create new profiles to allowing thawing and freezing back the freezer
cgroup
Bug: 151225245
Test: Manually verified that using the SetTaskProfiles method on the
profiles thaws and freezes back the freezer cgroup.
Change-Id: I7f3e193ebe79b49c1f6ac52b6138ff4ec26fc570
On some devices we see a weird in which /metadata/apex will have a wrong
selinux label. This will effectively prevent such devices from getting
any apex updates. Since we haven't figured out a root cause for this
bug, it's safer to explicitly call restorecon on /metadata/apex to make
sure it's correct.
This change shouldn't affect a normal boot flow, since /metadata/apex
will already have a correct label and restorecon_recursive will be a
no-op.
Test: rm -Rf /metadata/apex && \
mkdir /metadata/apex &&
mkdir /metadata/apex/sessions
Bug: 149317789
Merged-In: I971ffe35c93bb79d9e71106c24515ec0ee70333a
Change-Id: I971ffe35c93bb79d9e71106c24515ec0ee70333a
(cherry picked from commit cf7b6bad55)
- zygote needs statsd for logging boot time event.
- statsd starting later leads into stats logging failure which
is reported by all child processes of zygote later.
This brings lots of noise in statsd error.
Bug: 159664734
Test: reboot and check if error log does not show up
E statsd : Found dropped events: 1 error -19 last atom tag 240 from uid 10169
Change-Id: Ie585febb50a9668671c8fda41a872595baae8385
Test: built and booted
Bug: 150040815
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Merged-In: If80758b3d7bf499d428880efa5ed555076bfc291
Change-Id: If80758b3d7bf499d428880efa5ed555076bfc291
On some devices we see a weird in which /metadata/apex will have a wrong
selinux label. This will effectively prevent such devices from getting
any apex updates. Since we haven't figured out a root cause for this
bug, it's safer to explicitly call restorecon on /metadata/apex to make
sure it's correct.
This change shouldn't affect a normal boot flow, since /metadata/apex
will already have a correct label and restorecon_recursive will be a
no-op.
Test: rm -Rf /metadata/apex && \
mkdir /metadata/apex &&
mkdir /metadata/apex/sessions
Bug: 149317789
Change-Id: I971ffe35c93bb79d9e71106c24515ec0ee70333a
Improve app startup performance before the new app is in the top-app
cpuset.
Test: boots, zygote64 in top-app stune group
Bug: 159201879
Change-Id: I3aad4b4b1d2f54db9e7ba86db8a655d8552bad0a
The FUSE filesystem is implemented by a Zygote child. If Zygote dies,
all of its children die along with it, including the FUSE daemon. The
FUSE filesystem is cleaned up automatically whenever the /dev/fuse file
descriptor of the FUSE daemon is closed. However, due to the way the
binder driver holds on to the 'struct files' of processes in the kernel,
the closing of FDs of all of Zygote's children is serialized.
That in turn means that, if a process has a file with dirty pages on
FUSE, and that FD is closed *before* the FUSE FD, the FUSE kernel driver
will happily issue a request to the FUSE daemon to serve that request.
But since the FUSE userspace daemon is already dead, it will never get
served. And because the closing of all FDs is serialized, we will never
close the FUSE fd to unblock this request.
Solve this particular case by manually aborting the FUSE filesystem when
Zygote restarts. Because we now explicitly close the FUSE fd, the FUSE
filesystem will be cleaned up, all outstanding requests to it will be
cancelled, and new ones will be skipped.
Bug: 153411204
Test: kill zygote manually
Change-Id: I2cb6c1a03cc1a932461ff33558894a428ff35180
Bug: 153849221
Test: build and try to capture the trace by perfetto and systrace
Change-Id: Ie8a13e12038bd66afcd264079a2c5f25daaa20ee
Merged-In: Ie8a13e12038bd66afcd264079a2c5f25daaa20ee
(cherry picked from commit 9d19a05422)
This will allow Phonesky to read APEXes under /data/apex/active.
Test: adb shell su 10114 dd if=/data/apex/active/com.android.tzdata@300000000.apex of=/dev/null
Bug: 154635217
Merged-In: I5278897413ca0e32aed9d1c7f82e48138bc51404
Change-Id: I5278897413ca0e32aed9d1c7f82e48138bc51404
- Cherry pick of aosp/1228482
As of aosp/1224611, there is a new step in the preparation of APEXes
where init calls back into apexd after DE user data is unencrypted to
allow DE apex data to be snapshotted or restored.
aosp/1228581 introduces a new apexd.status value of "activated" that
is set once APEXes are activated but before this snapshot has occurred.
init may execute "perform_apex_config" once this has occurred, so this
CL changes init to wait for "activated" rather than "ready" before
doing this.
Bug: 148672144
Test: build & flash, check boot completes and check in logs that init
waits on the correct status value.
Merged-In: I339580bf593d3b09a5dff749ac2a5d1952bcb210
Change-Id: I71b62c9dd2f7951811606002f38612784d3d9086
This will allow Phonesky to read APEXes under /data/apex/active.
