2b1fd38cc3d96e19e92b76c8e95788191d5
2022-05-12 00:32:47 +02:00
|
|
|
return ErrnoError() << "Failed to listen on socket '" << addr.sun_path << "'";
|
|
|
|
}
|
2009-03-04 04:32:55 +01:00
|
|
|
|
2016-06-25 00:12:21 +02:00
|
|
|
LOG(INFO) << "Created socket '" << addr.sun_path << "'"
|
|
|
|
<< ", mode " << std::oct << perm << std::dec
|
|
|
|
<< ", user " << uid
|
|
|
|
<< ", group " << gid;
|
2009-03-04 04:32:55 +01:00
|
|
|
|
2019-07-09 22:33:36 +02:00
|
|
|
guard.Disable();
|
2016-11-07 19:16:53 +01:00
|
|
|
return fd.release();
|
2009-03-04 04:32:55 +01:00
|
|
|
}
|
|
|
|
|
2017-08-03 21:54:07 +02:00
|
|
|
Result<std::string> ReadFile(const std::string& path) {
|
2017-04-01 00:47:33 +02:00
|
|
|
android::base::unique_fd fd(
|
|
|
|
TEMP_FAILURE_RETRY(open(path.c_str(), O_RDONLY | O_NOFOLLOW | O_CLOEXEC)));
|
2015-02-06 21:19:48 +01:00
|
|
|
if (fd == -1) {
|
2017-08-03 21:54:07 +02:00
|
|
|
return ErrnoError() << "open() failed";
|
2015-02-06 21:19:48 +01:00
|
|
|
}
|
2009-03-04 04:32:55 +01:00
|
|
|
|
2015-02-06 21:19:48 +01:00
|
|
|
// For security reasons, disallow world-writable
|
|
|
|
// or group-writable files.
|
|
|
|
struct stat sb;
|
2022-12-03 03:48:15 +01:00
|
|
|
if (fstat(fd.get(), &sb) == -1) {
|
2017-08-03 21:54:07 +02:00
|
|
|
return ErrnoError() << "fstat failed()";
|
2012-01-18 19:39:01 +01:00
|
|
|
}
|
|
|
|
if ((sb.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
|
2017-08-03 21:54:07 +02:00
|
|
|
return Error() << "Skipping insecure file";
|
2012-01-18 19:39:01 +01:00
|
|
|
}
|
|
|
|
|
2017-08-03 21:54:07 +02:00
|
|
|
std::string content;
|
|
|
|
if (!android::base::ReadFdToString(fd, &content)) {
|
|
|
|
return ErrnoError() << "Unable to read file contents";
|
2017-05-05 03:17:33 +02:00
|
|
|
}
|
2017-08-03 21:54:07 +02:00
|
|
|
return content;
|
2015-02-06 21:19:48 +01:00
|
|
|
}
|
2009-03-04 04:32:55 +01:00
|
|
|
|
2017-11-27 23:45:26 +01:00
|
|
|
static int OpenFile(const std::string& path, int flags, mode_t mode) {
|
|
|
|
std::string secontext;
|
|
|
|
if (SelabelLookupFileContext(path, mode, &secontext) && !secontext.empty()) {
|
|
|
|
setfscreatecon(secontext.c_str());
|
|
|
|
}
|
|
|
|
|
|
|
|
int rc = open(path.c_str(), flags, mode);
|
|
|
|
|
|
|
|
if (!secontext.empty()) {
|
|
|
|
int save_errno = errno;
|
|
|
|
setfscreatecon(nullptr);
|
|
|
|
errno = save_errno;
|
|
|
|
}
|
|
|
|
|
|
|
|
return rc;
|
|
|
|
}
|
|
|
|
|
2019-06-10 20:08:01 +02:00
|
|
|
Result<void> WriteFile(const std::string& path, const std::string& content) {
|
2016-12-28 09:06:19 +01:00
|
|
|
android::base::unique_fd fd(TEMP_FAILURE_RETRY(
|
2017-11-27 23:45:26 +01:00
|
|
|
OpenFile(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_TRUNC | O_CLOEXEC, 0600)));
|
2015-02-06 21:19:48 +01:00
|
|
|
if (fd == -1) {
|
2017-08-03 21:54:07 +02:00
|
|
|
return ErrnoError() << "open() failed";
|
2015-04-25 23:10:03 +02:00
|
|
|
}
|
2017-05-05 03:17:33 +02:00
|
|
|
if (!android::base::WriteStringToFd(content, fd)) {
|
2017-08-03 21:54:07 +02:00
|
|
|
return ErrnoError() << "Unable to write file contents";
|
2015-02-06 21:19:48 +01:00
|
|
|
}
|
2019-06-10 20:08:01 +02:00
|
|
|
return {};
|
2009-03-04 04:32:55 +01:00
|
|
|
}
|
|
|
|
|
2017-08-10 21:22:44 +02:00
|
|
|
bool mkdir_recursive(const std::string& path, mode_t mode) {
|
2017-04-12 23:27:51 +02:00
|
|
|
std::string::size_type slash = 0;
|
|
|
|
while ((slash = path.find('/', slash + 1)) != std::string::npos) {
|
|
|
|
auto directory = path.substr(0, slash);
|
|
|
|
struct stat info;
|
|
|
|
if (stat(directory.c_str(), &info) != 0) {
|
2017-08-10 21:22:44 +02:00
|
|
|
auto ret = make_dir(directory, mode);
|
|
|
|
if (!ret && errno != EEXIST) return false;
|
2010-04-09 01:16:20 +02:00
|
|
|
}
|
|
|
|
}
|
2017-08-10 21:22:44 +02:00
|
|
|
auto ret = make_dir(path, mode);
|
|
|
|
if (!ret && errno != EEXIST) return false;
|
|
|
|
return true;
|
2010-04-09 01:16:20 +02:00
|
|
|
}
|
|
|
|
|
2016-11-11 02:43:47 +01:00
|
|
|
int wait_for_file(const char* filename, std::chrono::nanoseconds timeout) {
|
2017-08-22 21:07:37 +02:00
|
|
|
android::base::Timer t;
|
|
|
|
while (t.duration() < timeout) {
|
2016-11-11 02:43:47 +01:00
|
|
|
struct stat sb;
|
2017-08-22 21:07:37 +02:00
|
|
|
if (stat(filename, &sb) != -1) {
|
|
|
|
LOG(INFO) << "wait for '" << filename << "' took " << t;
|
|
|
|
return 0;
|
|
|
|
}
|
2016-11-15 02:08:47 +01:00
|
|
|
std::this_thread::sleep_for(10ms);
|
2016-11-11 02:43:47 +01:00
|
|
|
}
|
2017-08-22 21:07:37 +02:00
|
|
|
LOG(WARNING) << "wait for '" << filename << "' timed out and took " << t;
|
2016-11-11 02:43:47 +01:00
|
|
|
return -1;
|
2010-04-20 02:10:24 +02:00
|
|
|
}
|
2010-04-21 21:04:20 +02:00
|
|
|
|
2019-08-20 00:21:25 +02:00
|
|
|
void ImportKernelCmdline(const std::function<void(const std::string&, const std::string&)>& fn) {
|
2015-05-07 04:19:24 +02:00
|
|
|
std::string cmdline;
|
|
|
|
android::base::ReadFileToString("/proc/cmdline", &cmdline);
|
2011-09-28 18:55:31 +02:00
|
|
|
|
2015-05-07 04:19:24 +02:00
|
|
|
for (const auto& entry : android::base::Split(android::base::Trim(cmdline), " ")) {
|
|
|
|
std::vector<std::string> pieces = android::base::Split(entry, "=");
|
|
|
|
if (pieces.size() == 2) {
|
2019-08-20 00:21:25 +02:00
|
|
|
fn(pieces[0], pieces[1]);
|
2015-05-07 04:19:24 +02:00
|
|
|
}
|
2011-09-28 18:55:31 +02:00
|
|
|
}
|
|
|
|
}
|
2012-06-11 19:37:39 +02:00
|
|
|
|
2020-12-16 01:14:37 +01:00
|
|
|
void ImportBootconfig(const std::function<void(const std::string&, const std::string&)>& fn) {
|
|
|
|
std::string bootconfig;
|
|
|
|
android::base::ReadFileToString("/proc/bootconfig", &bootconfig);
|
|
|
|
|
|
|
|
for (const auto& entry : android::base::Split(bootconfig, "\n")) {
|
|
|
|
std::vector<std::string> pieces = android::base::Split(entry, "=");
|
|
|
|
if (pieces.size() == 2) {
|
init: remove extra space in list of bootconfig values
If a bootconfig argument has a list of values, it has a space between
them in /proc/bootconfig.
