tequilaOS/platform_system_core
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_core/init/Android.mk

172 lines
4 KiB
Makefile
Raw Normal View History

auto import from //depot/cupcake/@135843
2009-03-04 04:32:55 +01:00
# Copyright 2005 The Android Open Source Project
LOCAL_PATH:= $(call my-dir)
Stop using #if for conditional compilation. Use regular 'if' to prevent bitrot. Also remove remaining typedefs. Change-Id: I2e6ca928e2db29b88b643cf990ff05cfb0be94a6
2015-02-04 23:46:36 +01:00
# --
ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
init: remove support for disabled SELinux Remove support for androidboot.selinux=disabled. Running with SELinux disabled is not a supported configuration anymore. SELinux must be in enforcing in shipping devices, but we also support permissive for userdebug/eng builds. Don't try security_setenforce() if we're already in enforcing mode. A kernel compiled without CONFIG_SECURITY_SELINUX_DEVELOP does not have a permissive mode, so the kernel will already be enforcing once the policy is loaded. Bug: 19702273 Change-Id: I07525a017ddb682020ec0d42e56a2702c053bdeb
2015-04-28 21:39:41 +02:00
init_options += -DALLOW_LOCAL_PROP_OVERRIDE=1 -DALLOW_PERMISSIVE_SELINUX=1
Stop using #if for conditional compilation. Use regular 'if' to prevent bitrot. Also remove remaining typedefs. Change-Id: I2e6ca928e2db29b88b643cf990ff05cfb0be94a6
2015-02-04 23:46:36 +01:00
else
init: remove support for disabled SELinux Remove support for androidboot.selinux=disabled. Running with SELinux disabled is not a supported configuration anymore. SELinux must be in enforcing in shipping devices, but we also support permissive for userdebug/eng builds. Don't try security_setenforce() if we're already in enforcing mode. A kernel compiled without CONFIG_SECURITY_SELINUX_DEVELOP does not have a permissive mode, so the kernel will already be enforcing once the policy is loaded. Bug: 19702273 Change-Id: I07525a017ddb682020ec0d42e56a2702c053bdeb
2015-04-28 21:39:41 +02:00
init_options += -DALLOW_LOCAL_PROP_OVERRIDE=0 -DALLOW_PERMISSIVE_SELINUX=0
Stop using #if for conditional compilation. Use regular 'if' to prevent bitrot. Also remove remaining typedefs. Change-Id: I2e6ca928e2db29b88b643cf990ff05cfb0be94a6
2015-02-04 23:46:36 +01:00
endif
Clean up reading and writing in init. This isn't particularly useful in and of itself, but it does introduce the first (trivial) unit test, improves the documentation (including details about how to debug init crashes), and made me aware of how unpleasant the existing parser is. I also fixed a bug in passing --- unless you thought the "peboot" and "pm" commands were features... Bug: 19217569 Change-Id: I6ab76129a543ce3ed3dab52ef2c638009874c3de
2015-02-06 21:19:48 +01:00
init_options += -DLOG_UEVENTS=0
init_cflags += \
$(init_options) \
-Wall -Wextra \
-Wno-unused-parameter \
-Werror \
init: enable C++17 Test: Boot bullhead Change-Id: I40961ff765461e8aef211d27158ffb7c4be76493
2017-03-13 19:58:58 +01:00
-std=gnu++1z \
Stop using #if for conditional compilation. Use regular 'if' to prevent bitrot. Also remove remaining typedefs. Change-Id: I2e6ca928e2db29b88b643cf990ff05cfb0be94a6
2015-02-04 23:46:36 +01:00
# --
init: Add C++ tokenizer. Adds a C++ tokenizer along with unit tests. This tokenizer will replace the current C implementation which does a poor job of keeping track of pointers. This CL is a prerequisite for up coming changes to the parser. This CL does not wire up this tokenizer and changes no exsiting code. All that builds is the unit tests. Change-Id: Iec3740bce7153640adc5e5bbdc57e644cedf0038 TEST: Unit tests all pass. No leaks under valgrind BUG: 22843198