Test: adb shell su 10114 dd if=/data/apex/active/com.android.tzdata@300000000.apex of=/dev/null
Bug: 154635217
Change-Id: I5278897413ca0e32aed9d1c7f82e48138bc51404
This patch removed the old writeout policy tune which was never touched since
2009. In the meantime, most of Android devices are equipped with over 4GB DRAM
and very fast flash storages like UFS, which becomes more like desktop or
servers in 2009. So, it'd be worth to go back to use the default kernel configs.
Bug: 129751503
Change-Id: Idb58f5b01bbc4afd270cffba5b8912ea3565819f
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Also reordered the directories in alphabetical order
Test: m -j
Bug: 149838525
Merged-In: I1a918d189d8bcb394ec6f818d033dbf7e4518713
Change-Id: I4b10a01ed6b3285aec6d87765f225c41ec55be96
create new profiles to allowing thawing and freezing back the freezer
cgroup
Bug: 151225245
Test: Manually verified that using the SetTaskProfiles method on the
profiles thaws and freezes back the freezer cgroup.
Change-Id: I7f3e193ebe79b49c1f6ac52b6138ff4ec26fc570
There is a longstanding bug where file-based encryption causes spurious
SELinux denials of module_request because it uses the kernel's crypto
API, and the crypto API tries to autoload kernel modules.
While this sometimes indicate missing kconfig options, it can still
happen even if all needed kconfig options are enabled. This is because
a crypto algorithm can be a composition like "hmac(sha512)", and the
crypto API will first look for the full composition before it
instantiates it using the components like "hmac" and "sha512". But
often an implementation of the full composition doesn't exist.
However, as far as I can tell, Android doesn't actually use kernel
module autoloading at all. First, Android never changes
/proc/sys/kernel/modprobe from the default of "/sbin/modprobe", yet this
isn't where modprobe is located on Android. Android's SELinux policy
contains a neverallow rule that ensures that only init (not even
vendor_init) can write to this setting, so vendors can't be changing it.
Vendors could potentially be setting CONFIG_STATIC_USERMODEHELPER_PATH,
which overrides the path of all usermode helpers including modprobe.
But this is a relatively new kconfig option, available only in
android-4.14 and later. Also, for a vendor to actually do this they'd
also need to extend the SELinux policy with a domain_auto_trans rule to
allow their usermode helper to be executed by the kernel.
Android does increasingly use kernel modules, and GKI (Generic Kernel
Image) will require them. However, the modules are actually inserted by
userspace by 'init', not autoloaded.
It's possible to disable kernel module autoloading completely by setting
/proc/sys/kernel/modprobe to an empty string. So, let's do that.
This prevents lots of spurious SELinux denials, and allows removing
unnecessary rules to allow or dontaudit the module_request permission.
Note: when the kernel doesn't have CONFIG_ANDROID_BINDERFS enabled, this
change exposes a kernel bug that causes a WARNING in get_fs_type(). To
avoid this WARNING, a kernel fix should be applied too -- currently
under discussion upstream
(https://lkml.kernel.org/r/20200310223731.126894-1-ebiggers@kernel.org).
Bug: 130424539
Bug: 132409186
Bug: 144399145
Bug: 146477240
Bug: 148005188
Bug: 149542343
Test: Tested on cuttlefish and coral:
- Checked that /proc/sys/kernel/modprobe contains /sbin/modprobe
before this change, and the empty string after.
- Checked that if all SELinux rules for module_request are removed,
there are SELinux denials for module_request before this change
but none after.
- Ran lsmod both before and after and verified that the list is the
same, i.e. checked that this change doesn't break how Android
actually loads kernel modules.
Change-Id: I4132fe1a491e7b789311afcf693c1f6493fb9dc5
Merged-In: I4132fe1a491e7b789311afcf693c1f6493fb9dc5
There is a longstanding bug where file-based encryption causes spurious
SELinux denials of module_request because it uses the kernel's crypto
API, and the crypto API tries to autoload kernel modules.
While this sometimes indicate missing kconfig options, it can still
happen even if all needed kconfig options are enabled. This is because
a crypto algorithm can be a composition like "hmac(sha512)", and the
crypto API will first look for the full composition before it
instantiates it using the components like "hmac" and "sha512". But
often an implementation of the full composition doesn't exist.
However, as far as I can tell, Android doesn't actually use kernel
module autoloading at all. First, Android never changes
/proc/sys/kernel/modprobe from the default of "/sbin/modprobe", yet this
isn't where modprobe is located on Android. Android's SELinux policy
contains a neverallow rule that ensures that only init (not even
vendor_init) can write to this setting, so vendors can't be changing it.
Vendors could potentially be setting CONFIG_STATIC_USERMODEHELPER_PATH,
which overrides the path of all usermode helpers including modprobe.
But this is a relatively new kconfig option, available only in
android-4.14 and later. Also, for a vendor to actually do this they'd
also need to extend the SELinux policy with a domain_auto_trans rule to
allow their usermode helper to be executed by the kernel.
Android does increasingly use kernel modules, and GKI (Generic Kernel
Image) will require them. However, the modules are actually inserted by
userspace by 'init', not autoloaded.
