These events are _somewhat_ normal, in that not all devices have all
partitions, but not logging anything makes it unnecessarily hard for
folks to debug simple failures.
Bug: http://b/31186390
Test: booted, checked dmesg
Change-Id: I403377c585ea35cfe73b0bed9443b75e3a84dc8d
This will make it possible to start some key services before mounting
data partition
Bug: 30118894
Change-Id: Ia9f8cc035de6cc0df9a61605864915efa0266d7f
(cherry picked from commit abfbec342f)
This will make it possible to start some key services before mounting
data partition
(cherry picked from commit abfbec342f)
Bug: 30118894
Change-Id: Ia9f8cc035de6cc0df9a61605864915efa0266d7f
Create /dev/random and /dev/urandom in the first stage, so that when we
reexec, arc4random is available for libc initialization.
Bug: http://b/29622562
Change-Id: I5b2071539a17eec609faac91dc28b08eba5ff89b
Right now these two partitions are mounted in the fs stage of the init
process. As a result, many vendor/ODM files needed earlier in the boot
process (e.g., init.<hardware>.rc, fstab.<hardware>.rc,
uevent.<hardware>.rc, SELinux policy files etc) can only live on the root
partition.
To prevent vendors/ODMs from polluting the root partition, this patch makes
it possible to mount the vendor and ODM partitions in the first stage of the
init process. The fstab info of both partitions to be mounted early is
composed from new kernel cmdline arguments android.early.prefix and
android.early.fstab.
For example, with:
android.early.prefix=/sys/devices/1010000.msdc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0/
android.early.fstab=mmcblk0p10+/odm+ext4+ro+verify\nmmcblk0p09+/vendor+ext4+ro+verify
the final fstab string will be:
/sys/devices/1010000.msdc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0/mmcblk0p10 /odm ext4 ro verify
/sys/devices/1010000.msdc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0/mmcblk0p09 /vendor ext4 ro verify
The android.early.prefix is optional. When it is missing, the final fstab
string will be directly converted from android.early.fstab.
This patch also makes sure that the early mounted partitions are dm-verity
enabled so that they are trust worthy to store system files.
BUG=27805372
Change-Id: I3cf32482a5ec65445ba3aedab2164c7ba8f12694
killProcessGroup actually works on cgroups. Kill the POSIX process
group ourselves.
Bug: http://b/29751426
Change-Id: I1a2808488510f4262811b6407bcd0948ad23bc60
* Use const reference type for parameters to avoid unnecessary copy.
* Suppress warning of not using faster overloaded string find function.
Bug: 30407689
Bug: 30411878
Change-Id: I6cfdbbd50cf5e8f3db6e5263076d3a17a9a791ee
Test: build with WITH_TIDY=1
Merged-In: Ie79dbe21899867bc62031f8618bb1322b8071525
Often a bugreport is accidentally triggered by the combo keys, but there
is nothing in the bugreport to confirm that action because init's
klog level is KLOG_NOTICE_LEVEL.
This change change keychord's INFO messages to NOTICE, and also logs the
case where a service was not launched because ADB was disabled.
BUG: 30440213
BUG: 30345559
Change-Id: I6ccadef1621cb41dcd15e7c1660366f0e147dc7a
Remove the /dev/__kmsg__ workarounds (which can then be removed
from sepolicy), and fix confusion in the translation between
android-base logging and kernel logging priorities (in particular,
where 'notice' comes in the hierarchy).
Bug: http://b/30317429
Change-Id: I6eaf9919904b6b55bc402c20bf1a4ae269014bc7
Test: adb shell dmesg | grep init
On FBE devices, the filenames inside credential-encrypted directories
are mangled until the key is installed. This means the initial
restorecon at boot needs to skip these directories until the keys
are installed.
This CL changes the implementation of the "restorecon_recursive"
built-in command to use the new SKIPCE flag to avoid labeling files
in CE directories. vold will request a restorecon when the keys
are actually installed.
Bug: 30126557
Change-Id: I320584574a4d712c493b5bbd8a79b56c0c04aa58
Right now we set sys.usb.controller property in init.$platform.usb.rc
to enable ConfigFS gadgets.