Example:
BOARD_BOOTCONFIG := parameter=value1,value2,value3
In /proc/bootconfig, it looks like:
parameter = "value1", "value2", "value3"
Before this CL, that example would end up with the value string of:
"value1, value2, value3"
To keep consistent behavior with kernel cmdline the value string should be:
"value1,value2,value3"
Test: Boot cuttlefish with test bootconfig params and verify ro.boot.*
Bug: 192257482
Change-Id: Iccdec451f53330162fa2c9ad2b7c2630f32b4168
2021-07-08 01:34:06 +02:00
|
|
|
// get rid of the extra space between a list of values and remove the quotes.
|
|
|
|
std::string value = android::base::StringReplace(pieces[1], "\", \"", ",", true);
|
|
|
|
value.erase(std::remove(value.begin(), value.end(), '"'), value.end());
|
|
|
|
fn(android::base::Trim(pieces[0]), android::base::Trim(value));
|
2020-12-16 01:14:37 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-08-10 21:22:44 +02:00
|
|
|
bool make_dir(const std::string& path, mode_t mode) {
|
|
|
|
std::string secontext;
|
|
|
|
if (SelabelLookupFileContext(path, mode, &secontext) && !secontext.empty()) {
|
|
|
|
setfscreatecon(secontext.c_str());
|
2012-06-11 19:37:39 +02:00
|
|
|
}
|
|
|
|
|
2017-08-10 21:22:44 +02:00
|
|
|
int rc = mkdir(path.c_str(), mode);
|
2012-06-11 19:37:39 +02:00
|
|
|
|
2017-08-10 21:22:44 +02:00
|
|
|
if (!secontext.empty()) {
|
2012-06-11 19:37:39 +02:00
|
|
|
int save_errno = errno;
|
2017-08-10 21:22:44 +02:00
|
|
|
setfscreatecon(nullptr);
|
2012-06-11 19:37:39 +02:00
|
|
|
errno = save_errno;
|
|
|
|
}
|
2012-10-17 08:07:05 +02:00
|
|
|
|
2017-08-10 21:22:44 +02:00
|
|
|
return rc == 0;
|
2012-06-11 19:37:39 +02:00
|
|
|
}
|
|
|
|
|
2015-07-25 01:57:14 +02:00
|
|
|
/*
|
|
|
|
* Returns true is pathname is a directory
|
|
|
|
*/
|
|
|
|
bool is_dir(const char* pathname) {
|
|
|
|
struct stat info;
|
|
|
|
if (stat(pathname, &info) == -1) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
return S_ISDIR(info.st_mode);
|
|
|
|
}
|
2015-08-26 20:43:36 +02:00
|
|
|
|
2019-07-31 22:59:15 +02:00
|
|
|
Result<std::string> ExpandProps(const std::string& src) {
|
2015-08-26 20:43:36 +02:00
|
|
|
const char* src_ptr = src.c_str();
|
|
|
|
|
2019-07-31 22:59:15 +02:00
|
|
|
std::string dst;
|
2015-08-26 20:43:36 +02:00
|
|
|
|
|
|
|
/* - variables can either be $x.y or ${x.y}, in case they are only part
|
|
|
|
* of the string.
|
|
|
|
* - will accept $$ as a literal $.
|
|
|
|
* - no nested property expansion, i.e. ${foo.${bar}} is not supported,
|
|
|
|
* bad things will happen
|
2016-06-07 17:49:01 +02:00
|
|
|
* - ${x.y:-default} will return default value if property empty.
|
2015-08-26 20:43:36 +02:00
|
|
|
*/
|
|
|
|
while (*src_ptr) {
|
|
|
|
const char* c;
|
|
|
|
|
|
|
|
c = strchr(src_ptr, '$');
|
|
|
|
if (!c) {
|
2019-07-31 22:59:15 +02:00
|
|
|
dst.append(src_ptr);
|
|
|
|
return dst;
|
2015-08-26 20:43:36 +02:00
|
|
|
}
|
|
|
|
|
2019-07-31 22:59:15 +02:00
|
|
|
dst.append(src_ptr, c);
|
2015-08-26 20:43:36 +02:00
|
|
|
c++;
|
|
|
|
|
|
|
|
if (*c == '$') {
|
2019-07-31 22:59:15 +02:00
|
|
|
dst.push_back(*(c++));
|
2015-08-26 20:43:36 +02:00
|
|
|
src_ptr = c;
|
|
|
|
continue;
|
|
|
|
} else if (*c == '\0') {
|
2019-07-31 22:59:15 +02:00
|
|
|
return dst;
|
2015-08-26 20:43:36 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
std::string prop_name;
|
2016-06-07 17:49:01 +02:00
|
|
|
std::string def_val;
|
2015-08-26 20:43:36 +02:00
|
|
|
if (*c == '{') {
|
|
|
|
c++;
|
|
|
|
const char* end = strchr(c, '}');
|
|
|
|
if (!end) {
|
|
|
|
// failed to find closing brace, abort.
|
2019-07-31 22:59:15 +02:00
|
|
|
return Error() << "unexpected end of string in '" << src << "', looking for }";
|
2015-08-26 20:43:36 +02:00
|
|
|
}
|
|
|
|
prop_name = std::string(c, end);
|
|
|
|
c = end + 1;
|
2016-06-07 17:49:01 +02:00
|
|
|
size_t def = prop_name.find(":-");
|
|
|
|
if (def < prop_name.size()) {
|
|
|
|
def_val = prop_name.substr(def + 2);
|
|
|
|
prop_name = prop_name.substr(0, def);
|
|
|
|
}
|
2015-08-26 20:43:36 +02:00
|
|
|
} else {
|
|
|
|
prop_name = c;
|
2019-07-31 22:59:15 +02:00
|
|
|
if (SelinuxGetVendorAndroidVersion() >= __ANDROID_API_R__) {
|
|
|
|
return Error() << "using deprecated syntax for specifying property '" << c
|
|
|
|
<< "', use ${name} instead";
|
|
|
|
} else {
|
|
|
|
LOG(ERROR) << "using deprecated syntax for specifying property '" << c
|
|
|
|
<< "', use ${name} instead";
|
|
|
|
}
|
2015-08-26 20:43:36 +02:00
|
|
|
c += prop_name.size();
|
|
|
|
}
|
|
|
|
|
|
|
|
if (prop_name.empty()) {
|
2019-07-31 22:59:15 +02:00
|
|
|
return Error() << "invalid zero-length property name in '" << src << "'";
|
2015-08-26 20:43:36 +02:00
|
|
|
}
|
|
|
|
|
2017-03-29 01:40:41 +02:00
|
|
|
std::string prop_val = android::base::GetProperty(prop_name, "");
|
2015-08-26 20:43:36 +02:00
|
|
|
if (prop_val.empty()) {
|
2016-06-07 17:49:01 +02:00
|
|
|
if (def_val.empty()) {
|
2019-07-31 22:59:15 +02:00
|
|
|
return Error() << "property '" << prop_name << "' doesn't exist while expanding '"
|
|
|
|
<< src << "'";
|
2016-06-07 17:49:01 +02:00
|
|
|
}
|
|
|
|
prop_val = def_val;
|
2015-08-26 20:43:36 +02:00
|
|
|
}
|
|
|
|
|
2019-07-31 22:59:15 +02:00
|
|
|
dst.append(prop_val);
|
2015-08-26 20:43:36 +02:00
|
|
|
src_ptr = c;
|
|
|
|
}
|
|
|
|
|
2019-07-31 22:59:15 +02:00
|
|
|
return dst;
|
2015-08-26 20:43:36 +02:00
|
|
|
}
|
2016-11-29 20:20:58 +01:00
|
|
|
|
Allow the use of a custom Android DT directory
On platforms that use ACPI instead of Device Tree (DT), such as
Ranchu x86/x86_64, /proc/device-tree/firmware/android/ does not
exist. As a result, Android O is unable to mount /system, etc.
at the first stage of init:
init: First stage mount skipped (missing/incompatible fstab in
device tree)
Those platforms may create another directory that mimics the layout
of the standard DT directory in procfs, and store early mount
configuration there. E.g., Ranchu x86/x86_64 creates one in sysfs
using information encoded in the ACPI tables:
https://android-review.googlesource.com/442472
https://android-review.googlesource.com/443432
https://android-review.googlesource.com/442393
https://android-review.googlesource.com/442395
Therefore, instead of hardcoding the Android DT path, load it from
the kernel command line using a new Android-specific property key
("androidboot.android_dt_dir"). If no such property exists, fall
back to the standard procfs path (so no change is needed for DT-
aware platforms).
