This change adds a "verify" fs_mgr flag specifying that
the device in question should be verified.
Devices marked with this flag are expected to have a
footer immediately after their data containing all
the information needed to set up a verity instance.
Change-Id: I10101f2c3240228ee0932e3767fe35e673d2e720
Restarting ueventd upon policy reloads has reportedly created
stability problems for some users and could cause events to be lost.
Stop restarting ueventd and instead handle policy reloads within ueventd.
Also stops restarting installd upon policy reloads.
Change-Id: Ic7f310d69a7c420e48fbc974000cf4a5b9ab4a3b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
We have several partitions with underscores in their names
which would not be properly linked in:
/dev/block/platform/msm_sdcc.1/by-name/
With this change more characters (_-.) are allowed in
partition name links. Also, any other character is
replaced with '_' so the resulting link names have the
same length as the partition name.
Change-Id: I746566c03db98b10326c755692362d2c10e528ae
Create a new "androidboot.selinux" option, to control how userspace
handles SELinux. This kernel command line can have three options:
* disabled
* permissive
* enforcing
"disabled" completely disables userspace support for SELinux. No
policy is ever loaded, nor is the SELinux filesystem /sys/fs/selinux
ever mounted.
"permissive" loads the SELinux policy, but puts SELinux into
permissive mode. SELinux policy violations are logged, but not rejected.
"enforcing", the default, loads the SELinux policy, and places
SELinux into enforcing mode. Policy violations are rejected.
This change addresses post review comments for change
b710ed21de .
Change-Id: I912583db8e6a0e9c63380de32ad8ffc47a8a440f
When init starts up, immediately put SELinux into enforcing mode.
This is currently a no-op. We currently have everything in the
unconfined domain, so this should not break anything.
(if it does, I'll roll it back immediately)
If the kernel doesn't have SELinux support compiled in, then
don't try loading a policy and continue without SELinux protections.
Change-Id: Id0279cf82c545ea0f7090137b7566a5bc3ddd641
* commit 'b1a9f8cf4b15a861ab998a4c5f0c69068f22c62a':
init: move initial property area allocation into bionic
property_service: make /dev/__properties__ readable
bionic's __system_property_add() now expands the property area as needed
by mapping in more pages. Rather than duplicate the mapping code, move
it inside bionic and have bionic's __system_property_area_init() set up
the first page.
Signed-off-by: Greg Hackmann <ghackmann@google.com>
(cherry picked from commit f14eef0c3c)
Change-Id: Ieb94caab1527c71f2155efe3795490b0ea215a29
Currently, system properties are passed via the environment
variable ANDROID_PROPERTY_WORKSPACE and a file descriptor passed
from parent to child. This is insecure for setuid executables,
as the environment variable can be changed by the caller.
Make the /dev/__properties__ file accessible, so an app can
get properties directly from the file, rather than relying on
environment variables.
Preserve the environment variable for compatibility with pre-existing
apps.
Bug: 8045561
(cherry picked from commit 7ece0a862c)
Change-Id: I762da21ef4075f288745efed0ec7d16c2b71303c
bionic's __system_property_add() now expands the property area as needed
by mapping in more pages. Rather than duplicate the mapping code, move
it inside bionic and have bionic's __system_property_area_init() set up
the first page.
Change-Id: If9917d5f775c1a82eb89be55b84635395145ca49
Signed-off-by: Greg Hackmann <ghackmann@google.com>
The previous patch "init: verify size of property buffers passed
to property_get" incorrectly modified one of the callers,
resulting in ro.serialno, ro.bootmode, ro.baseband, and
ro.bootloader always being set to their default values.
Bug: 9469860
(cherry picked from commit 67e3663fc9)
Change-Id: Ia7b337e1fab6e334729f47ee1269e6c736615177
Verify that the buffer passed as the value parameter to property_get
is always big enough.
(cherry picked from commit 88ac54a4e8)
Change-Id: Iacc2b42bfe4069e0bfcbb1c48474f30126a93139
Move the system property writer implementation into bionic to keep
it next to the reader implementation and allow for better testing.