2015-07-30 18:27:11 +02:00
# If building on Linux, then build unit test for the host.
ifeq ($(HOST_OS),linux)
include $(CLEAR_VARS)
LOCAL_CPPFLAGS := $(init_cflags)
LOCAL_SRC_FILES:= \
parser/tokenizer.cpp \
LOCAL_MODULE := libinit_parser
LOCAL_CLANG := true
include $(BUILD_HOST_STATIC_LIBRARY)
include $(CLEAR_VARS)
LOCAL_MODULE := init_parser_tests
LOCAL_SRC_FILES := \
parser/tokenizer_test.cpp \
Revert "bootstat: Refactor init/utils/boot_clock into base/chrono_utils." This reverts commit 7c92e484503f239000ef97ef5b067907fbeaa4a6. Mac sdk still broken (despite testing locally). Change-Id: I7d9206e15997cd0efe081bd3fa17d53d2b20ec32
2017-02-14 20:20:20 +01:00
LOCAL_STATIC_LIBRARIES := libinit_parser
init: Add C++ tokenizer. Adds a C++ tokenizer along with unit tests. This tokenizer will replace the current C implementation which does a poor job of keeping track of pointers. This CL is a prerequisite for up coming changes to the parser. This CL does not wire up this tokenizer and changes no exsiting code. All that builds is the unit tests. Change-Id: Iec3740bce7153640adc5e5bbdc57e644cedf0038 TEST: Unit tests all pass. No leaks under valgrind BUG: 22843198
2015-07-30 18:27:11 +02:00
LOCAL_CLANG := true
include $(BUILD_HOST_NATIVE_TEST)
endif
Clean up reading and writing in init. This isn't particularly useful in and of itself, but it does introduce the first (trivial) unit test, improves the documentation (including details about how to debug init crashes), and made me aware of how unpleasant the existing parser is. I also fixed a bug in passing --- unless you thought the "peboot" and "pm" commands were features... Bug: 19217569 Change-Id: I6ab76129a543ce3ed3dab52ef2c638009874c3de
2015-02-06 21:19:48 +01:00
include $(CLEAR_VARS)
LOCAL_CPPFLAGS := $(init_cflags)
LOCAL_SRC_FILES:= \
init: Create classes for Action and Command This creates the concept of 'event_trigger' vs 'property_trigger' Previously these were merged into one, such that 'on property:a=b && property:b=c' is triggered when properties a=b and b=c as expected, however combinations such as 'on early-boot && boot' would trigger during both early-boot and boot. Similarly, 'on early-boot && property:a=b' would trigger on both early-boot and again when property a equals b. The event trigger distinction ensures that the first example fails to parse and the second example only triggers on early-boot if property a equals b. This coalesces Actions with the same triggers into a single Action object Change-Id: I8f661d96e8a2d40236f252301bfe10979d663ea6
2015-07-24 02:53:11 +02:00
action.cpp \
init: Add support for ambient capabilities. Ambient capabilities are inherited in a straightforward way across execve(2): " If you are nonroot but you have a capability, you can add it to pA. If you do so, your children get that capability in pA, pP, and pE. For example, you can set pA = CAP_NET_BIND_SERVICE, and your children can automatically bind low-numbered ports. " This will allow us to get rid of the special meaning for AID_NET_ADMIN and AID_NET_RAW, and if desired, to reduce the use of file capabilities (which grant capabilities to any process that can execute the file). An additional benefit of the latter is that a single .rc file can specify all properties for a service, without having to rely on a separate file for file capabilities. Ambient capabilities are supported starting with kernel 4.3 and have been backported to all Android common kernels back to 3.10. I chose to not use Minijail here (though I'm still using libcap) for two reasons: 1-The Minijail code is designed to work in situations where the process is holding any set of capabilities, so it's more complex. The situation when forking from init allows for simpler code. 2-The way Minijail is structured right now, we would not be able to make the required SELinux calls between UID/GID dropping and other priv dropping code. In the future, it will make sense to add some sort of "hook" to Minijail so that it can be used in situations where we want to do other operations between some of the privilege-dropping operations carried out by Minijail. Bug: 32438163 Test: Use sample service. Change-Id: I3226cc95769d1beacbae619cb6c6e6a5425890fb
2016-10-27 16:33:03 +02:00
capabilities.cpp \
init: service file keyword Solve one more issue where privilege is required to open a file and we do not want to grant such to the service. This is the service side of the picture, android_get_control_file() in libcutils is the client. The file's descriptor is placed into the environment as "ANDROID_FILE_<path>". For socket and files where non-alpha and non-numeric characters in the <name/path> are replaced with _. There was an accompanying change in android_get_control_socket() to match in commit 'libcutils: add android_get_control_socket() test' Add a gTest unit test for this that tests create_file and android_get_control_file(). Test: gTest init_tests --gtest_filter=util.create_file Bug: 32450474 Change-Id: I96eb970c707db6d51a9885873329ba1cb1f23140
2016-10-27 16:45:34 +02:00
descriptors.cpp \
init: Use classes for parsing and clean up memory allocations Create a Parser class that uses multiple SectionParser interfaces to handle parsing the different sections of an init rc. Create an ActionParser and ServiceParser that implement SectionParser and parse the sections corresponding to Action and Service classes. Remove the legacy keyword structure and replace it with std::map's that map keyword -> (minimum args, maximum args, function pointer) for Commands and Service Options. Create an ImportParser that implements SectionParser and handles the import 'section'. Clean up the unsafe memory handling of the Action class by using std::unique_ptr. Change-Id: Ic5ea5510cb956dbc3f78745a35096ca7d6da7085
