Commit graph

201 commits

Author SHA1 Message Date
chapin
6d869dd6ab Revert "Remove ART APEX from the bootstrap apexes"
Revert submission 1563392-remove_art_from_bootstrap

Reason for revert: Bug: 179002105
Reverted Changes:
I65e2a2089:Remove ART APEX from the bootstrap apexes
Ic20df80e2:Remove ART APEX from the bootstrap apexes

Change-Id: I474ab95805c5ca28e0bba91f3d226e8db5a7a9ea
2021-02-01 22:29:59 +00:00
Jiyong Park
b99c12ef10 Remove ART APEX from the bootstrap apexes
Test: forrest
Bug: 169779935
Change-Id: I65e2a2089fa12674f3abbbe2f154eeec984dd5df
2021-01-29 12:08:31 +09:00
Woody Lin
ef9d460ea8 Add init.svc_debug.no_fatal.<svc_name> to skip SVC_CRITICAL
For user who would like to retain the crash symptom and avoid device
from power cycle for live debugging, set
init.svc_debug.no_fatal.<svc_name> to "true" to skip FATAL reboot.

Bug: 177593855
Change-Id: I0bdb6191e5963c08e1ea301a60060acf916dd49b
2021-01-22 15:01:36 +08:00
Elliott Hughes
d92c6a12da Use freecon() with getcon()/getfilecon().
Bug: https://issuetracker.google.com/175090444
Test: treehugger
Change-Id: Ia2b8102f1c9a4fd56ec1ff026ba5b4f375102b9b
2020-12-08 22:30:17 -08:00
Daniel Norman
f597fa5d1d Returns a service parse error on overrides across the treble boundary.
Also includes new --out_<partition> flags for
  system,system_ext,product,vendor,odm
to allow host_init_verifier to work with a collection of init rc files.

Test: host_init_verifier --out_system=... --out_vendor=...
      where vendor contains an init rc file that overrides a service
      present in system. Observe parse failure and non-zero exit.
Bug: 163089173
Change-Id: I520fef613e0036df8a7d47a98d47405eaa969110
2020-11-19 10:02:56 -08:00
Steven Moreland
abc5f8830e init: log 'updatable process' clarification
-> process with updatable components

Fixes: 172605179
Test: N/A
Change-Id: I0f9353fe65cea623e1d2292f0163cc545bfc909d
2020-11-06 17:01:51 +00:00
Woody Lin
45215ae6e5 init/service_parser: Add arguments window' and target' for `critical'
The critical services can now using the interface `critical
[window=<fatal crash window mins>] [target=<fatal reboot target>]` to
setup the timing window that when there are more than 4 crashes in it,
the init will regard it as a fatal system error and reboot the system.

Config `window=${zygote.critical_window.minute:-off}' and
`target=zygote-fatal' for all system-server services, so platform that
configures ro.boot.zygote_critical_window can escape the system-server
crash-loop via init fatal handler.

Bug: 146818493
Change-Id: Ib2dc253616be6935ab9ab52184a1b6394665e813
2020-10-26 11:38:01 +08:00
Jooyung Han
4f23d5a236 init: start ueventd in the default mount namespace
Init starts ueventd in the default mount namespace to support loading
firmware from APEXes.

Bug: 155023652
Test: devices boots
      adb$ nsenter -t (pid of ueventd) -m ls /apex
      => shows all APEXes
Change-Id: Ibb8b33a07eb014752275e3bca4541b8b694dc64b
2020-06-11 15:10:40 +09:00
Suren Baghdasaryan
c9c0bbac53 init: Add task_profiles init command
Introduce new command to allow setting task profiles from inside .rc
script. This is to replace usage of writepid when a service is trying
to join a cgroup. Usage example from a .rc file:

service surfaceflinger /system/bin/surfaceflinger
    task_profiles HighPerformance

Bug: 155419956
Test: change .rc file and confirm task profile is applied
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I0add9c3b363a7cb1ea89778780896cae1c8a303c
2020-04-30 22:24:21 +00:00
Steven Moreland
9e987cbb1a Note selinux trans error happens in permissive.
There was an email thread about this recently, and I've been asked many
times.