Let system detect and set UDC driver name from /sys/class/udc instead.
Change-Id: I99ad49d24dc53b543c5573e209bf00d6c2d91dd4
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Arguments of commands are expanded based on properties if they contain
${property.name}, however this is not currently done for arguments of
services.
This patch makes it that arguments of services are expanded each time
that the service starts at the point immediately before execve().
Bug: 28788401
Change-Id: Iba581a8377e25a6478d4d2ec2e8b29e181d8640c
This CL extracts code from Service::Start into four helper functions,
bringing Service::Start down to 134 lines vs 212 lines originally. This
makes the method a lot easier to follow. There is no change in behaviour.
Also, make error messages consistent (start with lowercase) and
format Service::Start to fit in 100 cols.
Bug: 30035168
Change-Id: If979976fba4d339a336d030f802ca9f169fd012c
I'll come back and remove klog_init when I've removed other calls to it.
Change-Id: Iad7fd26d853b4ddc54e9abd44516b6f138cbbfcb
Test: booted N9, looked at "adb shell dmesg" output.
When the flag is on, insmod will bypass vermagic and symbol version
checking in the kernel. This is to make it possible to update kernel
without recompiling kernel modules.
BUG=28803994
Change-Id: Ib4be6999ef52baefd4210ee0d242360e43318907
Arguments of commands are expanded based on properties if they contain
${property.name}, however this is not currently done for arguments of
services.
This patch makes it that arguments of services are expanded each time
that the service starts at the point immediately before execve().
Change-Id: Iba581a8377e25a6478d4d2ec2e8b29e181d8640c
Put every service into a process group, kill the process group
and all child processes created within the group when killing the
service. Removed libutil dependency in libprocessgroup.
Bug: 25355957
Change-Id: Ieed60ec41579f638ab9b1e66a7e6330ed578ab05
Signed-off-by: Collin Mulliner <collinrm@squareup.com>
Since commit: 24a3cbfa73
ueventd is attempting to relabel devices on calls to
make_device() when the device already exists. However, it
should only be called if the contexts for relabelfrom and
relabelto are different.
When this condition occurs, one will see denials like this:
[ 14.409448] type=1400 audit(978307239.225:26): avc: denied { relabelfrom } for pid=1572 comm="ueventd" name="ttyS0" dev="tmpfs" ino=9613 scontext=u:r:ueventd:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file permissive=1
[ 14.428107] type=1400 audit(978307239.225:27): avc: denied { relabelto } for pid=1572 comm="ueventd" name="ttyS0" dev="tmpfs" ino=9613 scontext=u:r:ueventd:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file permissive=1
Bug: 29106809
Change-Id: I2105b169206f0b26420f3c4b0ba5c49aeb98da92
Signed-off-by: William Roberts <william.c.roberts@intel.com>
am: 0da9f42f2c
* commit '0da9f42f2c2ec6985018ad45603b32532d096a60':
init: support matching sysfs class paths in ueventd.rc
Change-Id: Ifc85ba3205a5207a4285da94b483164490dbde4d
Currently, ueventd.rc files only support /sys/devices/... paths
and don't support symlinked paths, specifically /sys/class/...
Supporting the class paths is necessary to have non-hardware
dependent paths. Some subsystems like IIO use /sys/bus/iio/, so
support that as well.
Change-Id: I29f3bf67b41664d1d75ac1820c46e13afe336d56
Signed-off-by: Rob Herring <robh@kernel.org>
fixup_sys_perms does the same matching as the function perm_path_matches
other than the leading '/sys'. Adjust the path and use the common
matching function. Replace the fixed length C strings with std::string.
Change-Id: Ic09d91aa4ac1f1096018617537d782b82ee9ef63
Signed-off-by: Rob Herring <robh@kernel.org>
If we fail to set a crypto policy on a system-DE directory, this is a
serious and unrecoverable condition; the only way forward is to erase
the entire device. In a future commit we will also allow users the
option of booting again.
