Commit graph

1412 commits

Author SHA1 Message Date
Oli Lan
0460f65f78 Merge "Allow apexd to snapshot and restore DE data." 2020-02-03 17:50:51 +00:00
Oli Lan
a466ca8ff4 Allow apexd to snapshot and restore DE data.
This calls into apexd to allow it to snapshot and restore DE apex data
in the case of a rollback. See the corresponding apexd change for more
information.

Cherry-pick from (unsubmitted) internal CL: ag/10163227

Bug: 141148175
Test: atest StagedRollbackTest#testRollbackApexDataDirectories_DeSys
Change-Id: Ia4bacc9b7b7a77038ba897acbc7db29e177a6433
2020-02-03 11:47:15 +00:00
Zimuzo Ezeozue
294c16024b Merge "Harden /mnt/pass_through paths" 2020-02-03 11:34:52 +00:00
Maciej Żenczykowski
8fda5feb25 Merge "symlink /dev/net/tun -> ../tun" 2020-02-01 01:24:57 +00:00
Treehugger Robot
938379de5b Merge "Mount binderfs" 2020-01-31 18:46:14 +00:00
Zim
a67b40bc2a Harden /mnt/pass_through paths
Only the FUSE daemon (with media_rw gid) needs access to paths on
/mnt/pass_through. And even then, it only needs execute access on the
dirs, since there will always be a bind mount either from sdcardfs or
the lower filesystem on it and that bind mount correctly handles ACLs
for the FUSE daemon.

Test: manual
Bug: 135341433
Change-Id: I999451e095da355e6247e9e18fb6fe1ab8fc45d6
2020-01-31 16:26:13 +00:00
Maciej Żenczykowski
00a21e3d54 symlink /dev/net/tun -> ../tun
This is the expected location on Linux and this makes 'ip tuntap' work.

Before:
  vsoc_x86_64:/ # ip tuntap add dev tun0 mode tun
  open: No such file or directory
  vsoc_x86_64:/ # ip tuntap add dev tap0 mode tap
  open: No such file or directory
  vsoc_x86_64:/ # ip tuntap list

After:
  vsoc_x86_64:/ # ip tuntap add dev tun0 mode tun
  vsoc_x86_64:/ # ip tuntap add dev tap0 mode tap
  vsoc_x86_64:/ # ip tuntap list
  tap0: tap UNKNOWN_FLAGS:800
  tun0: tun UNKNOWN_FLAGS:800

  $ adbz shell ls -ldZ / /dev /dev/tun /dev/net /dev/net/tun
  drwxr-xr-x 25 root   root u:object_r:rootfs:s0         4096 2020-01-25 09:48 /
  drwxr-xr-x 21 root   root u:object_r:device:s0         1240 2020-01-25 09:48 /dev
  drwxr-xr-x  2 root   root u:object_r:device:s0           60 2020-01-25 09:48 /dev/net
  lrwxrwxrwx  1 root   root u:object_r:device:s0            6 2020-01-25 09:48 /dev/net/tun -> ../tun
  crw-rw----  1 system vpn  u:object_r:tun_device:s0  10, 200 2020-01-25 09:48 /dev/tun

Test: see above
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I2aa215711454ce4f8a0ef1f34c17621629060fa1
2020-01-30 03:51:33 +00:00
Hridya Valsaraju
8e50be74ae Mount binderfs
Mount binderfs at /dev/binderfs. Also add symlinks from /dev/binder,
/dev/hwbinder and /dev/vndbinder to /dev/binderfs/binder,
/dev/binderfs/hwbinder and /dev/binderfs/vndbinder respectively.

Bug: 136497735
Test: Cuttlefish boots on Android Common Kernel 4.19 with kernel config
CONFIG_ANDROID_BINDERFS=y.