(cherry picked from commit 9f5af63501)
Change-Id: Idf6100d1d0170751acd5163a22597912bff480f0
The previous patch "init: verify size of property buffers passed
to property_get" incorrectly modified one of the callers,
resulting in ro.serialno, ro.bootmode, ro.baseband, and
ro.bootloader always being set to their default values.
Bug: 9469860
Change-Id: Id45bd8dd657e8d61f4cfaf7e6b2559d2bfd05181
Move the system property writer implementation into bionic to keep
it next to the reader implementation and allow for better testing.
Change-Id: I9026e604109e30546b2849b60cab2e7e5ff00ba5
Property triggers may cause an action to be queued twice, resulting
in a loop in the action queue. Keep actions that are not on the queue
in the list_empty state (act->qlist->next == act->qlist), and only
add them to the list if they are in that state.
Bug: 8335133
Change-Id: I3a3ec18176cf19cbaa3a45220a03c7560eacfe79
This helps to ensure that when a new system image is installed,
old userdata policy isn't applied over the top of it.
Bug: 8841348
Change-Id: I135af32250aa62979763e775842ce0af3c8b6f9f
This forces a policy reload + fixcon to deal with dynamically
delivered policy changing labels on device nodes.
It's implemented as a new keyword in init.
Bug: 8702843
Change-Id: I803cf1ecf6ff8318ce25dcc5cda4f292adc9738c
Failing to set properties due to an exhausted pool leads
to difficult to debug problems. This change adds an
error log to make the situation a bit easier to handle.
Change-Id: Icc1d97a80882fb23e74428a0195f1d28dba68fa8
Move the responsibility for rebooting the system from the
reboot command to init. Init is in a better position to take
actions to bring the system down cleanly, including making sure
filesystems are mounted read-only.
The only UIDs which can perform an init triggered reboot are
root, system, and shell.
Modify the reboot command so that it calls into init to perform
the reboot. The reboot command no longer requires CAP_SYS_BOOT.
Remove the -n reboot option and code which supports it. Anyone needing
to do an unclean shutdown can just do a 'echo c > /proc/sysrq-trigger'.
Modify adb so that it calls into init to perform a shutdown.
Bug: 8646621
Change-Id: I84c0513acb549720cb0e8c9fcbda0050f5c396f5
Currently, the output of e2fsck is not saved, and we have no insight
into how many errors e2fsck is finding and fixing. Using the new
abbreviated logging feature in liblogwrap, up to the first 100 lines,
and last 4K bytes of the output of e2fsck is captured by fs_mgr, and
added to the kernel log.
Usually, the filesystem will be clean, and this will only add a few
lines to the kernel log on boot, but when things go wrong, it should
save enough to indicate what the problem is, without potentially
filling the kernel log with only e2fsck output if the filesystem is
really corrupted.
Change-Id: I9c264798e6fe721c8f818b5ce15d0975027ddbdd
This change enables labeling of dynamically created sysfs nodes
with specific SELinux security contexts.
Change-Id: If8b8d66120453123c1371ce063b6f20e8b96b6ef
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
With the old strdup() mechanism, it may return NULL if insufficient memory was
available. So we check the return value or do not use strdup to avoid null
pointer issue.
Change-Id: Id684948d6cb6c2f06327f29a2ba692f9542fce80
Signed-off-by: Hong-Mei Li <a21834@motorola.com>
Adding a new location for policy files under
/data, the new location is /data/security. The
new location is used before attempting to use
any other location.
This requires a new directory to be created by
the init script and an update to the location of
the property_contexts file for property service.
Change-Id: I955a722ac3e51fa6c1b97201b8bdef3f601cf09d
Adding a new location for policy files under
/data, the new location is /data/security. The
new location is used before attempting to use
any other location.
This requires a new directory to be created by
the init script and an update to the location of
the property_contexts file for property service.
Change-Id: I955a722ac3e51fa6c1b97201b8bdef3f601cf09d
When using device tree, platform devices may not have a
/devices/platform/ path prefix, but can be rooted in
/devices/.
Modify the platform device tracking code to store the device
path as well as the name. This way, when we create symlinks, we
can correctly skip the base platform device prefix and get to the
proper device node path.