Bug: 28318405
Change-Id: Iff1e52c5bbee1beed29dc4b609d24bfeb7d138da
Switch insmod from using init_module to finit_module. From
"man finit_module":
The finit_module() system call is like init_module(), but reads the
module to be loaded from the file descriptor fd. It is useful when the
authenticity of a kernel module can be determined from its location in
the file system; in cases where that is possible, the overhead of
using cryptographically signed modules to determine the authenticity
of a module can be avoided.
finit_module is preferred over init_module because it allows LSMs, such
as SELinux, to perform a permission check on kernel module loads based on
the file from which the module is loaded. This functionality is not yet
implemented in the Linux kernel, but is on the SEAndroid TODO list.
See https://bitbucket.org/seandroid/wiki/wiki/ToDo
Bug: 27824855
(cherry picked from commit 124a9c97e9)
Change-Id: I5e87de1a7b8c3d8849bf757c71b08e81c378b021
There is a race in ueventd's coldboot procedure that permits creation
of device block nodes before platform devices are registered. This happens
when the kernel sends events for adding block devices during ueventd's
coldboot /sys walk.
In this case the device node links used to compute the SELinux context
are not known and the node is created under the generic context:
u:object_r:block_device:s0.
A second add event for block device nodes is triggered after the platform
devices are handled by ueventd and the SELinux context is correctly computed
but the mknod call fails because the node already exists. This patch handles
this error case and updates the node's security context.
The race is introduced by the uevent sent from the sdcard device probe
function. The issue appears when this uevent is triggered during ueventd's
coldboot procedure but before the /sys/devices recursive walk reached the
corresponding sdcard platform device path.
The backtrace looks something like:
1. ueventd_main()
2. device_init()
3. coldboot("/sys/devices");
4. do_coldboot()
5. handle_device_fd()
6. handle_device_event()
6.1 handle_block_device_event()
6.2 handle_platform_device_event()
Because handle_device_fd() reads all events from the netlink socket it may
handle the add events for the sdcard partition nodes send occasionally by the
kernel during coldboot /sys walk procedure.
If handle_device_event() continues with handle_block_device_event()
before handle_platform_device_event() registers the sdcard platform device then
handle_block_device_event() will create device nodes without knowing all block
device symlinks (get_block_device_symlinks()):
1. handle_device(path=/dev/block/mmcblk0p3, links = NULL)
2. make_device(path=/dev/block/mmcblk0p3, links = NULL)
3. selabel_lookup_best_match(path=/dev/block/mmcblk0p3, links = NULL)
returns the default context (u:object_r:block_device:s0) for
/dev/block/mmcblk0p3 instead of more specific context like:
u:object_r:boot_block_device:s0
4. setfscreatecon(u:object_r:block_device:s0)
5. mknod(/dev/block/mmcblk0p3)
So the node is create with the wrong context. Afterwards the coldboot /sys walk
continues and make_device() will be called with correct path and links.
But even if the secontext is computed correctly this time it will not be
applied to the device node because mknod() fails.
I see this issue randomly appearing (one time in 10 reboots) on a Minnoboard
Turbot with external sdcard as the boot device.
BUG=28388946
Signed-off-by: Mihai Serban <mihai.serban@intel.com>
(cherry picked from commit 24a3cbfa73)
Change-Id: I2d217f1c8d48553eb4a37457dbf27fff54051cf9
There is a race in ueventd's coldboot procedure that permits creation
of device block nodes before platform devices are registered. This happens
when the kernel sends events for adding block devices during ueventd's
coldboot /sys walk.
In this case the device node links used to compute the SELinux context
are not known and the node is created under the generic context:
u:object_r:block_device:s0.
A second add event for block device nodes is triggered after the platform
devices are handled by ueventd and the SELinux context is correctly computed
but the mknod call fails because the node already exists. This patch handles
this error case and updates the node's security context.
The race is introduced by the uevent sent from the sdcard device probe
function. The issue appears when this uevent is triggered during ueventd's
coldboot procedure but before the /sys/devices recursive walk reached the
corresponding sdcard platform device path.
The backtrace looks something like:
1. ueventd_main()
2. device_init()
3. coldboot("/sys/devices");
4. do_coldboot()
5. handle_device_fd()
6. handle_device_event()
6.1 handle_block_device_event()
6.2 handle_platform_device_event()
Because handle_device_fd() reads all events from the netlink socket it may
handle the add events for the sdcard partition nodes send occasionally by the
kernel during coldboot /sys walk procedure.