Note that init/ and fs_mgr/ each have their own copy of the Android
DT path, because they do not share any global state. A future CL
should remove the duplication by refactoring.
With this CL as well as the above ones, the said warning is gone,
but early mount fails. That is a separate bug, though, and will be
addressed by another CL.
Test: Boot patched sdk_phone_x86-userdebug system image with patched
Goldfish 3.18 x86 kernel in patched Android Emulator, verify
the "init: First stage mount skipped" warning no longer shows
in dmesg.
Change-Id: Ib6df577319503ec1ca778de2b5458cc72ce07415
Signed-off-by: Yu Ning <yu.ning@intel.com>
2017-07-26 11:54:08 +02:00
|
|
|
static std::string init_android_dt_dir() {
|
|
|
|
// Use the standard procfs-based path by default
|
|
|
|
std::string android_dt_dir = kDefaultAndroidDtDir;
|
|
|
|
// The platform may specify a custom Android DT path in kernel cmdline
|
2019-08-20 00:21:25 +02:00
|
|
|
ImportKernelCmdline([&](const std::string& key, const std::string& value) {
|
|
|
|
if (key == "androidboot.android_dt_dir") {
|
|
|
|
android_dt_dir = value;
|
|
|
|
}
|
|
|
|
});
|
2021-03-09 20:01:10 +01:00
|
|
|
// ..Or bootconfig
|
|
|
|
if (android_dt_dir == kDefaultAndroidDtDir) {
|
|
|
|
ImportBootconfig([&](const std::string& key, const std::string& value) {
|
|
|
|
if (key == "androidboot.android_dt_dir") {
|
|
|
|
android_dt_dir = value;
|
|
|
|
}
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
Allow the use of a custom Android DT directory
On platforms that use ACPI instead of Device Tree (DT), such as
Ranchu x86/x86_64, /proc/device-tree/firmware/android/ does not
exist. As a result, Android O is unable to mount /system, etc.
at the first stage of init:
init: First stage mount skipped (missing/incompatible fstab in
device tree)
Those platforms may create another directory that mimics the layout
of the standard DT directory in procfs, and store early mount
configuration there. E.g., Ranchu x86/x86_64 creates one in sysfs
using information encoded in the ACPI tables:
https://android-review.googlesource.com/442472
https://android-review.googlesource.com/443432
https://android-review.googlesource.com/442393
https://android-review.googlesource.com/442395
Therefore, instead of hardcoding the Android DT path, load it from
the kernel command line using a new Android-specific property key
("androidboot.android_dt_dir"). If no such property exists, fall
back to the standard procfs path (so no change is needed for DT-
aware platforms).
Note that init/ and fs_mgr/ each have their own copy of the Android
DT path, because they do not share any global state. A future CL
should remove the duplication by refactoring.
With this CL as well as the above ones, the said warning is gone,
but early mount fails. That is a separate bug, though, and will be
addressed by another CL.
Test: Boot patched sdk_phone_x86-userdebug system image with patched
Goldfish 3.18 x86 kernel in patched Android Emulator, verify
the "init: First stage mount skipped" warning no longer shows
in dmesg.
Change-Id: Ib6df577319503ec1ca778de2b5458cc72ce07415
Signed-off-by: Yu Ning <yu.ning@intel.com>
2017-07-26 11:54:08 +02:00
|
|
|
LOG(INFO) << "Using Android DT directory " << android_dt_dir;
|
|
|
|
return android_dt_dir;
|
|
|
|
}
|
|
|
|
|
|
|
|
// FIXME: The same logic is duplicated in system/core/fs_mgr/
|
|
|
|
const std::string& get_android_dt_dir() {
|
|
|
|
// Set once and saves time for subsequent calls to this function
|
|
|
|
static const std::string kAndroidDtDir = init_android_dt_dir();
|
|
|
|
return kAndroidDtDir;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Reads the content of device tree file under the platform's Android DT directory.
|
2017-04-17 16:17:09 +02:00
|
|
|
// Returns true if the read is success, false otherwise.
|
|
|
|
bool read_android_dt_file(const std::string& sub_path, std::string* dt_content) {
|
Allow the use of a custom Android DT directory
On platforms that use ACPI instead of Device Tree (DT), such as
Ranchu x86/x86_64, /proc/device-tree/firmware/android/ does not
exist. As a result, Android O is unable to mount /system, etc.
at the first stage of init:
init: First stage mount skipped (missing/incompatible fstab in
device tree)
Those platforms may create another directory that mimics the layout
of the standard DT directory in procfs, and store early mount
configuration there. E.g., Ranchu x86/x86_64 creates one in sysfs
using information encoded in the ACPI tables:
https://android-review.googlesource.com/442472
https://android-review.googlesource.com/443432
https://android-review.googlesource.com/442393
https://android-review.googlesource.com/442395
Therefore, instead of hardcoding the Android DT path, load it from
the kernel command line using a new Android-specific property key
("androidboot.android_dt_dir"). If no such property exists, fall
back to the standard procfs path (so no change is needed for DT-
aware platforms).
Note that init/ and fs_mgr/ each have their own copy of the Android
DT path, because they do not share any global state. A future CL
should remove the duplication by refactoring.
With this CL as well as the above ones, the said warning is gone,
but early mount fails. That is a separate bug, though, and will be
addressed by another CL.
Test: Boot patched sdk_phone_x86-userdebug system image with patched
Goldfish 3.18 x86 kernel in patched Android Emulator, verify
the "init: First stage mount skipped" warning no longer shows
in dmesg.
Change-Id: Ib6df577319503ec1ca778de2b5458cc72ce07415
Signed-off-by: Yu Ning <yu.ning@intel.com>
2017-07-26 11:54:08 +02:00
|
|
|
const std::string file_name = get_android_dt_dir() + sub_path;
|
2017-04-17 16:17:09 +02:00
|
|
|
if (android::base::ReadFileToString(file_name, dt_content)) {
|
|
|
|
if (!dt_content->empty()) {
|
|
|
|
dt_content->pop_back(); // Trims the trailing '\0' out.
