tequilaOS/platform_system_core
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_core/init/snapuserd_transition.cpp

439 lines
14 KiB
C++
Raw Normal View History

init: Add an selinux transition for snapuserd. With compressed VAB updates, it is not possible to mount /system without first running snapuserd, which is the userspace component to the dm-user kernel module. This poses a problem because as soon as selinux enforcement is enabled, snapuserd (running in a kernel context) does not have access to read and decompress the underlying system partition. To account for this, we split SelinuxInitialize into multiple steps: First, sepolicy is read into an in-memory string. Second, the device-mapper tables for all snapshots are rebuilt. This flushes any pending reads and creates new dm-user devices. The original kernel-privileged snapuserd is then killed. Third, sepolicy is loaded from the in-memory string. Fourth, we re-launch snapuserd and connect it to the newly created dm-user devices. As part of this step we restorecon device-mapper devices and /dev/block/by-name/super, since the new snapuserd is in a limited context. Finally, we set enforcing mode. This sequence ensures that snapuserd has appropriate privileges with a minimal number of permissive audits. Bug: 173476209 Test: full OTA with VABC applies and boots Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 09:21:20 +01:00
/*
* Copyright (C) 2020 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "snapuserd_transition.h"
#include <sys/mman.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/xattr.h>
#include <unistd.h>
#include <filesystem>
#include <string>
init: only mlock() system pages when performing snapuserd transitions. Bug: 181032115 Test: manual test w/ VABC OTA Change-Id: Ib4d2856b9b5eaf8688534f9d84edeb64d4b3244d
2021-03-05 23:10:55 +01:00
#include <string_view>
Optimize PrepareSnapshotPartitionsForUpdate runtime During PrepareSnapshotPartitionsForUpdate, we attempt to connect to snapuserd with a 5s timeout, only to tell snapuserd to shutdown immediately. If snapuserd isn't running, we will wait-out the whole 5 seconds. Change the logic to return early if socket_connect() calls return ENOENT, indicating that snapuserd socket isn't used by any process. This reduces allocateSpaceForPayload() time from 6s to 1s. Test: th Bug: 315215541 Change-Id: Ib24d7c63733a896c082ac92aaa88ad52d050a2a5
2023-12-11 20:14:48 +01:00
#include <thread>
init: Add an selinux transition for snapuserd. With compressed VAB updates, it is not possible to mount /system without first running snapuserd, which is the userspace component to the dm-user kernel module. This poses a problem because as soon as selinux enforcement is enabled, snapuserd (running in a kernel context) does not have access to read and decompress the underlying system partition. To account for this, we split SelinuxInitialize into multiple steps: First, sepolicy is read into an in-memory string. Second, the device-mapper tables for all snapshots are rebuilt. This flushes any pending reads and creates new dm-user devices. The original kernel-privileged snapuserd is then killed. Third, sepolicy is loaded from the in-memory string. Fourth, we re-launch snapuserd and connect it to the newly created dm-user devices. As part of this step we restorecon device-mapper devices and /dev/block/by-name/super, since the new snapuserd is in a limited context. Finally, we set enforcing mode. This sequence ensures that snapuserd has appropriate privileges with a minimal number of permissive audits. Bug: 173476209 Test: full OTA with VABC applies and boots Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 09:21:20 +01:00
#include <android-base/file.h>
#include <android-base/logging.h>
#include <android-base/parseint.h>
init: Set oom_score_adj to snapuserd process When a process is started as a native service, oom_score_adj is set to -1000 so that processes are unkillable by lmkd. During boot, snapuserd process is not started as a service; hence, we need to set the oom_score_adj explicitly else in the event of low memory situation, lmkd can kill the process thereby device can never boot. Bug: 234691483 Test: th and OTA on Pixel Signed-off-by: Akilesh Kailash <akailash@google.com> Change-Id: Ic2c85aa470522b4bc847a16b4f5cebfc528ed3cf
2022-06-02 10:00:39 +02:00
#include <android-base/stringprintf.h>
init: Add an selinux transition for snapuserd. With compressed VAB updates, it is not possible to mount /system without first running snapuserd, which is the userspace component to the dm-user kernel module. This poses a problem because as soon as selinux enforcement is enabled, snapuserd (running in a kernel context) does not have access to read and decompress the underlying system partition. To account for this, we split SelinuxInitialize into multiple steps: First, sepolicy is read into an in-memory string. Second, the device-mapper tables for all snapshots are rebuilt. This flushes any pending reads and creates new dm-user devices. The original kernel-privileged snapuserd is then killed. Third, sepolicy is loaded from the in-memory string. Fourth, we re-launch snapuserd and connect it to the newly created dm-user devices. As part of this step we restorecon device-mapper devices and /dev/block/by-name/super, since the new snapuserd is in a limited context. Finally, we set enforcing mode. This sequence ensures that snapuserd has appropriate privileges with a minimal number of permissive audits. Bug: 173476209 Test: full OTA with VABC applies and boots Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 09:21:20 +01:00
#include <android-base/strings.h>
#include <android-base/unique_fd.h>
#include <cutils/sockets.h>
init: Wait for snapuserd before starting second stage This is a race between init process and bionic libc initialization of snapuserd. init->fork() ----------------> SecondStageMain() -> PropertyInit() | | v execveat ---> __libc_init_common() -> __system_properties_init() (snapuserd) When init process calls PropertyInit(), /dev/__properties__ directory is created. When bionic libc of snapuserd daemon invokes __system_properties_init _after_ init process PropertyInit() function is invoked, libc will try to initialize the property by reading /system/etc/selinux/plat_property_contexts. Since any reads on /system has to be served by snapuserd, this specific read from libc cannot be serviced leading to deadlock. Reproduce the race by inducing a sleep of 1500ms just before execveat() so that init process calls PropertyInit() before bionic libc initialization. This leads to deadlock immediately and with additional kernel instrumentation with debug logs confirms the failure: ====================================================== init: Relaunched snapuserd with pid: 428 ext4_file_open: SNAPUSERD: path /system/etc/selinux/plat_property_contexts - Pid: 428 comm 8 ext4_file_read_iter: SNAPUSERD for path: /system/etc/selinux/plat_property_contexts pid: 428 comm 8 [ 25.418043][ T428] ext4_file_read_iter+0x3dc/0x3e0 [ 25.423000][ T428] vfs_read+0x2e0/0x354 [ 25.426986][ T428] ksys_read+0x7c/0xec [ 25.430894][ T428] __arm64_sys_read+0x20/0x30 [ 25.435419][ T428] el0_svc_common.llvm.17612735770287389485+0xd0/0x1e0 [ 25.442095][ T428] do_el0_svc+0x28/0xa0 [ 25.446100][ T428] el0_svc+0x14/0x24 [ 25.449825][ T428] el0_sync_handler+0x88/0xec [ 25.454343][ T428] el0_sync+0x1c0/0x200 ===================================================== Fix: Before starting init second stage, we will wait for snapuserd daemon to be up and running. We do a simple probe by reading system partition. This read will eventually be serviced by daemon confirming that daemon is up and running. Furthermore, we are still in the kernel domain and sepolicy has not been enforced yet. Thus, access to these device mapper block devices are ok even though we may see audit logs. Note that daemon will re-initialize the __system_property_init() as part of WaitForSocket() call. This is subtle but important; since bionic libc initialized had failed silently, it is important that this re-initialization is done. Bug: 207298357 Test: Induce the failure by explicitly delaying the call of execveat(). With fix, no issues observed. Tested incremental OTA on pixel ~15 times. Signed-off-by: Akilesh Kailash <akailash@google.com> Change-Id: I86c2de977de052bfe9dcdc002dcbd9026601d0f3
2022-01-25 08:05:31 +01:00
#include <fs_avb/fs_avb.h>
init: Add an selinux transition for snapuserd. With compressed VAB updates, it is not possible to mount /system without first running snapuserd, which is the userspace component to the dm-user kernel module. This poses a problem because as soon as selinux enforcement is enabled, snapuserd (running in a kernel context) does not have access to read and decompress the underlying system partition. To account for this, we split SelinuxInitialize into multiple steps: First, sepolicy is read into an in-memory string. Second, the device-mapper tables for all snapshots are rebuilt. This flushes any pending reads and creates new dm-user devices. The original kernel-privileged snapuserd is then killed. Third, sepolicy is loaded from the in-memory string. Fourth, we re-launch snapuserd and connect it to the newly created dm-user devices. As part of this step we restorecon device-mapper devices and /dev/block/by-name/super, since the new snapuserd is in a limited context. Finally, we set enforcing mode. This sequence ensures that snapuserd has appropriate privileges with a minimal number of permissive audits. Bug: 173476209 Test: full OTA with VABC applies and boots Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 09:21:20 +01:00
#include <libsnapshot/snapshot.h>
#include <private/android_filesystem_config.h>
init: only mlock() system pages when performing snapuserd transitions. Bug: 181032115 Test: manual test w/ VABC OTA Change-Id: Ib4d2856b9b5eaf8688534f9d84edeb64d4b3244d
2021-03-05 23:10:55 +01:00
#include <procinfo/process_map.h>