If handle_device_event() continues with handle_block_device_event()
before handle_platform_device_event() registers the sdcard platform device then
handle_block_device_event() will create device nodes without knowing all block
device symlinks (get_block_device_symlinks()):
1. handle_device(path=/dev/block/mmcblk0p3, links = NULL)
2. make_device(path=/dev/block/mmcblk0p3, links = NULL)
3. selabel_lookup_best_match(path=/dev/block/mmcblk0p3, links = NULL)
returns the default context (u:object_r:block_device:s0) for
/dev/block/mmcblk0p3 instead of more specific context like:
u:object_r:boot_block_device:s0
4. setfscreatecon(u:object_r:block_device:s0)
5. mknod(/dev/block/mmcblk0p3)
So the node is create with the wrong context. Afterwards the coldboot /sys walk
continues and make_device() will be called with correct path and links.
But even if the secontext is computed correctly this time it will not be
applied to the device node because mknod() fails.
I see this issue randomly appearing (one time in 10 reboots) on a Minnoboard
Turbot with external sdcard as the boot device.
BUG=28388946
Change-Id: I96e239af29d82b753e5d349b3ecefaad09edee87
Signed-off-by: Mihai Serban <mihai.serban@intel.com>
The old way (using triggers) starts defaultcrypto twice because
queue_property_triggers_action retriggers the action.
Bug: 27452459
Change-Id: I48c844836f551673d0dbfed6c33bd8ee1e035f40
am: 1397e7a
* commit '1397e7af4b432d174dbbc7400cca9a00ce34ea5d':
ueventd: convert to use pwd family of functions
Change-Id: I02c1d78835054bd296ce84586410bbcee1760a9c
Switch ueventd to use the grp.h and pwd.h family of
functions for converting strings to uids. This removes the
need for using android_filesystem_config.h.
Change-Id: I25a6f536bb11683d5cd69a0d7b348d25a272dd3b
Bug: 27999086
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Remove android_filesystem_config.h since it was not being used.
Change-Id: I691513d50a3fdb7563a63aee7551137ba983825c
Bug: 27999086
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Start to move users of android_filesystem_config.h to use the
standard grp and pwd interface functions.
Advantages:
* one copy of android_ids in libc, removing it from init objects.
* immediately starts oem_xxx users and groups in rc.
* future will support _named_ oem ids via backend improvements.
Change-Id: Ib1ae1e0cbdcaaf60deb3759681a6030b615c069c
Bug: 27999086
Signed-off-by: William Roberts <william.c.roberts@intel.com>
(cherry pick from commit a98cc9c202)
Try writing a "0" into:
- /sys/class/leds/lcd-backlight/brightness
- /sys/class/backlight/*/brightness
to turn off the backlight during shutdown cleanup.
Bug: 27506425
Change-Id: Ic8a44dc8909b303f24e14f71cfb43292df60efde
Try writing a "0" into:
- /sys/class/leds/lcd-backlight/brightness
- /sys/class/backlight/*/brightness
to turn off the backlight during shutdown cleanup.
Bug: 27506425
Change-Id: Ic8a44dc8909b303f24e14f71cfb43292df60efde
Switch insmod from using init_module to finit_module. From
"man finit_module":
The finit_module() system call is like init_module(), but reads the
module to be loaded from the file descriptor fd. It is useful when the
authenticity of a kernel module can be determined from its location in
the file system; in cases where that is possible, the overhead of
using cryptographically signed modules to determine the authenticity
of a module can be avoided.
finit_module is preferred over init_module because it allows LSMs, such
as SELinux, to perform a permission check on kernel module loads based on
the file from which the module is loaded. This functionality is not yet
implemented in the Linux kernel, but is on the SEAndroid TODO list.
See https://bitbucket.org/seandroid/wiki/wiki/ToDo
Bug: 27824855
Change-Id: Id0ea88cd1930393c8c73ce38e63d5b2eeadf946a
Prebuilt kernels have not been updated with the requisite patches.
This reverts commit c819e78e7f.
Change-Id: I8e63373a9b8a1e5adcb2471dfe43bde28e3f8e65
Also make sure it is above a minimum threshold, else abort.