Change-Id: I939ef8fbcb45c5c803cd9a054e40136a912efc72
Signed-off-by: Dima Zavin <dima@android.com>
This logic has been moved to platform/frameworks/base commit
8a0a929422682ba3eb6a205dc6c0638e68b909de and is no longer needed
here.
This reverts commit 01b1dee0ab.
When using device tree, platform devices may not have a
/devices/platform/ path prefix, but can be rooted in
/devices/.
Modify the platform device tracking code to store the device
path as well as the name. This way, when we create symlinks, we
can correctly skip the base platform device prefix and get to the
proper device node path.
Change-Id: I939ef8fbcb45c5c803cd9a054e40136a912efc72
Signed-off-by: Dima Zavin <dima@android.com>
Property triggers may cause an action to be queued twice, resulting
in a loop in the action queue. Keep actions that are not on the queue
in the list_empty state (act->qlist->next == act->qlist), and only
add them to the list if they are in that state.
Bug: 8335133
Change-Id: I3a3ec18176cf19cbaa3a45220a03c7560eacfe79
This reverts commit 87980b5c9f
Getting more reports of app crashes (e.g. 7990090), so given timeline for MR2, want to revert.
Change-Id: Ic2d101d2d1156b3864d5c9b88aa8c94cd5aa345f
# By Stephen Smalley
# Via Android Git Automerger (1) and others
* commit '7480c0079d8c7fcfd5b3d9decfdabfebde162781':
Label sockets consistently with the seclabel value if specified.
Currently, system properties are passed via the environment
variable ANDROID_PROPERTY_WORKSPACE and a file descriptor passed
from parent to child. This is insecure for setuid executables,
as the environment variable can be changed by the caller.
Make the /dev/__properties__ file accessible, so an app can
get properties directly from the file, rather than relying on
environment variables.
Preserve the environment variable for compatibility with pre-existing
apps.
Bug: 8045561
Change-Id: If81e2b705eca43ddd8b491871aceff59c0e00387
Currently, system properties are passed via the environment
variable ANDROID_PROPERTY_WORKSPACE and a file descriptor passed
from parent to child. This is insecure for setuid executables,
as the environment variable can be changed by the caller.
Modify system property handling so that we get the properties
from a root owned properties file, rather than using an
environment variable.
Related to bug: 8029617
Change-Id: I18610128e11c4037ed6f4dec6eba20f69fa647eb
As it turns out, no, 64K is not enough. A device provisioning
tool was generating many uevents as it manipulated the GPT,
causing events near the end of the process (including events
as a result of the final BLKRRPART ioctl()) to get lost.
It's not clear what the best value for this should be, but
increasing to 256K fixed the problem in this case.
Change-Id: I4883b34e96c89e8a6fa581bc9cd121bb021b5694
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Change setsebool syntax from name=value to name value.
This is to make it consistent with setprop and similar commands.
Update both the init built-in command and the toolbox command
for consistency.
Change-Id: I2c8e016ba26731c4a2ad4a49ae3b89362bf8f8a8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
get_hardware_name() uses a fixed size buffer to slurp the contents of
/proc/cpuinfo into and with newer multicore systems this is not big
enough, leading to the inability to pick up the hardware name.
Fix this by using a dynamically allocated, exponentially growing buffer.
Change-Id: I51c6c276b6e110f462839e205a4428adc6656e75
Signed-off-by: Jon Medhurst <tixy@linaro.org>
This is necessary to ensure that the adbd socket is created in the
adbd domain rather than the init domain.
Change-Id: Id4997d7f074aeefea62b41c87b46a6609e03f527
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
In "init: harden property service" patch, dirfd() is invoked
without checking whether opendir() return successfully. It may
fail if load_persistent_properties() is invoked before userdata
partition is mounted; then dirfd(NULL) will make init crash.
This may happen if "is_charger" is true.
Change-Id: I216fb743a3c9fa050f92fcb31b62e766346d84bb
Signed-off-by: Yi-wei Zhao <gbjc64@motorola.com>
Some Android programs have problems with memory which grows
from the top down. Temporarily set ADDR_COMPAT_LAYOUT to
avoid breaking those programs.