It's possible to disable kernel module autoloading completely by setting
/proc/sys/kernel/modprobe to an empty string. So, let's do that.
This prevents lots of spurious SELinux denials, and allows removing
unnecessary rules to allow or dontaudit the module_request permission.
Note: when the kernel doesn't have CONFIG_ANDROID_BINDERFS enabled, this
change exposes a kernel bug that causes a WARNING in get_fs_type(). To
avoid this WARNING, a kernel fix should be applied too -- currently
under discussion upstream
(https://lkml.kernel.org/r/20200310223731.126894-1-ebiggers@kernel.org).
Bug: 130424539
Bug: 132409186
Bug: 144399145
Bug: 146477240
Bug: 148005188
Bug: 149542343
Test: Tested on cuttlefish and coral:
- Checked that /proc/sys/kernel/modprobe contains /sbin/modprobe
before this change, and the empty string after.
- Checked that if all SELinux rules for module_request are removed,
there are SELinux denials for module_request before this change
but none after.
- Ran lsmod both before and after and verified that the list is the
same, i.e. checked that this change doesn't break how Android
actually loads kernel modules.
Change-Id: I4132fe1a491e7b789311afcf693c1f6493fb9dc5
Test: Able to boot without error
Bug: 150671726
Merged-In: If366d284f4f01ebfa660e85bad57861c120ada7e
Change-Id: I9d85c00d191dcaa46c0182b5a15cd89dcdb9ea5e
(cherry picked from commit 1a5ae50943)
Apexes do not support "on" macros, so we are moving
them into the system partition
Bug: 145923087
Test: m -j
Change-Id: Ic671a51f2ec5b91f2f631bae0f509b4aa2d057b4
Merged-In: Ic84e77269f80097b675d6a1b0d206c2bae7d918d
Apexes do not support "on" macros, so we are moving
them into the system partition
Bug: 145923087
Test: m -j
Change-Id: Ic84e77269f80097b675d6a1b0d206c2bae7d918d
Adding two new public keys for R-Developer-GSI and S-Developer-GSI,
respectively.
Bug: 149805495
Test: m r-developer-gsi.avbpubkey
Test: m s-developer-gsi.avbpubkey
Change-Id: Iaa7521ef40b94f13fe3c9c61d276678f47c60b98
Helps with support of recovery and rollback boot reason history, by
also using /metadata/bootstat/persist.sys.boot.reason to file the
reboot reason.
Test: manual
Bug: 129007837
Change-Id: Id1d21c404067414847bef14a0c43f70cafe1a3e2
When kernel lowmemorykiller driver is enabled lmkd detects it by
checking write access to /sys/module/lowmemorykiller/parameters/minfree
parameter. By default this file does not have write access and init
process changes that from "on boot" section of init.rc. However
"on boot" is never executed in the charger mode, therefore lmkd fails
to detect the kernel driver. Fix this by setting lowmemorykiller kernel
driver parameters before lmkd is started.
Bug: 148572711
Test: boot into charger mode with kernel lmk driver enabled
Change-Id: Ifc3ef725b95bdb5f7d801031429dc26bae014d1f
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
It is already disabled, but having an explcit value in the prop makes
some code in the system_server, easier.
Will follow up with a cl to explicitly enable it on internal master,
aosp will remain this way since it doesn't have the additional
components to run FUSE.
Test: Freshly wiped and flashed device has persist.sys.fuse set to false
Bug: 135341433
Merged-In: I1493e2806823b5751794a9a17ee248dc72b857ff
Change-Id: Ibb955a543e367aa2f4518d5c1c4d070cd084eca0
- schedtune.prefer_idle 1
- schedtune.boost 1
Test: mm
Test: configure NNAPI HAL to use nnapi-hal stune
Test: measure perf difference using MLTS benchmark
Change-Id: I5f467c6a58f2c1da40ec8276e101defc808854a3
(cherry picked from commit 1d748feaec)
Instead they will be logged from system_server. This CL just prepares
grounds for logging CL to land.
Test: adb reboot userspace
Bug: 148767783
Change-Id: Ie9482ef735344ecfb0de8a37785d314a3c0417ff
As of aosp/1224611, there is a new step in the preparation of APEXes
where init calls back into apexd after DE user data is unencrypted to
allow DE apex data to be snapshotted or restored.
aosp/1228581 introduces a new apexd.status value of "activated" that
is set once APEXes are activated but before this snapshot has occurred.
init may execute "perform_apex_config" once this has occurred, so this
CL changes init to wait for "activated" rather than "ready" before
doing this.
Bug: 148672144
Test: build & flash, check boot completes and check in logs that init
waits on the correct status value.
Change-Id: I339580bf593d3b09a5dff749ac2a5d1952bcb210
snapshotctl merge --logcat --log-to-file
- If --logcat, log to logcat
- If --log-to-file, log to /data/misc/snapshotctl_log/
- If both, log to both
- If none, log to stdout
Test: manually test these 4 cases
Bug: 148818798
Change-Id: I44b52936c0d095867acc6ee781c6bec04f6ebd6b
Mount binderfs at /dev/binderfs. Also add symlinks from /dev/binder,
/dev/hwbinder and /dev/vndbinder to /dev/binderfs/binder,
/dev/binderfs/hwbinder and /dev/binderfs/vndbinder respectively.