(cherry-pick of internal commit: 5d36813dc8)
Bug: 27681085
Change-Id: Ia1d9583254fd64828092533298a99ec64b8233f7
This CL allows enabling of multiple consoles. A service can be
mapped to a specific console by providing the optional argument,
IE "tty0", to "console" service attribute as follows:
service fbconsole /system/bin/sh
class core
console tty0
disabled
user shell
group shell log readproc
seclabel u:r:shell:s0
Bug: None
Change-Id: I3b24e7f6848bbe5c6475f11334c04ec536e6af88
Tracked-On: https://jira01.devtools.intel.com/browse/BP-289
Signed-off-by: Viorel Suman <viorel.suman@intel.com>
This CL allows enabling of multiple consoles. The expected format
of "androidboot.console" kernel parameter is a list of available
consoles, as follows:
androidboot.console=tty0:ttyS0
A service can be mapped to a specific console by providing the
optional argument, IE "tty0", to "console" service attribute as follows:
service fbconsole /system/bin/sh
class core
console tty0
disabled
user shell
group shell log readproc
seclabel u:r:shell:s0
Bug: None
Change-Id: I3f8556425c8651bd121995869700f18b23365d55
Tracked-On: https://jira01.devtools.intel.com/browse/BP-289
Remove references to SELinux policy files in /data/security
from libselinux/android.c. In the process all code that is
apparently related to handling an alternate policy and/or
reloading the policy has been removed.
Bug: 26544104
Change-Id: I47bf76ac3c26c5d71f92a21ffac2b17ba14262ea
Also cleans up two instances of open() with useless mode params, and
changes a few uses of snprintf to use sizeof(buffer) instead of
hardcoded buffer sizes.
Change-Id: If11591003d910c995e72ad8f75afd072c255a3c5
Be consistent when mounting filesystems, and mount selinuxfs
at the same time other filesystems are mounted. In particular,
this ensures that a /sys/fs/selinux/null is available at early
boot, avoiding an unnecessary mknod call.
Change-Id: I01e6b3900f48b4cb3f12d8a928e1e95911524252
Instead of using chown, use the symlink safe lchown.
Instead of using chmod, use the symlink safe fchmodat
with AT_SYMLINK_NOFOLLOW.
Fix a bug where the SELinux filesystem creation context may
not be restored, and some memory not freed, if bind() fails.
Check the return values from the chown/chmod calls and unlink
the files if it ever fails.
(cherrypicked from commit ab5629c197)
Bug: 27337831
Change-Id: I28c5f4dee55aa706437eb51ad403c1fbf56138de
Instead of using chown, use the symlink safe lchown.
Instead of using chmod, use the symlink safe fchmodat
with AT_SYMLINK_NOFOLLOW.
Fix a bug where the SELinux filesystem creation context may
not be restored, and some memory not freed, if bind() fails.
Check the return values from the chown/chmod calls and unlink
the files if it ever fails.
Bug: 27337831
Change-Id: I3343786f5a4eefda7bbb8317f2eca16bd21003c0
When child (pid==0) executes fork branch 'pid_str'
will always be 0 writting wrong value to file(s).
Fix by utilizing getpid() to obtain correct pid.
Tracker link provides some insight on why use cases
aren't broken.
Bug: https://code.google.com/p/android/issues/detail?id=200392
Change-Id: I29989365a8bac94502c090918fa30e5cc88eb1ea
Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>
This ensures that all users on device follow a consistent path for
setup and validation of encryption policy.
Also add remaining user-specific directories and fix linking order.
Bug: 25796509
Change-Id: I8c2e42a78569817f7f5ea03f54b743a6661fdb9c
In function 'load_firmware', parameter 'buf' passed to 'write'
is wrong. To fix it, use android::base::WriteFully to replace.
Change-Id: I13f79bdc9be9e5eb669f6bd975535b1dce965ef0
Signed-off-by: Biao Lu <biao.lu@intel.com>
Best practice for services that reside on the system, vendor, and odm
partitions is to have a corresponding init .rc file in the
/{system,vendor,odm}/etc/init directory, which contains its service
entry and any related actions.