init: Add an selinux transition for snapuserd. With compressed VAB updates, it is not possible to mount /system without first running snapuserd, which is the userspace component to the dm-user kernel module. This poses a problem because as soon as selinux enforcement is enabled, snapuserd (running in a kernel context) does not have access to read and decompress the underlying system partition. To account for this, we split SelinuxInitialize into multiple steps: First, sepolicy is read into an in-memory string. Second, the device-mapper tables for all snapshots are rebuilt. This flushes any pending reads and creates new dm-user devices. The original kernel-privileged snapuserd is then killed. Third, sepolicy is loaded from the in-memory string. Fourth, we re-launch snapuserd and connect it to the newly created dm-user devices. As part of this step we restorecon device-mapper devices and /dev/block/by-name/super, since the new snapuserd is in a limited context. Finally, we set enforcing mode. This sequence ensures that snapuserd has appropriate privileges with a minimal number of permissive audits. Bug: 173476209 Test: full OTA with VABC applies and boots Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 09:21:20 +01:00
#include <selinux/android.h>
snapuserd: Refactor code to a seperate directory Move all the code relevant to snapuserd to a seperate directory. Add OWNERS file. No other code changes apart from moving files around and fixing couple location of header paths at few places. Bug: 194642092 Test: Compile, Full OTA Signed-off-by: Akilesh Kailash <akailash@google.com> Change-Id: Ib1d852bfeda4eca5c996d6cd7b057f141cb5ddad
2021-07-26 08:59:18 +02:00
#include <snapuserd/snapuserd_client.h>
init: Add an selinux transition for snapuserd. With compressed VAB updates, it is not possible to mount /system without first running snapuserd, which is the userspace component to the dm-user kernel module. This poses a problem because as soon as selinux enforcement is enabled, snapuserd (running in a kernel context) does not have access to read and decompress the underlying system partition. To account for this, we split SelinuxInitialize into multiple steps: First, sepolicy is read into an in-memory string. Second, the device-mapper tables for all snapshots are rebuilt. This flushes any pending reads and creates new dm-user devices. The original kernel-privileged snapuserd is then killed. Third, sepolicy is loaded from the in-memory string. Fourth, we re-launch snapuserd and connect it to the newly created dm-user devices. As part of this step we restorecon device-mapper devices and /dev/block/by-name/super, since the new snapuserd is in a limited context. Finally, we set enforcing mode. This sequence ensures that snapuserd has appropriate privileges with a minimal number of permissive audits. Bug: 173476209 Test: full OTA with VABC applies and boots Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 09:21:20 +01:00
#include "block_dev_initializer.h"
init: Set oom_score_adj to snapuserd process When a process is started as a native service, oom_score_adj is set to -1000 so that processes are unkillable by lmkd. During boot, snapuserd process is not started as a service; hence, we need to set the oom_score_adj explicitly else in the event of low memory situation, lmkd can kill the process thereby device can never boot. Bug: 234691483 Test: th and OTA on Pixel Signed-off-by: Akilesh Kailash <akailash@google.com> Change-Id: Ic2c85aa470522b4bc847a16b4f5cebfc528ed3cf
2022-06-02 10:00:39 +02:00
#include "lmkd_service.h"
init: Add an selinux transition for snapuserd. With compressed VAB updates, it is not possible to mount /system without first running snapuserd, which is the userspace component to the dm-user kernel module. This poses a problem because as soon as selinux enforcement is enabled, snapuserd (running in a kernel context) does not have access to read and decompress the underlying system partition. To account for this, we split SelinuxInitialize into multiple steps: First, sepolicy is read into an in-memory string. Second, the device-mapper tables for all snapshots are rebuilt. This flushes any pending reads and creates new dm-user devices. The original kernel-privileged snapuserd is then killed. Third, sepolicy is loaded from the in-memory string. Fourth, we re-launch snapuserd and connect it to the newly created dm-user devices. As part of this step we restorecon device-mapper devices and /dev/block/by-name/super, since the new snapuserd is in a limited context. Finally, we set enforcing mode. This sequence ensures that snapuserd has appropriate privileges with a minimal number of permissive audits. Bug: 173476209 Test: full OTA with VABC applies and boots Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 09:21:20 +01:00
#include "service_utils.h"
#include "util.h"
namespace android {
namespace init {
using namespace std::string_literals;
using android::base::unique_fd;
using android::snapshot::SnapshotManager;
using android::snapshot::SnapuserdClient;
static constexpr char kSnapuserdPath[] = "/system/bin/snapuserd";
static constexpr char kSnapuserdFirstStagePidVar[] = "FIRST_STAGE_SNAPUSERD_PID";
static constexpr char kSnapuserdFirstStageFdVar[] = "FIRST_STAGE_SNAPUSERD_FD";
snapuserd: Allow connecting to the first-stage daemon. Currently there is no socket for daemon instances launched during the selinux phase of init. We don't create any sockets due to the complexity of the required sepolicy. This workaround will allow us to create the socket with very minimal sepolicy changes. init will launch a one-off instance of snapuserd in "proxy" mode, and then the following steps will occur: 1. The proxy daemon will be given two sockets, the "normal" socket that snapuserd clients would connect to, and a "proxy" socket. 2. The proxy daemon will listen on the proxy socket. 3. The first-stage daemon will wake up and connect to the proxy daemon as a client. 4. The proxy will send the normal socket via SCM_RIGHTS, then exit. 5. The first-stage daemon can now listen and accept on the normal socket. Ordering of these events is achieved through a snapuserd.proxy_ready property. Some special-casing was needed in init to make this work. The snapuserd socket owned by snapuserd_proxy is placed into a "persist" mode so it doesn't get deleted when snapuserd_proxy exits. There's also a special case method to create a Service object around a previously existing pid. Finally, first-stage init is technically on a different updateable partition than snapuserd. Thus, we add a way to query snapuserd to see if it supports socket handoff. If it does, we communicate this information through an environment variable to second-stage init. Bug: 193833730 Test: manual test Change-Id: I1950b31028980f0138bc03578cd455eb60ea4a58
2021-07-22 06:53:28 +02:00
static constexpr char kSnapuserdFirstStageInfoVar[] = "FIRST_STAGE_SNAPUSERD_INFO";
init: Add an selinux transition for snapuserd. With compressed VAB updates, it is not possible to mount /system without first running snapuserd, which is the userspace component to the dm-user kernel module. This poses a problem because as soon as selinux enforcement is enabled, snapuserd (running in a kernel context) does not have access to read and decompress the underlying system partition. To account for this, we split SelinuxInitialize into multiple steps: First, sepolicy is read into an in-memory string. Second, the device-mapper tables for all snapshots are rebuilt. This flushes any pending reads and creates new dm-user devices. The original kernel-privileged snapuserd is then killed. Third, sepolicy is loaded from the in-memory string. Fourth, we re-launch snapuserd and connect it to the newly created dm-user devices. As part of this step we restorecon device-mapper devices and /dev/block/by-name/super, since the new snapuserd is in a limited context. Finally, we set enforcing mode. This sequence ensures that snapuserd has appropriate privileges with a minimal number of permissive audits. Bug: 173476209 Test: full OTA with VABC applies and boots Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 09:21:20 +01:00
static constexpr char kSnapuserdLabel[] = "u:object_r:snapuserd_exec:s0";
static constexpr char kSnapuserdSocketLabel[] = "u:object_r:snapuserd_socket:s0";
init: Remove legacy virtual-ab support Bug: 304829384 Test: OTA on Pixel Change-Id: I8463a1cc102379daa41fdade6820222a5e3bdd86 Signed-off-by: Akilesh Kailash <akailash@google.com>
2024-03-28 17:51:52 +01:00
void LaunchFirstStageSnapuserd() {
init: Add an selinux transition for snapuserd. With compressed VAB updates, it is not possible to mount /system without first running snapuserd, which is the userspace component to the dm-user kernel module. This poses a problem because as soon as selinux enforcement is enabled, snapuserd (running in a kernel context) does not have access to read and decompress the underlying system partition. To account for this, we split SelinuxInitialize into multiple steps: First, sepolicy is read into an in-memory string. Second, the device-mapper tables for all snapshots are rebuilt. This flushes any pending reads and creates new dm-user devices. The original kernel-privileged snapuserd is then killed. Third, sepolicy is loaded from the in-memory string. Fourth, we re-launch snapuserd and connect it to the newly created dm-user devices. As part of this step we restorecon device-mapper devices and /dev/block/by-name/super, since the new snapuserd is in a limited context. Finally, we set enforcing mode. This sequence ensures that snapuserd has appropriate privileges with a minimal number of permissive audits. Bug: 173476209 Test: full OTA with VABC applies and boots Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 09:21:20 +01:00
SocketDescriptor socket_desc;
socket_desc.name = android::snapshot::kSnapuserdSocket;
socket_desc.type = SOCK_STREAM;
socket_desc.perm = 0660;
socket_desc.uid = AID_SYSTEM;
socket_desc.gid = AID_SYSTEM;
// We specify a label here even though it technically is not needed. During
// first_stage_mount there is no sepolicy loaded. Once sepolicy is loaded,
// we bypass the socket entirely.
