Commit graph

4236 commits

Author SHA1 Message Date
Treehugger Robot
babf597508 Merge "Use no_full_install: true instead of installable: false" into main 2024-05-04 00:04:03 +00:00
Nate Myren
31b1582797 Merge "Revert "Only write appcompat properties if flag is defined"" into main 2024-05-02 19:49:45 +00:00
Nate Myren
6d8304aa46 Revert "Only write appcompat properties if flag is defined"
Revert submission 3049635-cherrypicker-L52500030003287943:N44300030053199935

Reason for revert: b/338244859
Bug: 338244859

Reverted changes: /q/submissionid:3049635-cherrypicker-L52500030003287943:N44300030053199935

Change-Id: I4b99429ce5df0af30e6ad99d3463d4dc2c96c012
2024-05-01 19:21:49 +00:00
Jiyong Park
b33025849d Use no_full_install: true instead of installable: false
So far, we have used `installable: false` to avoid collision with the
other modules that are installed to the same path. A typical example was
<foo> and <foo>.microdroid. The latter is a modified version of the
former for the inclusion of the microdroid image. They however both have
the same installation path (ex: system/bin) and stem (ex: foo) so that we
can reference them using the same path regardless of whether we are in
Android or microdroid.

However, the use of `installable: false` for the purpose is actually
incorrect, because `installable: false` also means, obviously, "this
module shouldn't be installed". The only reason this incorrect way has
worked is simply because packaging modules (ex: android_filesystem)
didn't respect the property when gathering the modules.

As packaging modules are now fixed to respect `installable: false`, we
need a correct way of avoiding the collision. `no_full_install: true` is
it.

If a module has this property set to true, it is never installed to the
full install path like out/target/product/<partition>/... It can be
installed only via packaging modules.

Bug: 338160898
Test: m
Change-Id: I37380c19232f2c497bdf492a83cdc16616f0ae8d
2024-05-01 20:59:19 +09:00
Elliott Hughes
c9d44b84fe Don't reject "ctl.stop.*" during shutdown.
We're shutting down anyway, so the service is either dead already
or about to be killed, and callers get upset (and don't have a good
response themselves) if we reject the request.

This was seen by a partner where adbd was asked to stop during
shutdown.

Bug: https://issuetracker.google.com/336223505
Change-Id: If09feeef2e0f2d1be9ff84a88cca6ed593a35362
2024-04-30 20:20:43 +00:00
Florian Mayer
67027efd06 Merge "[MTE] disable memtag stack in early init" into main 2024-04-29 20:58:05 +00:00
Florian Mayer
c2eaac5ed2 [MTE] disable memtag stack in early init
when introducing instrumentation for MTE stack history buffer, we cannot
use stack MTE in early init

Bug: 309446520
Change-Id: I0921ae4ffe03ed971697f8daff4215c9b3772e35
2024-04-26 17:25:05 -07:00
Treehugger Robot
6f5205229b Merge "ueventd: Add devname sys_name to subsystem, pulling device names from sysfs" into main 2024-04-25 19:39:02 +00:00
A. Cody Schuffelen
b479666e3c ueventd: Add devname sys_name to subsystem, pulling device names from sysfs
This change introduces a new mode to `subsystem.devname` in `ueventd.rc`
configuration files, which sets the file name to the contents of
`/sys/DEVNAME/name`.

The objective of this change is to help Cuttlefish distinguish between
console devices, which are only different in uevents by initialization
order. Cuttlefish currently relies on `/dev/hvc##` devices which are
created for non-multiport virtio-console devices.

https://cs.android.com/android/platform/superproject/main/+/main:device/google/cuttlefish/shared/config/ueventd.rc;l=18;drc=5204f119d859d3ae5f1a2ee1c6a05ee68d6a28ed

On Cuttlefish we're considering moving to multiport virtio-console
devices ( https://fedoraproject.org/wiki/Features/VirtioSerial ). It
would be possible to rely on device order here as well, but using names
to distinguish devices makes it possible to drop unused devices in the
future, rather than reserving indexes indefinitely.

Multiport virtio-console devices create uevents with DEVNAME=vport#p#
and DEVPATH=.../vport#p#, only exposing the name in a sysfs file.

Bug: 336663898
Test: Attach multiport console, run with `-DLOG_UEVENTS=1`
Test: Introduce ueventd policy using `devname sys_name`
Change-Id: I59632b556db4a47883eab97e90c0e6ca81a9c650
2024-04-25 11:10:11 -07:00
Treehugger Robot
b46dcf4fcb Merge "Only write appcompat properties if flag is defined" into main 2024-04-24 22:35:37 +00:00
Treehugger Robot
f0db2406f7 Merge "Null terminate the std::array given to execve" into main 2024-04-20 02:41:34 +00:00
Jiyong Park
e873e1d31b Null terminate the std::array given to execve
std::array<T, N> takes exactly N * sizeof(T) bytes, leaving no room for
the null terminator.

Bug: 335047945
Test: re-run the GSI test
Change-Id: Ic3aca5f409021c78a7eb965c5ed610e6a51e42cb
2024-04-20 10:11:46 +09:00
Nate Myren
32677ae8f3 Only write appcompat properties if flag is defined
Only writes the appcompat properties if the
WRITE_APPCOMPAT_OVERRIDE_SYSTEM_PROPERTIES cflag is defined

Fixes: 331307495
Test: manual
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:f04f6bae4314e01111045ba231010ba7067477a0)
Merged-In: Ie99b5027a9704c0f4f7fe4d3a6a6cf49f4bb8176
Change-Id: Ie99b5027a9704c0f4f7fe4d3a6a6cf49f4bb8176
2024-04-19 19:07:52 +00:00
Jiyong Park
12c64a7586 Don't install Android-only dependencies to microdroid
init_second_stage_defaults provides properties that are common to both
Android's init and Microdroid's init. Before this CL, it included
target.product.required and target.recovery.required properties. The
required dependencies were Android-specific; the dependencies included
Android-only init.rc. Microdroid has its own init.rc (microdroid_init_rc
module).

This was problematic but so far it didn't cause an issue because those
Android-only dependencies were not installed to Microdroid due to a bug
in the build system.

As we fix the build system bug, the Android-only dependencies started
to get installed to Microdroid, effectively overriding the Microdroid-only
init.rc file. This made Microdroid fail to boot.

Fixing this issue by moving the Android-only dependencies out of the
defaults module and putting them on the Android's init.

In addition to that, this CL removes the recovery variant for the
Microdroid's init because it's not used.

Bug: N/A
Test: run AVF tests
Change-Id: I09748f1123125cac74ce54fd5c360c9a3ba2f996
2024-04-17 14:36:55 +09:00
Shrinidhi Hegde
4922633d3f Merge "Throttle reboot from native watchdog" into main 2024-04-12 14:30:23 +00:00
Shrinidhi Hegde
ab9b683840 Throttle reboot from native watchdog
Found out that increasing the threshold to 20 crashes pushes the file
system based rollbacks as well. So introducing a throttling behaviour
instead. Now native watchdog performs reboot with ramdump at 5 restarts.
After that packageWatchdog/ RescueParty takes over to perform other
mitigations. Ram dump + reboot will not be performed more than once
in 24hrs.

Test: manual
Bug: 291137901
Change-Id: Ia192411dad94e8e25c26f700d2fe7f94d41439b8
2024-04-11 15:28:07 +00:00
Treehugger Robot
793679f47a Merge "skip nop persistent property writes" into main 2024-04-09 06:41:58 +00:00
Shrinidhi Hegde
09071c46d8 Merge "Revert "Update native watchdog to be triggered after 20 restarts instead of 4."" into main 2024-04-05 00:23:45 +00:00
Shrinidhi Hegde
ae5ce6f7c3 Revert "Update native watchdog to be triggered after 20 restarts instead of 4."
This reverts commit 1d928ca80b.

Reason for revert: Breaks Host side CTS test https://android-build.corp.google.com/test_investigate/?referrer=buganizer&regressionId=manual-dcf4b8bc69179f9a6bc4ce097a552d84-1712255116&testResultId=TR13229242143019813&invocationId=I86200010262612788

Change-Id: I2627a0c5f5b8d9a19b6a43f678facc64ffa6c189
2024-04-04 19:19:04 +00:00
Shrinidhi Hegde
9261e262cb Merge "Update native watchdog to be triggered after 20 restarts instead of 4." into main 2024-04-04 16:25:43 +00:00
Jiyong Park
2f8efe00af skip nop persistent property writes
Bug: 332611029
Test: TH
Change-Id: I0f6ca09c781964d1eb432a770c50e7216f043b4f
2024-04-04 22:15:18 +09:00
Nikita Ioffe
feb7e0ea97 Restorecon /microdroid_resources in setup_selinux
The main reason for running restorecon of /microdroid_resources during
the setup_selinux stage is to avoid granting init some weird permissions
like `allow init tmpfs:file relabelfrom;`.

Instead we add such permissions to kernel domain in which setup_selinux
runs. This feels better since kernel domain already has similar
permissions like `allow kernel rootfs:file relabelfrom;`.

Bug: 287593065
Test: run microdroid vm with vendor partition
Change-Id: I82ef5499392e90f53655f7582e887d0b6cb3a5f0
2024-04-04 13:04:52 +00:00
Shrinidhi Hegde
1d928ca80b Update native watchdog to be triggered after 20 restarts instead of 4.
The native watchdog performs a complete reboot on 5 system server
restarts even before packageWatchdog/RescueParty can perform any of the
mitigations. Increasing the threshold at which native watchdog kicks in
to 20 instead of 4.

Test: manual
Bug: 291137901
Change-Id: I9166f6555020e8bf26cc86994b13c53745a9934b
2024-04-03 13:02:12 +00:00
Devin Moore
bc4f870aaa Merge "init_kill_services_test: don't always try to kill hwservicemanager" into main 2024-04-02 16:37:00 +00:00
Devin Moore
a5521b0d9f init_kill_services_test: don't always try to kill hwservicemanager
When HIDL is not supported, hwservicemanager will not be running and may
not even be installed on the device.

Ignore-AOSP-First: Disabling HIDL internally first. Will cherry-pick
these test CLs after.

Test: init_kill_services_test
Bug: 218588089
Change-Id: Iae41e35e4669dd62c99ab9f138fc419be2f5fa29
2024-03-29 16:12:53 +00:00
Akilesh Kailash
ec799183c8 init: Remove legacy virtual-ab support
Bug: 304829384
Test: OTA on Pixel
Change-Id: I8463a1cc102379daa41fdade6820222a5e3bdd86
Signed-off-by: Akilesh Kailash <akailash@google.com>
2024-03-28 09:53:36 -07:00
Nikita Ioffe
d28f45772f Remove check that only allows microdroid vendor partition on debuggable VMs
The microdroid vendor partition is now verified during Microdroid boot,
so no need for this check.

Bug: 287593065
Test: AVF presubmit
Change-Id: I84811f818ef1140f1fe93d9da5f9ee61341e75dd
2024-03-26 18:04:21 +00:00
Jeongik Cha
6d7e83fb42 Add //visibility:any_system_partition
system image which is declared in Android.bp should include the module.

Bug: 321000103
Test: m nothing
Change-Id: I6e9d8fa4c1051211ff9ff80c7dfa4a8ee5cbd732
2024-03-23 12:31:32 +09:00
Krzysztof Kosiński
eaf7d77e7e Add missing header.
Protobuf 22.x no longer includes <unordered_map>, so it has to
be included explicitly.

Bug: 329747255
Test: presubmit
Change-Id: Icd5055e242e4f58029caf80cbb321222c612a9d0
2024-03-15 06:44:39 +00:00
Nikita Ioffe
13db31040f Merge changes from topic "derive-microdroid-vendor-dice-node" into main
* changes:
  Add a step to derive microdroid vendor dice node
  Move ForkExecveAndWaitForCompletion to util.h
  Mount /microdroid_resources as tmpfs
2024-03-14 11:20:06 +00:00
Nikita Ioffe
1e114e677b Add a step to derive microdroid vendor dice node
The derivation happens in the derive_microdroid_vendor_dice_node binary
which first_stage_init forks and execvs.

Since the derivation requires talking to the dice driver, its
initialisation is also moved to the first stage init.

The derivation happens before the microdroid vendor partition is
verified & mounted. This should be safe because the first_stage_init
will fail the boot if the verification of the microdroid vendor
partition fails.

Bug: 287593065
Test: run microdroid with and without vendor partition
Test: atest MicrodroidTests
Change-Id: I0d83772eb98a56c315617e66ec64bd03639cfde6
2024-03-13 15:24:44 +00:00
Nikita Ioffe
fe7b83faea Move ForkExecveAndWaitForCompletion to util.h
In the follow up patch this function will also be used in
first_stage_init.

Bug: 287593065
Test: m
Change-Id: Id805f8523596c26ed262d89aa652b27184b612c1
2024-03-13 14:44:46 +00:00
Nikita Ioffe
2384e8abfe Mount /microdroid_resources as tmpfs
This will be used to store the new dice chain generated during
first_stage_init phase in case Microdroid VM is launched with
microdroid vendor partition.

Bug: 287593065
Test: atest MicrodroidTests
Test: start Microdroid VM & check microdroid_resources exists
Change-Id: I40677376bfed14d813ad51c78db6109b2d76d1d1
2024-03-13 14:39:08 +00:00
Veena Arvind
b46e5e6d0b Scan for quiescent in sub reason and details
Bug: 326526460
Test: manual (b/320369923#comment19)
Change-Id: I702841bf1afa6a04318b8233eb6ddb89c46b7ad5
2024-03-11 22:23:09 +00:00
Xin Li
ba485e7f71 Merge "Merge Android 14 QPR2 to AOSP main" into main 2024-03-07 06:10:51 +00:00
Justin Yun
4058ba29b5 Skip initializing ro.vendor.api_level if already defined
Devices may predefine ro.vendor.api_level. Skip calculating the value
if the ro.vendor.api_level is already defined.

Bug: 326164316
Test: getprop ro.vendor.api_level
Change-Id: Ic9fd2a0eef6ba9345f98a5cb1eb790080e19ca19
2024-03-06 18:28:58 +09:00
Jooyung Han
14f00567a9 Merge "init: move generated_android_ids to host_init_verifier" into main am: 3289747a5c
Original change: https://android-review.googlesource.com/c/platform/system/core/+/2976531

Change-Id: I334c0f0e80fbc0ef4429a45ddfffe569f2ac4c36
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-26 08:17:42 +00:00
Jooyung Han
18407b7870 init: move generated_android_ids to host_init_verifier
It's used only by host_init_verifier. This is to remove the unnecessary
dependency from clients of init_host_defaults.

Bug: 326509378
Test: mmma system/core/init
Change-Id: I983fbfe616f0bcb87940c934e19f614d3bf51030
2024-02-26 11:18:00 +09:00
Kalesh Singh
20eab6f58b Merge "init: snapuserd: Fix ranges for mlock()" into main am: df09f80cf4
Original change: https://android-review.googlesource.com/c/platform/system/core/+/2964563

Change-Id: Ie80dbe09c6afb8d5973a3fa06941015f2667ff9a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-22 21:05:09 +00:00
Kalesh Singh
df09f80cf4 Merge "init: snapuserd: Fix ranges for mlock()" into main 2024-02-22 20:27:13 +00:00
Treehugger Robot
6b803bcfaa Merge changes Ifaab2be0,I54df888e into main am: 8687d25c0d
Original change: https://android-review.googlesource.com/c/platform/system/core/+/2959289

Change-Id: I376f6b0e8697733e395edd7257eb21f814c587e3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-22 15:26:00 +00:00
Kalesh Singh
f90de49e0e init: snapuserd: Fix ranges for mlock()
It cannot be assumed that file mappings in /proc/<pid>/maps will be
completely backed by the underlying file. [1]

Use MappedFileSize() to deduce the correct ranges for the mlock()
calls when locking system pages in the OTA path.

While at it also clean up some unreachable code (mlockall()),
and improve error logging.

[1] SIGBUS at https://man7.org/linux/man-pages/man2/mmap.2.html#RETURN_VALUE

Test: Incremental OTA
Bug: 324952273
Change-Id: Ia2ab150e1b8de8c638f5b1acc1de83deb7ac5cff
Signed-off-by: Kalesh Singh <kaleshsingh@google.com>
2024-02-21 18:40:45 -08:00
Pierre-Clément Tosi
b6b2afb6b3 first_stage_console: Refactor RunScript()
Introduce SpawnImage() as a reusable single-argument wrapper around
posix_spawn(), to avoid having to manually manage the child process.

Note that Bionic currently doesn't return the errno from the child's
exec() call to the caller in the parent process, which may temporarily
hide errors such as ENOENT in first_stage_console until Bionic improves.

Also, this introduces a subtle change in behavior as the first_stage.sh
script is now passed directly to the loader, which will only properly
invoke the Shell if the file contains the right shebang.

Inline the call to RunScript() to hopefully make it simpler for readers
to track the lifetime of the various processes on different code paths.

Test: run first_stage_init
Change-Id: Ifaab2be032b2080a039209295d0b5a3759764ea7
2024-02-21 12:35:55 +00:00
Pierre-Clément Tosi
b1d92c6508 first_stage_console: Fix waitpid() as SA_NOCLDWAIT
From wait(2):

  POSIX.1-2001 specifies that if [...] the SA_NOCLDWAIT flag is set for
  SIGCHLD, then children that terminate do not become zombies and a call
  to [...] waitpid() will block until all children have terminated, and
  then fail with errno set to ECHILD.

As we call sigaction(SIGCHLD, { SIG_DFL, SA_NOCLDWAIT }), running

  pid_t w = waitpid(pid, &status, 0);
  LOG(INFO) << "..." << status << " " << w << " " << errno;

shows that the calls consistently return (status=0, w=-1, errno=ECHILD).

Therefore, clarify the parent code by preferring wait(2) over waitpid(2),
as SA_NOCLDWAIT makes the kernel ignore the passed PID, and stop logging
the irrelevant status, to avoid confusion when the logs say the exit
status was 0 but the child actually returned an error.

Test: run first_stage_console
Change-Id: I54df888e38b947e206e374ad28ebb044c70c6640
2024-02-19 15:01:11 +00:00
Treehugger Robot
dccae8ce3c Merge "first_stage_console: Fix execv() child error path" into main am: 3b79ada7ef
Original change: https://android-review.googlesource.com/c/platform/system/core/+/2959288

Change-Id: I56ddf989130e37f9d3a5ca6b884da6eeac46c62f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-19 11:19:54 +00:00
Treehugger Robot
3b79ada7ef Merge "first_stage_console: Fix execv() child error path" into main 2024-02-19 10:49:01 +00:00
Treehugger Robot
ca95bfc10e Merge "Rename functions in libvendorsupport" into main am: f27d8cebbd
Original change: https://android-review.googlesource.com/c/platform/system/core/+/2964824

Change-Id: If033344bccfffd08fadda77c1d2617a788f2815a
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-19 00:29:14 +00:00
Treehugger Robot
f27d8cebbd Merge "Rename functions in libvendorsupport" into main 2024-02-18 23:53:22 +00:00
Treehugger Robot
8a10b8a71d Merge "Add check_builtins to libinit_host" into main am: cb09ff33a3
Original change: https://android-review.googlesource.com/c/platform/system/core/+/2966903

Change-Id: Iac72d76a94521b33ce79c7c791b25945a4e05889
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2024-02-17 00:44:12 +00:00
Pierre-Clément Tosi
0335dac70d first_stage_console: Fix execv() child error path
If the /first_stage.sh is not present on the system, the child process
which attempted to execv() ends up returning from the function along
with its parent, which can be seen in early logs e.g.

[   10.747576][   T51] init: Attempting to run /first_stage.sh...
[   10.757371][   T52] init: unable to execv /first_stage.sh, returned -1 errno 2
[   10.767527][   T52] init: unable to execv, returned -1 errno 2
                      [...]
[   10.789189][   T51] init: unable to execv, returned -1 errno 2

where both T51 and T52 end up executing the "rest" of StartConsole().

Instead, terminate the child if its execv() failed.

Test: run first_stage_init
Change-Id: I20bc0aeae627761a60fb2b55bae39871ad506f69
2024-02-16 15:23:32 +00:00
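
The behaviour behind the two first_stage_console fixes listed above (b1d92c6508 and 0335dac70d) can be reproduced outside init. The C program below is an added example, not code from the AOSP tree; the script path, the helper names and the exit code 127 are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the parent observes after one spawn-and-reap attempt. */
struct reap_result {
    pid_t w;        /* return value of waitpid() */
    int err;        /* errno when a call failed, else 0 */
    int exit_code;  /* child's exit code if it was reaped, else -1 */
};

/* Install SIG_DFL for SIGCHLD, with or without SA_NOCLDWAIT. */
static int set_sigchld(int nocldwait) {
    struct sigaction sa;
    memset(&sa, 0, sizeof(sa));
    sa.sa_handler = SIG_DFL;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = nocldwait ? SA_NOCLDWAIT : 0;
    return sigaction(SIGCHLD, &sa, NULL);
}

/* Fork, execv() a script assumed to be missing, then wait for the child. */
static struct reap_result spawn_missing_script(int nocldwait) {
    struct reap_result r = { -1, 0, -1 };
    char path[] = "/nonexistent/first_stage.sh";  /* hypothetical path */
    char *const argv[] = { path, NULL };          /* argv must end in NULL */
    int status = 0;

    if (set_sigchld(nocldwait) != 0) { r.err = errno; return r; }
    pid_t pid = fork();
    if (pid < 0) { r.err = errno; return r; }
    if (pid == 0) {
        execv(argv[0], argv);
        /* Reached only when execv() failed. Terminate here so the child
           never returns into the code the parent is about to run. */
        _exit(127);
    }
    r.w = waitpid(pid, &status, 0);
    if (r.w == -1)
        r.err = errno;               /* ECHILD when SA_NOCLDWAIT is set */
    else if (WIFEXITED(status))
        r.exit_code = WEXITSTATUS(status);
    return r;
}

int main(void) {
    struct reap_result normal = spawn_missing_script(0);
    struct reap_result nowait = spawn_missing_script(1);
    /* Without the flag the failure code is visible; with it, status is
       never filled in, so logging it would misreport a clean exit. */
    return (normal.exit_code == 127 &&
            nowait.w == -1 && nowait.err == ECHILD) ? 0 : 1;
}
```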