Change-Id: I26204f9a0f09ce8069f3791ccd9ee61d164a048f
In current implementation, the mount_all command imports all .rc files
under /{system,vendor,odm}/etc/init/ after mouting filesystems is complete.
There's a need from ODMs to import different .rc files under different boot
modes (e.g., factory mode). Without this support, they will have to fiddle
around the init implementation.
This commit makes mount_all import the .rc files/directories specified
as additional arguments. If no path is given, the original ones are applied
the same way as the current implementation.
BUG: 26549689
Change-Id: Ie67ce13dde4c440ff8bf534826bc392c882a433f
Changes to the way FBE works to support lifecycles mean that these
commands aren't needed any more.
Bug: 22358539
Change-Id: Id73339e0aa8070dd688f35b5d59de75236961395
Don't spend CPU cycles formatting a bunch of strings if we're
just going to throw them away later. Maybe make booting faster.
Change-Id: I4d8eb99fb3fa873ca91cf776933d0ad01988abf5
Currently, properties that begin with "ro." are special cased to skip
over the "ro." part of the prefix before matching with entries in
property_contexts. This is not strictly needed however and it is
causing complications with the separated prop files work from Bug
21852512, so it is now removed.
Bug 26425619
Change-Id: I3cd14fa2176f96b3931e5f6a50c4a7bcd3af3da6
When ro.build.shutdown_timeout is set, init will send a SIGTERM signal to
all services on reboot. The normal shutdown process will continue once
all services have exited or after the shutdown timeout
(ro.build.shutdown_timeout).
If ro.build.shutdown_timeout is not set, we assume a 0s timeout.
Bug: 26216447
Test: manual: Ask to reboot. All services exit cleanly.
Change-Id: If921f6e8d87211e500ac9fa86f3e1eabe02d18cf
If ro.oem_unlock_supported is specified for the device and it supports
verified boot, export lock status in ro.boot.flash.locked.
Bug: 26039090
Change-Id: Ie7844aeb458c97944c72d46ea962b9cfb0a7875d
This is deadcode as property_init() will only ever be called once and
the only remaining caller of properties_initialized() is
Service::NotifyStateChange() which can only be called after properties
have been initialized.
Change-Id: Ie071af84fcdbead72d259890fc8fb8db624282e7
If __system_property_area_init() fails, there is a fundamental issue
with the system and we should abort from init.
Bug: 21852512
Change-Id: I05d7978ba3bcc347027a6d9443de7cdd229033d2
If the device is corrupted, set up dm-verity in EIO mode instead of
logging mode. This prevents corrupted blocks from being returned to
user space. Note that restart mode is used by default and a warning
will be displayed to the user after corruption is first detected.
Bug: 19277516
Change-Id: I38966d73eb814836bc34b4bad1192583e5010b36
/property_contexts exists before selinux policies are loaded, so we must
restorecon before other processes can access it
Bug: 21852512
Change-Id: Ie983caac635eb928ab19eea996a5625f3673de39
The init language supports setting the creation context of a socket
as the 6th argument to the socket keyword. For example, in the
following service, the context associated with the netd socket
is u:r:netd:s0
service netd /system/bin/netd
class main
socket netd stream 0660 root system u:r:netd:s0
socket dnsproxyd stream 0660 root inet
socket mdns stream 0660 root system
socket fwmarkd stream 0660 root inet
The 6 argument form of the socket statement is rarely if ever used,
since the init code supplies a sensible default.
Currently, there's no error checking on the value supplied as
the 6th argument. For example, if you have the following socket
statement:
socket netd stream 0660 root system graphics
a socket will attempt to get created with an invalid "graphics"
context. When setsockcreatecon fails, it retains the default socket
creation context, which for init is u:r:init:s0. This results in a
socket being created which is in an unexpected context.
Check the return value from the setsockcreatecon() call. If an
invalid context is specified, return early and don't subsequently
attempt to create the socket with the default context.
Bug: 25851205
Change-Id: Ic66cd6f7efe3897fb247b587ddeac5d35e1602b7
Add the following mount options to the /proc filesystem:
hidepid=2,gid=3009
This change blocks /proc access unless you're in group 3009
(aka AID_READPROC).