auto socket = socket_desc.Create(kSnapuserdSocketLabel);
if (!socket.ok()) {
LOG(FATAL) << "Could not create snapuserd socket: " << socket.error();
}
pid_t pid = fork();
if (pid < 0) {
PLOG(FATAL) << "Cannot launch snapuserd; fork failed";
}
if (pid == 0) {
socket->Publish();
libsnapshot: Integrate userspace snapshots APIs dm-user block device will be the snapshot device; thus, no more explicit call to MapSnapshot(). Additionally, block device name for dm-user will be the snapshot name so that mount works seamlessly. API's to query the snapshot status, merge progress has been integrated. Since daemon requires base device for merge, we pass additional parameter during initialization. Add a new virtual a/b property flag to enable/disable user-snapshots feature. Propagate this flag to init layer for first stage mount during boot process. Some minor cleanup and renaming of variables. Bug: 193863443 Test: 1: Full OTA on CF and pixel and verify the merge completion. Tested merge-resume path by rebooting device during merge. 2: Incremental OTA on CF and pixel Signed-off-by: Akilesh Kailash <akailash@google.com> Change-Id: I5088f40a55807946cd044b3987678ead3696d996
2021-10-03 11:41:13 +02:00
init: Remove legacy virtual-ab support Bug: 304829384 Test: OTA on Pixel Change-Id: I8463a1cc102379daa41fdade6820222a5e3bdd86 Signed-off-by: Akilesh Kailash <akailash@google.com>
2024-03-28 17:51:52 +01:00
char arg0[] = "/system/bin/snapuserd";
char arg1[] = "-user_snapshot";
char* const argv[] = {arg0, arg1, nullptr};
if (execv(arg0, argv) < 0) {
PLOG(FATAL) << "Cannot launch snapuserd; execv failed";
init: Add an selinux transition for snapuserd. With compressed VAB updates, it is not possible to mount /system without first running snapuserd, which is the userspace component to the dm-user kernel module. This poses a problem because as soon as selinux enforcement is enabled, snapuserd (running in a kernel context) does not have access to read and decompress the underlying system partition. To account for this, we split SelinuxInitialize into multiple steps: First, sepolicy is read into an in-memory string. Second, the device-mapper tables for all snapshots are rebuilt. This flushes any pending reads and creates new dm-user devices. The original kernel-privileged snapuserd is then killed. Third, sepolicy is loaded from the in-memory string. Fourth, we re-launch snapuserd and connect it to the newly created dm-user devices. As part of this step we restorecon device-mapper devices and /dev/block/by-name/super, since the new snapuserd is in a limited context. Finally, we set enforcing mode. This sequence ensures that snapuserd has appropriate privileges with a minimal number of permissive audits. Bug: 173476209 Test: full OTA with VABC applies and boots Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 09:21:20 +01:00
}
init: Remove legacy virtual-ab support Bug: 304829384 Test: OTA on Pixel Change-Id: I8463a1cc102379daa41fdade6820222a5e3bdd86 Signed-off-by: Akilesh Kailash <akailash@google.com>
2024-03-28 17:51:52 +01:00
_exit(127);
init: Add an selinux transition for snapuserd. With compressed VAB updates, it is not possible to mount /system without first running snapuserd, which is the userspace component to the dm-user kernel module. This poses a problem because as soon as selinux enforcement is enabled, snapuserd (running in a kernel context) does not have access to read and decompress the underlying system partition. To account for this, we split SelinuxInitialize into multiple steps: First, sepolicy is read into an in-memory string. Second, the device-mapper tables for all snapshots are rebuilt. This flushes any pending reads and creates new dm-user devices. The original kernel-privileged snapuserd is then killed. Third, sepolicy is loaded from the in-memory string. Fourth, we re-launch snapuserd and connect it to the newly created dm-user devices. As part of this step we restorecon device-mapper devices and /dev/block/by-name/super, since the new snapuserd is in a limited context. Finally, we set enforcing mode. This sequence ensures that snapuserd has appropriate privileges with a minimal number of permissive audits. Bug: 173476209 Test: full OTA with VABC applies and boots Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 09:21:20 +01:00
}
snapuserd: Allow connecting to the first-stage daemon. Currently there is no socket for daemon instances launched during the selinux phase of init. We don't create any sockets due to the complexity of the required sepolicy. This workaround will allow us to create the socket with very minimal sepolicy changes. init will launch a one-off instance of snapuserd in "proxy" mode, and then the following steps will occur: 1. The proxy daemon will be given two sockets, the "normal" socket that snapuserd clients would connect to, and a "proxy" socket. 2. The proxy daemon will listen on the proxy socket. 3. The first-stage daemon will wake up and connect to the proxy daemon as a client. 4. The proxy will send the normal socket via SCM_RIGHTS, then exit. 5. The first-stage daemon can now listen and accept on the normal socket. Ordering of these events is achieved through a snapuserd.proxy_ready property. Some special-casing was needed in init to make this work. The snapuserd socket owned by snapuserd_proxy is placed into a "persist" mode so it doesn't get deleted when snapuserd_proxy exits. There's also a special case method to create a Service object around a previously existing pid. Finally, first-stage init is technically on a different updateable partition than snapuserd. Thus, we add a way to query snapuserd to see if it supports socket handoff. If it does, we communicate this information through an environment variable to second-stage init. Bug: 193833730 Test: manual test Change-Id: I1950b31028980f0138bc03578cd455eb60ea4a58
2021-07-22 06:53:28 +02:00
auto client = SnapuserdClient::Connect(android::snapshot::kSnapuserdSocket, 10s);
if (!client) {
LOG(FATAL) << "Could not connect to first-stage snapuserd";
}
if (client->SupportsSecondStageSocketHandoff()) {
setenv(kSnapuserdFirstStageInfoVar, "socket", 1);
}
init: Add an selinux transition for snapuserd. With compressed VAB updates, it is not possible to mount /system without first running snapuserd, which is the userspace component to the dm-user kernel module. This poses a problem because as soon as selinux enforcement is enabled, snapuserd (running in a kernel context) does not have access to read and decompress the underlying system partition. To account for this, we split SelinuxInitialize into multiple steps: First, sepolicy is read into an in-memory string. Second, the device-mapper tables for all snapshots are rebuilt. This flushes any pending reads and creates new dm-user devices. The original kernel-privileged snapuserd is then killed. Third, sepolicy is loaded from the in-memory string. Fourth, we re-launch snapuserd and connect it to the newly created dm-user devices. As part of this step we restorecon device-mapper devices and /dev/block/by-name/super, since the new snapuserd is in a limited context. Finally, we set enforcing mode. This sequence ensures that snapuserd has appropriate privileges with a minimal number of permissive audits. Bug: 173476209 Test: full OTA with VABC applies and boots Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 09:21:20 +01:00
setenv(kSnapuserdFirstStagePidVar, std::to_string(pid).c_str(), 1);
init: Wait for daemon to fully spin up all threads During selinux transition, daemon will notify `init` process by writing to file "/metadata/ota/daemon-alive-indicator". Init will wait until daemon notifies it. Furthermore, daemon will only write to that file once all threads are spin up and attached to dm-user misc devices. Once snapshot-merge is completed, this file will be removed. Additionally, during boot, init will also ensure that there are no stale files and will try to remove just before selinux transition. Bug: 262407519 Test: OTA on Pixel - Verify new file exits and init waits until daemon is fully up. Change-Id: Iabef58ad282d80a7afa493e9df9468ae41a13e44 Signed-off-by: Akilesh Kailash <akailash@google.com>