For instance, if this error wasn't attributed, denials a service is
hitting would be attributed to init, and that's a recipe for disaster.
Secondarily, thinking about SELinux whenever you write a new service is
good.

Bug: N/A
Test: N/A
Change-Id: Ib9d2c5d8947375a0d4c33ecf3d075caef6b41f70
2020-04-09 12:48:46 -07:00
Tom Cherry
a2f9136b2c Refactor libinit_test_utils to not use libinit and expose its libraries
Users of libinit_test_utils must include all libraries that it uses.
If it uses libinit, then there is a large number of libraries that
must be included.  To avoid this, make libinit_test_utils only use
init_common_sources and the small number of required libraries that go
along with those sources.  Additionally, expose these sources as a
default for users of libinit_test_utils.

Test: build
Change-Id: I224fa7e0590d073e4cd40412b5dcb6f72a64b6bf
2020-02-20 11:31:35 -08:00
Bernie Innocenti
cecebbbacc Convert system/core to Result::ok()
No functionality changes, this is a mechanical cleanup.

Test: m
Test: cd system/core && atest
Change-Id: Ifdaa3ce1947ed578f656d5a446978726eb416c36
2020-02-06 17:04:27 +00:00
Nikita Ioffe
018ddd7a6f Unify logic for resetting properties before userspace reboot
Since I was there, added two more properties to reset, and switched
ordering of sys.init.updatable_crashing and
sys.init.updatable_crashing_process_name setprops to make sure that
process name is already set when apexd/PackageWatchdog get's notified
about sys.init.updatable_crashing.

Also fixed a typo in what HandleUserspaceReboot function.

Test: adb reboot userspace
Bug: 135984674
Change-Id: I954ec49aae0734cda1bd833ad68f386ecd808f73
2019-12-20 17:55:13 +00:00
Gavin Corkery
5d0deb563d Store crashing process name in sysprop
As part of Watchdog-triggered rollback logging, it would
be useful to know the service which has caused
updatable_crashing to be set. Store this in a new property
sys.init.updatable_crashing_process_name.

Test: manual
Bug: 138782888
Change-Id: Iffa38b2b746abbb5d823a8d69b7b8d2456836f4e
2019-12-10 23:00:24 +00:00
Nikita Ioffe
abd504611b Merge "Remove service defined in an APEX during userspace reboot" 2019-12-06 02:35:41 +00:00
Nikita Ioffe
091c4d1439 Remove service defined in an APEX during userspace reboot
Such services will be re-parsed and added back to the service list
during post-fs-data stage.

Test: adb reboot userspace
Test: atest CtsInitTestCases
Bug: 145669993
Bug: 135984674
Change-Id: Ibb393dfe0f101c4ebe37bc763733fd5d981d3691
2019-12-05 17:51:43 +00:00
Tom Cherry
c88d8f93cf init: Replace property_set() with android::base::SetProperty()
Init is no longer a special case and talks to property service just
like every other client, therefore move it away from property_set()
and to android::base::SetProperty().

In doing so, this change moves the initial property set up from the
kernel command line and property files directly into PropertyInit().
This makes the responsibilities between init and property services
more clear.

Test: boot, unit test cases
Change-Id: I36b8c83e845d887f1b203355c2391ec123c3d05f
2019-12-04 15:43:21 -08:00
Tom Cherry
d89ed132a0 init: always kill oneshot services' process groups.
~2007 a change was added that would allow oneshot services to
daemonize by not killing their process group.  This was a hack at the
time, and should certainly not be needed now.  I've resisted removing
the behavior however, as it hadn't caused any issues.

Recently, it was detected that the cgroups that these processes belong
to, would exist forever and therefore leak memory.  Instead of simply
removing the cgroups when empty, this provides a good opportunity to
do the right thing and fix this behavior once and for all.

The new (correct) behavior only happens for devices with vendor images
built for Android R or later.  Init will log a warning to dmesg when
it detects this difference in behavior has occurred.