Please see
https://github.com/torvalds/linux/blob/master/Documentation/filesystems/proc.txt
for documentation on the hidepid option.
hidepid=2 is preferred over hidepid=1 since it leaks less information
and doesn't generate SELinux ptrace denials when trying to access
/proc without being in the proper group.
Add AID_READPROC to processes which need to access /proc entries for
other UIDs.
Bug: 23310674
Change-Id: I22bb55ff7b80ff722945e224845215196f09dafa
Now that libselinux uses libpackagelistparser, in order
for libpackagelistparser to be properly statically linked
liblog must come after libselinux for all the liblog
references to be defined in libpackagelistparser which
is included in libselinux. This patch corrects that order.
Change-Id: I7aee10c9395310919779ed2463aab6b2f8b380cc
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Keeping these means that every build has different init and debuggerd
binaries, even if the source was the same. So OTAs that don't touch
these sources would still need to update the binaries.
Both of these messages are only informational, so can be safely removed.
Bootchart already encodes build-specific information from the system
properties.
Bug: 24204119
Change-Id: I7ebd65a20a3e031e7528c9f741616e20b3cd7446
* commit '2fb90dc8b2b590e674c5e433e8bf3d3f08a887c8':
debuggerd: audit pid, uid and gid on SE Linux denial
property_service: log pid,uid and gid of setprop client
The cost of generating and throwing away a bunch of stuff that no one
normally sees is high enough to be worth avoiding.
Here's AOSP ToT on N9...
init: (Parsing /system/etc/init/atrace.rc took 0.0112s.)
init: (Parsing /system/etc/init/bootanim.rc took 0.0094s.)
init: (Parsing /system/etc/init/crash_reporter.rc took 0.0103s.)
init: (Parsing /system/etc/init/debuggerd.rc took 0.0090s.)
init: (Parsing /system/etc/init/debuggerd64.rc took 0.0085s.)
init: (Parsing /system/etc/init/drmserver.rc took 0.0078s.)
init: (Parsing /system/etc/init/dumpstate.rc took 0.0073s.)
init: (Parsing /system/etc/init/gatekeeperd.rc took 0.0063s.)
init: (Parsing /system/etc/init/installd.rc took 0.0067s.)
init: (Parsing /system/etc/init/keystore.rc took 0.0060s.)
init: (Parsing /system/etc/init/lmkd.rc took 0.0060s.)
init: (Parsing /system/etc/init/logcatd.rc took 0.0059s.)
init: (Parsing /system/etc/init/logd.rc took 0.0068s.)
init: (Parsing /system/etc/init/mdnsd.rc took 0.0057s.)
init: (Parsing /system/etc/init/mediaserver.rc took 0.0064s.)
init: (Parsing /system/etc/init/metrics_daemon.rc took 0.0063s.)
init: (Parsing /system/etc/init/mtpd.rc took 0.0055s.)
init: (Parsing /system/etc/init/netd.rc took 0.0066s.)
init: (Parsing /system/etc/init/perfprofd.rc took 0.0057s.)
init: (Parsing /system/etc/init/racoon.rc took 0.0054s.)
init: (Parsing /system/etc/init/rild.rc took 0.0061s.)
init: (Parsing /system/etc/init/servicemanager.rc took 0.0063s.)
init: (Parsing /system/etc/init/surfaceflinger.rc took 0.0061s.)
init: (Parsing /system/etc/init/uncrypt.rc took 0.0068s.)
init: (Parsing /system/etc/init/vdc.rc took 0.0065s.)
init: (Parsing /system/etc/init/vold.rc took 0.0063s.)