Change-Id: I349face22a2e73bfd79af0188e41188c323388f7
2020-01-29 17:59:17 -08:00
Alistair Delva
1fad2b39a3 Merge "Correct /sys/kernel/tracing permissions" 2020-01-30 00:08:02 +00:00
Alistair Delva
ebb5b3bd48 Correct /sys/kernel/tracing permissions
In Android kernels >4.4 we will see an empty /sys/kernel/tracing
directory which is notionally where you should mount tracefs if you
don't want to mount debugfs. As we move towards not mounting debugfs,
ensure that the non-legacy location also has adequate permissions to be
read by tracing tools.

Note that this change will be OK even if the board init.rc doesn't mount
tracefs here, because sysfs will always create this directory.

Bug: 148436518
Change-Id: I674587d0f08effdb8471a82e3b1ceec3af8588de
2020-01-29 09:10:50 -08:00
Nikita Ioffe
2d88794a7d Merge "Trigger boot animation on userspace reboot" 2020-01-29 11:24:01 +00:00
Nikita Ioffe
764c1ac8ba Trigger boot animation on userspace reboot
Also reset some more properties to make bootanimation work properly.

Test: adb reboot userspace
Bug: 148172262
Change-Id: I0154d4fe9377c019150f5b1a709c406925db584d
2020-01-28 10:42:44 +00:00
Zim
c1b53de450 Change gid bit of /mnt/media_rw to external_storage
To allow apps with MANAGE_EXTERNAL_STORAGE permission and therefore
external_storage gid to access unreliable volumes directly on
/mnt/media_rw/<volume>, they need access to the /mnt/media_rw path.

This change doesn't break the FUSE daemon, the only process that should
have media_rw gid in R because the FUSE daemon accesses the lower
filesystem from the pass_through bind mounts of the public volume mount
itself so it doesn't need to walk the /mnt/media_rw path itself

Test: With FUSE enabled, a reliably mounted public volume is accessible
on /storage
Bug: 144914977

Change-Id: Ia3fc9e7483894402c14fb520024e2acca821a24d
2020-01-24 22:13:58 +00:00
Treehugger Robot
eba798a767 Merge "Harden /mnt/pass_through permission bits" 2020-01-22 21:30:53 +00:00
Zim
6ca090e6b0 Harden /mnt/pass_through permission bits
It previously had 0755 permission bits

With such permissive bits, an unauthorized app can access a file using
the /mnt/pass_through path for instance even if access via /storage
would have been restricted.

It is now 0700

TODO: Change ACL for /mnt/user from 0755 to 0700 in vold only when
FUSE flag is on. Changing it with FUSE off breaks accessing /sdcard
because /sdcard is eventually a symlink to /mnt/user/0/primary

Test: adb shell ls -d /mnt/pass_through
Bug: 135341433
Change-Id: I3ea9655c6b8c6b4f847b34a2d3b96784a8f4a160
2020-01-22 17:54:45 +00:00
Ryan Savitski
cdebef1d2b Merge "init: add builtin check for perf_event LSM hooks" 2020-01-21 20:40:50 +00:00
Oli Lan
90c523b30b Give x permission on apex data directories.
This gives search (x) permission on the parent apex data
directory /data/misc/apexdata so that directories below it
may be opened. It also gives that permission on the apex
data directories themselves.

Bug: 147848983
Test: Build & flash, check perms are correct
Change-Id: I27c4ea01602002c89d0771a144265e3879d9041a
2020-01-17 11:41:04 +00:00
David Zeuthen
e83f386653 Add user for credstore.
The credstore system daemon is running as an unprivileged user. This
CL adds this user and also creates a directory (/data/misc/credstore/)
where this daemon can store its data.

Bug: 111446262
Test: N/A
Change-Id: I8da2c32dd04fef797870b8a7bbc5e499bed71f9e
2020-01-16 07:32:04 -05:00
Ryan Savitski
f0f7e70186 init: add builtin check for perf_event LSM hooks
Historically, the syscall was controlled by a system-wide
perf_event_paranoid sysctl, which is not flexible enough to allow only
specific processes to use the syscall. However, SELinux support for the
syscall has been upstreamed recently[1] (and is being backported to
Android R release common kernels).
[1] da97e18458

As the presence of these hooks is not guaranteed on all Android R
platforms (since we support upgrades while keeping an older kernel), we
need to test for the feature dynamically. The LSM hooks themselves have
no way of being detected directly, so we instead test for their effects,
so we perform several syscalls, and look for a specific success/failure
combination, corresponding to the platform's SELinux policy.