2015-08-26 20:43:36 +02:00
import_parser.cpp \
Clean up reading and writing in init. This isn't particularly useful in and of itself, but it does introduce the first (trivial) unit test, improves the documentation (including details about how to debug init crashes), and made me aware of how unpleasant the existing parser is. I also fixed a bug in passing --- unless you thought the "peboot" and "pm" commands were features... Bug: 19217569 Change-Id: I6ab76129a543ce3ed3dab52ef2c638009874c3de
2015-02-06 21:19:48 +01:00
init_parser.cpp \
Log more timing information from init. Also make important events in init's life NOTICE rather than INFO, and ensure that NOTICE events actually make it to the kernel log. Also fix the logging so that if you have a printf format string error, the compiler now catches it. Also give messages from init, ueventd, and watchdogd distinct tags. (Previously they'd all call themselves "init", and dmesg doesn't include pids, so you couldn't untangle them.) Also include the tag in SELinux messages. Bug: 19544788 Change-Id: Ica6daea065bfdb80155c52c0b06f346a7df208fe
2015-03-28 07:20:44 +01:00
log.cpp \
Clean up reading and writing in init. This isn't particularly useful in and of itself, but it does introduce the first (trivial) unit test, improves the documentation (including details about how to debug init crashes), and made me aware of how unpleasant the existing parser is. I also fixed a bug in passing --- unless you thought the "peboot" and "pm" commands were features... Bug: 19217569 Change-Id: I6ab76129a543ce3ed3dab52ef2c638009874c3de
2015-02-06 21:19:48 +01:00
parser.cpp \
Create Service and ServiceManager classes Change-Id: I363a5e4751ad83d2f4096882a6fbbeddca03acfe
2015-07-31 21:45:25 +02:00
service.cpp \
Clean up reading and writing in init. This isn't particularly useful in and of itself, but it does introduce the first (trivial) unit test, improves the documentation (including details about how to debug init crashes), and made me aware of how unpleasant the existing parser is. I also fixed a bug in passing --- unless you thought the "peboot" and "pm" commands were features... Bug: 19217569 Change-Id: I6ab76129a543ce3ed3dab52ef2c638009874c3de
2015-02-06 21:19:48 +01:00
util.cpp \
Send property_service AVC messages to the kernel audit system The property service uses an SELinux userspace check to determine if a process is allowed to set a property. If the security check fails, a userspace SELinux denial is generated. Currently, these denials are only sent to dmesg. Instead of sending these denials to dmesg, send it to the kernel audit system. This will cause these userspace denials to be treated similarly to kernel generated denials (eg, logd will pick them up and process them). This will ensure that denials generated by the property service will show up in logcat / dmesg / event log. After this patch, running "setprop asdf asdf" from the unprivileged adb shell user will result in the following audit message: type=1107 audit(39582851.013:48): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=asdf pid=5537 uid=2000 gid=2000 scontext=u:r:shell:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service' Test: manual Bug: 27878170 Change-Id: I0b8994888653501f2f315eaa63d9e2ba32d851ef
2017-01-03 17:37:54 +01:00
LOCAL_STATIC_LIBRARIES := libbase libselinux liblog libprocessgroup libnl
init: Add support for ambient capabilities. Ambient capabilities are inherited in a straightforward way across execve(2): " If you are nonroot but you have a capability, you can add it to pA. If you do so, your children get that capability in pA, pP, and pE. For example, you can set pA = CAP_NET_BIND_SERVICE, and your children can automatically bind low-numbered ports. " This will allow us to get rid of the special meaning for AID_NET_ADMIN and AID_NET_RAW, and if desired, to reduce the use of file capabilities (which grant capabilities to any process that can execute the file). An additional benefit of the latter is that a single .rc file can specify all properties for a service, without having to rely on a separate file for file capabilities. Ambient capabilities are supported starting with kernel 4.3 and have been backported to all Android common kernels back to 3.10. I chose to not use Minijail here (though I'm still using libcap) for two reasons: 1-The Minijail code is designed to work in situations where the process is holding any set of capabilities, so it's more complex. The situation when forking from init allows for simpler code. 2-The way Minijail is structured right now, we would not be able to make the required SELinux calls between UID/GID dropping and other priv dropping code. In the future, it will make sense to add some sort of "hook" to Minijail so that it can be used in situations where we want to do other operations between some of the privilege-dropping operations carried out by Minijail. Bug: 32438163 Test: Use sample service. Change-Id: I3226cc95769d1beacbae619cb6c6e6a5425890fb
2016-10-27 16:33:03 +02:00
LOCAL_WHOLE_STATIC_LIBRARIES := libcap
Clean up reading and writing in init. This isn't particularly useful in and of itself, but it does introduce the first (trivial) unit test, improves the documentation (including details about how to debug init crashes), and made me aware of how unpleasant the existing parser is. I also fixed a bug in passing --- unless you thought the "peboot" and "pm" commands were features... Bug: 19217569 Change-Id: I6ab76129a543ce3ed3dab52ef2c638009874c3de