The symlink commands will fail harmlessly on a kernel
which does not support binderfs since /dev/{binder,hwbinder,vndbinder}
devices will exist on the same.
Bug: 136497735
Bug: 148696163
Test: Cuttlefish boots on Android Common Kernel 4.19 with kernel config
CONFIG_ANDROID_BINDERFS=y.
Change-Id: I8e04340dc4622b0a3c1fc4aa6bbefcb24eefe00b
This calls into apexd to allow it to snapshot and restore DE apex data
in the case of a rollback. See the corresponding apexd change for more
information.
Cherry-pick from (unsubmitted) internal CL: ag/10163227
Bug: 141148175
Test: atest StagedRollbackTest#testRollbackApexDataDirectories_DeSys
Change-Id: Ia4bacc9b7b7a77038ba897acbc7db29e177a6433
Use chattr to apply +F to /data/media
This will fail on devices who do not support casefolding on userdata.
Bug: 138322712
Test: /data/media is set to +F.
Change-Id: Ib341c23a0992ee97b23113b3a72f33a61e583b04
This reverts commit 8e50be74ae.
Reason for revert: Several devices did not boot
Test: Local build with this reverted had the device boot
Bug: 148689473
Merged-In: I97e96bd86d02a9fe70c5ef02df85c604b0cfb3c3
Change-Id: Ic4a2990e7c0cb08c374a336422c08d9aad28049d
Only the FUSE daemon (with media_rw gid) needs access to paths on
/mnt/pass_through. And even then, it only needs execute access on the
dirs, since there will always be a bind mount either from sdcardfs or
the lower filesystem on it and that bind mount correctly handles ACLs
for the FUSE daemon.
Test: manual
Bug: 135341433
Change-Id: I999451e095da355e6247e9e18fb6fe1ab8fc45d6
This is the expected location on Linux and this makes 'ip tuntap' work.
Before:
vsoc_x86_64:/ # ip tuntap add dev tun0 mode tun
open: No such file or directory
vsoc_x86_64:/ # ip tuntap add dev tap0 mode tap
open: No such file or directory
vsoc_x86_64:/ # ip tuntap list
After:
vsoc_x86_64:/ # ip tuntap add dev tun0 mode tun
vsoc_x86_64:/ # ip tuntap add dev tap0 mode tap
vsoc_x86_64:/ # ip tuntap list
tap0: tap UNKNOWN_FLAGS:800
tun0: tun UNKNOWN_FLAGS:800
$ adbz shell ls -ldZ / /dev /dev/tun /dev/net /dev/net/tun
drwxr-xr-x 25 root root u:object_r:rootfs:s0 4096 2020-01-25 09:48 /
drwxr-xr-x 21 root root u:object_r:device:s0 1240 2020-01-25 09:48 /dev
drwxr-xr-x 2 root root u:object_r:device:s0 60 2020-01-25 09:48 /dev/net
lrwxrwxrwx 1 root root u:object_r:device:s0 6 2020-01-25 09:48 /dev/net/tun -> ../tun
crw-rw---- 1 system vpn u:object_r:tun_device:s0 10, 200 2020-01-25 09:48 /dev/tun
Test: see above
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I2aa215711454ce4f8a0ef1f34c17621629060fa1
Mount binderfs at /dev/binderfs. Also add symlinks from /dev/binder,
/dev/hwbinder and /dev/vndbinder to /dev/binderfs/binder,
/dev/binderfs/hwbinder and /dev/binderfs/vndbinder respectively.
Bug: 136497735
Test: Cuttlefish boots on Android Common Kernel 4.19 with kernel config
CONFIG_ANDROID_BINDERFS=y.
Change-Id: I349face22a2e73bfd79af0188e41188c323388f7
In Android kernels >4.4 we will see an empty /sys/kernel/tracing
directory which is notionally where you should mount tracefs if you
don't want to mount debugfs. As we move towards not mounting debugfs,
ensure that the non-legacy location also has adequate permissions to be
read by tracing tools.
Note that this change will be OK even if the board init.rc doesn't mount
tracefs here, because sysfs will always create this directory.
Bug: 148436518
Change-Id: I674587d0f08effdb8471a82e3b1ceec3af8588de
Also reset some more properties to make bootanimation work properly.
Test: adb reboot userspace
Bug: 148172262
Change-Id: I0154d4fe9377c019150f5b1a709c406925db584d
To allow apps with MANAGE_EXTERNAL_STORAGE permission and therefore
external_storage gid to access unreliable volumes directly on
/mnt/media_rw/<volume>, they need access to the /mnt/media_rw path.
This change doesn't break the FUSE daemon, the only process that should
have media_rw gid in R because the FUSE daemon accesses the lower
filesystem from the pass_through bind mounts of the public volume mount
itself so it doesn't need to walk the /mnt/media_rw path itself
Test: With FUSE enabled, a reliably mounted public volume is accessible
on /storage
Bug: 144914977
Change-Id: Ia3fc9e7483894402c14fb520024e2acca821a24d
It previously had 0755 permission bits
With such permissive bits, an unauthorized app can access a file using
the /mnt/pass_through path for instance even if access via /storage
would have been restricted.