2023-01-03 06:11:13 +01:00
if (!client->RemoveTransitionedDaemonIndicator()) {
LOG(ERROR) << "RemoveTransitionedDaemonIndicator failed";
}
init: Add an selinux transition for snapuserd. With compressed VAB updates, it is not possible to mount /system without first running snapuserd, which is the userspace component to the dm-user kernel module. This poses a problem because as soon as selinux enforcement is enabled, snapuserd (running in a kernel context) does not have access to read and decompress the underlying system partition. To account for this, we split SelinuxInitialize into multiple steps: First, sepolicy is read into an in-memory string. Second, the device-mapper tables for all snapshots are rebuilt. This flushes any pending reads and creates new dm-user devices. The original kernel-privileged snapuserd is then killed. Third, sepolicy is loaded from the in-memory string. Fourth, we re-launch snapuserd and connect it to the newly created dm-user devices. As part of this step we restorecon device-mapper devices and /dev/block/by-name/super, since the new snapuserd is in a limited context. Finally, we set enforcing mode. This sequence ensures that snapuserd has appropriate privileges with a minimal number of permissive audits. Bug: 173476209 Test: full OTA with VABC applies and boots Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 09:21:20 +01:00
LOG(INFO) << "Relaunched snapuserd with pid: " << pid;
}
std::optional<pid_t> GetSnapuserdFirstStagePid() {
const char* pid_str = getenv(kSnapuserdFirstStagePidVar);
if (!pid_str) {
return {};
}
int pid = 0;
if (!android::base::ParseInt(pid_str, &pid)) {
LOG(FATAL) << "Could not parse pid in environment, " << kSnapuserdFirstStagePidVar << "="
<< pid_str;
}
return {pid};
}
static void RelabelLink(const std::string& link) {
selinux_android_restorecon(link.c_str(), 0);
std::string path;
if (android::base::Readlink(link, &path)) {
selinux_android_restorecon(path.c_str(), 0);
}
}
static void RelabelDeviceMapper() {
selinux_android_restorecon("/dev/device-mapper", 0);
std::error_code ec;
for (auto& iter : std::filesystem::directory_iterator("/dev/block", ec)) {
const auto& path = iter.path();
if (android::base::StartsWith(path.string(), "/dev/block/dm-")) {
selinux_android_restorecon(path.string().c_str(), 0);
}
}
}
static std::optional<int> GetRamdiskSnapuserdFd() {
const char* fd_str = getenv(kSnapuserdFirstStageFdVar);
if (!fd_str) {
return {};
}
int fd;
if (!android::base::ParseInt(fd_str, &fd)) {
LOG(FATAL) << "Could not parse fd in environment, " << kSnapuserdFirstStageFdVar << "="
<< fd_str;
}
return {fd};
}
void RestoreconRamdiskSnapuserd(int fd) {
if (fsetxattr(fd, XATTR_NAME_SELINUX, kSnapuserdLabel, strlen(kSnapuserdLabel) + 1, 0) < 0) {
PLOG(FATAL) << "fsetxattr snapuserd failed";
}
}
SnapuserdSelinuxHelper::SnapuserdSelinuxHelper(std::unique_ptr<SnapshotManager>&& sm, pid_t old_pid)
: sm_(std::move(sm)), old_pid_(old_pid) {
// Only dm-user device names change during transitions, so the other
// devices are expected to be present.
sm_->SetUeventRegenCallback([this](const std::string& device) -> bool {
if (android::base::StartsWith(device, "/dev/dm-user/")) {
return block_dev_init_.InitDmUser(android::base::Basename(device));
}
return true;
});
}
init: only mlock() system pages when performing snapuserd transitions. Bug: 181032115 Test: manual test w/ VABC OTA Change-Id: Ib4d2856b9b5eaf8688534f9d84edeb64d4b3244d
2021-03-05 23:10:55 +01:00
static void LockAllSystemPages() {
bool ok = true;
auto callback = [&](const android::procinfo::MapInfo& map) -> void {
if (!ok || android::base::StartsWith(map.name, "/dev/") ||
!android::base::StartsWith(map.name, "/")) {
return;
}
auto start = reinterpret_cast<const void*>(map.start);
init: snapuserd: Fix ranges for mlock() It cannot be assumed that file mappings in /proc/<pid>/maps will be completely backed by the underlying file. [1] Use MappedFileSize() to deduce the correct ranges for the mlock() calls when locking system pages in the OTA path. While at it also clean up the some unreachable code (mlockall()), and improve error logging. [1] SIGBUS at https://man7.org/linux/man-pages/man2/mmap.2.html#RETURN_VALUE Test: Incremental OTA Bug: 324952273 Change-Id: Ia2ab150e1b8de8c638f5b1acc1de83deb7ac5cff Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
2024-02-15 02:03:01 +01:00
uint64_t len = android::procinfo::MappedFileSize(map);
init: only mlock() system pages when performing snapuserd transitions. Bug: 181032115 Test: manual test w/ VABC OTA Change-Id: Ib4d2856b9b5eaf8688534f9d84edeb64d4b3244d
2021-03-05 23:10:55 +01:00
if (!len) {
return;
}
init: snapuserd: Fix ranges for mlock() It cannot be assumed that file mappings in /proc/<pid>/maps will be completely backed by the underlying file. [1] Use MappedFileSize() to deduce the correct ranges for the mlock() calls when locking system pages in the OTA path. While at it also clean up the some unreachable code (mlockall()), and improve error logging. [1] SIGBUS at https://man7.org/linux/man-pages/man2/mmap.2.html#RETURN_VALUE Test: Incremental OTA Bug: 324952273 Change-Id: Ia2ab150e1b8de8c638f5b1acc1de83deb7ac5cff Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
2024-02-15 02:03:01 +01:00
init: only mlock() system pages when performing snapuserd transitions. Bug: 181032115 Test: manual test w/ VABC OTA Change-Id: Ib4d2856b9b5eaf8688534f9d84edeb64d4b3244d
2021-03-05 23:10:55 +01:00
if (mlock(start, len) < 0) {
init: snapuserd: Fix ranges for mlock() It cannot be assumed that file mappings in /proc/<pid>/maps will be completely backed by the underlying file. [1] Use MappedFileSize() to deduce the correct ranges for the mlock() calls when locking system pages in the OTA path. While at it also clean up the some unreachable code (mlockall()), and improve error logging. [1] SIGBUS at https://man7.org/linux/man-pages/man2/mmap.2.html#RETURN_VALUE Test: Incremental OTA Bug: 324952273 Change-Id: Ia2ab150e1b8de8c638f5b1acc1de83deb7ac5cff Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
2024-02-15 02:03:01 +01:00
PLOG(ERROR) << "\"" << map.name << "\": mlock(" << start << ", " << len
<< ") failed: pgoff = " << map.pgoff;
init: only mlock() system pages when performing snapuserd transitions. Bug: 181032115 Test: manual test w/ VABC OTA Change-Id: Ib4d2856b9b5eaf8688534f9d84edeb64d4b3244d
2021-03-05 23:10:55 +01:00
ok = false;
}
};
if (!android::procinfo::ReadProcessMaps(getpid(), callback) || !ok) {
init: snapuserd: Fix ranges for mlock() It cannot be assumed that file mappings in /proc/<pid>/maps will be completely backed by the underlying file. [1] Use MappedFileSize() to deduce the correct ranges for the mlock() calls when locking system pages in the OTA path. While at it also clean up the some unreachable code (mlockall()), and improve error logging. [1] SIGBUS at https://man7.org/linux/man-pages/man2/mmap.2.html#RETURN_VALUE Test: Incremental OTA Bug: 324952273 Change-Id: Ia2ab150e1b8de8c638f5b1acc1de83deb7ac5cff Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
2024-02-15 02:03:01 +01:00
LOG(FATAL) << "Could not process /proc/" << getpid() << "/maps file for init";
init: only mlock() system pages when performing snapuserd transitions. Bug: 181032115 Test: manual test w/ VABC OTA Change-Id: Ib4d2856b9b5eaf8688534f9d84edeb64d4b3244d
2021-03-05 23:10:55 +01:00
}
}