Bug: 144545923
Test: boot CF/Coral and see no difference in behavior.
Test: boot CF with a service that daemonizes and see the warning.
Change-Id: I333a2e25a541ec0114ac50ab8ae7f1ea3f055447
2019-11-19 15:13:17 -08:00
Tom Cherry
18278d2e9c init: make triggering shutdown from vendor_init better
Previously, we assumed that TriggerShutdown() should never be called
from vendor_init and used property service as a back up in case it
ever did.  We have since then found out that vendor_init may indeed
call TriggerShutdown() and we want to make it just as strict as it is
in init, wherein it will immediately start the shutdown sequence
without executing any further commands.

Test: init unit tests, trigger shuttdown from init and vendor_init
Change-Id: I1f44dae801a28269eb8127879a8b7d6adff6f353
2019-11-13 12:41:34 -08:00
Suren Baghdasaryan
c29c2baa69 init: Add support for native service registration with lmkd
init should be able to register native services with lmkd so that they
can be killed when needed. Only processes with oom_score_adjust not
equal to the default -1000 will be registered with lmkd because with the
score that low the process is unkillable anyway.
Inform lmkd when a registered process is killed so that the record can be
removed.
Change init.rc to start lmkd during init phase so that it is there to
register other services.
Replace hardcoded oom_score_adj values with appropriate definitions.

Bug: 129011369
Test: boot and verify native service registration
Change-Id: Ie5ed62203395120d86dc1c8250fae01aa0b3c511
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2019-11-07 18:19:31 +00:00
Tom Cherry
0dbfea7b07 init: trigger shutdown directly from builtins
Especially now that property_service is a thread, there may be some
delay between when init sets sys.powerctl and when the main thread of
init receives this and triggers shutdown.  It's possible that
outstanding init commands are run during this gap and that is not
desirable.

Instead, have builtins call TriggerShutdown() directly, so we can be
sure that the next action that init runs will be to shutdown the
device.

Test: reboot works
Test: reboot into recovery due to bad /data works
Change-Id: I26fb9f4f57f46c7451b8b58187138cfedd6fd9eb
2019-10-11 13:45:42 -07:00
Nikita Ioffe
72d249143d Make init.updatable_crashing a read/write property
This property will need to be reset during userspace reboot, so it can't
be a read-only property anymore.

Test: builds
Bug: 135984674
Change-Id: I4e079b537cb5c725ac0b652804fdc801a6facfcf
2019-10-04 16:45:56 +01:00
Tom Cherry
9328021ce7 init: add tips for debugging linker errors when launching init services
Test: we can see linker errors in dmesg when following these tips
Change-Id: I86b65e01d06ed7c0b908c4512d55872cd5595eca
2019-09-26 15:24:40 -07:00
Tom Cherry
5241d10049 init: create sockets before forking
There is a race condition with Service::Start and socket creation.
Since socket creation currently happens after the fork(), it's
possible that init can continue executing other commands before the
socket is created.  If init starts another service that relies on that
socket, it isn't guaranteed to be available.

Particularly, we've seen this with hwservicemanager starting after
logd, but hwservicemanager's logs sometimes not showing up.

Bug: 140810300
Test: boot and logging functions correctly

Change-Id: Ib2932e836d345830cd38f3b556598508fd953058
2019-09-19 16:10:30 -07:00
Tom Cherry
60971e6ce2 init: add reboot_on_failure service option
This replaces the recently added `exec_reboot_on_failure` builtin, since
it'll be cleaner to extend service definitions than extending `exec`.
This is in line with what we decided when adding `exec_start` instead
of extending `exec` to add parameters for priority.

Test: `exec_start` a service with a reboot_on_failure option and watch
      the system reboot appropriately when the service is not found and when
      the service terminates with a non-zero exit code.

Change-Id: I332bf9839fa94840d159a810c4a6ba2522189d0b
2019-09-13 16:48:35 +01:00
Martin Stjernholm
cacf04351f Update logic for detecting pre-apexd services to check that the ART APEX is
mounted.