Bug: 7188322
Change-Id: I61760500e670b4563838c63b82d4a0b6e354a86e
* commit 'e3bdaeb603ab7ac941b35b41856c6b8ebf47c6bb':
Use sigemptyset to initialise signal mask as it is more portable. Referencing sa_restorer fails on MIPS
On first boot, the directory is created with root:root ownership and
then chowned. chown clears the ISUID and ISGID bits, so we need to chmod
the directory again after chown.
Change-Id: I02dfe7a19a637678256b4e7cc09e6b5431e6f11e
This is a set of changes to the init property service
implementation to apply a SELinux check over who can
change what properties. Also included control hooks
for the 'ctl' keys.
Change-Id: I5a18809bf5536f6459a36b6bf0d622b9f5061aa0
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
To support runtime policy management, add support for reloading
policy from /data/system. This can be triggered by setting the
selinux.loadpolicy property to 1, whether from init.rc after
mounting /data or from the system_server (e.g. upon invocation of
a new device admin API for provisioning policy). ueventd and
installd are restarted upon policy reloads to pick up the new
policy configurations relevant to their operation.
Change-Id: I97479aecef8cec23b32f60e09cc778cc5520b691
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
When devices are provisioned, bd address path is set in ro.bt.bdaddr_path.
On devices where this property is not present, a random bd address is
generated and saved to the property: persist.service.bdroid.bdaddr
This change allows bluetooth process to update this property
bug 6885309
Change-Id: I2e8a2471a0e890da82e6bbec6a2ef67ec8e1f8f4
Now get_android_id function returns -EINVAL if the uid/gid is not in the list
of android ids. This will allow ueventd to catch invalid ids and report the
error.
Change-Id: I943b04dd64d518891623e1ee2d561b8061af4863
Signed-off-by: Veeren Mandalia <v.mandalia@sta.samsung.com>
Automatically set the SELinux security label on directories created
by init.rc. This avoids the need to separately call restorecon on
each such directory from the init.rc file. Also restorecon /dev
and /dev/socket after initial policy load so that they are labeled
correctly before any other dev nodes or sockets are created.
Change-Id: If6af6c4887cdead949737cebdd673957e9273ead
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Change uevents may be triggered after new files are created on a device
in /sys, run the sys permissions fixup when they occur.
Change-Id: Iec2725c9f8a032e5124190444edaf189a766b0b2
The wait command was currently implemented but
undocumented and only used internally. This change
adds a second option toi (optionally) override the default
timeout of 5 seconds.
The wait command can be used to wait for a file to appear
during the boot process, for example a disk or other device,
and is a better alternative than an unconditional sleep.
Change-Id: Ia11d8419c0ea84deec0e1bf5adfca5bc76ff38b7
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This device is required by libdrm for GPUs like IvyBridge.
Change-Id: I0ac47056a9cec2100f3e6eaa5591571fe6bbc145
Signed-off-by: Lukasz Anaczkowski <lukasz.anaczkowski@intel.com>
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
"/sbin/watchdogd <interval> <margin>" will open /dev/watchdog, try
to set the timeout to <interval>+<margin> then write to it every
<interval> seconds to reset the watchdog.
Change-Id: I15571980cdb868ec19f20e80bf8274b32107d36d
This change brings init's do_chmod, mkdir, and do_chown into line
with open's O_NOFOLLOW semantics, causing them to fail when the
last element of their target path is a symlink.
Change-Id: If00e1a25cfe17ef6f738af4bf0541abd0c1b084b
The new fs_mgr library moves much of the knowledge of what filesystems
to mount into a new fstab.<device> file, and just calls one function to
mount all the filesystems.
Change-Id: If3db37530a0676000cba3e679db27aca734227e5
The new fs_mgr library moves much of the knowledge of what filesystems
to mount into a new fstab.<device> file, and just calls one function to
mount all the filesystems.
Change-Id: If3db37530a0676000cba3e679db27aca734227e5
Modify init to set the umask to 077 when forking processes.
This helps protect against inadvertant information disclosure
in init's child processes.
ueventd: Keep umask at 000. uevent needs to be able to
create device nodes with exactly the permissions it
indicates.