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
bool is_android_dt_value_expected(const std::string& sub_path, const std::string& expected_content) {
|
|
|
|
std::string dt_content;
|
|
|
|
if (read_android_dt_file(sub_path, &dt_content)) {
|
|
|
|
if (dt_content == expected_content) {
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
}
|
2017-06-22 21:53:17 +02:00
|
|
|
|
2018-02-14 01:50:08 +01:00
|
|
|
bool IsLegalPropertyName(const std::string& name) {
|
|
|
|
size_t namelen = name.size();
|
|
|
|
|
|
|
|
if (namelen < 1) return false;
|
|
|
|
if (name[0] == '.') return false;
|
|
|
|
if (name[namelen - 1] == '.') return false;
|
|
|
|
|
|
|
|
/* Only allow alphanumeric, plus '.', '-', '@', ':', or '_' */
|
|
|
|
/* Don't allow ".." to appear in a property name */
|
|
|
|
for (size_t i = 0; i < namelen; i++) {
|
|
|
|
if (name[i] == '.') {
|
|
|
|
// i=0 is guaranteed to never have a dot. See above.
|
|
|
|
if (name[i - 1] == '.') return false;
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
if (name[i] == '_' || name[i] == '-' || name[i] == '@' || name[i] == ':') continue;
|
|
|
|
if (name[i] >= 'a' && name[i] <= 'z') continue;
|
|
|
|
if (name[i] >= 'A' && name[i] <= 'Z') continue;
|
|
|
|
if (name[i] >= '0' && name[i] <= '9') continue;
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2019-07-30 18:34:41 +02:00
|
|
|
Result<void> IsLegalPropertyValue(const std::string& name, const std::string& value) {
|
|
|
|
if (value.size() >= PROP_VALUE_MAX && !StartsWith(name, "ro.")) {
|
|
|
|
return Error() << "Property value too long";
|
|
|
|
}
|
|
|
|
|
|
|
|
if (mbstowcs(nullptr, value.data(), 0) == static_cast<std::size_t>(-1)) {
|
|
|
|
return Error() << "Value is not a UTF8 encoded string";
|
|
|
|
}
|
|
|
|
|
|
|
|
return {};
|
|
|
|
}
|
|
|
|
|
init: fix mkdir to reliably detect top-level /data directories
To determine the default encryption action, the mkdir command checks
whether the given path is a top-level directory of /data. However, it
assumed a path without any duplicate slashes or trailing slash(es).
While everyone *should* be providing paths without unnecessary slashes,
it is not guaranteed, as paths with unnecessary slashes still work
correctly for all other parts of the mkdir command, including the
SELinux label lookup and the actual directory creation. In particular,
the /data/fonts directory is being created using 'mkdir /data/fonts/'.
The effect is that the mkdir command thinks that /data/fonts/ is *not* a
top-level directory of /data, so it defaults to no encryption action.
Fortunately, the full command happens to use "encryption=Require", so we
dodged a bullet there, though the warning "Inferred action different
from explicit one" is still triggered.
There are a few approaches we could take here, including even just
fixing the /data/fonts/ command specifically, but I think the best
solution is to have mkdir clean its path at the very beginning. This
retains the Linux path semantics that people expect, while avoiding
surprises in path processing afterwards. This CL implements that.
Note, this CL intentionally changes the behavior of, and thus would
break, any existing cases where mkdir is used to create a top-level
/data directory using a path with unnecessary slashes and without using
an explicit encryption action. There are no known cases where this
already occurs, however. No cases exist in platform code, and vendor
init scripts shouldn't be creating top-level /data directories anyway.
Test: atest CtsInitTestCases
Test: Booted and verified that a trailing slash is no longer present in
the log message "Verified that /data/fonts/ has the encryption
policy ...". Also verified that the message "Inferred action
different ..." is no longer present just above it.
Bug: 232554803
Change-Id: Ie55c3ac1a2b1cf50632d54a1e565cb98c17b2a6a
2022-05-13 21:11:42 +02:00
|
|
|
// Remove unnecessary slashes so that any later checks (e.g., the check for
|
|
|
|
// whether the path is a top-level directory in /data) don't get confused.
|
|
|
|
std::string CleanDirPath(const std::string& path) {
|
|
|
|
std::string result;
|
|
|
|
result.reserve(path.length());
|
|
|
|
// Collapse duplicate slashes, e.g. //data//foo// => /data/foo/
|
|
|
|
for (char c : path) {
|
|
|
|
if (c != '/' || result.empty() || result.back() != '/') {
|
|
|
|
result += c;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
// Remove trailing slash, e.g. /data/foo/ => /data/foo
|
|
|
|
if (result.length() > 1 && result.back() == '/') {
|
|
|
|
result.pop_back();
|
|
|
|
}
|
|
|
|
return result;
|
|
|
|
}
|
|
|
|
|
2019-10-28 15:55:03 +01:00
|
|
|
Result<MkdirOptions> ParseMkdir(const std::vector<std::string>& args) {
|
init: fix mkdir to reliably detect top-level /data directories
To determine the default encryption action, the mkdir command checks
whether the given path is a top-level directory of /data. However, it
assumed a path without any duplicate slashes or trailing slash(es).
While everyone *should* be providing paths without unnecessary slashes,
it is not guaranteed, as paths with unnecessary slashes still work
correctly for all other parts of the mkdir command, including the
SELinux label lookup and the actual directory creation. In particular,
the /data/fonts directory is being created using 'mkdir /data/fonts/'.
The effect is that the mkdir command thinks that /data/fonts/ is *not* a
top-level directory of /data, so it defaults to no encryption action.
Fortunately, the full command happens to use "encryption=Require", so we
dodged a bullet there, though the warning "Inferred action different
from explicit one" is still triggered.
There are a few approaches we could take here, including even just
fixing the /data/fonts/ command specifically, but I think the best
solution is to have mkdir clean its path at the very beginning. This
retains the Linux path semantics that people expect, while avoiding
surprises in path processing afterwards. This CL implements that.
Note, this CL intentionally changes the behavior of, and thus would
break, any existing cases where mkdir is used to create a top-level
/data directory using a path with unnecessary slashes and without using
an explicit encryption action. There are no known cases where this
already occurs, however. No cases exist in platform code, and vendor
init scripts shouldn't be creating top-level /data directories anyway.
Test: atest CtsInitTestCases
Test: Booted and verified that a trailing slash is no longer present in
the log message "Verified that /data/fonts/ has the encryption
policy ...". Also verified that the message "Inferred action
different ..." is no longer present just above it.
Bug: 232554803
Change-Id: Ie55c3ac1a2b1cf50632d54a1e565cb98c17b2a6a
2022-05-13 21:11:42 +02:00
|
|
|
std::string path = CleanDirPath(args[1]);
|
2022-05-13 21:40:09 +02:00
|
|
|
const bool is_toplevel_data_dir =
|
|
|
|
StartsWith(path, kDataDirPrefix) &&
|
|
|
|
path.find_first_of('/', kDataDirPrefix.size()) == std::string::npos;
|
|
|
|
FscryptAction fscrypt_action =
|
|
|
|
is_toplevel_data_dir ? FscryptAction::kRequire : FscryptAction::kNone;
|
2019-10-28 15:55:03 +01:00
|
|
|
mode_t mode = 0755;
|
|
|
|
Result<uid_t> uid = -1;
|
|
|
|
Result<gid_t> gid = -1;
|
|
|
|
std::string ref_option = "ref";
|
|
|
|
bool set_option_encryption = false;
|
|
|
|
bool set_option_key = false;
|
|
|
|
|
|
|
|
for (size_t i = 2; i < args.size(); i++) {
|
|
|
|
switch (i) {
|
|
|
|
case 2:
|
|
|
|
mode = std::strtoul(args[2].c_str(), 0, 8);
|
|
|
|
break;
|
|
|
|
case 3:
|
|
|
|
uid = DecodeUid(args[3]);
|
2020-02-05 19:49:33 +01:00
|
|
|
if (!uid.ok()) {
|
2019-10-28 15:55:03 +01:00
|
|
|
return Error()
|
|
|
|
<< "Unable to decode UID for '" << args[3] << "': " << uid.error();
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case 4:
|
|
|
|
gid = DecodeUid(args[4]);
|
2020-02-05 19:49:33 +01:00
|
|
|
if (!gid.ok()) {
|
2019-10-28 15:55:03 +01:00
|
|
|
return Error()
|
|
|
|
<< "Unable to decode GID for '" << args[4] << "': " << gid.error();
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
auto parts = android::base::Split(args[i], "=");
|
|
|
|
if (parts.size() != 2) {
|
|
|
|
return Error() << "Can't parse option: '" << args[i] << "'";
|
|
|
|
}
|
|
|
|
auto optname = parts[0];
|
|
|
|
auto optval = parts[1];
|
|
|
|
if (optname == "encryption") {
|
|
|
|
if (set_option_encryption) {
|
|
|
|
return Error() << "Duplicated option: '" << optname << "'";
|
|
|
|
}
|
|
|
|
if (optval == "Require") {
|
|
|
|
fscrypt_action = FscryptAction::kRequire;
|
|
|
|
} else if (optval == "None") {
|
|
|
|
fscrypt_action = FscryptAction::kNone;
|
|
|
|
} else if (optval == "Attempt") {
|
|
|
|
fscrypt_action = FscryptAction::kAttempt;
|
|
|
|
} else if (optval == "DeleteIfNecessary") {
|
|
|
|
fscrypt_action = FscryptAction::kDeleteIfNecessary;
|
|
|
|
} else {
|
|
|
|
return Error() << "Unknown encryption option: '" << optval << "'";
|
|
|
|
}
|
|
|
|
set_option_encryption = true;
|
|
|
|
} else if (optname == "key") {
|
|
|
|
if (set_option_key) {
|
|
|
|
return Error() << "Duplicated option: '" << optname << "'";
|
|
|
|
}
|
|
|
|
if (optval == "ref" || optval == "per_boot_ref") {
|
|
|
|
ref_option = optval;
|
|
|
|
} else {
|
|
|
|
return Error() << "Unknown key option: '" << optval << "'";
|
|
|
|
}
|
|
|
|
set_option_key = true;
|
|
|
|
} else {
|
|
|
|
return Error() << "Unknown option: '" << args[i] << "'";
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (set_option_key && fscrypt_action == FscryptAction::kNone) {
|
|
|
|
return Error() << "Key option set but encryption action is none";
|
|
|
|
}
|
2022-05-13 21:40:09 +02:00
|
|
|
if (is_toplevel_data_dir) {
|
2019-10-28 15:55:03 +01:00
|
|
|
if (!set_option_encryption) {
|
init: fix mkdir to reliably detect top-level /data directories
To determine the default encryption action, the mkdir command checks
whether the given path is a top-level directory of /data. However, it
assumed a path without any duplicate slashes or trailing slash(es).