2015-02-06 21:19:48 +01:00
LOCAL_MODULE := libinit
init: add LOCAL_SANITIZE := integer Call abort() on undefined or sketchy integer behavior. Protects against integer overflow attacks. Change-Id: If73e6b382f2ee645fec406805739f9684ddbb5f0
2015-08-15 17:24:23 +02:00
LOCAL_SANITIZE := integer
Make it clearer to grep that init is built with clang. Change-Id: Ic2abffd27e382cb691d772cdf088442645e59bf7
2015-06-11 07:43:51 +02:00
LOCAL_CLANG := true
Clean up reading and writing in init. This isn't particularly useful in and of itself, but it does introduce the first (trivial) unit test, improves the documentation (including details about how to debug init crashes), and made me aware of how unpleasant the existing parser is. I also fixed a bug in passing --- unless you thought the "peboot" and "pm" commands were features... Bug: 19217569 Change-Id: I6ab76129a543ce3ed3dab52ef2c638009874c3de
2015-02-06 21:19:48 +01:00
include $(BUILD_STATIC_LIBRARY)
include $(CLEAR_VARS)
LOCAL_CPPFLAGS := $(init_cflags)
auto import from //depot/cupcake/@135843
2009-03-04 04:32:55 +01:00
LOCAL_SRC_FILES:= \
Use TEMP_FAILURE_RETRY, always build bootchart.cpp. Also switch the revision parsing over to sscanf as promised. I haven't done the hardware parsing because I don't yet know whether we actually need to keep the space-stripping code. Change-Id: Ic33378345cd515cb08d00c543acf44eb72673396
2015-02-04 19:25:09 +01:00
bootchart.cpp \
Build init as C++. This is just the minimal change to keep it building. Change-Id: I245c5b8413a1db114576c81462eb5737f5ffcef2
2015-02-04 02:12:07 +01:00
builtins.cpp \
devices.cpp \
init.cpp \
keychords.cpp \
property_service.cpp \
signal_handler.cpp \
ueventd.cpp \
ueventd_parser.cpp \
watchdogd.cpp \
auto import from //depot/cupcake/@135843
2009-03-04 04:32:55 +01:00
LOCAL_MODULE:= init
load ro.recovery_id property from recovery partition Change-Id: I9dc1f325e353375d9c1c8ed949636e2404601076
2015-05-08 17:30:33 +02:00
LOCAL_C_INCLUDES += \
system/core/mkbootimg
auto import from //depot/cupcake/@135843
2009-03-04 04:32:55 +01:00
LOCAL_FORCE_STATIC_EXECUTABLE := true
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
LOCAL_UNSTRIPPED_PATH := $(TARGET_ROOT_OUT_UNSTRIPPED)
Remove HAVE_SELINUX guards Change-Id: I8272c573b3c5dc663203bafab68fad5e94d89364
2012-10-17 08:07:05 +02:00
LOCAL_STATIC_LIBRARIES := \
Clean up reading and writing in init. This isn't particularly useful in and of itself, but it does introduce the first (trivial) unit test, improves the documentation (including details about how to debug init crashes), and made me aware of how unpleasant the existing parser is. I also fixed a bug in passing --- unless you thought the "peboot" and "pm" commands were features... Bug: 19217569 Change-Id: I6ab76129a543ce3ed3dab52ef2c638009874c3de
2015-02-06 21:19:48 +01:00
libinit \
init: use libbootloader_message. Bug: 29582118 Change-Id: I6285b29774a11d6dda8496c7c73e4c1d17a672bd (cherry picked from commit 0b1252cca0ecd5603e0fc0d5dadde91410b6b557)
2016-06-25 03:28:03 +02:00
libbootloader_message \
Clean up reading and writing in init. This isn't particularly useful in and of itself, but it does introduce the first (trivial) unit test, improves the documentation (including details about how to debug init crashes), and made me aware of how unpleasant the existing parser is. I also fixed a bug in passing --- unless you thought the "peboot" and "pm" commands were features... Bug: 19217569 Change-Id: I6ab76129a543ce3ed3dab52ef2c638009874c3de
2015-02-06 21:19:48 +01:00
libfs_mgr \
Error correction: Use libfec in fs_mgr Use libfec to read and parse verity metadata to protect against data corruption. Bug: 21893453 Change-Id: I3a3543e0d999316707302b3be8735a7133d22946
2015-05-22 16:43:50 +02:00
libfec \
libfec_rs \
Revert "Revert "fs_mgr_verity: Add support for squashfs"" This reverts commit 7b97c7a3fa0f1bdae5b45a70f625ff48f9dab0c1. Change-Id: Id47e70479fe9247b7936f2e54d4dbfbb4f63f635
2015-04-09 02:59:19 +02:00
libsquashfs_utils \
Clean up reading and writing in init. This isn't particularly useful in and of itself, but it does introduce the first (trivial) unit test, improves the documentation (including details about how to debug init crashes), and made me aware of how unpleasant the existing parser is. I also fixed a bug in passing --- unless you thought the "peboot" and "pm" commands were features... Bug: 19217569 Change-Id: I6ab76129a543ce3ed3dab52ef2c638009874c3de
2015-02-06 21:19:48 +01:00
liblogwrap \
libcutils \
Remove "_static" and "_host" suffix from libext4_utils. Bug: 34220783 Change-Id: I967dbaa9c48ad1feed2369c3a40f745b86a350f8
2017-01-11 23:03:11 +01:00
libext4_utils \
User 0 directories are created by vold now. This ensures that all users on device follow a consistent path for setup and validation of encryption policy. Also add remaining user-specific directories and fix linking order. Bug: 25796509 Change-Id: I8c2e42a78569817f7f5ea03f54b743a6661fdb9c
2016-02-03 22:44:44 +01:00
libbase \
Clean up reading and writing in init. This isn't particularly useful in and of itself, but it does introduce the first (trivial) unit test, improves the documentation (including details about how to debug init crashes), and made me aware of how unpleasant the existing parser is. I also fixed a bug in passing --- unless you thought the "peboot" and "pm" commands were features... Bug: 19217569 Change-Id: I6ab76129a543ce3ed3dab52ef2c638009874c3de