Necessary to make e.g. bootanimation work, which depends on (at least)
libandroidicu.so in the ART APEX.

Test: Build & boot
Bug: 135753770
Exempt-From-Owner-Approval: Approved internally
Change-Id: Ibab4f5f7a243d0815b9c70a537bae8d77dee2fbb
Merged-In: Ibab4f5f7a243d0815b9c70a537bae8d77dee2fbb
2019-08-30 17:47:31 +01:00
Daniel Norman
fb54b74fa0 Merge changes from topic "services_serve_interfaces_test"
* changes:
  Adds new property for service name -> PID.
  Adds a library to parse service info from init_rc files for use in tests.
  Adds a visibility rule for init defaults.
2019-08-02 21:51:17 +00:00
Tom Cherry
4772f1da47 init: check the arguments of builtins during the build
Host init verifier already checks that the names and number of
arguments for builtins are correct, but it can check more.  This
change ensures that property expansions are well formed, and that
arguments that can be parsed on the host are correct.  For example it
checks that UIDs and GIDs exist, that numerical values can be parsed,
and that rlimit strings are correct.

Test: build

Change-Id: Ied8882498a88a9f8324db6b8d1020aeeccc8177b
2019-08-01 10:54:47 -07:00
Tom Cherry
c5cf85db23 init: don't log in expand_props directly
It's better to pass the error message to the caller to determine how
best to print the error.

Test: build
Change-Id: Id8857c459df2f26c031650166609608d20e4d051
2019-08-01 10:34:58 -07:00
Daniel Norman
c788771da7 Adds new property for service name -> PID.
Bug: 138114550
Test: used in vts_ibase_test
Change-Id: Id21b81aa09b8597d17ad0a132ddd7749fe1182e9
2019-07-31 11:35:32 -07:00
Tom Cherry
2e4c85f157 init: clean up file / socket descriptor creation
clang-tidy hinted that some of this code wasn't right.  Looking
deeper, there is really not much related to file and socket
descriptors, except that they're published in similar ways to the
environment.  All of the abstraction into a 'Descriptor' class takes
us further away from specifying what we really mean.

This removes that abstraction, adds stricter checks and better errors
for parsing init scripts, reports sockets and files that are unable to
be acquired before exec, and updates the README.md for the passcred
option.

Test: build, logd (uses files and sockets) works
Change-Id: I59e611e95c85bdbefa779ef69b32b9dd4ee203e2
2019-07-15 12:17:30 -07:00
Tom Cherry
247ffbf314 Fix a few clang-tidy issues and add NOLINT for others
android-base:
* Add NOLINT for expanding namespace std for std::string* ostream
  overload

libdm:
* Fix missing parentesis around macro parameters

init:
* Fix missing CLOEXEC usage and add NOLINT for the intended
  usages.
* Fix missing parentesis around macro parameters
* Fix erase() / remove_if() idiom
* Correctly specific unsigned char when intended
* 'namespace flags' should be signed, since 'flags' it signed for
  clone()
* Add clear to property restore vector<string> to empty after move
* Explicit comparison against 0 for strcmp

Test: build
Change-Id: I8c31dafda2c43ebc5aa50124cbbd6e23ed2c4101
2019-07-09 16:17:36 +00:00
Tom Cherry
ff88e30126 init: remove console_init_action
There's no fundamental reason to store this aside.  That property can
only be written by init, so it's not likely that we're going to
corrupt it.

Test: boot and use serial console
Change-Id: I9248fbaf959ea913d09add829d4cb509af99d570
2019-06-26 14:20:53 -07:00
Tom Cherry
b1ffb1ded5 Move actual parsing from Service to ServiceParser
This is how this should have been done since the beginning.

Test: build, boot
Change-Id: Ifd795776c71a2e666da7fab90cbb3f356af93d4f
2019-06-26 14:03:16 -07:00
Tom Cherry
2aeb1addee Split out ServiceList and ServiceParser from service.cpp/.h
These always should have been in their own files.