While everyone *should* be providing paths without unnecessary slashes,
it is not guaranteed, as paths with unnecessary slashes still work
correctly for all other parts of the mkdir command, including the
SELinux label lookup and the actual directory creation. In particular,
the /data/fonts directory is being created using 'mkdir /data/fonts/'.
The effect is that the mkdir command thinks that /data/fonts/ is *not* a
top-level directory of /data, so it defaults to no encryption action.
Fortunately, the full command happens to use "encryption=Require", so we
dodged a bullet there, though the warning "Inferred action different
from explicit one" is still triggered.
There are a few approaches we could take here, including even just
fixing the /data/fonts/ command specifically, but I think the best
solution is to have mkdir clean its path at the very beginning. This
retains the Linux path semantics that people expect, while avoiding
surprises in path processing afterwards. This CL implements that.
Note, this CL intentionally changes the behavior of, and thus would
break, any existing cases where mkdir is used to create a top-level
/data directory using a path with unnecessary slashes and without using
an explicit encryption action. There are no known cases where this
already occurs, however. No cases exist in platform code, and vendor
init scripts shouldn't be creating top-level /data directories anyway.
Test: atest CtsInitTestCases
Test: Booted and verified that a trailing slash is no longer present in
the log message "Verified that /data/fonts/ has the encryption
policy ...". Also verified that the message "Inferred action
different ..." is no longer present just above it.
Bug: 232554803
Change-Id: Ie55c3ac1a2b1cf50632d54a1e565cb98c17b2a6a
2022-05-13 21:11:42 +02:00
|
|
|
LOG(WARNING) << "Top-level directory needs encryption action, eg mkdir " << path
|
2019-10-28 15:55:03 +01:00
|
|
|
<< " <mode> <uid> <gid> encryption=Require";
|
|
|
|
}
|
|
|
|
if (fscrypt_action == FscryptAction::kNone) {
|
init: fix mkdir to reliably detect top-level /data directories
To determine the default encryption action, the mkdir command checks
whether the given path is a top-level directory of /data. However, it
assumed a path without any duplicate slashes or trailing slash(es).
While everyone *should* be providing paths without unnecessary slashes,
it is not guaranteed, as paths with unnecessary slashes still work
correctly for all other parts of the mkdir command, including the
SELinux label lookup and the actual directory creation. In particular,
the /data/fonts directory is being created using 'mkdir /data/fonts/'.
The effect is that the mkdir command thinks that /data/fonts/ is *not* a
top-level directory of /data, so it defaults to no encryption action.
Fortunately, the full command happens to use "encryption=Require", so we
dodged a bullet there, though the warning "Inferred action different
from explicit one" is still triggered.
There are a few approaches we could take here, including even just
fixing the /data/fonts/ command specifically, but I think the best
solution is to have mkdir clean its path at the very beginning. This
retains the Linux path semantics that people expect, while avoiding
surprises in path processing afterwards. This CL implements that.
Note, this CL intentionally changes the behavior of, and thus would
break, any existing cases where mkdir is used to create a top-level
/data directory using a path with unnecessary slashes and without using
an explicit encryption action. There are no known cases where this
already occurs, however. No cases exist in platform code, and vendor
init scripts shouldn't be creating top-level /data directories anyway.
Test: atest CtsInitTestCases
Test: Booted and verified that a trailing slash is no longer present in
the log message "Verified that /data/fonts/ has the encryption
policy ...". Also verified that the message "Inferred action
different ..." is no longer present just above it.
Bug: 232554803
Change-Id: Ie55c3ac1a2b1cf50632d54a1e565cb98c17b2a6a
2022-05-13 21:11:42 +02:00
|
|
|
LOG(INFO) << "Not setting encryption policy on: " << path;
|
2019-10-28 15:55:03 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
init: fix mkdir to reliably detect top-level /data directories
To determine the default encryption action, the mkdir command checks
whether the given path is a top-level directory of /data. However, it
assumed a path without any duplicate slashes or trailing slash(es).
While everyone *should* be providing paths without unnecessary slashes,
it is not guaranteed, as paths with unnecessary slashes still work
correctly for all other parts of the mkdir command, including the
SELinux label lookup and the actual directory creation. In particular,
the /data/fonts directory is being created using 'mkdir /data/fonts/'.
The effect is that the mkdir command thinks that /data/fonts/ is *not* a
top-level directory of /data, so it defaults to no encryption action.
Fortunately, the full command happens to use "encryption=Require", so we
dodged a bullet there, though the warning "Inferred action different
from explicit one" is still triggered.
There are a few approaches we could take here, including even just
fixing the /data/fonts/ command specifically, but I think the best
solution is to have mkdir clean its path at the very beginning. This
retains the Linux path semantics that people expect, while avoiding
surprises in path processing afterwards. This CL implements that.
Note, this CL intentionally changes the behavior of, and thus would
break, any existing cases where mkdir is used to create a top-level
/data directory using a path with unnecessary slashes and without using
an explicit encryption action. There are no known cases where this
already occurs, however. No cases exist in platform code, and vendor
init scripts shouldn't be creating top-level /data directories anyway.
Test: atest CtsInitTestCases
Test: Booted and verified that a trailing slash is no longer present in
the log message "Verified that /data/fonts/ has the encryption
policy ...". Also verified that the message "Inferred action
different ..." is no longer present just above it.
Bug: 232554803
Change-Id: Ie55c3ac1a2b1cf50632d54a1e565cb98c17b2a6a
2022-05-13 21:11:42 +02:00
|
|
|
return MkdirOptions{path, mode, *uid, *gid, fscrypt_action, ref_option};
|
2019-10-28 15:55:03 +01:00
|
|
|
}
|
|
|
|
|
Add ro.boot.fstab_suffix and modify mount_all to use it
Currently the ReadDefaultFstab function, which calls GetFstabPath,
makes some assumptions about what the fstab will be called and where
it is located. This is being used by vold to set up userdata encryption
and for gsid, and is even used in the default boot control HAL, so it
has become quite baked.
The original way for a board to specify things to mount was to use the
"mount_all /path/to/fstab" command in init.rc. However, due to the
above functionality, the path after mount_all is no longer very useful,
as it cannot differ from the inferred path, or userdata encryption and
other features will be broken.
On Cuttlefish, we have an interest in being able to test alternative
userdata configurations (ext4 vs f2fs, encryption on/off, etc.) and
currently the only way to achieve this is to either a) modify the
ro.hardware or ro.hardware.platform properties, which breaks a bunch
of things like default HAL filenames, or regenerate our odm.img or
vendor.img filesystems. We can't simply install another fstab and
point to it with "mount_all".