If hooks are detected, perf_event_paranoid is set to -1 (unrestricted),
as the SELinux policy is then sufficient to control access.

This is done within init for several reasons:
* CAP_SYS_ADMIN side-steps perf_event_paranoid, so the tests can be done
  if non-root users aren't allowed to use the syscall (the default).
* init is already the setter of the paranoid value (see init.rc), which
  is also a privileged operation.
* the test itself is simple (couple of syscalls), so having a dedicated
  test binary/domain felt excessive.

I decided to go through a new sysprop (set by a builtin test in
second-stage init), and keeping the actuation in init.rc. We can change
it to an immediate write to the paranoid value if a use-case comes up
that requires the decision to be made earlier in the init sequence.

Bug: 137092007
Change-Id: Ib13a31fee896f17a28910d993df57168a83a4b3d
2020-01-15 20:58:15 +00:00
Treehugger Robot
ec7be0dc0f Merge "Create /mnt/data_mirror/cur_profiles in init.rc" 2020-01-15 19:47:52 +00:00
Treehugger Robot
e4505960b9 Merge "Disable dm-verity hash prefetching." 2020-01-15 13:13:01 +00:00
Treehugger Robot
f7593a9a2a Merge "[incrementa;] set mode and encryption for /data/incremental" 2020-01-15 02:58:02 +00:00
Songchun Fan
73d9e7d666 [incrementa;] set mode and encryption for /data/incremental
To be consistent with /data/app.

Test: boots
BUG: 137855266
Change-Id: I8aa549155367edfad158924bcf7892ac7bb76f16
2020-01-13 15:04:41 -08:00
Martijn Coenen
9226bb304a Disable dm-verity hash prefetching.
Prefetching appears to have a slightly negative effect on boot time, and
actually makes boot time much worse when the available dm-bufio cache
shrinks. Since we anticipate the dm-bufio cache will shrink (because of
an increasing number of APEX dm-verity targets), disable prefetching
completely.

We've run this change on Pixel 2 since August, and haven't observed any
negative effects. Boot time slightly decreased. With the increased
amount of APEXes we already have, this should now result in an even more
significant boot time decrease.

Bug: 136247322
Test: atest google/perf/boottime/boottime-test
Change-Id: Id588669af1b0b9daaf15323dccf33411e03b8633
2020-01-06 09:41:49 +01:00
Kiyoung Kim
24ccfc244b Merge "Update linkerconfig to target out directory" 2020-01-02 04:18:31 +00:00
Nikita Ioffe
1131a211dc Reset sys.shutdown.requested property
Otherwise, if userspace reboot is triggered from the framework, it will
end up in userspace reboot loop until watchdog kicks in triggers full
reboot.

Bug: 135984674
Test: adb shell svc power reboot userspace
Change-Id: I0de451aad4ea236a3ff1c20b317b01c6529b6231
2019-12-30 16:06:35 +00:00
Kiyoung Kim
3b2dbe9d75 Update linkerconfig to target out directory
Current linkerconfig targets for specific output file. However,
linkerconfig will generate more than 1 file based on APEX modules, so it
should take argument for target directory rather than target file. This
change updates linkerconfig's argument to point output directory.

Bug: 146993126
Test: m -j passed & Cuttlefish succeeded to boot
Change-Id: I3a720a047077688582436aabd307adafeafc5398
2019-12-30 18:44:41 +09:00
Nikita Ioffe
018ddd7a6f Unify logic for resetting properties before userspace reboot
Since I was there, added two more properties to reset, and switched
ordering of sys.init.updatable_crashing and
sys.init.updatable_crashing_process_name setprops to make sure that
process name is already set when apexd/PackageWatchdog get's notified
about sys.init.updatable_crashing.

Also fixed a typo in what HandleUserspaceReboot function.