2015-02-06 21:19:48 +01:00
libc \
libselinux \
init/adb: correct static lib dependencies for libselinux Now that libselinux uses libpackagelistparser, in order for libpackagelistparser to be properly statically linked liblog must come after libselinux for all the liblog references to be defined in libpackagelistparser which is included in libselinux. This patch corrects that order. Change-Id: I7aee10c9395310919779ed2463aab6b2f8b380cc Signed-off-by: William Roberts <william.c.roberts@intel.com>
2015-08-04 23:23:04 +02:00
liblog \
libcrypto_utils: convert to Soong. Bug: http://b/30708454 Change-Id: Iaad64272ced766f87e67f2877e990afccc558065
2016-08-06 00:47:57 +02:00
libcrypto_utils \
libcrypto \
Revert "Revert "Adding e4crypt support"" Fix build break caused by original change This reverts commit 84b0bab58fcc7f225e9a17a15c531b0c2fc509c5. Change-Id: I99fbd7c3d1ed92db1f546033c8493bb71a327924
2015-03-26 16:49:42 +01:00
libc++_static \
resolved conflicts for merge of 79f33846 to lmp-mr1-dev-plus-aosp Change-Id: I24c60a2747931917a3ea09b953905ce0f4145280
2015-04-14 01:29:05 +02:00
libdl \
Remove "_host" and "_static" suffix from libsparse definition. This now combines all the "libsparse" libraries into the same soong target. A minor side-effect of this change is that the libsparse static library depends on the libz shared library instead of the libz static library. This minor change has no effect since targets using the static libsparse library need to explicitly include either the static libz or the shared one. Bug: 34220783 Change-Id: I8f41586cf4c3336791cfa57ab4f5ae59a76d7ffa
2017-01-11 23:37:50 +01:00
libsparse \
use process groups for processes started by init Put every service into a process group, kill the process group and all child processes created within the group when killing the service. Removed libutil dependency in libprocessgroup. Bug: 25355957 Change-Id: Ieed60ec41579f638ab9b1e66a7e6330ed578ab05 Signed-off-by: Collin Mulliner <collinrm@squareup.com>
2016-06-01 23:03:55 +02:00
libz \
Send property_service AVC messages to the kernel audit system The property service uses an SELinux userspace check to determine if a process is allowed to set a property. If the security check fails, a userspace SELinux denial is generated. Currently, these denials are only sent to dmesg. Instead of sending these denials to dmesg, send it to the kernel audit system. This will cause these userspace denials to be treated similarly to kernel generated denials (eg, logd will pick them up and process them). This will ensure that denials generated by the property service will show up in logcat / dmesg / event log. After this patch, running "setprop asdf asdf" from the unprivileged adb shell user will result in the following audit message: type=1107 audit(39582851.013:48): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=asdf pid=5537 uid=2000 gid=2000 scontext=u:r:shell:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service' Test: manual Bug: 27878170 Change-Id: I0b8994888653501f2f315eaa63d9e2ba32d851ef
2017-01-03 17:37:54 +01:00
libprocessgroup \
libnl \
fs_mgr: support using libavb to enable dm-verity external/avb/libavb provides the new Android Verified Boot (AVB) flow. It has different verity metadata format than previous formats in fs_mgr_verity.cpp fs_mgr should support using libavb to read the metadata (a.k.a. HASHTREE descriptor in AVB) to enable dm-verity in kernel. Two important files in this commit: - fs_mgr_avb_ops.c: an implementation of struct AvbOps* for libavb to do platform dependent I/O operations, e.g., read_from_partition. - fs_mgr_avb.cpp: it reads the metadata (a.k.a. vbmeta images in AVB) from all partitions, verifies its integrity against the values of androidboot.vbmeta.{hash_alg, size, digest} passed from bootloader in kernel command line. Then enable dm-verity for partitions having the corresponding HASHTREE descriptor and with an 'avb' fstab flag. Bug: 31264231 Test: Enable dm-verity on /system partition Test: Enable dm-verity with FEC on /system partition Change-Id: I4652806984fe5a30c61be0839135b5ca78323d38
2017-01-11 15:21:38 +01:00
libavb
Extend init and ueventd for SE Android. Add SE Android support for init and ueventd. init: - Load policy at boot. - Set the security context for service daemons and their sockets. - New built-in commands: setcon, setenforce, restorecon, setsebool. - New option for services: seclabel. ueventd: - Set the security context for device directories and nodes. Change-Id: I98ed752cde503c94d99dfa5b5a47e3c33db16aac
2012-01-13 14:48:47 +01:00
Include correct type of SELinux policy This makes the build system include split SELinux policy (three CIL files and the secilc compiler needed to compile them) if PRODUCT_FULL_TREBLE is set to true. Otherwise, the monolitic SELinux policy is included. Split policy currently adds around 400 ms to boot time (measured on marlin/sailfish and bullhead) because the policy needs to be compiled during boot. This is the main reason why we include split policy only on devices which require it. Test: Device boots, no additional SELinux denials. This test is performed on a device with PRODUCT_FULL_TREBLE set to true, and on a device with PRODUCT_FULL_TREBLE set to false. Test: Device with PRODUCT_FULL_TREBLE set to true contains secilc and the three *.cil files, but does not contain the sepolicy file. Device with PRODUCT_FULL_TREBLE set to false contains sepolicy file but does not contain the secilc file or any *.cil files. Bug: 31363362 Change-Id: I419aa35bad6efbc7f936bddbdc776de5633846fc