init: Add an selinux transition for snapuserd. With compressed VAB updates, it is not possible to mount /system without first running snapuserd, which is the userspace component to the dm-user kernel module. This poses a problem because as soon as selinux enforcement is enabled, snapuserd (running in a kernel context) does not have access to read and decompress the underlying system partition. To account for this, we split SelinuxInitialize into multiple steps: First, sepolicy is read into an in-memory string. Second, the device-mapper tables for all snapshots are rebuilt. This flushes any pending reads and creates new dm-user devices. The original kernel-privileged snapuserd is then killed. Third, sepolicy is loaded from the in-memory string. Fourth, we re-launch snapuserd and connect it to the newly created dm-user devices. As part of this step we restorecon device-mapper devices and /dev/block/by-name/super, since the new snapuserd is in a limited context. Finally, we set enforcing mode. This sequence ensures that snapuserd has appropriate privileges with a minimal number of permissive audits. Bug: 173476209 Test: full OTA with VABC applies and boots Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 09:21:20 +01:00
void SnapuserdSelinuxHelper::StartTransition() {
LOG(INFO) << "Starting SELinux transition of snapuserd";
// The restorecon path reads from /system etc, so make sure any reads have
// been cached before proceeding.
auto handle = selinux_android_file_context_handle();
if (!handle) {
LOG(FATAL) << "Could not create SELinux file context handle";
}
selinux_android_set_sehandle(handle);
// We cannot access /system after the transition, so make sure init is
// pinned in memory.
init: only mlock() system pages when performing snapuserd transitions. Bug: 181032115 Test: manual test w/ VABC OTA Change-Id: Ib4d2856b9b5eaf8688534f9d84edeb64d4b3244d
2021-03-05 23:10:55 +01:00
LockAllSystemPages();
init: Add an selinux transition for snapuserd. With compressed VAB updates, it is not possible to mount /system without first running snapuserd, which is the userspace component to the dm-user kernel module. This poses a problem because as soon as selinux enforcement is enabled, snapuserd (running in a kernel context) does not have access to read and decompress the underlying system partition. To account for this, we split SelinuxInitialize into multiple steps: First, sepolicy is read into an in-memory string. Second, the device-mapper tables for all snapshots are rebuilt. This flushes any pending reads and creates new dm-user devices. The original kernel-privileged snapuserd is then killed. Third, sepolicy is loaded from the in-memory string. Fourth, we re-launch snapuserd and connect it to the newly created dm-user devices. As part of this step we restorecon device-mapper devices and /dev/block/by-name/super, since the new snapuserd is in a limited context. Finally, we set enforcing mode. This sequence ensures that snapuserd has appropriate privileges with a minimal number of permissive audits. Bug: 173476209 Test: full OTA with VABC applies and boots Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 09:21:20 +01:00
argv_.emplace_back("snapuserd");
argv_.emplace_back("-no_socket");
init: Detach daemon only after sepolicy is loaded The new sequence of operation would be: 1: Load sepolicy - Daemon will continue to be alive and serve any I/O request 2: After sepolicy loading is complete - Switch the device-mapper tables. 3: Kill the block device daemon launched in the first-stage init. 4: Re-launch the daemon with the correct selinux labels set. 5: Enforce the sepolicy Bug: 240321741 Test: Full OTA on pixel Signed-off-by: Akilesh Kailash <akailash@google.com> Change-Id: Idd392f0f0aae7d93e546c0ec0762e6c07b6263e4
2022-07-15 20:40:07 +02:00
if (!sm_->PrepareSnapuserdArgsForSelinux(&argv_)) {
init: Add an selinux transition for snapuserd. With compressed VAB updates, it is not possible to mount /system without first running snapuserd, which is the userspace component to the dm-user kernel module. This poses a problem because as soon as selinux enforcement is enabled, snapuserd (running in a kernel context) does not have access to read and decompress the underlying system partition. To account for this, we split SelinuxInitialize into multiple steps: First, sepolicy is read into an in-memory string. Second, the device-mapper tables for all snapshots are rebuilt. This flushes any pending reads and creates new dm-user devices. The original kernel-privileged snapuserd is then killed. Third, sepolicy is loaded from the in-memory string. Fourth, we re-launch snapuserd and connect it to the newly created dm-user devices. As part of this step we restorecon device-mapper devices and /dev/block/by-name/super, since the new snapuserd is in a limited context. Finally, we set enforcing mode. This sequence ensures that snapuserd has appropriate privileges with a minimal number of permissive audits. Bug: 173476209 Test: full OTA with VABC applies and boots Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 09:21:20 +01:00
LOG(FATAL) << "Could not perform selinux transition";
}
}
void SnapuserdSelinuxHelper::FinishTransition() {
RelabelLink("/dev/block/by-name/super");
RelabelDeviceMapper();
selinux_android_restorecon("/dev/null", 0);
selinux_android_restorecon("/dev/urandom", 0);
selinux_android_restorecon("/dev/kmsg", 0);
selinux_android_restorecon("/dev/dm-user", SELINUX_ANDROID_RESTORECON_RECURSE);
RelaunchFirstStageSnapuserd();
if (munlockall() < 0) {
PLOG(ERROR) << "munlockall failed";
}
}
init: Wait for snapuserd before starting second stage This is a race between init process and bionic libc initialization of snapuserd. init->fork() ----------------> SecondStageMain() -> PropertyInit() | | v execveat ---> __libc_init_common() -> __system_properties_init() (snapuserd) When init process calls PropertyInit(), /dev/__properties__ directory is created. When bionic libc of snapuserd daemon invokes __system_properties_init _after_ init process PropertyInit() function is invoked, libc will try to initialize the property by reading /system/etc/selinux/plat_property_contexts. Since any reads on /system has to be served by snapuserd, this specific read from libc cannot be serviced leading to deadlock. Reproduce the race by inducing a sleep of 1500ms just before execveat() so that init process calls PropertyInit() before bionic libc initialization. This leads to deadlock immediately and with additional kernel instrumentation with debug logs confirms the failure: ====================================================== init: Relaunched snapuserd with pid: 428 ext4_file_open: SNAPUSERD: path /system/etc/selinux/plat_property_contexts - Pid: 428 comm 8 ext4_file_read_iter: SNAPUSERD for path: /system/etc/selinux/plat_property_contexts pid: 428 comm 8 [ 25.418043][ T428] ext4_file_read_iter+0x3dc/0x3e0 [ 25.423000][ T428] vfs_read+0x2e0/0x354 [ 25.426986][ T428] ksys_read+0x7c/0xec [ 25.430894][ T428] __arm64_sys_read+0x20/0x30 [ 25.435419][ T428] el0_svc_common.llvm.17612735770287389485+0xd0/0x1e0 [ 25.442095][ T428] do_el0_svc+0x28/0xa0 [ 25.446100][ T428] el0_svc+0x14/0x24 [ 25.449825][ T428] el0_sync_handler+0x88/0xec [ 25.454343][ T428] el0_sync+0x1c0/0x200 ===================================================== Fix: Before starting init second stage, we will wait for snapuserd daemon to be up and running. We do a simple probe by reading system partition. This read will eventually be serviced by daemon confirming that daemon is up and running. Furthermore, we are still in the kernel domain and sepolicy has not been enforced yet. Thus, access to these device mapper block devices are ok even though we may see audit logs. Note that daemon will re-initialize the __system_property_init() as part of WaitForSocket() call. This is subtle but important; since bionic libc initialized had failed silently, it is important that this re-initialization is done. Bug: 207298357 Test: Induce the failure by explicitly delaying the call of execveat(). With fix, no issues observed. Tested incremental OTA on pixel ~15 times. Signed-off-by: Akilesh Kailash <akailash@google.com> Change-Id: I86c2de977de052bfe9dcdc002dcbd9026601d0f3
2022-01-25 08:05:31 +01:00
/*
* Before starting init second stage, we will wait
* for snapuserd daemon to be up and running; bionic libc
* may read /system/etc/selinux/plat_property_contexts file
* before invoking main() function. This will happen if
* init initializes property during second stage. Any access
* to /system without snapuserd daemon will lead to a deadlock.