Test: adb reboot userspace
Bug: 135984674
Change-Id: I954ec49aae0734cda1bd833ad68f386ecd808f73
2019-12-20 17:55:13 +00:00
Kiyoung Kim
80416f7a80 Merge "Generate linkerconfig per mount namespaces" 2019-12-20 03:30:33 +00:00
Kiyoung Kim
e4d3f2123f Generate linkerconfig per mount namespaces
There are two namespaces from init - bootstrap and default - and those
will have different set of APEX modules. To support difference between
two namespaces, linker config should be generated per namespace and each
namespace should use its own linker configuration. As a first step of
the work, this change will create different mount point for each
namespace, and re-generate linker config after APEX mount from each
namespaces.

Bug: 144664390
Test: m -j passed & tested from cuttlefish
Change-Id: Iac2e222376ec4b0ced6c29eed18b21d39ff0b1ba
2019-12-20 09:46:59 +09:00
Songchun Fan
a1344fa6d7 Merge "[incremental] create /data/incremental in init.rc" 2019-12-19 18:14:06 +00:00
Songchun Fan
284962431b [incremental] create /data/incremental in init.rc
We use /data/incremental to keep all the directories that are mounted on
the Incremental File System.

Since system_server does not have permission to dynamically create dirs
directly under /data, we create /data/incremental in init.rc.

Test: boots
BUG: 136132412
Change-Id: Ic90cc8f652672a8d4459c0cd38db9c0872217af4
2019-12-18 09:26:51 -08:00
Martijn Coenen
0dbb2a75f2 Revert "Have /storage always point to sdcardfs by default."
This reverts commit 5d53bfce2d.

Reason for revert: for consistency, we've decided that for now, all code will have the same view of /storage: FUSE. Will address the TODO here later.

Change-Id: Ia75e23c91fb098f6309c160de2889f06507c3717
2019-12-17 13:45:10 +00:00
Ricky Wai
fdc0986554 Create /mnt/data_mirror/cur_profiles in init.rc
Also, bind mount /data/misc/profiles/cur to /mnt/data_mirror/cur_profiles

Bug: 143937733
Test: Directories are created and mounted
Change-Id: Idcf73b84db84dc671ec5a5025f4b4ec1bc5fd1fc
2019-12-13 17:32:18 +00:00
Martijn Coenen
5d53bfce2d Have /storage always point to sdcardfs by default.
This is a partial revert of change
Idf851b3a42910e0ce8fdd75daea1cce91dd1aa98, and brings us back to the
state we shipped in Q.

The default behavior for now is that we want native daemons to use the
default sdcardfs view, as they did before. Zygote-spawned apps will then
get the correct view assigned to them as they get spawned.

Bug: 146189163
Test: atest AdoptableHostTest
Change-Id: I2248f39e029138962a41a6ead944431414c901ad
2019-12-13 16:52:11 +01:00
Ricky Wai
3cca270e95 Create /data_mirror in init.rc
Mount a tmpfs on top of it, and serve as a mirror of /data/data
and /data/user_de, which will be used when zygote forks and
overlay its CE and DE storage to prevent app can see other applications.

Also, changed /data/user/0 from symlink to bind mount, so
/data_mirror/data_ce/null can just bind to /data/user directly.

Bug: 143937733
Test: Directories are created and mounted
Change-Id: Ic72c47c9d3dc0ffc98510f5bb351eccf76524232
2019-12-12 14:44:44 +00:00
Kiyoung Kim
597eca8a8c Merge "Move linker config under /linkerconfig" 2019-12-11 02:55:06 +00:00
Oli Lan
4370ff58ae Create directory for snapshots of DE_sys apex data.
This creates the /data/misc/apexrollback directory which will
hold snapshots of DE_sys apex data directories (i.e. it will
hold backups of data from /data/misc/apexdata for particular
apexes).

See go/apex-data-directories for details.

Bug: 141148175
Test: Built and flashed, checked directory was created.
Change-Id: If45377a9b29cc1f52dd08ea1339829e3bb3032e9
2019-12-09 11:12:53 +00:00
Oli Lan
13e51e7f0b Create DE_sys APEX data directories.
This creates the directory /data/misc/apexdata, at the same time as other
directories under /data/misc. Then, when apexd has finished activating
APEXes, a directory is created under /data/misc/apexdata for every
APEX, with the same name as the APEX module name.