This change allows the fstab path to be omitted from "mount_all", and
adds another property which overrides the existing checks for
fstab.${ro.hardware} and fstab.${ro.hardware.platform}. Specifying
${ro.boot.fstab_suffix} will cause fstab.${ro.boot.fstab_suffix}
to be checked first.
Bug: 142424832
Test: booted cuttlefish with 'mount_all ${ro.hardware} --late'
Test: booted cuttlefish with 'mount_all --late'
Test: booted cuttlefish with 'mount_all --late' and fstab_suffix=f2fs
Test: partially booted cuttlefish with 'mount_all ${ro.hardware}'
Test: partially booted cuttlefish with 'mount_all'
Change-Id: I3e10f66aecfcd48bdb9ebf1d304b7aae745cbd3c
2020-05-21 01:24:00 +02:00
|
|
|
Result<MountAllOptions> ParseMountAll(const std::vector<std::string>& args) {
|
|
|
|
bool compat_mode = false;
|
|
|
|
bool import_rc = false;
|
|
|
|
if (SelinuxGetVendorAndroidVersion() <= __ANDROID_API_Q__) {
|
|
|
|
if (args.size() <= 1) {
|
|
|
|
return Error() << "mount_all requires at least 1 argument";
|
|
|
|
}
|
|
|
|
compat_mode = true;
|
|
|
|
import_rc = true;
|
|
|
|
}
|
|
|
|
|
|
|
|
std::size_t first_option_arg = args.size();
|
|
|
|
enum mount_mode mode = MOUNT_MODE_DEFAULT;
|
|
|
|
|
|
|
|
// If we are <= Q, then stop looking for non-fstab arguments at slot 2.
|
|
|
|
// Otherwise, stop looking at slot 1 (as the fstab path argument is optional >= R).
|
|
|
|
for (std::size_t na = args.size() - 1; na > (compat_mode ? 1 : 0); --na) {
|
|
|
|
if (args[na] == "--early") {
|
|
|
|
first_option_arg = na;
|
|
|
|
mode = MOUNT_MODE_EARLY;
|
|
|
|
} else if (args[na] == "--late") {
|
|
|
|
first_option_arg = na;
|
|
|
|
mode = MOUNT_MODE_LATE;
|
|
|
|
import_rc = false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
std::string fstab_path;
|
|
|
|
if (first_option_arg > 1) {
|
|
|
|
fstab_path = args[1];
|
|
|
|
} else if (compat_mode) {
|
|
|
|
return Error() << "mount_all argument 1 must be the fstab path";
|
|
|
|
}
|
|
|
|
|
|
|
|
std::vector<std::string> rc_paths;
|
|
|
|
for (std::size_t na = 2; na < first_option_arg; ++na) {
|
|
|
|
rc_paths.push_back(args[na]);
|
|
|
|
}
|
|
|
|
|
|
|
|
return MountAllOptions{rc_paths, fstab_path, mode, import_rc};
|
|
|
|
}
|
|
|
|
|
2019-07-30 18:34:41 +02:00
|
|
|
Result<std::pair<int, std::vector<std::string>>> ParseRestorecon(
|
|
|
|
const std::vector<std::string>& args) {
|
|
|
|
struct flag_type {
|
|
|
|
const char* name;
|
|
|
|
int value;
|
|
|
|
};
|
|
|
|
static const flag_type flags[] = {
|
|
|
|
{"--recursive", SELINUX_ANDROID_RESTORECON_RECURSE},
|
|
|
|
{"--skip-ce", SELINUX_ANDROID_RESTORECON_SKIPCE},
|
|
|
|
{"--cross-filesystems", SELINUX_ANDROID_RESTORECON_CROSS_FILESYSTEMS},
|
|
|
|
{0, 0}};
|
|
|
|
|
|
|
|
int flag = 0;
|
|
|
|
std::vector<std::string> paths;
|
|
|
|
|
|
|
|
bool in_flags = true;
|
|
|
|
for (size_t i = 1; i < args.size(); ++i) {
|
|
|
|
if (android::base::StartsWith(args[i], "--")) {
|
|
|
|
if (!in_flags) {
|
|
|
|
return Error() << "flags must precede paths";
|
|
|
|
}
|
|
|
|
bool found = false;
|
|
|
|
for (size_t j = 0; flags[j].name; ++j) {
|
|
|
|
if (args[i] == flags[j].name) {
|
|
|
|
flag |= flags[j].value;
|
|
|
|
found = true;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (!found) {
|
|
|
|
return Error() << "bad flag " << args[i];
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
in_flags = false;
|
|
|
|
paths.emplace_back(args[i]);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return std::pair(flag, paths);
|
|
|
|
}
|
|
|
|
|
2020-06-08 20:04:53 +02:00
|
|
|
Result<std::string> ParseSwaponAll(const std::vector<std::string>& args) {
|
|
|
|
if (args.size() <= 1) {
|
|
|
|
if (SelinuxGetVendorAndroidVersion() <= __ANDROID_API_Q__) {
|
|
|
|
return Error() << "swapon_all requires at least 1 argument";
|
|
|
|
}
|
|
|
|
return {};
|
|
|
|
}
|
|
|
|
return args[1];
|
|
|
|
}
|
|
|
|
|
Add ro.boot.fstab_suffix and modify mount_all to use it
Currently the ReadDefaultFstab function, which calls GetFstabPath,
makes some assumptions about what the fstab will be called and where
it is located. This is being used by vold to set up userdata encryption
and for gsid, and is even used in the default boot control HAL, so it
has become quite baked.
The original way for a board to specify things to mount was to use the
"mount_all /path/to/fstab" command in init.rc. However, due to the
above functionality, the path after mount_all is no longer very useful,
as it cannot differ from the inferred path, or userdata encryption and
other features will be broken.
On Cuttlefish, we have an interest in being able to test alternative
userdata configurations (ext4 vs f2fs, encryption on/off, etc.) and
currently the only way to achieve this is to either a) modify the
ro.hardware or ro.hardware.platform properties, which breaks a bunch
of things like default HAL filenames, or regenerate our odm.img or
vendor.img filesystems. We can't simply install another fstab and
point to it with "mount_all".
This change allows the fstab path to be omitted from "mount_all", and
adds another property which overrides the existing checks for
fstab.${ro.hardware} and fstab.${ro.hardware.platform}. Specifying
${ro.boot.fstab_suffix} will cause fstab.${ro.boot.fstab_suffix}
to be checked first.
Bug: 142424832
Test: booted cuttlefish with 'mount_all ${ro.hardware} --late'
Test: booted cuttlefish with 'mount_all --late'
Test: booted cuttlefish with 'mount_all --late' and fstab_suffix=f2fs
Test: partially booted cuttlefish with 'mount_all ${ro.hardware}'
Test: partially booted cuttlefish with 'mount_all'
Change-Id: I3e10f66aecfcd48bdb9ebf1d304b7aae745cbd3c
2020-05-21 01:24:00 +02:00
|
|
|
Result<std::string> ParseUmountAll(const std::vector<std::string>& args) {
|
2020-06-08 20:04:53 +02:00
|
|
|
if (args.size() <= 1) {
|
|
|
|
if (SelinuxGetVendorAndroidVersion() <= __ANDROID_API_Q__) {
|
Add ro.boot.fstab_suffix and modify mount_all to use it
Currently the ReadDefaultFstab function, which calls GetFstabPath,
makes some assumptions about what the fstab will be called and where
it is located. This is being used by vold to set up userdata encryption
and for gsid, and is even used in the default boot control HAL, so it
has become quite baked.
The original way for a board to specify things to mount was to use the
"mount_all /path/to/fstab" command in init.rc. However, due to the
above functionality, the path after mount_all is no longer very useful,
as it cannot differ from the inferred path, or userdata encryption and
other features will be broken.
On Cuttlefish, we have an interest in being able to test alternative
userdata configurations (ext4 vs f2fs, encryption on/off, etc.) and
currently the only way to achieve this is to either a) modify the
ro.hardware or ro.hardware.platform properties, which breaks a bunch
of things like default HAL filenames, or regenerate our odm.img or
vendor.img filesystems. We can't simply install another fstab and
point to it with "mount_all".