*
* Thus, we do a simple probe by reading system partition. This
* read will eventually be serviced by daemon confirming that
* daemon is up and running. Furthermore, we are still in the kernel
* domain and sepolicy has not been enforced yet. Thus, access
* to these device mapper block devices are ok even though
* we may see audit logs.
*/
bool SnapuserdSelinuxHelper::TestSnapuserdIsReady() {
init: Wait for daemon to fully spin up all threads During selinux transition, daemon will notify `init` process by writing to file "/metadata/ota/daemon-alive-indicator". Init will wait until daemon notifies it. Furthermore, daemon will only write to that file once all threads are spin up and attached to dm-user misc devices. Once snapshot-merge is completed, this file will be removed. Additionally, during boot, init will also ensure that there are no stale files and will try to remove just before selinux transition. Bug: 262407519 Test: OTA on Pixel - Verify new file exits and init waits until daemon is fully up. Change-Id: Iabef58ad282d80a7afa493e9df9468ae41a13e44 Signed-off-by: Akilesh Kailash <akailash@google.com>
2023-01-03 06:11:13 +01:00
// Wait for the daemon to be fully up. Daemon will write to path
// /metadata/ota/daemon-alive-indicator only when all the threads
// are ready and attached to dm-user.
//
// This check will fail for GRF devices with vendor on Android S.
// snapuserd binary from Android S won't be able to communicate
// and hence, we will fallback and issue I/O to verify
// the presence of daemon.
auto client = std::make_unique<SnapuserdClient>();
if (!client->IsTransitionedDaemonReady()) {
LOG(ERROR) << "IsTransitionedDaemonReady failed";
}
init: Wait for snapuserd before starting second stage This is a race between init process and bionic libc initialization of snapuserd. init->fork() ----------------> SecondStageMain() -> PropertyInit() | | v execveat ---> __libc_init_common() -> __system_properties_init() (snapuserd) When init process calls PropertyInit(), /dev/__properties__ directory is created. When bionic libc of snapuserd daemon invokes __system_properties_init _after_ init process PropertyInit() function is invoked, libc will try to initialize the property by reading /system/etc/selinux/plat_property_contexts. Since any reads on /system has to be served by snapuserd, this specific read from libc cannot be serviced leading to deadlock. Reproduce the race by inducing a sleep of 1500ms just before execveat() so that init process calls PropertyInit() before bionic libc initialization. This leads to deadlock immediately and with additional kernel instrumentation with debug logs confirms the failure: ====================================================== init: Relaunched snapuserd with pid: 428 ext4_file_open: SNAPUSERD: path /system/etc/selinux/plat_property_contexts - Pid: 428 comm 8 ext4_file_read_iter: SNAPUSERD for path: /system/etc/selinux/plat_property_contexts pid: 428 comm 8 [ 25.418043][ T428] ext4_file_read_iter+0x3dc/0x3e0 [ 25.423000][ T428] vfs_read+0x2e0/0x354 [ 25.426986][ T428] ksys_read+0x7c/0xec [ 25.430894][ T428] __arm64_sys_read+0x20/0x30 [ 25.435419][ T428] el0_svc_common.llvm.17612735770287389485+0xd0/0x1e0 [ 25.442095][ T428] do_el0_svc+0x28/0xa0 [ 25.446100][ T428] el0_svc+0x14/0x24 [ 25.449825][ T428] el0_sync_handler+0x88/0xec [ 25.454343][ T428] el0_sync+0x1c0/0x200 ===================================================== Fix: Before starting init second stage, we will wait for snapuserd daemon to be up and running. We do a simple probe by reading system partition. This read will eventually be serviced by daemon confirming that daemon is up and running. Furthermore, we are still in the kernel domain and sepolicy has not been enforced yet. Thus, access to these device mapper block devices are ok even though we may see audit logs. Note that daemon will re-initialize the __system_property_init() as part of WaitForSocket() call. This is subtle but important; since bionic libc initialized had failed silently, it is important that this re-initialization is done. Bug: 207298357 Test: Induce the failure by explicitly delaying the call of execveat(). With fix, no issues observed. Tested incremental OTA on pixel ~15 times. Signed-off-by: Akilesh Kailash <akailash@google.com> Change-Id: I86c2de977de052bfe9dcdc002dcbd9026601d0f3
2022-01-25 08:05:31 +01:00
std::string dev = "/dev/block/mapper/system"s + fs_mgr_get_slot_suffix();
android::base::unique_fd fd(open(dev.c_str(), O_RDONLY | O_DIRECT));
if (fd < 0) {
PLOG(ERROR) << "open " << dev << " failed";
return false;
}
void* addr;
ssize_t page_size = getpagesize();
if (posix_memalign(&addr, page_size, page_size) < 0) {
PLOG(ERROR) << "posix_memalign with page size " << page_size;
return false;
}
std::unique_ptr<void, decltype(&::free)> buffer(addr, ::free);
int iter = 0;
while (iter < 10) {
ssize_t n = TEMP_FAILURE_RETRY(pread(fd.get(), buffer.get(), page_size, 0));
if (n < 0) {
// Wait for sometime before retry
std::this_thread::sleep_for(100ms);
} else if (n == page_size) {
return true;
} else {
LOG(ERROR) << "pread returned: " << n << " from: " << dev << " expected: " << page_size;
}
iter += 1;
}
return false;
}
init: Add an selinux transition for snapuserd. With compressed VAB updates, it is not possible to mount /system without first running snapuserd, which is the userspace component to the dm-user kernel module. This poses a problem because as soon as selinux enforcement is enabled, snapuserd (running in a kernel context) does not have access to read and decompress the underlying system partition. To account for this, we split SelinuxInitialize into multiple steps: First, sepolicy is read into an in-memory string. Second, the device-mapper tables for all snapshots are rebuilt. This flushes any pending reads and creates new dm-user devices. The original kernel-privileged snapuserd is then killed. Third, sepolicy is loaded from the in-memory string. Fourth, we re-launch snapuserd and connect it to the newly created dm-user devices. As part of this step we restorecon device-mapper devices and /dev/block/by-name/super, since the new snapuserd is in a limited context. Finally, we set enforcing mode. This sequence ensures that snapuserd has appropriate privileges with a minimal number of permissive audits. Bug: 173476209 Test: full OTA with VABC applies and boots Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 09:21:20 +01:00
void SnapuserdSelinuxHelper::RelaunchFirstStageSnapuserd() {
init: Detach daemon only after sepolicy is loaded The new sequence of operation would be: 1: Load sepolicy - Daemon will continue to be alive and serve any I/O request 2: After sepolicy loading is complete - Switch the device-mapper tables. 3: Kill the block device daemon launched in the first-stage init. 4: Re-launch the daemon with the correct selinux labels set. 5: Enforce the sepolicy Bug: 240321741 Test: Full OTA on pixel Signed-off-by: Akilesh Kailash <akailash@google.com> Change-Id: Idd392f0f0aae7d93e546c0ec0762e6c07b6263e4
2022-07-15 20:40:07 +02:00
if (!sm_->DetachFirstStageSnapuserdForSelinux()) {
LOG(FATAL) << "Could not perform selinux transition";
}
KillFirstStageSnapuserd(old_pid_);