It is now 0700
TODO: Change ACL for /mnt/user from 0755 to 0700 in vold only when
FUSE flag is on. Changing it with FUSE off breaks accessing /sdcard
because /sdcard is eventually a symlink to /mnt/user/0/primary
Test: adb shell ls -d /mnt/pass_through
Bug: 135341433
Change-Id: I3ea9655c6b8c6b4f847b34a2d3b96784a8f4a160
This gives search (x) permission on the parent apex data
directory /data/misc/apexdata so that directories below it
may be opened. It also gives that permission on the apex
data directories themselves.
Bug: 147848983
Test: Build & flash, check perms are correct
Change-Id: I27c4ea01602002c89d0771a144265e3879d9041a
The credstore system daemon is running as an unprivileged user. This
CL adds this user and also creates a directory (/data/misc/credstore/)
where this daemon can store its data.
Bug: 111446262
Test: N/A
Change-Id: I8da2c32dd04fef797870b8a7bbc5e499bed71f9e
Historically, the syscall was controlled by a system-wide
perf_event_paranoid sysctl, which is not flexible enough to allow only
specific processes to use the syscall. However, SELinux support for the
syscall has been upstreamed recently[1] (and is being backported to
Android R release common kernels).
[1] da97e18458
As the presence of these hooks is not guaranteed on all Android R
platforms (since we support upgrades while keeping an older kernel), we
need to test for the feature dynamically. The LSM hooks themselves have
no way of being detected directly, so we instead test for their effects,
so we perform several syscalls, and look for a specific success/failure
combination, corresponding to the platform's SELinux policy.
If hooks are detected, perf_event_paranoid is set to -1 (unrestricted),
as the SELinux policy is then sufficient to control access.
This is done within init for several reasons:
* CAP_SYS_ADMIN side-steps perf_event_paranoid, so the tests can be done
if non-root users aren't allowed to use the syscall (the default).
* init is already the setter of the paranoid value (see init.rc), which
is also a privileged operation.
* the test itself is simple (couple of syscalls), so having a dedicated
test binary/domain felt excessive.
I decided to go through a new sysprop (set by a builtin test in
second-stage init), and keeping the actuation in init.rc. We can change
it to an immediate write to the paranoid value if a use-case comes up
that requires the decision to be made earlier in the init sequence.
Bug: 137092007
Change-Id: Ib13a31fee896f17a28910d993df57168a83a4b3d
Prefetching appears to have a slightly negative effect on boot time, and
actually makes boot time much worse when the available dm-bufio cache
shrinks. Since we anticipate the dm-bufio cache will shrink (because of
an increasing number of APEX dm-verity targets), disable prefetching
completely.
We've run this change on Pixel 2 since August, and haven't observed any
negative effects. Boot time slightly decreased. With the increased
amount of APEXes we already have, this should now result in an even more
significant boot time decrease.
Bug: 136247322
Test: atest google/perf/boottime/boottime-test
Change-Id: Id588669af1b0b9daaf15323dccf33411e03b8633
Otherwise, if userspace reboot is triggered from the framework, it will
end up in userspace reboot loop until watchdog kicks in triggers full
reboot.
Bug: 135984674
Test: adb shell svc power reboot userspace
Change-Id: I0de451aad4ea236a3ff1c20b317b01c6529b6231
Current linkerconfig targets for specific output file. However,
linkerconfig will generate more than 1 file based on APEX modules, so it
should take argument for target directory rather than target file. This
change updates linkerconfig's argument to point output directory.
Bug: 146993126
Test: m -j passed & Cuttlefish succeeded to boot
Change-Id: I3a720a047077688582436aabd307adafeafc5398
Remove prebuilt ld.config.txt to use linker config from generator only,
including legacy and vndk_lite case.
Bug: 139638519
Test: m -j passed
Change-Id: I043d51daca8cde1977236f9fbda919176a18618d
Since I was there, added two more properties to reset, and switched
ordering of sys.init.updatable_crashing and
sys.init.updatable_crashing_process_name setprops to make sure that
process name is already set when apexd/PackageWatchdog get's notified
about sys.init.updatable_crashing.
Also fixed a typo in what HandleUserspaceReboot function.
Test: adb reboot userspace
Bug: 135984674
Change-Id: I954ec49aae0734cda1bd833ad68f386ecd808f73
There are two namespaces from init - bootstrap and default - and those
will have different set of APEX modules. To support difference between
two namespaces, linker config should be generated per namespace and each
namespace should use its own linker configuration. As a first step of
the work, this change will create different mount point for each
namespace, and re-generate linker config after APEX mount from each
namespaces.
Bug: 144664390
Test: m -j passed & tested from cuttlefish
Change-Id: Iac2e222376ec4b0ced6c29eed18b21d39ff0b1ba
Remove ld.config.recovery.txt build as this will be replaced to be
generated from linkerconfig during build time.