Test: build
Change-Id: I201109b5ee63016e78901bbfd404846d45e1d4e6
2019-06-26 13:45:07 -07:00
Tom Cherry
f4db2aad57 init: use Errorf() now that we have it
Init had some pretty horrid Error() << StringPrintf(...) calls that
are all much better replaced by Errorf(...) now.

Test: build, check that keyword_map errors look correct
Change-Id: I572588c7541b928c72ae1bf140b814acdef1cd60
2019-06-14 22:07:32 +00:00
Tom Cherry
bbcbc2ffb3 init: replace Result<Success> with Result<void>
Now that Result<T> is actually expected<T, ...>, and the expected
proposal states expected<void, ...> as the way to indicate an expected
object that returns either successfully with no object or an error,
let's move init's Result<Success> to the preferred Result<void>.

Bug: 132145659
Test: boot, init unit tests
Change-Id: Ib2f98396d8e6e274f95a496fcdfd8341f77585ee
2019-06-10 12:39:18 -07:00
Jiyong Park
8fd64c8af1 Move result.h from init to libbase
The Result, Error, ErrnoError are quite generic. Moving them from init
to libbase so that they can be used from other places.

Bug: 132145659
Test: libbase_test
Change-Id: Id774a587f74380fadd7a0fc88c0aa892c3d9a489
2019-06-06 08:58:55 +09:00
Vic Yang
e01ca4da2d init: Refactor service.h/cpp
Factors out utility functions into service_utils.h/cpp, so that they
can be reused by the upcoming native zygote.

Bug: 133443795
Test: Build and boot cuttlefish.
Change-Id: I0531b6f17561119c8cc33dd9ba375b351747fcfe
2019-05-30 14:24:03 -07:00
Jiyong Park
d7f7c208da Don't use apexd when TARGET_FLATTEN_APEX == true
When TARGET_FLATTEN_APEX is true (= ro.apex.updatable is unset or set to
false), apexd is not used to activate the built-in flattened APEXes.
Init simply bind-mounts /system/apex to /apex.

However, there is a special case here. The runtime APEX is installed as
either /system/apex/com.android.runtime.debug or
/system/apex/com.android.runtime.release, whereas it should be activated
on /apex/com.android.runtime - without the .debug or .release suffix.
To handle that case, the build system creates an empty directory
/system/apex/com.android.runtime and the .debug or .release directory
is bind-mounted to the empty directory by init at runtime.

This change also fixes a minor bug that native watchdog is triggered
for all post-apexd processes regardless of whether ro.apex.updatable
is true or not. Since apexd is expected to shutdown itself when ro.apex
.updatable is false, we don't trigger the watchdog in that case.

Bug: 132413565
Bug: 133305381
Test: marlin and sdk_gphone are bootable
Merged-In: I219465b8b81decb960e2c5f46bab6e0768b31317
Change-Id: I219465b8b81decb960e2c5f46bab6e0768b31317
(cherry picked from commit f93088ba2b)
2019-05-29 07:04:27 +09:00
Tom Cherry
9949ec5f56 init: replace Result<> with expected<>
Android-base has an implementation of the future std::expected<>.
This provides the same baseline functionality as Result<>, so use it
instead of our own version.

Bug: 132145659
Test: boot, init unit tests
Change-Id: I11e61bcb5719b262a6420483ed51a762826a9e23
2019-05-22 15:23:01 -07:00
Martijn Coenen
acc45aa0a1 class_start_post_data also starts disabled services.
This keyword was introduced to support restarting services on devices
using APEX and FDE. The current implementation is not a restart, but
rather a 'reset' followed by a 'start', because the real /data must be
mounted in-between those two actions. But we effectively want this to be
a restart, which means that we also want to start 'disabled' services
that were running at the time we called 'class_reset_post_data'.

To implement this, keep track of whether a service was running when its
class was reset at post-data, and start all those services.