See go/apex-data-directories.

APEXes are discovered by scanning the /apex directory. It may be better
to delegate this process to a library, but it is proposed to defer that
change to a future CL.

Bug: 141148175
Test: Built and flashed, checked directories were created.
Change-Id: I639d6f490ae0b97f116ce38ff3ac348bd73aa20e
2019-12-09 11:10:42 +00:00
Kiyoung Kim
99df54be93 Move linker config under /linkerconfig
Currently linker config locates under /dev, but this makes some problem
in case of using two system partitions with chroot. To match system
image and configuration, linker config better stays under /linkerconfig

Bug: 144966380
Test: m -j passed && tested from cuttelfish
Change-Id: Iaae5af65721eee8106311c1efb4760a9db13564a
2019-12-09 19:45:11 +09:00
Jaegeuk Kim
7bf14bb932 Merge "rootdir: init.rc to limit discard size to 128MB" 2019-12-06 21:59:19 +00:00
Jaegeuk Kim
fe9e8a3fa5 rootdir: init.rc to limit discard size to 128MB
In any case, UFS storage suffers from long discard latency.

Change-Id: Iaa8ef6eb862934af43254bd10873a12c3d34e926
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
2019-12-05 15:58:18 -08:00
Anton Hansson
3c5cc31824 Run the derive_sdk service
Run this process as early as possible in the boot -- right
after its config has been parsed from the apex. This ensures
the sdk prop is set as early as it can be, should some other
early process need to look at it.

Note: this is unlikely to be the permanent way this gets run,
as it's only needed when apexes update.

Bug: 137191822
Test: boot && adb shell getprop | grep sdk_info
Change-Id: Ia48ef89435ca165333b52d653e3131f71a522747
2019-12-05 15:38:37 +00:00
Martijn Coenen
58bd37f1e3 Merge "Remove bootstrapping the passthrough mount." 2019-11-29 08:41:37 +00:00
Shuo Qian
8834223ff8 Merge "A system folder for emergency number database OTA" 2019-11-27 19:14:50 +00:00
Shuo Qian
f0e65d852a A system folder for emergency number database OTA
Test: Manual; tested with the other CL in the same topic
Bug: 136027884
Change-Id: Ia5675613b9ae19927108d089955d2900d97c892c
2019-11-27 19:04:39 +00:00
Martijn Coenen
cc67ff5add Remove bootstrapping the passthrough mount.
This will be taken care of by vold (when necessary).

Bug: 135341433
Test: device boots, passthrough mount still works
      atest AdoptableHostTest
Change-Id: I5a144eff0e4220fa0154bfa7d62a2dec625c88bc
2019-11-22 13:13:50 +01:00
Nikita Ioffe
c5282e4c6b Merge "Add sysprops for start & end of userspace reboot" 2019-11-14 21:50:59 +00:00
Nikita Ioffe
c0df1874ad Add sysprops for start & end of userspace reboot
There will be useful in debugging/logging events to statsd.

Also as part of this CL, sys.init.userspace_reboot.in_progress property
is now used as a mean of synchronization. It is set directly in
DoUserspaceReboot, to make sure that all the setprop actions triggered
by userspace-reboot-requested were processed.

Test: adb reboot userspace
Test: adb shell getprop sys.init.userspace_reboot.last_started
Test: adb shell getprop sys.init.userspace_reboot.last_finished
Bug: 135984674
Change-Id: I9debcd4f058e790855200d5295344dafb30e496a
2019-11-14 01:38:05 +00:00
Marco Ballesio
726a68cb40 Add support for freezer cgroup
Adds the freezer cgroup to process groups

Change-Id: Ib7a8dbe776ff156ff3827b9a659365384f3e6ac8
Bug: 143308662
Test: manual - frozen processes aren't scheduled for execution until
unfrozen
2019-11-13 20:21:07 +00:00