init: Add an selinux transition for snapuserd. With compressed VAB updates, it is not possible to mount /system without first running snapuserd, which is the userspace component to the dm-user kernel module. This poses a problem because as soon as selinux enforcement is enabled, snapuserd (running in a kernel context) does not have access to read and decompress the underlying system partition. To account for this, we split SelinuxInitialize into multiple steps: First, sepolicy is read into an in-memory string. Second, the device-mapper tables for all snapshots are rebuilt. This flushes any pending reads and creates new dm-user devices. The original kernel-privileged snapuserd is then killed. Third, sepolicy is loaded from the in-memory string. Fourth, we re-launch snapuserd and connect it to the newly created dm-user devices. As part of this step we restorecon device-mapper devices and /dev/block/by-name/super, since the new snapuserd is in a limited context. Finally, we set enforcing mode. This sequence ensures that snapuserd has appropriate privileges with a minimal number of permissive audits. Bug: 173476209 Test: full OTA with VABC applies and boots Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 09:21:20 +01:00
auto fd = GetRamdiskSnapuserdFd();
if (!fd) {
LOG(FATAL) << "Environment variable " << kSnapuserdFirstStageFdVar << " was not set!";
}
unsetenv(kSnapuserdFirstStageFdVar);
RestoreconRamdiskSnapuserd(fd.value());
pid_t pid = fork();
if (pid < 0) {
PLOG(FATAL) << "Fork to relaunch snapuserd failed";
}
if (pid > 0) {
// We don't need the descriptor anymore, and it should be closed to
// avoid leaking into subprocesses.
close(fd.value());
setenv(kSnapuserdFirstStagePidVar, std::to_string(pid).c_str(), 1);
LOG(INFO) << "Relaunched snapuserd with pid: " << pid;
init: Wait for snapuserd before starting second stage This is a race between init process and bionic libc initialization of snapuserd. init->fork() ----------------> SecondStageMain() -> PropertyInit() | | v execveat ---> __libc_init_common() -> __system_properties_init() (snapuserd) When init process calls PropertyInit(), /dev/__properties__ directory is created. When bionic libc of snapuserd daemon invokes __system_properties_init _after_ init process PropertyInit() function is invoked, libc will try to initialize the property by reading /system/etc/selinux/plat_property_contexts. Since any reads on /system has to be served by snapuserd, this specific read from libc cannot be serviced leading to deadlock. Reproduce the race by inducing a sleep of 1500ms just before execveat() so that init process calls PropertyInit() before bionic libc initialization. This leads to deadlock immediately and with additional kernel instrumentation with debug logs confirms the failure: ====================================================== init: Relaunched snapuserd with pid: 428 ext4_file_open: SNAPUSERD: path /system/etc/selinux/plat_property_contexts - Pid: 428 comm 8 ext4_file_read_iter: SNAPUSERD for path: /system/etc/selinux/plat_property_contexts pid: 428 comm 8 [ 25.418043][ T428] ext4_file_read_iter+0x3dc/0x3e0 [ 25.423000][ T428] vfs_read+0x2e0/0x354 [ 25.426986][ T428] ksys_read+0x7c/0xec [ 25.430894][ T428] __arm64_sys_read+0x20/0x30 [ 25.435419][ T428] el0_svc_common.llvm.17612735770287389485+0xd0/0x1e0 [ 25.442095][ T428] do_el0_svc+0x28/0xa0 [ 25.446100][ T428] el0_svc+0x14/0x24 [ 25.449825][ T428] el0_sync_handler+0x88/0xec [ 25.454343][ T428] el0_sync+0x1c0/0x200 ===================================================== Fix: Before starting init second stage, we will wait for snapuserd daemon to be up and running. We do a simple probe by reading system partition. This read will eventually be serviced by daemon confirming that daemon is up and running. Furthermore, we are still in the kernel domain and sepolicy has not been enforced yet. Thus, access to these device mapper block devices are ok even though we may see audit logs. Note that daemon will re-initialize the __system_property_init() as part of WaitForSocket() call. This is subtle but important; since bionic libc initialized had failed silently, it is important that this re-initialization is done. Bug: 207298357 Test: Induce the failure by explicitly delaying the call of execveat(). With fix, no issues observed. Tested incremental OTA on pixel ~15 times. Signed-off-by: Akilesh Kailash <akailash@google.com> Change-Id: I86c2de977de052bfe9dcdc002dcbd9026601d0f3
2022-01-25 08:05:31 +01:00
init: Set oom_score_adj to snapuserd process When a process is started as a native service, oom_score_adj is set to -1000 so that processes are unkillable by lmkd. During boot, snapuserd process is not started as a service; hence, we need to set the oom_score_adj explicitly else in the event of low memory situation, lmkd can kill the process thereby device can never boot. Bug: 234691483 Test: th and OTA on Pixel Signed-off-by: Akilesh Kailash <akailash@google.com> Change-Id: Ic2c85aa470522b4bc847a16b4f5cebfc528ed3cf
2022-06-02 10:00:39 +02:00
// Since daemon is not started as a service, we have
// to explicitly set the OOM score to default which is unkillable
std::string oom_str = std::to_string(DEFAULT_OOM_SCORE_ADJUST);
std::string oom_file = android::base::StringPrintf("/proc/%d/oom_score_adj", pid);
if (!android::base::WriteStringToFile(oom_str, oom_file)) {
PLOG(ERROR) << "couldn't write oom_score_adj to snapuserd daemon with pid: " << pid;
}
init: Wait for snapuserd before starting second stage This is a race between init process and bionic libc initialization of snapuserd. init->fork() ----------------> SecondStageMain() -> PropertyInit() | | v execveat ---> __libc_init_common() -> __system_properties_init() (snapuserd) When init process calls PropertyInit(), /dev/__properties__ directory is created. When bionic libc of snapuserd daemon invokes __system_properties_init _after_ init process PropertyInit() function is invoked, libc will try to initialize the property by reading /system/etc/selinux/plat_property_contexts. Since any reads on /system has to be served by snapuserd, this specific read from libc cannot be serviced leading to deadlock. Reproduce the race by inducing a sleep of 1500ms just before execveat() so that init process calls PropertyInit() before bionic libc initialization. This leads to deadlock immediately and with additional kernel instrumentation with debug logs confirms the failure: ====================================================== init: Relaunched snapuserd with pid: 428 ext4_file_open: SNAPUSERD: path /system/etc/selinux/plat_property_contexts - Pid: 428 comm 8 ext4_file_read_iter: SNAPUSERD for path: /system/etc/selinux/plat_property_contexts pid: 428 comm 8 [ 25.418043][ T428] ext4_file_read_iter+0x3dc/0x3e0 [ 25.423000][ T428] vfs_read+0x2e0/0x354 [ 25.426986][ T428] ksys_read+0x7c/0xec [ 25.430894][ T428] __arm64_sys_read+0x20/0x30 [ 25.435419][ T428] el0_svc_common.llvm.17612735770287389485+0xd0/0x1e0 [ 25.442095][ T428] do_el0_svc+0x28/0xa0 [ 25.446100][ T428] el0_svc+0x14/0x24 [ 25.449825][ T428] el0_sync_handler+0x88/0xec [ 25.454343][ T428] el0_sync+0x1c0/0x200 ===================================================== Fix: Before starting init second stage, we will wait for snapuserd daemon to be up and running. We do a simple probe by reading system partition. This read will eventually be serviced by daemon confirming that daemon is up and running. Furthermore, we are still in the kernel domain and sepolicy has not been enforced yet. Thus, access to these device mapper block devices are ok even though we may see audit logs. Note that daemon will re-initialize the __system_property_init() as part of WaitForSocket() call. This is subtle but important; since bionic libc initialized had failed silently, it is important that this re-initialization is done. Bug: 207298357 Test: Induce the failure by explicitly delaying the call of execveat(). With fix, no issues observed. Tested incremental OTA on pixel ~15 times. Signed-off-by: Akilesh Kailash <akailash@google.com> Change-Id: I86c2de977de052bfe9dcdc002dcbd9026601d0f3