Bug: 146414198
Test: m -j passed
Test: Checked linker config generated under recovery's system/etc
Change-Id: I0d2aa121973c4c99e68f44f4e76e4eab74dc2f95
We use /data/incremental to keep all the directories that are mounted on
the Incremental File System.
Since system_server does not have permission to dynamically create dirs
directly under /data, we create /data/incremental in init.rc.
Test: boots
BUG: 136132412
Change-Id: Ic90cc8f652672a8d4459c0cd38db9c0872217af4
This reverts commit 5d53bfce2d.
Reason for revert: for consistency, we've decided that for now, all code will have the same view of /storage: FUSE. Will address the TODO here later.
Change-Id: Ia75e23c91fb098f6309c160de2889f06507c3717
Also, bind mount /data/misc/profiles/cur to /mnt/data_mirror/cur_profiles
Bug: 143937733
Test: Directories are created and mounted
Change-Id: Idcf73b84db84dc671ec5a5025f4b4ec1bc5fd1fc
This is a partial revert of change
Idf851b3a42910e0ce8fdd75daea1cce91dd1aa98, and brings us back to the
state we shipped in Q.
The default behavior for now is that we want native daemons to use the
default sdcardfs view, as they did before. Zygote-spawned apps will then
get the correct view assigned to them as they get spawned.
Bug: 146189163
Test: atest AdoptableHostTest
Change-Id: I2248f39e029138962a41a6ead944431414c901ad
Mount a tmpfs on top of it, and serve as a mirror of /data/data
and /data/user_de, which will be used when zygote forks and
overlay its CE and DE storage to prevent app can see other applications.
Also, changed /data/user/0 from symlink to bind mount, so
/data_mirror/data_ce/null can just bind to /data/user directly.
Bug: 143937733
Test: Directories are created and mounted
Change-Id: Ic72c47c9d3dc0ffc98510f5bb351eccf76524232
This should solve the problem of
`property:sys.usb.config=adb && property:sys.usb.configfs=0` action
being wrongly triggered during userspace reboot.
Also reset some adbd-related property in `on userspace-reboot-requested`
action to make sure that userspace reboot sequence is as close as
possible to normal boot sequence w.r.t adbd.
Test: adb reboot userspace
Test: checked property:sys.usb.config=adb && property:sys.usb.configfs=0
action is not triggered
Bug: 135984674
Change-Id: Icf40386399ee84d01228020e65f71ba473d72822
This creates the /data/misc/apexrollback directory which will
hold snapshots of DE_sys apex data directories (i.e. it will
hold backups of data from /data/misc/apexdata for particular
apexes).
See go/apex-data-directories for details.
Bug: 141148175
Test: Built and flashed, checked directory was created.
Change-Id: If45377a9b29cc1f52dd08ea1339829e3bb3032e9
This creates the directory /data/misc/apexdata, at the same time as other
directories under /data/misc. Then, when apexd has finished activating
APEXes, a directory is created under /data/misc/apexdata for every
APEX, with the same name as the APEX module name.
See go/apex-data-directories.
APEXes are discovered by scanning the /apex directory. It may be better
to delegate this process to a library, but it is proposed to defer that
change to a future CL.
Bug: 141148175
Test: Built and flashed, checked directories were created.
Change-Id: I639d6f490ae0b97f116ce38ff3ac348bd73aa20e
Currently linker config locates under /dev, but this makes some problem
in case of using two system partitions with chroot. To match system
image and configuration, linker config better stays under /linkerconfig
Bug: 144966380
Test: m -j passed && tested from cuttelfish
Change-Id: Iaae5af65721eee8106311c1efb4760a9db13564a
Avoids this error on later runs:
ln: cannot create symbolic link from '/sys/kernel/debug' to 'out/target/product/walleye/root/d/debug': Permission denied
Bug: http://b/145148158
Test: touch * ; mm -j32 -k
Change-Id: I0c1c0c6e7666c0bc3373687d8c1c7bdf0847913f
In any case, UFS storage suffers from long discard latency.
Change-Id: Iaa8ef6eb862934af43254bd10873a12c3d34e926
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Run this process as early as possible in the boot -- right
after its config has been parsed from the apex. This ensures
the sdk prop is set as early as it can be, should some other
early process need to look at it.
Note: this is unlikely to be the permanent way this gets run,
as it's only needed when apexes update.
Bug: 137191822
Test: boot && adb shell getprop | grep sdk_info
Change-Id: Ia48ef89435ca165333b52d653e3131f71a522747
This will be taken care of by vold (when necessary).
Bug: 135341433
Test: device boots, passthrough mount still works
atest AdoptableHostTest
Change-Id: I5a144eff0e4220fa0154bfa7d62a2dec625c88bc
There will be useful in debugging/logging events to statsd.
Also as part of this CL, sys.init.userspace_reboot.in_progress property
is now used as a mean of synchronization. It is set directly in
DoUserspaceReboot, to make sure that all the setprop actions triggered
by userspace-reboot-requested were processed.