Testing:
1) Do an "ls -lR /data /dev" on the device before and after
the umask change and diff the output. Verified by hand
that the permission change wouldn't cause any problems.
2) Verify that package installation works, and the permissions
are as expected, when installing a program from market and
"adb install".
Bug: 3272072
Change-Id: Ie4f7f06c0ee9da8d9b6fce25d71d8991a9bce406
Adds an SVC_RESTART state that's used for an explicit "restart" of a
running service. This retains the traditional restart behavior for
critical and oneshot services (previously altered by 7e36edd8), whereby
these services are "simply restarted" instead of counting as a crash (for a
critical serivce) or going into the disabled state (for a oneshot service).
Previously, service restarts (either an explicit "restart", or a "stop,
start" pair) exhibited a race condition whereby the new (restarting)
service process was often spawned before the old (stopping) process had
terminated. This may have resulted in the new service process failing to
acquire a limited resource (file lock, socket bind, etc.) that the old
process had not yet released.
Now, a stopping service remains in the SVC_RUNNING state until its exiting
process has been reaped by waitpid. This prevents a "stop, start" sequence
from spawning a second service process before resources held by the first
are released. This enables safe service restarts by stopping the service,
waiting for the old service process to terminate, and (only then) starting
the new service process. In the event of "restarting" an already stopped
service, the previous behavior is maintained whereby the service is simply
started.
This scenario could be special-cased by the restart command, however, we
have observed instances where services are, unintentionally, stopped and
started "too quickly," and so simultaneous processes for the same service
should never be allowed.
Note that this commit alters the behaviors for explicit restarts of
critical and oneshot services. Previously these serivces would simply be
restarted, whereas now, an explicit restart of a critical service counts as
a crash (which may result in a recovery reboot) and oneshot services go
into the disabled state.
This change brings init's do_chmod, mkdir, and do_chown into line
with open's O_NOFOLLOW semantics, causing them to fail when the
last element of their target path is a symlink.
Change-Id: If00e1a25cfe17ef6f738af4bf0541abd0c1b084b
Normally, calling open on a tty will set that tty as the process
group controlling tty if none already exists. However, if the tty
is /dev/console, the kernel will never automatically set it as the
controlling tty. Call the TIOCSCTTY manually on the fd, which will
always attempt to set it as the controlling tty.
Fixes ctrl-c on the console shell when androidboot.console is not
passed on the kernel command line and the default /dev/console is
used.
Change-Id: I449cc41b47e93ac38ad6987413bb54131e1ec0cd
Add SE Android support for init and ueventd.
init:
- Load policy at boot.
- Set the security context for service daemons and their sockets.
- New built-in commands: setcon, setenforce, restorecon, setsebool.
- New option for services: seclabel.
ueventd:
- Set the security context for device directories and nodes.
Change-Id: I98ed752cde503c94d99dfa5b5a47e3c33db16aac
Creating a root owned /data/local.prop is one of the most common
ways to root an Android device. /data/local.prop is only intended
to assist developers on debuggable devices, and is never
intended to be used on production devices.
Change-Id: Ifcfa21c2ee9914b0b54445218b4cf0fea0a98e9c
If we process the import directive inline, then the ordering of the
commands for the "on xxx" sections would be a little unexpected. The
init.rc files do not really have an implied order as to which section
appears and gets processed first. The init code itself provides that
ordering explicitly. For the user, the expectation is that if both the
current file and the imported file define a section (e.g. "on init"),
then the commands in the current file will be executed first, and then
the ones from the imported file(s).
The current implementation did not do that. It processed the import
directive inline, and thus the imported (i.e. dependent) files would
appear first in the command lists for the sections. This created
unintended side effects and the solution would have been to try and
put the import lines somewhere in the middle of the init file. This
would be difficult to notice and hard to extract the dependencies.
To solve this, we add the imports to a list for each file being parsed
and process the list after finishing parsing the file. This provides
predictable order for imports and provides a logical flow from the
user perspective: the currently parsed file gets to run its commands
before the files being imported.
Change-Id: I06dc35ff286314060e16b18923683cd2787269de
Signed-off-by: Dima Zavin <dima@android.com>
Also, clean up how we initialize the ro.xx properties and process
the kernel command line.