2022-01-25 08:05:31 +01:00
if (!TestSnapuserdIsReady()) {
PLOG(FATAL) << "snapuserd daemon failed to launch";
} else {
LOG(INFO) << "snapuserd daemon is up and running";
}
init: Add an selinux transition for snapuserd. With compressed VAB updates, it is not possible to mount /system without first running snapuserd, which is the userspace component to the dm-user kernel module. This poses a problem because as soon as selinux enforcement is enabled, snapuserd (running in a kernel context) does not have access to read and decompress the underlying system partition. To account for this, we split SelinuxInitialize into multiple steps: First, sepolicy is read into an in-memory string. Second, the device-mapper tables for all snapshots are rebuilt. This flushes any pending reads and creates new dm-user devices. The original kernel-privileged snapuserd is then killed. Third, sepolicy is loaded from the in-memory string. Fourth, we re-launch snapuserd and connect it to the newly created dm-user devices. As part of this step we restorecon device-mapper devices and /dev/block/by-name/super, since the new snapuserd is in a limited context. Finally, we set enforcing mode. This sequence ensures that snapuserd has appropriate privileges with a minimal number of permissive audits. Bug: 173476209 Test: full OTA with VABC applies and boots Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 09:21:20 +01:00
return;
}
// Make sure the descriptor is gone after we exec.
if (fcntl(fd.value(), F_SETFD, FD_CLOEXEC) < 0) {
PLOG(FATAL) << "fcntl FD_CLOEXEC failed for snapuserd fd";
}
std::vector<char*> argv;
for (auto& arg : argv_) {
argv.emplace_back(arg.data());
}
argv.emplace_back(nullptr);
int rv = syscall(SYS_execveat, fd.value(), "", reinterpret_cast<char* const*>(argv.data()),
nullptr, AT_EMPTY_PATH);
if (rv < 0) {
PLOG(FATAL) << "Failed to execveat() snapuserd";
}
}
std::unique_ptr<SnapuserdSelinuxHelper> SnapuserdSelinuxHelper::CreateIfNeeded() {
if (IsRecoveryMode()) {
return nullptr;
}
auto old_pid = GetSnapuserdFirstStagePid();
if (!old_pid) {
return nullptr;
}
auto sm = SnapshotManager::NewForFirstStageMount();
if (!sm) {
LOG(FATAL) << "Unable to create SnapshotManager";
}
return std::make_unique<SnapuserdSelinuxHelper>(std::move(sm), old_pid.value());
}
void KillFirstStageSnapuserd(pid_t pid) {
if (kill(pid, SIGTERM) < 0 && errno != ESRCH) {
LOG(ERROR) << "Kill snapuserd pid failed: " << pid;
} else {
LOG(INFO) << "Sent SIGTERM to snapuserd process " << pid;
}
}
void CleanupSnapuserdSocket() {
auto socket_path = ANDROID_SOCKET_DIR "/"s + android::snapshot::kSnapuserdSocket;
if (access(socket_path.c_str(), F_OK) != 0) {
return;
}
// Tell the daemon to stop accepting connections and to gracefully exit
// once all outstanding handlers have terminated.
if (auto client = SnapuserdClient::Connect(android::snapshot::kSnapuserdSocket, 3s)) {
client->DetachSnapuserd();
}
// Unlink the socket so we can create it again in second-stage.
if (unlink(socket_path.c_str()) < 0) {
PLOG(FATAL) << "unlink " << socket_path << " failed";
}
}
void SaveRamdiskPathToSnapuserd() {
int fd = open(kSnapuserdPath, O_PATH);
if (fd < 0) {
PLOG(FATAL) << "Unable to open snapuserd: " << kSnapuserdPath;
}
auto value = std::to_string(fd);
if (setenv(kSnapuserdFirstStageFdVar, value.c_str(), 1) < 0) {
PLOG(FATAL) << "setenv failed: " << kSnapuserdFirstStageFdVar << "=" << value;
}
}
bool IsFirstStageSnapuserdRunning() {
return GetSnapuserdFirstStagePid().has_value();
}
snapuserd: Allow connecting to the first-stage daemon. Currently there is no socket for daemon instances launched during the selinux phase of init. We don't create any sockets due to the complexity of the required sepolicy. This workaround will allow us to create the socket with very minimal sepolicy changes. init will launch a one-off instance of snapuserd in "proxy" mode, and then the following steps will occur: 1. The proxy daemon will be given two sockets, the "normal" socket that snapuserd clients would connect to, and a "proxy" socket. 2. The proxy daemon will listen on the proxy socket. 3. The first-stage daemon will wake up and connect to the proxy daemon as a client. 4. The proxy will send the normal socket via SCM_RIGHTS, then exit. 5. The first-stage daemon can now listen and accept on the normal socket. Ordering of these events is achieved through a snapuserd.proxy_ready property. Some special-casing was needed in init to make this work. The snapuserd socket owned by snapuserd_proxy is placed into a "persist" mode so it doesn't get deleted when snapuserd_proxy exits. There's also a special case method to create a Service object around a previously existing pid. Finally, first-stage init is technically on a different updateable partition than snapuserd. Thus, we add a way to query snapuserd to see if it supports socket handoff. If it does, we communicate this information through an environment variable to second-stage init. Bug: 193833730 Test: manual test Change-Id: I1950b31028980f0138bc03578cd455eb60ea4a58
2021-07-22 06:53:28 +02:00
std::vector<std::string> GetSnapuserdFirstStageInfo() {
const char* pid_str = getenv(kSnapuserdFirstStageInfoVar);
if (!pid_str) {
return {};
}
return android::base::Split(pid_str, ",");
}
init: Add an selinux transition for snapuserd. With compressed VAB updates, it is not possible to mount /system without first running snapuserd, which is the userspace component to the dm-user kernel module. This poses a problem because as soon as selinux enforcement is enabled, snapuserd (running in a kernel context) does not have access to read and decompress the underlying system partition. To account for this, we split SelinuxInitialize into multiple steps: First, sepolicy is read into an in-memory string. Second, the device-mapper tables for all snapshots are rebuilt. This flushes any pending reads and creates new dm-user devices. The original kernel-privileged snapuserd is then killed. Third, sepolicy is loaded from the in-memory string. Fourth, we re-launch snapuserd and connect it to the newly created dm-user devices. As part of this step we restorecon device-mapper devices and /dev/block/by-name/super, since the new snapuserd is in a limited context. Finally, we set enforcing mode. This sequence ensures that snapuserd has appropriate privileges with a minimal number of permissive audits. Bug: 173476209 Test: full OTA with VABC applies and boots Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 09:21:20 +01:00
} // namespace init
} // namespace android
Reference in a new issue Copy permalink