Bug: 132592548
Test: manual testing on FDE Taimen
Change-Id: I1e81e2c8e0ab2782150073d74e50e4cd734af7b9
Merged-In: I1e81e2c8e0ab2782150073d74e50e4cd734af7b9
2019-05-16 09:30:35 +02:00
Martijn Coenen
fc78be2935 Merge "Support for stopping/starting post-data-mount class subsets." 2019-05-07 06:41:01 +00:00
Zimuzo
88de80fc53 Attempt native rollback for frequent crashes before boot completed
Before, if updatable processes crash 4 times in 4mins, a native
rollback will be attempted. This behavior does not detect
system_server early boot deadlocks because the system server requires
at least a min to detect a deadlock, and crash itself. The crashes
don't happen frequently enough for init to detect.

After, this cl, the old behavior exists and additionally, init detects
*any* 4 crashes of updatable processes before boot completed,
regardless of if they happen within 4mins or not.

Test: Manually tested by adding artificial sleep in system_server so
deadlock is triggered before boot. system_server crashes 4 times in
over 4mins and the ro.init.updatable_crashing prop is set to 1.
Bug: 129597207

Change-Id: Ie6fb5693ff4be105bcbe139c22850fb076e40260
2019-04-30 11:19:19 +00:00
Martijn Coenen
70788f93ba Support for stopping/starting post-data-mount class subsets.
On devices that use FDE and APEX at the same time, we need to bring up a
minimal framework to be able to mount the /data partition. During this
period, a tmpfs /data filesystem is created, which doesn't contain any
of the updated APEXEs. As a consequence, all those processes will be
using the APEXes from the /system partition.

This is obviously not desired, as APEXes in /system may be old and/or
contain security issues. Additionally, it would create a difference
between FBE and FDE devices at runtime.

Ideally, we restart all processes that have started after we created the
tmpfs /data. We can't (re)start based on class names alone, because some
classes (eg 'hal') contain services that are required to start apexd
itself and that shouldn't be killed (eg the graphics HAL).

To address this, keep track of which processes are started after /data
is mounted, with a new 'mark_post_data' keyword. Additionally, create
'class_reset_post_data', which resets all services in the class that
were created after the initial /data mount, and 'class_start_post_data',
which starts all services in the class that were started after /data was
mounted.

On a device with FBE, these keywords wouldn't be used; on a device with
FDE, we'd use them to bring down the right processes after the user has
entered the correct secret, and restart them.

Bug: 118485723
Test: manually verified process list
Change-Id: I16adb776dacf1dd1feeaff9e60639b99899905eb
2019-04-26 14:04:59 +02:00
Bernie Innocenti
7cb72c96b4 Disallow operator!() on unique_fd
This catches a common mistake where client code checks for errors using
the common idiom that works for std::iostream and other file-like
classes:

  unique_fd fd = open(...);
  if (!fd) {
  }

Test: atest libbase_test
Test: m droid
Change-Id: I9629a7795537ecb3b57be9c741c06f80967e4cc2
2019-03-28 15:56:07 +09:00
Yifan Hong
567f1874fd init: expand prop in 'file'
Allow having properties in 'file' option of a service.

Test: boots (sanity)
Test: lpdumpd
Bug: 126233777
Change-Id: I55158b81e3829b393a9725fd8f09200690d0230f
2019-03-21 16:00:00 -07:00
Elliott Hughes
076305e4fb init: use PLOG rather than strerror.
Test: builds
Change-Id: Ifdba8e7fa4cd5c852946bb0f398382f2d64674cd
2019-03-08 12:34:53 -08:00
Tom Cherry
1cd082d421 init: allow services to have no capabilities set
In particular, this allows services running as the root user to have
capabilities removed instead of always having full capabilities.

Test: boot device with a root service with an empty capabilities
      option in init showing no capabilities in /proc/<pid>/status
Change-Id: I569a5573ed4bc5fab0eb37ce9224ab708e980451
2019-02-06 11:25:18 -08:00
Treehugger Robot
54ef09c88e Merge "Reland: "Identify post-apexd crashing processes"" 2019-02-05 03:16:30 +00:00