0.0112+0.0094+0.0103+0.0090+0.0085+0.0078+0.0073+0.0063+0.0067+0.0060+
0.0060+0.0059+0.0068+0.0057+0.0064+0.0063+0.0055+0.0066+0.0057+0.0054+
0.0061+0.0063+0.0061+0.0068+0.0065+0.0063 = 0.1809
And here it is again with the logging disabled:
init: (Parsing /system/etc/init/atrace.rc took 0.0021s.)
init: (Parsing /system/etc/init/bootanim.rc took 0.0006s.)
init: (Parsing /system/etc/init/crash_reporter.rc took 0.0007s.)
init: (Parsing /system/etc/init/debuggerd.rc took 0.0004s.)
init: (Parsing /system/etc/init/debuggerd64.rc took 0.0005s.)
init: (Parsing /system/etc/init/drmserver.rc took 0.0005s.)
init: (Parsing /system/etc/init/dumpstate.rc took 0.0005s.)
init: (Parsing /system/etc/init/gatekeeperd.rc took 0.0005s.)
init: (Parsing /system/etc/init/installd.rc took 0.0005s.)
init: (Parsing /system/etc/init/keystore.rc took 0.0013s.)
init: (Parsing /system/etc/init/lmkd.rc took 0.0006s.)
init: (Parsing /system/etc/init/logcatd.rc took 0.0013s.)
init: (Parsing /system/etc/init/logd.rc took 0.0007s.)
init: (Parsing /system/etc/init/mdnsd.rc took 0.0005s.)
init: (Parsing /system/etc/init/mediaserver.rc took 0.0009s.)
init: (Parsing /system/etc/init/metrics_daemon.rc took 0.0008s.)
init: (Parsing /system/etc/init/mtpd.rc took 0.0011s.)
init: (Parsing /system/etc/init/netd.rc took 0.0005s.)
init: (Parsing /system/etc/init/perfprofd.rc took 0.0005s.)
init: (Parsing /system/etc/init/racoon.rc took 0.0005s.)
init: (Parsing /system/etc/init/rild.rc took 0.0005s.)
init: (Parsing /system/etc/init/servicemanager.rc took 0.0005s.)
init: (Parsing /system/etc/init/surfaceflinger.rc took 0.0005s.)
init: (Parsing /system/etc/init/uncrypt.rc took 0.0005s.)
init: (Parsing /system/etc/init/vdc.rc took 0.0005s.)
init: (Parsing /system/etc/init/vold.rc took 0.0006s.)
0.0021+0.0006+0.0007+0.0004+0.0005+0.0005+0.0005+0.0005+0.0005+0.0013+
0.0006+0.0013+0.0007+0.0005+0.0009+0.0008+0.0011+0.0005+0.0005+0.0005+
0.0005+0.0005+0.0005+0.0005+0.0005+0.0006 = 0.0181
It's less than a second, but one problem is that the cost of the current
dumping is proportional to the number of init.rc files, so the more
cleanly you factor things, the more it would cost.
Change-Id: Id96f59e7d0b082d8cfdba4bdbff43a922ba4eeee
When auditing setprop denials, it is often unclear of who the process is
in a multi-process domain. To help identify the invoker, log the pid, uid,
and gid of the caller.
Before:
avc: denied { set } for property=wifi.xxx ...
After:
avc: denied { set } for property=wifi.xxx pid=30691 uid=123 gid=345 ...
Change-Id: I5cdcb3d18fbd52e0987b5e1497b9f6620c6c742a
Signed-off-by: William Roberts <william.c.roberts@intel.com>
device.shell() was changed to return a (stdout, stderr) tuple in
the following CL.
https://android-review.googlesource.com/170420
This CL fixes perfboot.py to work with the return value.
Change-Id: I85d72fc63c1f96257fb19c3051482991a7b4049d
Updates are as follows:
A detailed explanation of event triggers and property triggers
including how they can now be used
A new section describing .rc files, their locations, and the
intentions for each of these locations
A new section describing the import keyword and how it is not a
command but rather its own section
Removal of deprecated or incorrect text
Change-Id: If0a37375ac92a857900f3303ada4ba742360daff
Create a Parser class that uses multiple SectionParser interfaces to
handle parsing the different sections of an init rc.
Create an ActionParser and ServiceParser that implement SectionParser
and parse the sections corresponding to Action and Service
classes.
Remove the legacy keyword structure and replace it with std::map's
that map keyword -> (minimum args, maximum args, function pointer) for
Commands and Service Options.
Create an ImportParser that implements SectionParser and handles the
import 'section'.
Clean up the unsafe memory handling of the Action class by using
std::unique_ptr.
Change-Id: Ic5ea5510cb956dbc3f78745a35096ca7d6da7085