This change allows the fstab path to be omitted from "mount_all", and
adds another property which overrides the existing checks for
fstab.${ro.hardware} and fstab.${ro.hardware.platform}. Specifying
${ro.boot.fstab_suffix} will cause fstab.${ro.boot.fstab_suffix}
to be checked first.
Bug: 142424832
Test: booted cuttlefish with 'mount_all ${ro.hardware} --late'
Test: booted cuttlefish with 'mount_all --late'
Test: booted cuttlefish with 'mount_all --late' and fstab_suffix=f2fs
Test: partially booted cuttlefish with 'mount_all ${ro.hardware}'
Test: partially booted cuttlefish with 'mount_all'
Change-Id: I3e10f66aecfcd48bdb9ebf1d304b7aae745cbd3c
2020-05-21 01:24:00 +02:00
|
|
|
return Error() << "umount_all requires at least 1 argument";
|
|
|
|
}
|
2020-06-08 20:04:53 +02:00
|
|
|
return {};
|
Add ro.boot.fstab_suffix and modify mount_all to use it
Currently the ReadDefaultFstab function, which calls GetFstabPath,
makes some assumptions about what the fstab will be called and where
it is located. This is being used by vold to set up userdata encryption
and for gsid, and is even used in the default boot control HAL, so it
has become quite baked.
The original way for a board to specify things to mount was to use the
"mount_all /path/to/fstab" command in init.rc. However, due to the
above functionality, the path after mount_all is no longer very useful,
as it cannot differ from the inferred path, or userdata encryption and
other features will be broken.
On Cuttlefish, we have an interest in being able to test alternative
userdata configurations (ext4 vs f2fs, encryption on/off, etc.) and
currently the only way to achieve this is to either a) modify the
ro.hardware or ro.hardware.platform properties, which breaks a bunch
of things like default HAL filenames, or regenerate our odm.img or
vendor.img filesystems. We can't simply install another fstab and
point to it with "mount_all".
This change allows the fstab path to be omitted from "mount_all", and
adds another property which overrides the existing checks for
fstab.${ro.hardware} and fstab.${ro.hardware.platform}. Specifying
${ro.boot.fstab_suffix} will cause fstab.${ro.boot.fstab_suffix}
to be checked first.
Bug: 142424832
Test: booted cuttlefish with 'mount_all ${ro.hardware} --late'
Test: booted cuttlefish with 'mount_all --late'
Test: booted cuttlefish with 'mount_all --late' and fstab_suffix=f2fs
Test: partially booted cuttlefish with 'mount_all ${ro.hardware}'
Test: partially booted cuttlefish with 'mount_all'
Change-Id: I3e10f66aecfcd48bdb9ebf1d304b7aae745cbd3c
2020-05-21 01:24:00 +02:00
|
|
|
}
|
|
|
|
return args[1];
|
|
|
|
}
|
|
|
|
|
2019-05-28 19:19:44 +02:00
|
|
|
static void InitAborter(const char* abort_message) {
|
|
|
|
// When init forks, it continues to use this aborter for LOG(FATAL), but we want children to
|
|
|
|
// simply abort instead of trying to reboot the system.
|
|
|
|
if (getpid() != 1) {
|
|
|
|
android::base::DefaultAborter(abort_message);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2019-10-08 03:16:23 +02:00
|
|
|
InitFatalReboot(SIGABRT);
|
2019-05-28 19:19:44 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// The kernel opens /dev/console and uses that fd for stdin/stdout/stderr if there is a serial
|
|
|
|
// console enabled and no initramfs, otherwise it does not provide any fds for stdin/stdout/stderr.
|
|
|
|
// SetStdioToDevNull() is used to close these existing fds if they exist and replace them with
|
|
|
|
// /dev/null regardless.
|
|
|
|
//
|
|
|
|
// In the case that these fds are provided by the kernel, the exec of second stage init causes an
|
|
|
|
// SELinux denial as it does not have access to /dev/console. In the case that they are not
|
|
|
|
// provided, exec of any further process is potentially dangerous as the first fd's opened by that
|
|
|
|
// process will take the stdin/stdout/stderr fileno's, which can cause issues if printf(), etc is
|
|
|
|
// then used by that process.
|
|
|
|
//
|
|
|
|
// Lastly, simply calling SetStdioToDevNull() in first stage init is not enough, since first
|
|
|
|
// stage init still runs in kernel context, future child processes will not have permissions to
|
|
|
|
// access any fds that it opens, including the one opened below for /dev/null. Therefore,
|
|
|
|
// SetStdioToDevNull() must be called again in second stage init.
|
|
|
|
void SetStdioToDevNull(char** argv) {
|
init: move InitKernelLogging() to first stage init
The kernel opens /dev/console and uses that fd for stdin/stdout/stderr
if there is a serial console enabled and no initramfs, otherwise it
does not provide any fds for stdin/stdout/stderr. InitKernelLogging()
is used to close these existing fds if they exist and replace them
with /dev/null.
Currently, InitKernelLogging() is only called in second stage init,
which means that processes exec'ed from first stage init will inherit
the kernel provided fds if any are provided.
In the case that they are provided, the exec of second stage init
causes an SELinux denial as it does not have access to /dev/console.
In the case that they are not provided, exec of any further process is
potentially dangerous as the first fd's opened by that process will
take the stdin/stdout/stderr fileno's, which can cause issues if
printf(), etc is then used by that process.
Lastly, simply moving InitKernelLogging() to first stage init is not
enough, since first stage init still runs in kernel context and future
child processes will not have permissions to access kernel context
resources. Therefore, it must be done for a second time in second
stage init.
Bug: 117281017
Test: no audits when booting marlin.
Change-Id: If27edab5c32b27765e24c32fbed506ef625889de
2018-10-04 22:14:14 +02:00
|
|
|
// Make stdin/stdout/stderr all point to /dev/null.
|
2019-07-09 00:09:36 +02:00
|
|
|
int fd = open("/dev/null", O_RDWR); // NOLINT(android-cloexec-open)
|
init: move InitKernelLogging() to first stage init
The kernel opens /dev/console and uses that fd for stdin/stdout/stderr
if there is a serial console enabled and no initramfs, otherwise it
does not provide any fds for stdin/stdout/stderr. InitKernelLogging()
is used to close these existing fds if they exist and replace them
with /dev/null.
Currently, InitKernelLogging() is only called in second stage init,
which means that processes exec'ed from first stage init will inherit
the kernel provided fds if any are provided.
In the case that they are provided, the exec of second stage init
causes an SELinux denial as it does not have access to /dev/console.
In the case that they are not provided, exec of any further process is
potentially dangerous as the first fd's opened by that process will
take the stdin/stdout/stderr fileno's, which can cause issues if
printf(), etc is then used by that process.
Lastly, simply moving InitKernelLogging() to first stage init is not
enough, since first stage init still runs in kernel context and future
child processes will not have permissions to access kernel context
resources. Therefore, it must be done for a second time in second
stage init.
Bug: 117281017
Test: no audits when booting marlin.
Change-Id: If27edab5c32b27765e24c32fbed506ef625889de
2018-10-04 22:14:14 +02:00
|
|
|
if (fd == -1) {
|
|
|
|
int saved_errno = errno;
|
2019-05-28 19:19:44 +02:00
|
|
|
android::base::InitLogging(argv, &android::base::KernelLogger, InitAborter);
|
init: move InitKernelLogging() to first stage init
The kernel opens /dev/console and uses that fd for stdin/stdout/stderr
if there is a serial console enabled and no initramfs, otherwise it
does not provide any fds for stdin/stdout/stderr. InitKernelLogging()
is used to close these existing fds if they exist and replace them
with /dev/null.
Currently, InitKernelLogging() is only called in second stage init,
which means that processes exec'ed from first stage init will inherit
the kernel provided fds if any are provided.
In the case that they are provided, the exec of second stage init
causes an SELinux denial as it does not have access to /dev/console.
