This change makes the subcontext processes cleanly exit in the event of
the init's socket being closed. If that was an accident, init will
respawn the process immediately. Otherwise, it will just quietly go
away.
Bug: 80425914
Test: kill -9 $INIT_PID # Outside of an Android container
Change-Id: I664f11d1b3700ea46857abf24857335fe28e92fa
We're moving past a world where static executables are needed,
including watchdogd, so treat this like any other executable and place
it in /system/bin.
Bug: 73660730
Test: watchdogd still runs
Change-Id: I1f7508fd55dce6e9ee72a6ab7a085011a76c0053
This change adds an explicit cleanup for the subcontext processes and
avoids them from respawning, which causes a bunch of LOG(FATAL)s when
the system is going down.
Bug: 80425914
Test: kill -TERM $INIT_PID, no crashes for subcontext inits
Change-Id: I135191d959c1dd921b102af316b24d2bc161d6c9
GetIntProperty() isn't used after
Ied46e9346b4ca7931aa4dcf1c9dbc11de0e12d93, so it can be removed.
Test: build
Change-Id: I5736f553db1a615d51b8fe3cbf9b4aee89451076
This commit uses vendor sepolicy file version (defined in
`/vendor/etc/selinux/plat_sepolicy_vers.txt`) to determine whether the
source context should be set as `u:r:vendor_init:s0`.
Before this commit, the criterion was `ro.vndk.version` >= 28. However,
the check in `property_service.cpp` will always be true because
`ro.vndk.version` hasn't been loaded from `/vendor/default.prop`.
Furthermore, under some circumstances, `ro.vndk.version` may be
different from `plat_sepolicy_vers.txt` (e.g. O-MR1 vendor does not
define `ro.vndk.version`).
Bug: 78605339 # high-level bug to combine O-MR1 and P GSI
Bug: 79135481 # the usage of `ro.vndk.version` in init
Test: vts-tradefed run vts -m VtsTrebleVintfTest # tetheroffload
Change-Id: Ied46e9346b4ca7931aa4dcf1c9dbc11de0e12d93
Do not restrict vendor_init restrictions on vendor images that were
built before P, as they will not have the correct permissions.
Bug: 77732028
Test: test new devices and see vendor_init still works
Change-Id: I636a07b54fbfb248e1d1a68a8f3c4d047fd5a9e9
We should only allow vendor-init-settable properties to be set from
.prop files on /vendor and /odm.
Bug: 73905119
Test: test on walleye that disallowed properties are rejected
Change-Id: I2a5d244fdc71060ddda3e3d87442e831e6b97831
Currently we only report why a property set call has failed but drop
the context of what was trying to set the property. This change
adds information about why a property was trying to be set when it
fails.
It also unifies property_set() within init to go through the same
HandlePropertySet() function as normal processes do, removing unneeded
special cases.
Test: boot bullhead
Test: attempt to set invalid properties and see better error messages
Change-Id: I5cd3a40086fd3b226e9c8a5e3a84cb3b31399c0d
Create a host side parser for init such that init rc files can be
verified for syntax correctness before being used on the device.
Bug: 36970783
Test: run the parser on init files on host
Change-Id: I7e8772e278ebaff727057308596ebacf28b6fdda
Finishing a TODO from vendor_init, check SELinux permissions before
setting properties in vendor_init.
Bug: 62875318
Test: N/A
Change-Id: I3cb6abadd2613ae083705cc6b9c970587b6c6b19
Currently init expands properties in arguments only when those
commands are run in a subcontext. This creates a hole where
properties that should not be accessible from a given subcontext of
init can be accessed when running a command in the main init
executable (for example `start`).
This change creates a callback in subcontext init that simply expands
and returns arguments back to the main init process, to ensure that
only those properties that a subcontext can access get expanded.
Bug: 62875318
Test: boot bullhead, new unit tests
Change-Id: I2850009e70da877c08e4cc83350c727b0ea98796
Children of init that use any of the SELinux wrapper functions,
including make_dir(), mkdir_recursive(), and plenty others, need to
first initialize the sehandle with SelabelInitialize().
I wish there were a better solution, but early init doesn't actually
want this handle initialized, so that is a valid use case. Ueventd
needs to initialize this before fork()'ing, so lazy initialization is
not universally acceptable either. Likely we won't have other
children that fork() then exec() init again, so this should be okay.
Bug: 62875318
Test: init unit tests
Test: sailfish creates directories with correct SELabel after wipe
Change-Id: I6de937604a060e18945427418f15b90e0b9d5c37
As SEPolicy is developed, use this property to enable/disable
subcontexts.
Bug: 62875318
Test: boot device with/without subcontexts
Change-Id: Ieb879836a71c72d4de1bb16514d083d52480bf9a
'object_r' is supposed to be simply 'r'.
Test: boot sailfish with SELinux fully enabled and subcontexts enabled
Change-Id: I7eb8b2dd18e66f23c09863e8961da339f72d25c5
One of the major aspects of treble is the compartmentalization of system
and vendor components, however init leaves a huge gap here, as vendor
init scripts run in the same context as system init scripts and thus can
access and modify the same properties, files, etc as the system can.
This change is meant to close that gap. It forks a separate 'subcontext'
init that runs in a different SELinux context with permissions that match
what vendors should have access to. Commands get sent over a socket to
this 'subcontext' init that then runs them in this SELinux context and
returns the result.
Note that not all commands run in the subcontext; some commands such as
those dealing with services only make sense in the context of the main
init process.
Bug: 62875318
Test: init unit tests, boot bullhead, boot sailfish
Change-Id: Idf4a4ebf98842d27b8627f901f961ab9eb412aee