Change-Id: Iedda6c90e31340a189171a44b2767480403354f7
Signed-off-by: Dima Zavin <dima@android.com>
This removes the hardcoding of the file import in init and instead
allows the init.rc file to fully control what is loaded.
Change-Id: I933e5bbab57f1e8705a370d660f92c6508da94d2
Signed-off-by: Dima Zavin <dima@android.com>
Adds new property syntax in init files during init file filename
expansion during the import command:
${prop.name}
So, one can do: import /init.${ro.hardware}.usb.rc
Should convert other usages of property names to use the new function.
Change-Id: I9205d7d7a2da620bc8e6b89ac0eb554fad53ded3
Signed-off-by: Dima Zavin <dima@android.com>
The property service is still started later, but the property area
and the initial boot properties are initialized before the init.rc
file is processed. This allows init.rc files to have access to boot
properties during parsing.
Change-Id: Iae9ed1093c821831a864b39ae6bc697e62b94757
Signed-off-by: Dima Zavin <dima@android.com>
If we process the import directive inline, then the ordering of the
commands for the "on xxx" sections would be a little unexpected. The
init.rc files do not really have an implied order as to which section
appears and gets processed first. The init code itself provides that
ordering explicitly. For the user, the expectation is that if both the
current file and the imported file define a section (e.g. "on init"),
then the commands in the current file will be executed first, and then
the ones from the imported file(s).
The current implementation did not do that. It processed the import
directive inline, and thus the imported (i.e. dependent) files would
appear first in the command lists for the sections. This created
unintended side effects and the solution would have been to try and
put the import lines somewhere in the middle of the init file. This
would be difficult to notice and hard to extract the dependencies.
To solve this, we add the imports to a list for each file being parsed
and process the list after finishing parsing the file. This provides
predictable order for imports and provides a logical flow from the
user perspective: the currently parsed file gets to run its commands
before the files being imported.
Change-Id: I06dc35ff286314060e16b18923683cd2787269de
Signed-off-by: Dima Zavin <dima@android.com>
Also, clean up how we initialize the ro.xx properties and process
the kernel command line.
Change-Id: Iedda6c90e31340a189171a44b2767480403354f7
Signed-off-by: Dima Zavin <dima@android.com>
This removes the hardcoding of the file import in init and instead
allows the init.rc file to fully control what is loaded.
Change-Id: I933e5bbab57f1e8705a370d660f92c6508da94d2
Signed-off-by: Dima Zavin <dima@android.com>
Adds new property syntax in init files during init file filename
expansion during the import command:
${prop.name}
So, one can do: import /init.${ro.hardware}.usb.rc
Should convert other usages of property names to use the new function.
Change-Id: I9205d7d7a2da620bc8e6b89ac0eb554fad53ded3
Signed-off-by: Dima Zavin <dima@android.com>
The property service is still started later, but the property area
and the initial boot properties are initialized before the init.rc
file is processed. This allows init.rc files to have access to boot
properties during parsing.
Change-Id: Iae9ed1093c821831a864b39ae6bc697e62b94757
Signed-off-by: Dima Zavin <dima@android.com>
The class_reset command used to reset services that had been set to
"disabled" in the init.rc file to a non-disabled state. Now, if the
service was originally set to "disabled", have the reset command set
it back to disabled. Otherwise, set it to the "reset" state as it
currently does.
Change-Id: I0c10582e46a8e443d4748d9d893ae762b19b653a
x86 emulator passes hardware name through the androidboot.hardware kernel cmd option, and
ueventd must pick up on it to locate proper ueventd.rc file for that hardware.
Change-Id: Id61c5b67fe6275a15c7aa62556e0b89eda7968f8
Introduces a 'charger' section that is processed when androidboot.mode
supplied on the kernel commandline is "charger".
In this mode, sections such as fs, post-fs, etc are skipped. Only the
'early-init' and 'init' sections of the init rc files are processed before
processing the 'charger' section.
Change-Id: If9eb6334de18f04cbcf2aab784578e2993615242
Signed-off-by: Dima Zavin <dima@android.com>