In the case that they are not provided, exec of any further process is
potentially dangerous as the first fd's opened by that process will
take the stdin/stdout/stderr fileno's, which can cause issues if
printf(), etc is then used by that process.
Lastly, simply moving InitKernelLogging() to first stage init is not
enough, since first stage init still runs in kernel context and future
child processes will not have permissions to access kernel context
resources. Therefore, it must be done for a second time in second
stage init.
Bug: 117281017
Test: no audits when booting marlin.
Change-Id: If27edab5c32b27765e24c32fbed506ef625889de
2018-10-04 22:14:14 +02:00
|
|
|
errno = saved_errno;
|
|
|
|
PLOG(FATAL) << "Couldn't open /dev/null";
|
|
|
|
}
|
2019-05-28 19:19:44 +02:00
|
|
|
dup2(fd, STDIN_FILENO);
|
|
|
|
dup2(fd, STDOUT_FILENO);
|
|
|
|
dup2(fd, STDERR_FILENO);
|
|
|
|
if (fd > STDERR_FILENO) close(fd);
|
|
|
|
}
|
|
|
|
|
|
|
|
void InitKernelLogging(char** argv) {
|
2019-05-21 22:53:05 +02:00
|
|
|
SetFatalRebootTarget();
|
2019-05-28 19:19:44 +02:00
|
|
|
android::base::InitLogging(argv, &android::base::KernelLogger, InitAborter);
|
init: move InitKernelLogging() to first stage init
The kernel opens /dev/console and uses that fd for stdin/stdout/stderr
if there is a serial console enabled and no initramfs, otherwise it
does not provide any fds for stdin/stdout/stderr. InitKernelLogging()
is used to close these existing fds if they exist and replace them
with /dev/null.
Currently, InitKernelLogging() is only called in second stage init,
which means that processes exec'ed from first stage init will inherit
the kernel provided fds if any are provided.
In the case that they are provided, the exec of second stage init
causes an SELinux denial as it does not have access to /dev/console.
In the case that they are not provided, exec of any further process is
potentially dangerous as the first fd's opened by that process will
take the stdin/stdout/stderr fileno's, which can cause issues if
printf(), etc is then used by that process.
Lastly, simply moving InitKernelLogging() to first stage init is not
enough, since first stage init still runs in kernel context and future
child processes will not have permissions to access kernel context
resources. Therefore, it must be done for a second time in second
stage init.
Bug: 117281017
Test: no audits when booting marlin.
Change-Id: If27edab5c32b27765e24c32fbed506ef625889de
2018-10-04 22:14:14 +02:00
|
|
|
}
|
|
|
|
|
Proper mount namespace configuration for bionic
This CL fixes the design problem of the previous mechanism for providing
the bootstrap bionic and the runtime bionic to the same path.
Previously, bootstrap bionic was self-bind-mounted; i.e.
/system/bin/libc.so is bind-mounted to itself. And the runtime bionic
was bind-mounted on top of the bootstrap bionic. This has not only caused
problems like `adb sync` not working(b/122737045), but also is quite
difficult to understand due to the double-and-self mounting.
This is the new design:
Most importantly, these four are all distinct:
1) bootstrap bionic (/system/lib/bootstrap/libc.so)
2) runtime bionic (/apex/com.android.runtime/lib/bionic/libc.so)
3) mount point for 1) and 2) (/bionic/lib/libc.so)
4) symlink for 3) (/system/lib/libc.so -> /bionic/lib/libc.so)
Inside the mount namespace of the pre-apexd processes, 1) is
bind-mounted to 3). Likewise, inside the mount namespace of the
post-apexd processes, 2) is bind-mounted to 3). In other words, there is
no self-mount, and no double-mount.
Another change is that mount points are under /bionic and the legacy
paths become symlinks to the mount points. This is to make sure that
there is no bind mounts under /system, which is breaking some apps.
Finally, code for creating mount namespaces, mounting bionic, etc are
refactored to mount_namespace.cpp
Bug: 120266448
Bug: 123275379
Test: m, device boots, adb sync/push/pull works,
especially with following paths:
/bionic/lib64/libc.so
/bionic/bin/linker64
/system/lib64/bootstrap/libc.so
/system/bin/bootstrap/linker64
Change-Id: Icdfbdcc1efca540ac854d4df79e07ee61fca559f
2019-01-16 15:00:59 +01:00
|
|
|
bool IsRecoveryMode() {
|
|
|
|
return access("/system/bin/recovery", F_OK) == 0;
|
|
|
|
}
|
|
|
|
|
2021-03-02 08:45:27 +01:00
|
|
|
// Check if default mount namespace is ready to be used with APEX modules
|
|
|
|
static bool is_default_mount_namespace_ready = false;
|
|
|
|
|
|
|
|
bool IsDefaultMountNamespaceReady() {
|
|
|
|
return is_default_mount_namespace_ready;
|
|
|
|
}
|
|
|
|
|
|
|
|
void SetDefaultMountNamespaceReady() {
|
|
|
|
is_default_mount_namespace_ready = true;
|
|
|
|
}
|
|
|
|
|
2021-09-28 09:11:26 +02:00
|
|
|
bool IsMicrodroid() {
|
|
|
|
static bool is_microdroid = android::base::GetProperty("ro.hardware", "") == "microdroid";
|
|
|
|
return is_microdroid;
|
|
|
|
}
|
|
|
|
|
2022-07-15 06:44:14 +02:00
|
|
|
bool Has32BitAbi() {
|
|
|
|
static bool has = !android::base::GetProperty("ro.product.cpu.abilist32", "").empty();
|
|
|
|
return has;
|
|
|
|
}
|
|
|
|
|
2022-07-15 00:51:10 +02:00
|
|
|
std::string GetApexNameFromFileName(const std::string& path) {
|
|
|
|
static const std::string kApexDir = "/apex/";
|
|
|
|
if (StartsWith(path, kApexDir)) {
|
|
|
|
auto begin = kApexDir.size();
|
|
|
|
auto end = path.find('/', begin);
|
|
|
|
return path.substr(begin, end - begin);
|
|
|
|
}
|
|
|
|
return "";
|
|
|
|
}
|
|
|
|
|
2022-07-22 01:05:13 +02:00
|
|
|
std::vector<std::string> FilterVersionedConfigs(const std::vector<std::string>& configs,
|
|
|
|
int active_sdk) {
|
|
|
|
std::vector<std::string> filtered_configs;
|
|
|
|
|
|
|
|
std::map<std::string, std::pair<std::string, int>> script_map;
|
|
|
|
for (const auto& c : configs) {
|
|
|
|
int sdk = 0;
|
|
|
|
const std::vector<std::string> parts = android::base::Split(c, ".");
|
|
|
|
std::string base;
|
|
|
|
if (parts.size() < 2) {
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
// parts[size()-1], aka the suffix, should be "rc" or "#rc"
|
|
|
|
// any other pattern gets discarded
|
|
|
|
|
|
|
|
const auto& suffix = parts[parts.size() - 1];
|
|
|
|
if (suffix == "rc") {
|
|
|
|
sdk = 0;
|
|
|
|
} else {
|
|
|
|
char trailer[9] = {0};
|
|
|
|
int r = sscanf(suffix.c_str(), "%d%8s", &sdk, trailer);
|
|
|
|
if (r != 2) {
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
if (strlen(trailer) > 2 || strcmp(trailer, "rc") != 0) {
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (sdk < 0 || sdk > active_sdk) {
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
base = parts[0];
|
|
|
|
for (unsigned int i = 1; i < parts.size() - 1; i++) {
|
|
|
|
base = base + "." + parts[i];
|
|
|
|
}
|
|
|
|
|
|
|
|
// is this preferred over what we already have
|
|
|
|
auto it = script_map.find(base);
|
|
|
|
if (it == script_map.end() || it->second.second < sdk) {
|
|
|
|
script_map[base] = std::make_pair(c, sdk);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
for (const auto& m : script_map) {
|
|
|
|
filtered_configs.push_back(m.second.first);
|
|
|
|
}
|
|
|
|
return filtered_configs;
|
|
|
|
}
|
|
|
|
|
2017-06-22 21:53:17 +02:00
|
|
|
} // namespace init
|
|
|
|
} // namespace android
|