2017-03-02 21:53:32 +01:00
# Include SELinux policy. We do this here because different modules
# need to be included based on the value of PRODUCT_FULL_TREBLE. This
# type of conditional inclusion cannot be done in top-level files such
# as build/target/product/embedded.mk.
# This conditional inclusion closely mimics the conditional logic
# inside init/init.cpp for loading SELinux policy from files.
ifeq ($(PRODUCT_FULL_TREBLE),true)
# Use split SELinux policy
LOCAL_REQUIRED_MODULES += \
mapping_sepolicy.cil \
nonplat_sepolicy.cil \
plat_sepolicy.cil \
Use precompiled sepolicy when available NOTE: This change affects only devices which use SELinux kernel policy split over system and vendor directories/partitions. Prior to this change, init compiled sepolicy from *.cil files on every boot, thus slowing boot down by about 400 ms. This change enables init to skip the step compilation and thus avoid spending the 400 ms. The skipping occurs only if the device's vendor partition includes an acceptable precompiled policy file. If no acceptable policy is found, the compilation step takes place same as before. Because such devices support updating system and vendor partitions independently of each other, the vendor partition's precompiled policy is only used if it was compiled against the system partition's policy. The exact mechanism is that both partitions include a file containing the SHA-256 digest of the system partition's policy (plat_sepolicy.cil) and the precompiled policy is considered usable only if the two digests are identical. Test: Device with monolithic policy boots up just fine Test: Device with split policy and with matching precompiled policy boots up just fine and getprop ro.boottime.init.selinux returns a number below 100 ms. No "Compiling SELinux policy" message in dmesg. Test: Device with split policy and with non-matching precompiled policy boots up just fine and getpropr ro.boottime.init.selinux returns a number above 400 ms. There is a "Compiling SELinux policy" message in dmesg. The non-matching policy was obtained by adding an allow rule to system/sepolicy, building a new system image using make systemimage and then flashing it onto the device. Bug: 31363362 Change-Id: Ic2e81a83051689b5cd5ef1299ba6aaa1b1df1bdc
2017-03-07 23:12:01 +01:00
plat_sepolicy.cil.sha256 \
Build split file_contexts on TREBLE builds Build file_contexts.bin on legacy builds. Test: Marlin and Bullhead build and boot with no new denials. Test: Marlin and Bullhead recovery boots with no new denials. Test: Bullhead boots with file_contexts.bin in / Test: Marlin boot with /system/etc/selinux/plat_file_contexts and /vendor/etc/selinux/nonplat_file_contexts. Bug: 36002414 Change-Id: I66f138fc3ad808df0480e0467cee03fd40177f31
2017-03-09 00:17:21 +01:00
secilc \
nonplat_file_contexts \
plat_file_contexts
Use precompiled sepolicy when available NOTE: This change affects only devices which use SELinux kernel policy split over system and vendor directories/partitions. Prior to this change, init compiled sepolicy from *.cil files on every boot, thus slowing boot down by about 400 ms. This change enables init to skip the step compilation and thus avoid spending the 400 ms. The skipping occurs only if the device's vendor partition includes an acceptable precompiled policy file. If no acceptable policy is found, the compilation step takes place same as before. Because such devices support updating system and vendor partitions independently of each other, the vendor partition's precompiled policy is only used if it was compiled against the system partition's policy. The exact mechanism is that both partitions include a file containing the SHA-256 digest of the system partition's policy (plat_sepolicy.cil) and the precompiled policy is considered usable only if the two digests are identical. Test: Device with monolithic policy boots up just fine Test: Device with split policy and with matching precompiled policy boots up just fine and getprop ro.boottime.init.selinux returns a number below 100 ms. No "Compiling SELinux policy" message in dmesg. Test: Device with split policy and with non-matching precompiled policy boots up just fine and getpropr ro.boottime.init.selinux returns a number above 400 ms. There is a "Compiling SELinux policy" message in dmesg. The non-matching policy was obtained by adding an allow rule to system/sepolicy, building a new system image using make systemimage and then flashing it onto the device. Bug: 31363362 Change-Id: Ic2e81a83051689b5cd5ef1299ba6aaa1b1df1bdc
2017-03-07 23:12:01 +01:00
# Include precompiled policy, unless told otherwise
ifneq ($(PRODUCT_PRECOMPILED_SEPOLICY),false)
LOCAL_REQUIRED_MODULES += precompiled_sepolicy precompiled_sepolicy.plat.sha256
endif
Include correct type of SELinux policy This makes the build system include split SELinux policy (three CIL files and the secilc compiler needed to compile them) if PRODUCT_FULL_TREBLE is set to true. Otherwise, the monolitic SELinux policy is included. Split policy currently adds around 400 ms to boot time (measured on marlin/sailfish and bullhead) because the policy needs to be compiled during boot. This is the main reason why we include split policy only on devices which require it. Test: Device boots, no additional SELinux denials. This test is performed on a device with PRODUCT_FULL_TREBLE set to true, and on a device with PRODUCT_FULL_TREBLE set to false. Test: Device with PRODUCT_FULL_TREBLE set to true contains secilc and the three *.cil files, but does not contain the sepolicy file. Device with PRODUCT_FULL_TREBLE set to false contains sepolicy file but does not contain the secilc file or any *.cil files. Bug: 31363362 Change-Id: I419aa35bad6efbc7f936bddbdc776de5633846fc
2017-03-02 21:53:32 +01:00
else
# Use monolithic SELinux policy
Build split file_contexts on TREBLE builds Build file_contexts.bin on legacy builds. Test: Marlin and Bullhead build and boot with no new denials. Test: Marlin and Bullhead recovery boots with no new denials. Test: Bullhead boots with file_contexts.bin in / Test: Marlin boot with /system/etc/selinux/plat_file_contexts and /vendor/etc/selinux/nonplat_file_contexts. Bug: 36002414 Change-Id: I66f138fc3ad808df0480e0467cee03fd40177f31