Test: adb reboot userspace
Test: adb shell getprop sys.init.userspace_reboot.last_started
Test: adb shell getprop sys.init.userspace_reboot.last_finished
Bug: 135984674
Change-Id: I9debcd4f058e790855200d5295344dafb30e496a
Adds the freezer cgroup to process groups
Change-Id: Ib7a8dbe776ff156ff3827b9a659365384f3e6ac8
Bug: 143308662
Test: manual - frozen processes aren't scheduled for execution until
unfrozen
There is no reason for these scripts to continue to exist in /, when
they are better suited for /system/etc. There are problems keeping
them at / as well, particularly that they cannot be updated with
overlayfs.
Bug: 131087886
Bug: 140313207
Test: build/boot
Merged-In: I043d9a02ba588ca37ceba2c4e28ed631792b2586
Change-Id: I043d9a02ba588ca37ceba2c4e28ed631792b2586
* changes:
init: Add support for native service registration with lmkd
lmkd: Support process types when registering a process
lmkd: Add library function to unregister a process
lmkd: Prepare lmkd to support connection from init process
lmkd: Restrict process record modifications to the client that created it
init should be able to register native services with lmkd so that they
can be killed when needed. Only processes with oom_score_adjust not
equal to the default -1000 will be registered with lmkd because with the
score that low the process is unkillable anyway.
Inform lmkd when a registered process is killed so that the record can be
removed.
Change init.rc to start lmkd during init phase so that it is there to
register other services.
Replace hardcoded oom_score_adj values with appropriate definitions.
Bug: 129011369
Test: boot and verify native service registration
Change-Id: Ie5ed62203395120d86dc1c8250fae01aa0b3c511
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
We are going to teamfood userspace reboot soon, and in order to gather
as much data as possible we are fine with ignoring checkpointing for the
devices with ext4 (teamfood will be a very limited set of people that
are aware what they've signed for).
As result of this, we don't need to reset vold and kill zram backing
device. Added a TODO to restore that functionality if needed.
Since I was there, fixed yet another typo in userspace-reboot-resume -_-
Bug: 135984674
Test: adb reboot userspace
Change-Id: I2b7a93aaf738fe9bec9d606d7e11aefb325550b1
Migrating these files to soong modules and those modules are defined
under /packages/modules/vndk since they are highly coupled with vndk.
Bug: 141450808
Test: m llndk.libraries.txt
Change-Id: Id33366f604e3e6696a9be95dc50f40d143325697
FscryptSetDirectoryPolicy no longer tries to infer the action from the
filename. Well mostly; it still assumes top-level directories in /data
should be encrypted unless the mkdir arguments say otherwise, but
it warns.
Bug: 26641735
Test: boot, check log messages
Change-Id: Id6d2cea7fb856f17323897d85cf6190c981b443c
It should userspace-reboot-requested, not userspace-reboot
Test: adb reboot userspace
Bug: 135984674
Change-Id: I1e844b7705eb70ee3702a1dc0432644592666364
linkerconfig reads vndk-related libraries.txt files. Now these files are
generated by soong.
Bug: 142963962
Bug: 141450808
Test: m && device boots && TH
Change-Id: I98c2f934815238cacd4ec8536ce2f9f24bbf1b32
New linkerconfig reads some txt files which list various kinds of
vndk libraries. For example, vndksp.libraries.txt file has the list of
VNDKSP type libraries. The exact file names are retrieved from .vendor
variants.
With VNDK APEX, .vendor variants are not installed but
.com.android.vndk.current variants are packaged into VNDK APEX.
This CL changes the variant type from .vendor to
.com.android.vndk.current so that *.libraries.txt files can list the
installed files correctly.
Bug: 141451661
Test: m && device boot
Change-Id: Ibbc27b1ae6a44cc2337a0b14918caa27107a4c8e
The lib isn't used by most of the apps. Don't waste memory by preloading
it to all apps.
Bug: 142482121
Test: `lsof -p $(pidof zygote64) | grep libneuralnetwork` shows nothing
Change-Id: I4a6e3df838fa3b7a46271e548e9fdc87bea948ae
* Refactored code around stopping services a little bit to reuse it
between full reboot and userspace reboot.
* Add a scope_guard to fallback to full reboot in case userspace reboot
fails.
* In case of userspace reboot init will also wait for services to be
terminated/killed and log the ones that didn't react to
SIGTERM/SIGKILL in time.
* If some of the services didn't react to SIGKILL, fail userspace reboot.
Test: adb reboot userspace
Bug: 135984674
Change-Id: I820c7bc406169333b0f929f0eea028d8384eb2ac
libneuralnetworks.so could be preloaded. In that case, it should be
accessible from libnativeloader which runs in the art namespace.
Bug: 141847343
Bug: 142089311
Test: m, cheets2 boots
Change-Id: I8710b624dff131f5cb797d53915f6597e3017c34
This CL only draws boundaries between userspace and full reboots, and
adds some functionality that will be required for userspace reboot:
* Whenever device is shutting down is now controlled in reboot.cpp,
since during userspace reboot this state can change.
* Now it's also possible to restart handling of control messages inside
property service. In case of userspace reboot, init will restart it
after stopping post-data services.
* New userspace-reboot-requested trigger is added similar to shutdown
one for full reboot.
