Commit graph

3987 commits

Author SHA1 Message Date
Bart Van Assche
071dbc1729 init: Combine the CheckShutdown() and set_do_shutdown() methods
Let the CheckShutdown() method clear the do_shutdown_ member instead of
clearing that member separately from calling CheckShutdown().

Bug: 266255006
Change-Id: Ifc1cff2be92a45db7f91be2fdb812930d2fd1ad5
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2023-03-03 13:27:17 -08:00
Bart Van Assche
b4b1b75a35 init: Remove the DebugRebootLogging() function
The DebugRebootLogging() function was introduced to help with
root-causing b/150863651. Remove this function since this logging
functionality is no longer needed. Also remove the functions and methods
that are only used by DebugRebootLogging().

Change-Id: Ia150604c6cd70f42b13d655ba43b95445a55b6e2
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2023-03-03 13:26:58 -08:00
Bart Van Assche
1fdbf8d0f8 init: Combine two if-statements
Combine two if-statements. This change is fine because:
* The code between the two if-statements does not queue actions.
* If an action is queued from another thread then WakeMainInitThread()
  is called after the action has been queued.

Bug: 266255006
Change-Id: Id4b9565ff4fdb3ee2a2bbca316c8c78e0f2d38dd
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2023-03-03 13:26:58 -08:00
Treehugger Robot
8dab2ef586 Merge "Use ro.boot.serialconsole to disable console services" 2023-03-02 20:04:33 +00:00
Steven Moreland
8e25d9c5b0 init: add log w/ service PID
We could combine this with the existing log, but I
wouldn't want to make that appear later.

Ironically, adding this log to try to reduce logs.

Bug: 36785118
Test: :) adb logcat -d | grep "started service" | wc -l
131

Change-Id: I38f4e9740871aa256eef0c62e897038eb46871a5
2023-02-28 01:42:24 +00:00
Bart Van Assche
3dfb8bc889 init: Simplify struct BuiltinArguments
Make the code that creates BuiltinArguments instances easier to read by
using initializer lists instead of constructor calls. Remove the
BuiltinArguments constructors.

Change-Id: I6cf215a81d298cf7e524e22fb75db820e0225c9a
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2023-02-23 16:06:42 +00:00
Jiyong Park
8437b9a082 Merge "Fix failure on mounting system_ext partition" 2023-02-23 03:56:40 +00:00
Alistair Delva
5591f12834 Use ro.boot.serialconsole to disable console services
For many years, services declaring "console" would only be started if the
console device specified by androidboot.console= was present under /dev.
However, they would also be started if the /dev/console node existed.

This fallback causes problems with newer GKI kernel images which now
hard-code "console=ttynull" via CONFIG_CMDLINE, which essentially means
/dev/console always exists, even though this console points nowhere.

It also causes problems on devices where the androidboot.console was not
the same as the kernel dmesg console ("console="), such as cuttlefish,
because those platforms could not simultaneously enable kernel logging
but disable the interactive serial console feature. The framework just
assumed both would be muxed on the same serial port. Cuttlefish had a
workaround, to use "androidboot.console=invalid" to avoid the fallback,
but this doesn't work on devices which still want to mux the kernel logs
and interactive serial console.

This change resolves the issue in a better way, by introducing a new
boolean property called "androidboot.serialconsole". Setting this to "0"
will disable the console services, regardless of whether the
/dev/console or /dev/${ro.boot.console} devices exist. Older kernels
and bootloaders don't need to set this and can rely on the old behavior
in init, but bootloaders booting newer kernels must set it to avoid the
"performance is impacted" message due to console services being started.

Bug: 266982931
Bug: 223797063
Bug: 267428635
Test: "launch_cvd" with "androidboot.console=invalid" removed;
      See the "performance is impacted" message.
Test: "launch_cvd" with "androidboot.serialconsole=0";
      The "performance is impacted" message is gone.
Change-Id: Iaad4d27ffe4df74ed49606d3cabe83483c350df4
2023-02-22 14:31:24 -08:00
Lianjun Huang
ccd094cd4e Fix failure on mounting system_ext partition
There can be more than one fstab entry for the system partition.
For example, the filesystem of one entry is ext4 and that of another is erofs.

system /system ext4 ro wait,slotselect,avb=vbmeta_system,logical,first_stage_mount,avb_keys=/avb/q-gsi.avbpubkey:/avb/r-gsi.avbpubkey:/avb/s-gsi.avbpubkey
system /system erofs ro wait,slotselect,avb=vbmeta_system,logical,first_stage_mount,avb_keys=/avb/q-gsi.avbpubkey:/avb/r-gsi.avbpubkey:/avb/s-gsi.avbpubkey

If the filesystems of both the system and system_ext partitions are erofs,
only the ext4 fstab entry will be returned by GetEntryForMountPoint,
and system_ext can't be mounted.

So we need to return both of the fstab entries and try all of them.

Signed-off-by: Lianjun Huang <huanglianjun@xiaomi.com>
Change-Id: I407553d48b1749cd0554f057a6bfd38daa96fdcb
Signed-off-by: Lianjun Huang <huanglianjun@xiaomi.corp-partner.google.com>
2023-02-20 16:50:03 +08:00
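As an added illustration of the fix this commit describes (example code, not fs_mgr's own): an fstab parser that returns every entry for a mount point and tries them in order, with a `first_entry_only` switch that models the pre-fix behaviour. The fstab text and the `fake_mounter` stand-in for the real mount call are constructed.

```python
"""Return every fstab entry for a mount point and try them in order.
Added example, not the fs_mgr code; the fstab text below is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Two entries per logical partition, one ext4 and one erofs, as in the commit.
FSTAB = """\
system     /system     ext4  ro wait,slotselect,logical,first_stage_mount
system     /system     erofs ro wait,slotselect,logical,first_stage_mount
system_ext /system_ext ext4  ro wait,slotselect,logical,first_stage_mount
system_ext /system_ext erofs ro wait,slotselect,logical,first_stage_mount
"""


@dataclass
class FstabEntry:
    blk_device: str
    mount_point: str
    fs_type: str
    mount_flags: str
    fs_mgr_flags: str


def parse_fstab(text: str) -> List[FstabEntry]:
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) != 5:
            raise ValueError(f"malformed fstab line: {line!r}")
        entries.append(FstabEntry(*fields))
    return entries


def entries_for_mount_point(fstab: List[FstabEntry], mount_point: str) -> List[FstabEntry]:
    """All entries for the mount point in fstab order, not only the first one."""
    return [e for e in fstab if e.mount_point == mount_point]


def mount_with_fallback(fstab: List[FstabEntry], mount_point: str,
                        try_mount: Callable[[FstabEntry], bool],
                        first_entry_only: bool = False) -> Optional[str]:
    """Try each candidate entry until one mounts; return the fs_type that worked.
    first_entry_only=True models the pre-fix behaviour of using just one entry."""
    candidates = entries_for_mount_point(fstab, mount_point)
    if first_entry_only:
        candidates = candidates[:1]
    for entry in candidates:
        if try_mount(entry):
            return entry.fs_type
    return None


def fake_mounter(actual_fs: Dict[str, str]) -> Callable[[FstabEntry], bool]:
    # Stand-in for mount(2): an entry mounts only if its fs_type matches the
    # filesystem actually on the block device (constructed, not a real mount).
    return lambda e: actual_fs.get(e.blk_device) == e.fs_type
```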
Bart Van Assche
b6b7ccc24f init: Document the locking strategy used in class PropWaiterState
Let the compiler verify that lock_ is held when any of the data members
are accessed.

Bug: 266255006
Change-Id: I71b341815d84ab530627d934ad4d4681b652b9d8
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2023-02-17 13:55:11 -08:00
Bart Van Assche
68a59e1c72 init: Document the locking strategy in class ShutdownState
Let the compiler verify that shutdown_command_lock_ is held when
shutdown_command_ is accessed.

Bug: 266255006
Change-Id: Ibd05137ab65e20f247f35bbb2bb1865e05f51f41
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2023-02-17 13:55:11 -08:00
Bart Van Assche
468067a204 init_test: Close all file descriptors before calling execv()
This change improves test reliability.

Change-Id: Ib9a6b75bbd81968eb7e2fd90ea567155bc8355f7
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2023-02-15 09:27:32 -08:00
Bart Van Assche
878560dae0 init_test: Fix a race condition
Wait until strace has attached to the service instead of assuming that
it has attached after one second.

Change-Id: Ifb71fa2419563e1334d8500ea867ec92121395e0
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2023-02-15 09:27:32 -08:00
Bart Van Assche
947d75f0b8 init_test: Simplify the gentle_kill test
Remove the ConvertToArgv() function. Do not cast the std::string::find()
result. Make the strace path absolute.

Change-Id: If329e91275c834ba375863e40901f6be07a5f347
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2023-02-15 09:27:32 -08:00
Daniel Rosenberg
2f0508686e Only run GentleKill test as root
Without root, Service::Start() fails due to lack of permissions.

Bug: 267559075
Test: run cts -m CtsInitTestCases -t init#GentleKill
      atest init#GentleKill
      Will skip under cts, pass under atest
Change-Id: I69e8be7000718bdba1c2acd9675b5645c0891afc
2023-02-08 17:31:49 -08:00
Treehugger Robot
d019150a00 Merge "Add bug component id to OWNERS" 2023-02-07 02:44:56 +00:00
Jiyong Park
078cc15b00 Add bug component id to OWNERS
Bug: 261015504
Test: N/A
Change-Id: I07d951e0bc551f2e642ffc2ee1aaeca2b7e77626
2023-02-06 07:39:56 +00:00
Bart Van Assche
dcc208f38a Fix a spelling error
Fixes: 2e4b3ffa75 ("Use Apex sepolicy if it's available")
Change-Id: Ib937fa8384658f05ff435024f7834c5df12f0d22
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2023-02-02 22:31:51 +00:00
Alex Hong
057b94215a Reland "Set the log callback earlier for showing system property set denials"
PropertyInit loads the build.prop files and sets the system properties.
Set the SELinux log callback before that to show the avc denials for debugging.

Test: $ make init_system
      Push this module and ensure system property set denials are shown during boot
Bug: 185920634
Bug: 211547922
Change-Id: If9f34d469d3da2ebdfe64bb611de85a3ca37e000
2023-01-31 22:11:16 +08:00
David Anderson
298f6c033b Merge "Disable multilib for CtsInitTestCases." 2023-01-17 23:15:47 +00:00
Treehugger Robot
b9e1821201 Merge "Find a zoned partition automatically" 2023-01-17 22:22:26 +00:00
Jaegeuk Kim
b92e5b5c48 Find a zoned partition automatically
Since we cannot create a gpt table on zoned LU, we cannot make a generic symlink
from it. Instead, let's make it by uevent, "/dev/block/by-name/zoned_device".
Note that we support only one zoned device in the system.

Bug: 265180564
Change-Id: Ie62b0fd68b77e3e43cf0f5c5cad9503150174271
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
2023-01-14 10:29:31 -08:00
Akilesh Kailash
545870e53a Merge "init: Wait for daemon to fully spin up all threads" 2023-01-13 06:35:33 +00:00
David Anderson
9b9924b412 Merge "init: Allow persistent properties to be written asynchronously." 2023-01-12 21:50:42 +00:00
Treehugger Robot
e8d42e65c8 Merge changes I169b52cf,Ieb0e4e24
* changes:
  init: Add test for gentle_kill
  init: Add gentle_kill service property
2023-01-11 23:16:55 +00:00
Akilesh Kailash
717ee9120a Merge "init: Avoid killing all processes during reboot if update is in progress" 2023-01-11 20:52:13 +00:00
Akilesh Kailash
5140f3ad47 init: Wait for daemon to fully spin up all threads
During the selinux transition, the daemon will notify the `init` process
by writing to the file "/metadata/ota/daemon-alive-indicator".

Init will wait until the daemon notifies it. Furthermore, the daemon
will only write to that file once all threads have been spun up
and attached to dm-user misc devices.

Once the snapshot-merge is completed, this file will be removed.
Additionally, during boot, init will also ensure that
there are no stale files and will try to remove them just
before the selinux transition.

Bug: 262407519
Test: OTA on Pixel - Verify new file exists and init waits until daemon
is fully up.
Change-Id: Iabef58ad282d80a7afa493e9df9468ae41a13e44
Signed-off-by: Akilesh Kailash <akailash@google.com>
2023-01-11 19:24:56 +00:00
Treehugger Robot
7fcaa14e27 Merge "Add comment about out-of-bounds being on purpose" 2023-01-11 18:55:18 +00:00
Jooyung Han
6b88d1684c Parser::ParseConfigFile returns Result<void>
ParseApexConfigs() uses Parser::ParseConfigFile() to parse .rc files in
the target apex. ParseConfigFile() returning bool (with logging on
error) doesn't propagate the error message back to the callers
(including apexd or PackageManager).

We'd better migrate the other Parse*() methods of the Parser class to return
Result<T>. But this change focuses on plumbing error propagation for
APEX configs.

Bug: 238820991
Test: atest CtsInitTestCases
Change-Id: Ifad97635dbb53a70053ec73a7a5b7e742466daf6
2023-01-11 17:20:16 +09:00
Akilesh Kailash
2c52d09078 init: Avoid killing all processes during reboot if update is in progress
Bug: 262321167
Test: Reboot device post OTA reboot
Change-Id: I5d13844e4e157d24a414dce668163bb1915bf65e
Signed-off-by: Akilesh Kailash <akailash@google.com>
2023-01-11 06:00:34 +00:00
Daniel Rosenberg
ed8178c8cc init: Add test for gentle_kill
Tests that a service marked as gentle_kill is terminated with SIGTERM.

Bug: 249043036
Test: atest CtsInitTestCases:init#GentleKill
Change-Id: I169b52cfd74f07b4d2439761ea315117323b3fcb
2023-01-10 18:29:46 -08:00
Daniel Rosenberg
de76688e40 init: Add gentle_kill service property
If a service specifies gentle_kill, an attempt to stop it will send SIGTERM
instead of SIGKILL. After 200ms, it will issue a SIGKILL.

Bug: 249043036
Test: atest CtsInitTestCases:init#GentleKill
      Added in next patch
Change-Id: Ieb0e4e24d31780aca1cf291f9d21d49cee181cf2
2023-01-10 18:29:46 -08:00
David Anderson
0af9ab3308 init: Allow persistent properties to be written asynchronously.
Persistent properties are flushed with fsync which can cause the
non-persistent property write path to block.

Bug: 250125146
Test: manual test with ro.property_service.async_persist_write = true
Change-Id: Id123bfc7de948b76c51b4d98d00c8cb4a0850bf1
2023-01-09 16:41:56 -08:00
Florian Mayer
04fb2c838d Add comment about out-of-bounds being on purpose
Change-Id: I97e334f0555cce80eeab6567905054d807af3c91
2023-01-09 21:46:10 +00:00
Carlos Galo
1447120f78 Set memlock rlimit to 64KB
Defaulting Android to limit memlock to 64KB. This will help prevent
pages from being swapped: until the app is killed, its memory will stay
resident. The CTS test is enforced only on U+ devices.

Bug: 201797650
Test: Added new test to verify we are memlock at or under 64KB
Change-Id: I5a9e9da12f6df5a056ee47d0593c13e9c779e054
2023-01-05 16:29:59 +00:00
Bart Van Assche
f85317fb43 Make an error message more informative
From
https://android-build.googleplex.com/builds/tests/view?testResultId=TR66328435937757440&invocationId=I00700010119503421:

system/core/init/init_test.cpp:219: Failure
Failed
Value of: service->Start()
  Actual: createProcessGroup(0, 15611) failed for service 'console'
  Expected: is ok

The above error message does not contain enough information to
root-cause the test failure. Hence this CL that makes an error message
more informative.

Bug: 262090304
Change-Id: I09929b2f2aabf1eec4d90ec93234a9e968888da4
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-12-31 23:41:29 +00:00
Nikita Ioffe
24d1c238ce Revert "host_init_verifier: add check for root services and linux capabilities"
This reverts commit f1e3bfff40.

Reason for revert: Breaks builds

Bug: 263874232
Change-Id: Iabe5cd01114bf4a3731ace4345da8009e6b86f74
2022-12-28 16:18:20 +00:00
Nikita Ioffe
f1e3bfff40 host_init_verifier: add check for root services and linux capabilities
If a service that runs under root doesn't have the capabilities field in
its definition, then it will inherit all the capabilities that init
has.

This change adds a linter to detect such services and ask developers to
explicitly specify the capabilities that their service needs. If a service
doesn't require any capabilities then an empty capabilities field should
be added in the service definition.

The actual access control list on what capabilities a process can use is
controlled by SELinux, so inheriting all the init capabilities is
not a security issue here. However, asking services to explicitly
specify the capabilities they need is a good defense-in-depth mechanism.

So far this linter only checks the services on /system partition.

All currently offending services are added to the exempt list. I will
work on fixing some of them in the follow-up changes.

Bug: 249796710
Test: m dist
Change-Id: I2db06af165ae320a9c5086756067dceef20cd28d
2022-12-22 22:08:49 +00:00
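A minimal model of the root-service capabilities check this commit describes, written as an added example (it is not host_init_verifier's code). The .rc text and the exempt list are constructed, and the rule that a service block with no `user` line runs as root is an assumption made explicit in the code.

```python
"""Lint init .rc service blocks for root services that omit `capabilities`.
Added example, not the host_init_verifier code; the .rc text is constructed."""
from typing import Dict, List

SAMPLE_RC = """service vendor_foo /vendor/bin/foo
    user root
service audited_svc /system/bin/audited
    user root
    capabilities NET_ADMIN
service empty_caps_svc /system/bin/empty
    user root
    capabilities
service unprivileged /system/bin/unpriv
    user system
service implicit_root /system/bin/implicit
    group root
"""

# Known offenders exempted until they are fixed (constructed list).
EXEMPT = frozenset({"vendor_foo"})


def parse_services(text: str) -> Dict[str, List[List[str]]]:
    """Return {service name: [option tokens, ...]} for each `service` block."""
    services: Dict[str, List[List[str]]] = {}
    current = None
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] == "service" and len(tokens) >= 3:
            current = tokens[1]
            services[current] = []
        elif tokens[0] in ("on", "import"):
            current = None  # an `on`/`import` section ends the service block
        elif current is not None:
            services[current].append(tokens)
    return services


def runs_as_root(options: List[List[str]]) -> bool:
    # Assumption: a service with no `user` line runs as root (init's default).
    return all(opt[0] != "user" or (len(opt) > 1 and opt[1] == "root")
               for opt in options)


def has_capabilities_option(options: List[List[str]]) -> bool:
    # An empty `capabilities` line is an explicit "needs none" and passes the lint.
    return any(opt[0] == "capabilities" for opt in options)


def lint_root_capabilities(text: str, exempt=EXEMPT) -> List[str]:
    """Names of root services lacking a capabilities line, minus exemptions."""
    return sorted(name for name, opts in parse_services(text).items()
                  if runs_as_root(opts) and not has_capabilities_option(opts)
                  and name not in exempt)
```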
Jiyong Park
3e951a7758 Merge "Skip StartConsole test on user builds." 2022-12-20 07:08:23 +00:00
Jiyong Park
5b7a51a59a Skip StartConsole test on user builds.
It runs a service with root privilege which can't be done on user
builds. Until the issue is resolved, skip the test on user builds.

Bug: 262090304
Test: N/A
Change-Id: I690ffbd7fdaef688a0c862e0c653e9b21e281ece
2022-12-20 10:46:31 +09:00
Treehugger Robot
fd98382506 Merge "Run the console test with /dev/null" 2022-12-16 01:54:14 +00:00
Nikita Ioffe
cc0e90a964 Update docs around capabilities and root processes
Current documentation is misleading: if a service runs as root and
doesn't specify any capabilities, then it will start with all the
capabilities (note that whether it can use them is controlled by
selinux).

Test: n/a
Bug: 249796710
Change-Id: I0d6a884127c6a6c5b651c1222fcf48322065daae
2022-12-15 18:04:21 +00:00
Jiyong Park
ae412804ca Run the console test with /dev/null
The availability of /dev/console varies across different devices and
even across different build variants (e.g. userdebug/user). Instead of
relying on the device-specific condition, use /dev/null as the
console device for the test.

Bug: 262090304
Test: atest CtsInitTestCases on raven-user
Change-Id: I3b12d66e94609328dfdd6f640d1adb88a773fa38
2022-12-15 16:32:38 +09:00
Jiyong Park
717ece7397 Merge "Clarify the behavior about event and property triggers" 2022-12-14 15:16:31 +00:00
Steven Moreland
bb1ee3c689 Merge "ignore error -> log" 2022-12-14 01:29:20 +00:00
Steven Moreland
507209ba55 ignore error -> log
Current code ignores an error, which is a code
rot risk.

Bug: 261700511
Change-Id: I04ca7046dc42d761ecaaf56f6100c96cc8298ec5
Test: N/A
2022-12-13 22:43:58 +00:00
David Anderson
95cfb31bd2 Merge "Support sysfs changes in the Linux 5.15 kernel." 2022-12-12 18:38:04 +00:00
Treehugger Robot
5c3e24816d Merge "Kill services even when cgroups is disabled" 2022-12-12 01:20:45 +00:00
Inseob Kim
a049a9928b Kill services even when cgroups is disabled
process_cgroup_empty_ is used to indicate whether a service has already
been killed. If cgroup support is lacking, services cannot be killed
because process_cgroup_empty_ is always true.

This change fixes it by not assigning process_cgroup_empty_ as true.
Instead, make KillProcessGroup send signals even when cgroups are
disabled. Also, DoKillProcessGroupOnce() is updated so that it returns
the number of killed processes, excluding already-dead processes. This
behavior agrees with its name (DoKillProcessOnce), and it prevents a
regression upon missing cgroups, because kill(-pgid) will always
"succeed", so KillProcessGroup would loop even when all processes are
already dead.

Bug: 257264124
Test: boot microdroid, see services are terminated
Change-Id: I19abf19ff1b70c666cd6f12d0a12956765174aaa
2022-12-12 01:19:26 +00:00
David Anderson
d6bf86b8cf Support sysfs changes in the Linux 5.15 kernel.
DM_DEV_CREATE no longer creates sysfs nodes. Note this in ueventd and
add some helper APIs to libdm, so devices can be created with a
placeholder table.

This also fixes a bug in dmctl where the detailed info on suspended
devices was wrong.

Bug: 259328366
Test: dmctl with "uevents" tool
Change-Id: I822f8010e48d32841aa0ee508822f76d03a3dd85
2022-12-08 16:22:47 -08:00