2017-03-09 00:17:21 +01:00
LOCAL_REQUIRED_MODULES += sepolicy \
file_contexts.bin
Include correct type of SELinux policy This makes the build system include split SELinux policy (three CIL files and the secilc compiler needed to compile them) if PRODUCT_FULL_TREBLE is set to true. Otherwise, the monolitic SELinux policy is included. Split policy currently adds around 400 ms to boot time (measured on marlin/sailfish and bullhead) because the policy needs to be compiled during boot. This is the main reason why we include split policy only on devices which require it. Test: Device boots, no additional SELinux denials. This test is performed on a device with PRODUCT_FULL_TREBLE set to true, and on a device with PRODUCT_FULL_TREBLE set to false. Test: Device with PRODUCT_FULL_TREBLE set to true contains secilc and the three *.cil files, but does not contain the sepolicy file. Device with PRODUCT_FULL_TREBLE set to false contains sepolicy file but does not contain the secilc file or any *.cil files. Bug: 31363362 Change-Id: I419aa35bad6efbc7f936bddbdc776de5633846fc
2017-03-02 21:53:32 +01:00
endif
init: Add support for ambient capabilities. Ambient capabilities are inherited in a straightforward way across execve(2): " If you are nonroot but you have a capability, you can add it to pA. If you do so, your children get that capability in pA, pP, and pE. For example, you can set pA = CAP_NET_BIND_SERVICE, and your children can automatically bind low-numbered ports. " This will allow us to get rid of the special meaning for AID_NET_ADMIN and AID_NET_RAW, and if desired, to reduce the use of file capabilities (which grant capabilities to any process that can execute the file). An additional benefit of the latter is that a single .rc file can specify all properties for a service, without having to rely on a separate file for file capabilities. Ambient capabilities are supported starting with kernel 4.3 and have been backported to all Android common kernels back to 3.10. I chose to not use Minijail here (though I'm still using libcap) for two reasons: 1-The Minijail code is designed to work in situations where the process is holding any set of capabilities, so it's more complex. The situation when forking from init allows for simpler code. 2-The way Minijail is structured right now, we would not be able to make the required SELinux calls between UID/GID dropping and other priv dropping code. In the future, it will make sense to add some sort of "hook" to Minijail so that it can be used in situations where we want to do other operations between some of the privilege-dropping operations carried out by Minijail. Bug: 32438163 Test: Use sample service. Change-Id: I3226cc95769d1beacbae619cb6c6e6a5425890fb
2016-10-27 16:33:03 +02:00
# Create symlinks.
Use LOCAL_POST_INSTALL_CMD to simplify symlink creation. Change-Id: I67ad7248c26561d394e66901e90ef5814ec69fb3
2014-11-25 00:43:34 +01:00
LOCAL_POST_INSTALL_CMD := $(hide) mkdir -p $(TARGET_ROOT_OUT)/sbin; \
ln -sf ../init $(TARGET_ROOT_OUT)/sbin/ueventd; \
ln -sf ../init $(TARGET_ROOT_OUT)/sbin/watchdogd
ueventd: easier debug logging Move ueventd debug flag into the Android.mk. Boost klog level if event logging enabled. Change-Id: Iae48edbc43c487092c2424023576af29c76ff401
2014-03-07 00:07:42 +01:00
init: add LOCAL_SANITIZE := integer Call abort() on undefined or sketchy integer behavior. Protects against integer overflow attacks. Change-Id: If73e6b382f2ee645fec406805739f9684ddbb5f0
2015-08-15 17:24:23 +02:00
LOCAL_SANITIZE := integer
Make it clearer to grep that init is built with clang. Change-Id: Ic2abffd27e382cb691d772cdf088442645e59bf7
2015-06-11 07:43:51 +02:00
LOCAL_CLANG := true
auto import from //depot/cupcake/@135843
2009-03-04 04:32:55 +01:00
include $(BUILD_EXECUTABLE)
Clean up reading and writing in init. This isn't particularly useful in and of itself, but it does introduce the first (trivial) unit test, improves the documentation (including details about how to debug init crashes), and made me aware of how unpleasant the existing parser is. I also fixed a bug in passing --- unless you thought the "peboot" and "pm" commands were features... Bug: 19217569 Change-Id: I6ab76129a543ce3ed3dab52ef2c638009874c3de
2015-02-06 21:19:48 +01:00
init: Add support for ambient capabilities. Ambient capabilities are inherited in a straightforward way across execve(2): " If you are nonroot but you have a capability, you can add it to pA. If you do so, your children get that capability in pA, pP, and pE. For example, you can set pA = CAP_NET_BIND_SERVICE, and your children can automatically bind low-numbered ports. " This will allow us to get rid of the special meaning for AID_NET_ADMIN and AID_NET_RAW, and if desired, to reduce the use of file capabilities (which grant capabilities to any process that can execute the file). An additional benefit of the latter is that a single .rc file can specify all properties for a service, without having to rely on a separate file for file capabilities. Ambient capabilities are supported starting with kernel 4.3 and have been backported to all Android common kernels back to 3.10. I chose to not use Minijail here (though I'm still using libcap) for two reasons: 1-The Minijail code is designed to work in situations where the process is holding any set of capabilities, so it's more complex. The situation when forking from init allows for simpler code. 2-The way Minijail is structured right now, we would not be able to make the required SELinux calls between UID/GID dropping and other priv dropping code. In the future, it will make sense to add some sort of "hook" to Minijail so that it can be used in situations where we want to do other operations between some of the privilege-dropping operations carried out by Minijail. Bug: 32438163 Test: Use sample service. Change-Id: I3226cc95769d1beacbae619cb6c6e6a5425890fb