Test: adb reboot
Test: adb reboot userspace
Bug: 135984674
Change-Id: Id55a53ba781d2b90ce40449037b6d8d47e72c476
This CL updates ld.config.vndk_lite.txt, which still is not handled by
linkerconfig.
Test: presubmits
Bug: 140790209
Change-Id: Ia822f86aa0b853656555ade0bed191e07c07d09d
Remove the kludge in libnativeloader to deal with the inconsistency wrt the
name of the APEX package.
Test: Build & boot
Test: atest system/core/libnativeloader (on cf_x86_phone)
Bug: 139408016
Change-Id: I6115b49237c78c2ea4aa943ca4fe0b296b5a2b62
As generic ld.config.txt will be covered with linker config generator,
ld.config.txt with previous vndk build is no longer required. This
change removes this part so there will be no unnecessary build step for
multiple vndk version build. Also vndk snapshot will have vndkcore and
vndkprivate files with version number, update_and_install_ld_config.mk
has been updated temporary for vndk_lite build.
Bug: 142072719
Test: m -j passed with aosp_arm64 build
Change-Id: Ia7529c80b179dc262c6e7646a34c2a05a0d9be84
Last generic ld.config.txt deprecation caused build error from
build_test build because of invalid ld.config.txt build target. To fix
this ld.config.txt build target should be enabled until
ld.config.vndklite.txt and ld.config.legacy.txt also become deprecated.
Bug: 138920271
Test: m ld.config.txt passed
Test: build_test passed
Change-Id: I7f45ee66d3ed70a1a698261e1e801a30729f592f
libneuralnetworks.so could be preloaded. In that case, it should be
accessible from libnativeloader which runs in the runtime namespace.
Bug: 141847343
Bug: 142111172
Test: m, marlin/sailfish boots
Change-Id: I5b2f3073d0711d6049b4e1e1bd0bcc403949fe14
This change is part of a topic that moves the recovery resources from the
system partition to the vendor partition, if it exists, or the vendor directory
on the system partition otherwise. The recovery resources are moving from the
system image to the vendor partition so that a single system image may be used
with either an A/B or a non-A/B vendor image. The topic removes a delta in the
system image that prevented such reuse in the past.
The recovery resources that are moving are involved with updating the recovery
partition after an update. In a non-A/B configuration, the system boots from
the recovery partition, updates the other partitions (system, vendor, etc.)
Then, the next time the system boots normally, a script updates the recovery
partition (if necessary). This script, the executables it invokes, and the data
files that it uses were previously on the system partition. The resources that
are moving include the following.
* install-recovery.sh
* applypatch
* recovery-resource.dat (if present)
* recovery-from-boot.p (if present)
This change moves the recovery resources to vendor in libcutils/fs_config.cpp
and removes the flash_recovery service from rootdir/init.rc. This service moved
to a vendor init.rc file in bootable/recovery/applypatch.
Bug: 68319577
Test: Ensure that recovery partition is updated correctly.
Change-Id: I492f7989ea8042912e9d0e0eadeaa351affbee13
From latest change fully treblelized devices started to use
ld.config.txt from generator instead of the one under /system/etc. As so
existing ld.config.txt is no longer required. This change removes all
ld.config.txt content and build script for it.
Bug: 138920271
Test: m -j passed
Test: Tested from Cuttlefish
Change-Id: I9e2d4b305442a4fccc4378a997ec92bfd6cddb84
Some device requires VNDK_USING_CORE_VARIANT list, but it was not
implemented in previous. Adding this library list to the build target so
it can be added to system image.
Bug: 141695559
Test: m -j passed & Tested from Cuttlefish
Change-Id: I52750583050401098ca8dacee9cf84e8c5727e36
We want ashmem to only be used via libcutils API, with long-term goal
being deprecation of ashmem with memfd. To do that we route libcutils to
a new source of ashmem fds. We then phase out uses of /dev/ashmem that
doesn't go through libcutils using SELinux.
In Q, we introduced ashmemd as the source of ashmem fds to libcutils.
However, having a separate process and, consequently, binder hops to
handle /dev/ashmem results in performance/memory overhead.
To address the overhead, replace ashmemd with a duplicate of
/dev/ashmem. Name it /dev/ashmem<boot_id>, where boot_id is a random
number generated on each boot. This way we make sure that developers
don't accidentally depend on /dev/ashmem<boot_id>, as that name can't be
hardcoded.
Bug: 139855428
Test: writing "add"/"remove" to /sys/class/misc/ashmem/uevent correctly
adds/removes /dev/ashmem and /dev/ashmem/boot_id
Change-Id: I36d23116048bfcd99903ba46cc133161835a2cfa
Current implementation just uses VNDK library list from variable.
However this does not match with expected library name as some libraries
change their names from initial one by appending extra information such
as version. To match this name each libraries should be searched from
installed module list.
Bug: 141584631
Test: m -j passed
Test: Tested from cuttlefish
Change-Id: If9685be59404226de4db16642781546e478694fb
To aid in debugging if there are failures.
Bug: 137267623
Test: add prints to boringssl_self_test and see them
Test: add failure prints to the linker and see them before
boringssl_self_test runs
Change-Id: I89d50c6a46df994d6ea1fadf00e3a8a796043234