2016-10-27 16:33:03 +02:00
# Unit tests.
# =========================================================
Clean up reading and writing in init. This isn't particularly useful in and of itself, but it does introduce the first (trivial) unit test, improves the documentation (including details about how to debug init crashes), and made me aware of how unpleasant the existing parser is. I also fixed a bug in passing --- unless you thought the "peboot" and "pm" commands were features... Bug: 19217569 Change-Id: I6ab76129a543ce3ed3dab52ef2c638009874c3de
2015-02-06 21:19:48 +01:00
include $(CLEAR_VARS)
LOCAL_MODULE := init_tests
LOCAL_SRC_FILES := \
Implement exec. Change-Id: I20329bc9b378479d745b498d6a00eca0872cd5ab
2015-02-07 05:15:18 +01:00
init_parser_test.cpp \
Address property service DoS. Bug: http://b/35166374 Test: ran new test Change-Id: I94cf5750f0d2dc87f4a118b2c63b16255ef30fd2
2017-02-22 23:54:15 +01:00
property_service_test.cpp \
Clean up reading and writing in init. This isn't particularly useful in and of itself, but it does introduce the first (trivial) unit test, improves the documentation (including details about how to debug init crashes), and made me aware of how unpleasant the existing parser is. I also fixed a bug in passing --- unless you thought the "peboot" and "pm" commands were features... Bug: 19217569 Change-Id: I6ab76129a543ce3ed3dab52ef2c638009874c3de
2015-02-06 21:19:48 +01:00
util_test.cpp \
LOCAL_SHARED_LIBRARIES += \
libcutils \
Revert "Revert "Create libbase."" This reverts commit a7870d88167f619e758b5bcd15b410d16da7c16b.
2015-03-16 18:08:46 +01:00
libbase \
Clean up reading and writing in init. This isn't particularly useful in and of itself, but it does introduce the first (trivial) unit test, improves the documentation (including details about how to debug init crashes), and made me aware of how unpleasant the existing parser is. I also fixed a bug in passing --- unless you thought the "peboot" and "pm" commands were features... Bug: 19217569 Change-Id: I6ab76129a543ce3ed3dab52ef2c638009874c3de
2015-02-06 21:19:48 +01:00
LOCAL_STATIC_LIBRARIES := libinit
init: add LOCAL_SANITIZE := integer Call abort() on undefined or sketchy integer behavior. Protects against integer overflow attacks. Change-Id: If73e6b382f2ee645fec406805739f9684ddbb5f0
2015-08-15 17:24:23 +02:00
LOCAL_SANITIZE := integer
Make it clearer to grep that init is built with clang. Change-Id: Ic2abffd27e382cb691d772cdf088442645e59bf7
2015-06-11 07:43:51 +02:00
LOCAL_CLANG := true
init: service file keyword Solve one more issue where privilege is required to open a file and we do not want to grant such to the service. This is the service side of the picture, android_get_control_file() in libcutils is the client. The file's descriptor is placed into the environment as "ANDROID_FILE_<path>". For socket and files where non-alpha and non-numeric characters in the <name/path> are replaced with _. There was an accompanying change in android_get_control_socket() to match in commit 'libcutils: add android_get_control_socket() test' Add a gTest unit test for this that tests create_file and android_get_control_file(). Test: gTest init_tests --gtest_filter=util.create_file Bug: 32450474 Change-Id: I96eb970c707db6d51a9885873329ba1cb1f23140
2016-10-27 16:45:34 +02:00
LOCAL_CPPFLAGS := -Wall -Wextra -Werror
Clean up reading and writing in init. This isn't particularly useful in and of itself, but it does introduce the first (trivial) unit test, improves the documentation (including details about how to debug init crashes), and made me aware of how unpleasant the existing parser is. I also fixed a bug in passing --- unless you thought the "peboot" and "pm" commands were features... Bug: 19217569 Change-Id: I6ab76129a543ce3ed3dab52ef2c638009874c3de
2015-02-06 21:19:48 +01:00
include $(BUILD_NATIVE_TEST)
Add a sample service for testing init. I find myself using something like this every time I add functionality to init. I cannot possibly be the only one doing this. On the other hand, if this hasn't been added for so long, maybe there's a reason for that. The advantage of using a test service versus modifying an existing service is that the test service doesn't *require* any permissions or privileges, so you can add and/or remove whatever you need to test without breaking the service. I found it useful to have the service check its own /proc/<pid>/status from command-line arguments, so that's what the service does. This CL also adds a .clang-format file for init. Bug: None Test: Service runs and exits successfully. Change-Id: I3e7841a7283158e10c0bf55e0103c03902afb1f0
2016-12-20 22:54:04 +01:00
# Include targets in subdirs.
# =========================================================
include $(call all-makefiles-under,$(LOCAL_PATH))
Reference in a new issue Copy permalink