Commit graph

3298 commits

Author SHA1 Message Date
David Anderson
f12ea1ed1b Merge "init: Forcefully mount system_ext on DAP devices if not present in fstab." 2020-03-25 17:01:38 +00:00
Treehugger Robot
58f35246cf Merge "init: add more logging around reboots" 2020-03-25 15:48:24 +00:00
TreeHugger Robot
3553c5ea4c Merge "init: add missing TEMP_FAILURE_RETRY" into rvc-dev 2020-03-25 15:40:26 +00:00
David Anderson
d0ce5303e3 init: Forcefully mount system_ext on DAP devices if not present in fstab.
Bug: 150315914
Test: cuttlefish boots with system_ext missing from fstab
Change-Id: I99f292a070678b8a98500258af98129fbd81dfa7
2020-03-24 22:24:32 -07:00
Tom Cherry
494cffb26c init: add missing TEMP_FAILURE_RETRY
Bug: 150863651
Test: boot
Change-Id: I09e86e08a716c2c2933e090d57818a9aad6486f8
2020-03-24 18:17:53 -07:00
Tom Cherry
1c688365ac init: add more logging around reboots
Particularly in the case of the device failing to reboot.  Some test
devices are showing that they've received the reboot message but
without rebooting.

Bug: 150863651
Test: prevent init from handling reboot and see a stacktrace
Test: reboot works normally
Change-Id: Ide001dadbb9e9cd235ea509066e6ae6664bb429b
2020-03-24 18:01:50 -07:00
Treehugger Robot
2d90168f80 Merge "Add vts10 suite to existing vts tests" 2020-03-24 21:49:44 +00:00
Martin Stjernholm
ae695c9fad Remove use of static libdexfile to avoid linking in ART internal code.
- Create a static library libunwindstack_no_dex without DEX support.
- Use it in libdebuggerd_handler_fallback, whose only use is in the
  linker, which shouldn't need that support.
- Use it in init_first_stage, which doesn't need DEX support either.
- Also need a libbacktrace_no_dex since it's in the dependency chain
  from init_first_stage to libunwindstack_no_dex.

Also restrict the *_no_dex libs and libdebuggerd_handler_fallback as
much as possible to avoid inadvertent use of these reduced
functionality libs.

Test: m init_first_stage on Cuttlefish
  where BOARD_BUILD_SYSTEM_ROOT_IMAGE=false
Test: m system_image com.android.runtime
Test: Build & boot
Test: atest linker-unit-tests libunwindstack_unit_test debuggerd_test
Bug: 142944931
Bug: 151466650
Change-Id: Iaacb29bfe602f3ca12a00a712e2a64c45ff0118b
Merged-In: Iaacb29bfe602f3ca12a00a712e2a64c45ff0118b
2020-03-24 21:48:00 +00:00
Dan Shi
5d8d73c440 Add vts10 suite to existing vts tests
This is to prepare renaming vts to vts10.

Bug: 151896491
Test: local build
Exempt-From-Owner-Approval: This CL adds all tests in vts to a new
suite vts10. vts10 will be the new name of existing vts suite. This CL
won't change test logic or behavior.

Change-Id: I3c7ccef142de30f02a59046cecba121480f6e436
2020-03-24 13:04:53 -07:00
David Anderson
b80b654b1b Merge "init: Factor out first-stage uevent handling into a separate class." 2020-03-24 18:19:15 +00:00
David Anderson
4117559746 init: Factor out first-stage uevent handling into a separate class.
This will make it possible to re-use in second-stage init.

Bug: 150315914
Test: first-stage init boots
Change-Id: I6a0f13d5c71ab5529a76751f68ac0f15834323d1
2020-03-23 18:49:51 -07:00
Martin Stjernholm
6d4e47a165 Merge "Remove use of static libdexfile to avoid linking in ART internal code." 2020-03-23 20:15:14 +00:00
David Anderson
0053acd11c Merge "init: Remove special-case hacks for the super partition." 2020-03-23 19:19:22 +00:00
Tom Cherry
c297d6034d init: add ctl.oneshot_on/ctl.oneshot_off
Some services are lazy HALs on some platforms and not lazy HALs on
others; this is known at runtime by hwservicemanager, so this change
adds these properties to allow hwservicemanager to turn on oneshot
(for lazy HALs).  It may also be required to make a lazy HAL not lazy
anymore, and oneshot_off is provided for this.

Bug: 147841742
Test: new unit test that turns on and off oneshot on a service (bootanim)
      and observes that it follows the expected behavior
Merged-In: I79524e2c9a5008f90c8d3bc40920fde00602a439
Change-Id: I79524e2c9a5008f90c8d3bc40920fde00602a439
(cherry picked from commit bdbf5047c9)
2020-03-23 08:03:01 -07:00
David Anderson
b78a632ab7 init: Remove special-case hacks for the super partition.
Rather than special-casing super in the uevent listener, call Realpath()
after we've generated its symlink. This allows us to generalize the
uevent listener code.

Also, rename "metadata partition" to "super partition" in a few places,
as this terminology is a bit dated.

Bug: 150315914
Test: first-stage init boots
Change-Id: I2bf3bebf3360f097582df7fba95f3c1753feb2e2
2020-03-20 19:48:46 -07:00
Martin Stjernholm
a2cc893044 Remove use of static libdexfile to avoid linking in ART internal code.
- Create a static library libunwindstack_no_dex without DEX support.
- Use it in libdebuggerd_handler_fallback, whose only use is in the
  linker, which shouldn't need that support.
- Use it in init_first_stage, which doesn't need DEX support either.
- Also need a libbacktrace_no_dex since it's in the dependency chain
  from init_first_stage to libunwindstack_no_dex.

Also restrict the *_no_dex libs and libdebuggerd_handler_fallback as
much as possible to avoid inadvertent use of these reduced
functionality libs.

Test: m init_first_stage on Cuttlefish
  where BOARD_BUILD_SYSTEM_ROOT_IMAGE=false
Test: m system_image com.android.runtime
Test: Build & boot
Test: atest linker-unit-tests libunwindstack_unit_test debuggerd_test
Bug: 142944931
Bug: 151466650
Change-Id: Iaacb29bfe602f3ca12a00a712e2a64c45ff0118b
2020-03-19 22:23:54 +00:00
Tom Cherry
bdbf5047c9 init: add ctl.oneshot_on/ctl.oneshot_off
Some services are lazy HALs on some platforms and not lazy HALs on
others; this is known at runtime by hwservicemanager, so this change
adds these properties to allow hwservicemanager to turn on oneshot
(for lazy HALs).  It may also be required to make a lazy HAL not lazy
anymore, and oneshot_off is provided for this.

Bug: 147841742
Test: new unit test that turns on and off oneshot on a service (bootanim)
      and observes that it follows the expected behavior
Change-Id: I79524e2c9a5008f90c8d3bc40920fde00602a439
2020-03-19 12:54:25 -07:00
Tom Cherry
2bf886afc2 init: use a no-op signal handler instead of SIG_IGN for SIGPIPE
We want to ignore SIGPIPE within init, but if we use SIG_IGN, that
would be inherited by child processes through exec(), which we do not
want to have happen.  We instead set up a real signal handler with a
no-op handler function, that will ignore SIGPIPE within init, but will
not be inherited across exec().

This fixes c29c2baa69 ("init: Add support for native service
registration with lmkd"), when SIG_IGN was introduced.
Note that we caught this issue before shipping a release with that
change, so the major motivation here is to not cause a behavior change
in init.

Bug: 151581751
Test: children of init that don't explicitly block SIGPIPE exit when
      sent SIGPIPE
Test: children of init that do explicitly block SIGPIPE do not exit
      when sent SIGPIPE
Test: init does not exit when sent SIGPIPE
Test: init exits when sent SIGABRT
Merged-In: Ieda8555fd03836bcd672a422fe673a8369ad9beb
Change-Id: Ieda8555fd03836bcd672a422fe673a8369ad9beb
(cherry picked from commit fd470e87cc)
2020-03-18 09:42:56 -07:00
Steven Moreland
df78c43412 Merge "init: init_kill_services_test" 2020-03-17 20:30:49 +00:00
Steven Moreland
6cce3f7f90 init: init_kill_services_test
Kill processes and make sure the phone recovers. This adds a basic level
of testing, but it could be improved by:
- trying to kill all running processes on the device
- improving metrics for 'recovery'

Bug: 148236233
Test: init_kill_services_test
Change-Id: I8aaca7bf4bb0be588decf741d1f6e1c5787cea84
2020-03-17 10:58:02 -07:00
David Anderson
8a178c184f Merge "init: Fix restorecon for /metadata." 2020-03-16 23:40:16 +00:00
David Anderson
054e6a388e init: Fix restorecon for /metadata.
Since new files can be introduced to /metadata after the initial
restorecon, we need to skip hashing.

Bug: 150907679
Test: rollback, ls -lZ /metadata/ota
Change-Id: I1f928f519ae2c75aeedb74b70d513743e86bcf2b
Merged-In: I1f928f519ae2c75aeedb74b70d513743e86bcf2b
2020-03-16 14:00:54 -07:00
Tom Cherry
fd470e87cc init: use a no-op signal handler instead of SIG_IGN for SIGPIPE
We want to ignore SIGPIPE within init, but if we use SIG_IGN, that
would be inherited by child processes through exec(), which we do not
want to have happen.  We instead set up a real signal handler with a
no-op handler function, that will ignore SIGPIPE within init, but will
not be inherited across exec().

This fixes c29c2baa69 ("init: Add support for native service
registration with lmkd"), when SIG_IGN was introduced.
Note that we caught this issue before shipping a release with that
change, so the major motivation here is to not cause a behavior change
in init.

Bug: 151581751
Test: children of init that don't explicitly block SIGPIPE exit when
      sent SIGPIPE
Test: children of init that do explicitly block SIGPIPE do not exit
      when sent SIGPIPE
Test: init does not exit when sent SIGPIPE
Test: init exits when sent SIGABRT
Change-Id: Ieda8555fd03836bcd672a422fe673a8369ad9beb
2020-03-16 10:31:34 -07:00
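The distinction the two "no-op signal handler instead of SIG_IGN" commits above rely on, shown as an added example (this is illustration code written for this page, not init's code and not from either commit): a SIG_IGN disposition is inherited across exec(), while a caught signal is reset to SIG_DFL in the new program image. The child command line and the function names are constructed for the demo; it assumes a POSIX system with /bin/sh.

```cpp
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>

#include <cerrno>
#include <cstdio>

namespace {

// Real handler that does nothing: SIGPIPE is caught and discarded in this
// process, but exec() resets caught signals to SIG_DFL in the new image.
void NoopSigpipeHandler(int) {}

// Install either SIG_IGN or the no-op handler for SIGPIPE.
bool InstallSigpipeDisposition(bool use_sig_ign) {
    struct sigaction sa = {};
    sa.sa_handler = use_sig_ign ? SIG_IGN : NoopSigpipeHandler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    return sigaction(SIGPIPE, &sa, nullptr) == 0;
}

}  // namespace

// Both dispositions protect the installing process itself: raise() returns
// and the function reports survival. (With SIG_DFL the process would die
// here and never return.)
bool ParentSurvivesSigpipe(bool use_sig_ign) {
    if (!InstallSigpipeDisposition(use_sig_ign)) return false;
    raise(SIGPIPE);
    return true;
}

// Install the disposition, then fork and exec a child that sends SIGPIPE to
// itself. Returns true if the child was killed by SIGPIPE (the disposition
// did not survive exec), false if it exited normally (SIG_IGN was inherited)
// or something went wrong. Assumes /bin/sh exists; the shell command is
// constructed for this demo.
bool ExecedChildDiesFromSigpipe(bool use_sig_ign) {
    if (!InstallSigpipeDisposition(use_sig_ign)) return false;
    pid_t pid = fork();
    if (pid < 0) return false;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", "kill -s PIPE $$; exit 0",
              static_cast<char*>(nullptr));
        _exit(127);  // exec failed
    }
    int status = 0;
    pid_t waited;
    do {
        waited = waitpid(pid, &status, 0);  // retry on EINTR by hand
    } while (waited < 0 && errno == EINTR);
    if (waited != pid) return false;
    return WIFSIGNALED(status) && WTERMSIG(status) == SIGPIPE;
}

int main() {
    std::printf("SIG_IGN: parent survives=%d, execed child killed=%d\n",
                ParentSurvivesSigpipe(true), ExecedChildDiesFromSigpipe(true));
    std::printf("handler: parent survives=%d, execed child killed=%d\n",
                ParentSurvivesSigpipe(false), ExecedChildDiesFromSigpipe(false));
    return 0;
}
```

Run it and the SIG_IGN line reports the execed child surviving its own SIGPIPE, which is exactly the behaviour change the commit describes leaking into every service init spawns; the handler line reports the child dying, i.e. the default behaviour the children expect. The same reasoning applies to any signal a supervisor ignores for its own protection: check what the children see after exec, not just what the parent sees.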
Tom Cherry
0c19d6c99f init: handle property messages asynchronously #2
A previous change moved property_service into its own thread, since
there was otherwise a deadlock whenever a process called by init would
try to set a property.  This new thread, however, would send a message
via a blocking socket to init for each property that it received,
since init may need to take action depending on which property it is.
Unfortunately, this means that the deadlock is still possible, the
only difference is the socket's buffer must be filled before init deadlocks.

This change, therefore, adds the following:
1) A lock for instructing init to reboot
2) A lock for waiting on properties
3) A lock for queueing new properties

A previous version of this change was reverted and added locks around
all service operations and allowed the property thread to spawn
services directly.  This was complex due to the fact that this code
was not designed to be multi-threaded.  It was reverted due to
apparent issues during reboot.  This change keeps a queue of processes
pending control messages, which it will then handle in the future.  It
is less flexible but safer.

Bug: 146877356
Bug: 148236233
Bug: 150863651
Bug: 151251827
Test: multiple reboot tests, safely restarting hwservicemanager
Merged-In: Ice773436e85d3bf636bb0a892f3f6002bdf996b6
Change-Id: Ice773436e85d3bf636bb0a892f3f6002bdf996b6
(cherry picked from commit 802864c782)
2020-03-16 09:21:18 -07:00
Tom Cherry
0188274148 Revert "init: handle property service callbacks asynchronously"
This is apparently causing problems with reboot.

This reverts commit d2dab830d3.

Bug: 150863651
Test: build
Merged-In: Ib8a4835cdc8358a54c7acdebc5c95038963a0419
Change-Id: Ib8a4835cdc8358a54c7acdebc5c95038963a0419
2020-03-16 09:20:22 -07:00
Tom Cherry
802864c782 init: handle property messages asynchronously #2
A previous change moved property_service into its own thread, since
there was otherwise a deadlock whenever a process called by init would
try to set a property.  This new thread, however, would send a message
via a blocking socket to init for each property that it received,
since init may need to take action depending on which property it is.
Unfortunately, this means that the deadlock is still possible, the
only difference is the socket's buffer must be filled before init deadlocks.

This change, therefore, adds the following:
1) A lock for instructing init to reboot
2) A lock for waiting on properties
3) A lock for queueing new properties

A previous version of this change was reverted and added locks around
all service operations and allowed the property thread to spawn
services directly.  This was complex due to the fact that this code
was not designed to be multi-threaded.  It was reverted due to
apparent issues during reboot.  This change keeps a queue of processes
pending control messages, which it will then handle in the future.  It
is less flexible but safer.

Bug: 146877356
Bug: 148236233
Bug: 150863651
Bug: 151251827
Test: multiple reboot tests, safely restarting hwservicemanager
Change-Id: Ice773436e85d3bf636bb0a892f3f6002bdf996b6
2020-03-12 17:15:07 -07:00
Tom Cherry
0c3d4843de Revert "Stop & Resume property service when switching to bootstrap namespace"
Dependent change was reverted.

This reverts commit 352ae2d225.

Bug: 150863651
Test: build
Merged-In: I2e11b782fcd2b7baded133a841fdcf519f702b84
Change-Id: I2e11b782fcd2b7baded133a841fdcf519f702b84
2020-03-10 16:38:44 -07:00
David Anderson
4bb500fa9a init: Fix restorecon for /metadata.
Since new files can be introduced to /metadata after the initial
restorecon, we need to skip hashing.

Bug: 150907679
Test: rollback, ls -lZ /metadata/ota
Change-Id: I1f928f519ae2c75aeedb74b70d513743e86bcf2b
2020-03-10 14:16:12 -07:00
Tom Cherry
832f9f1dbd Revert "init: handle property service callbacks asynchronously"
This is apparently causing problems with reboot.

This reverts commit 7205c62933.

Bug: 150863651
Test: build
Change-Id: Ib8a4835cdc8358a54c7acdebc5c95038963a0419
2020-03-10 11:53:11 -07:00
Tom Cherry
459ca0be74 Revert "Stop & Resume property service when switching to bootstrap namespace"
Dependent change was reverted.

This reverts commit 352ae2d225.

Bug: 150863651
Test: build
Change-Id: I2e11b782fcd2b7baded133a841fdcf519f702b84
2020-03-10 11:48:24 -07:00
Yifan Hong
d91998f1c4 init: restorecon libsnapshot rollback indicator
The rollback indicator is created during first stage init and
is unlabeled. Need to restorecon it properly so that it can
be properly deleted by update_engine later.

Bug: 149956852
Bug: 150907679
Test: apply OTA, reboot, look at serial console
Change-Id: Ie954023b557865691fec2ae378145596bf1973a9
2020-03-06 22:50:08 -08:00
Yifan Hong
dd4e7ef6ce init: restorecon libsnapshot rollback indicator
The rollback indicator is created during first stage init and
is unlabeled. Need to restorecon it properly so that it can
be properly deleted by update_engine later.

Bug: 149956852
Bug: 150907679
Test: apply OTA, reboot, look at serial console
Change-Id: Ie954023b557865691fec2ae378145596bf1973a9
2020-03-05 21:56:03 -08:00
David Anderson
960a81f4a1 init: Make sure ImageManager status files are labelled.
adb remount and snapshot-based updates use ImageManager in first-stage
init. This creates status files, which need to be labelled.

Bug: 148834619
Test: manual test
Change-Id: I72949fca2889f9e5612049844a78bf9355b48797
Merged-In: I72949fca2889f9e5612049844a78bf9355b48797
2020-03-05 21:55:12 -08:00
PO HUNG CHEN
7fc6052fd3 Merge "Refine the exported DSU status" into rvc-dev 2020-03-06 02:25:21 +00:00
Tom Cherry
6ad4d0a601 Remove EXCLUDE_FS_CONFIG_STRUCTURES
Long overdue clean up; there is no reason to include fs_config.h in
android_filesystem_config.h, and the fact that it causes problems if
it's done, necessitating EXCLUDE_FS_CONFIG_STRUCTURES to exist, is a
good reason to fix it.

Bug: 149785767
Test: build
Change-Id: I5ba2541cd1045c22486140649c90db39163081fd
2020-03-04 15:34:09 -08:00
Howard Chen
026adf0864 Refine the exported DSU status
The new exported DSU status removes the need to make blocking binder
calls out of system server during device boot.

Bug: 149790245
Bug: 149716497
Test: adb shell am start-activity \
    -n com.android.dynsystem/com.android.dynsystem.VerificationActivity \
    -a android.os.image.action.START_INSTALL \
    -d file:///storage/emulated/0/Download/system.raw.gz \
    --el KEY_SYSTEM_SIZE $(du -b system.raw|cut -f1) \
    --el KEY_USERDATA_SIZE 8589934592
Change-Id: I27fae316214498407a73474ca8b93aec3518e4b5
Merged-In: I27fae316214498407a73474ca8b93aec3518e4b5
(cherry picked from commit 2e1c6b26a1)
2020-03-04 18:24:00 +08:00
Howard Chen
14ce87c7da Merge "Refine the exported DSU status" 2020-03-04 09:16:47 +00:00
Nikita Ioffe
352ae2d225 Stop & Resume property service when switching to bootstrap namespace
Test: atest CtsUserspaceRebootHostSideTestCases
Bug: 148236233
Bug: 149745936
Merged-In: I9d30b75f4b4177175ce086c3b6a7c0bba9a17396
Change-Id: I9d30b75f4b4177175ce086c3b6a7c0bba9a17396
(cherry picked from commit 6963f81a2b)
2020-03-02 11:09:42 -08:00
Tom Cherry
d2dab830d3 init: handle property service callbacks asynchronously
A previous change moved property_service into its own thread, since
there was otherwise a deadlock whenever a process called by init would
try to set a property.  This new thread, however, would send a message
via a blocking socket to init for each property that it received,
since init may need to take action depending on which property it is.
Unfortunately, this means that the deadlock is still possible, the
only difference is the socket's buffer must be filled before init deadlocks.

There are possible partial solutions here: the socket's buffer may be
increased or property_service may only send messages for the
properties that init will take action on, however all of these
solutions still lead to eventual deadlock.  The only complete solution
is to handle these messages asynchronously.

This change, therefore, adds the following:
1) A lock for instructing init to reboot
2) A lock for waiting on properties
3) A lock for queueing new properties
4) A lock for any actions with ServiceList or any Services, enforced
   through thread annotations, particularly since this code was not
   designed with the intention of being multi-threaded.

Bug: 146877356
Bug: 148236233
Test: boot
Test: kill hwservicemanager without deadlock
Merged-In: I84108e54217866205a48c45e8b59355012c32ea8
Change-Id: I84108e54217866205a48c45e8b59355012c32ea8
(cherry picked from commit 7205c62933)
2020-03-02 11:08:50 -08:00
Tom Cherry
eb04526a1e Refactor libinit_test_utils to not use libinit and expose its libraries
Users of libinit_test_utils must include all libraries that it uses.
If it uses libinit, then there is a large number of libraries that
must be included.  To avoid this, make libinit_test_utils only use
init_common_sources and the small number of required libraries that go
along with those sources.  Additionally, expose these sources as a
default for users of libinit_test_utils.

Bug: 148236233
Test: build
Merged-In: I224fa7e0590d073e4cd40412b5dcb6f72a64b6bf
Change-Id: I224fa7e0590d073e4cd40412b5dcb6f72a64b6bf
(cherry picked from commit a2f9136b2c)
2020-03-02 11:08:26 -08:00
Bernie Innocenti
8d144f6612 Merge "Fix missing Result::ok() call in init" 2020-03-01 15:14:39 +00:00
Nikita Ioffe
284d0cf746 Reset post_data_ and services_update_finished_ on userspace reboot
Test: adb reboot userspace
Bug: 143970043
Change-Id: I77d47a8460b1526337a318547a59141334e11cdd
Merged-In: I77d47a8460b1526337a318547a59141334e11cdd
(cherry picked from commit 3ad292025c)
2020-02-29 13:18:39 +00:00
Bernie Innocenti
50dfcb02c8 Fix missing Result::ok() call in init
Test: m init
Change-Id: Ifc11f856704e6f8d08764b6ba2876423992fb8c2
2020-02-29 05:57:04 +00:00
Nikita Ioffe
dffbb4f148 If userspace reboot watchdog triggers, don't store reason in persistent property
If init is wedged, then the write will never succeed and reboot won't
happen.

Also, in case of normal reboot, move call to PersistRebootReason to the
top of DoReboot() function, to make sure we persist it even if /data is
not mounted.

Test: builds
Test: adb shell svc power reboot userspace
Test: atest CtsUserspaceRebootHostSideTestCases
Bug: 148767783
Change-Id: I4ae40e1f6fdc41cc0bcae57020fa3d3385dda1b4
Merged-In: I4ae40e1f6fdc41cc0bcae57020fa3d3385dda1b4
2020-02-28 11:40:10 +00:00
Nikita Ioffe
6963f81a2b Stop & Resume property service when switching to bootstrap namespace
Test: atest CtsUserspaceRebootHostSideTestCases
Bug: 149745936
Change-Id: I9d30b75f4b4177175ce086c3b6a7c0bba9a17396
2020-02-28 11:37:22 +00:00
Nikita Ioffe
3ad292025c Reset post_data_ and services_update_finished_ on userspace reboot
Test: adb reboot userspace
Bug: 143970043
Change-Id: I77d47a8460b1526337a318547a59141334e11cdd
2020-02-27 20:46:27 +00:00
Nikita Ioffe
d485bbbb51 If userspace reboot watchdog triggers, don't store reason in persistent property
If init is wedged, then the write will never succeed and reboot won't
happen.

Also, in case of normal reboot, move call to PersistRebootReason to the
top of DoReboot() function, to make sure we persist it even if /data is
not mounted.

Test: builds
Test: adb shell svc power reboot userspace
Test: atest CtsUserspaceRebootHostSideTestCases
Bug: 148767783
Change-Id: I4ae40e1f6fdc41cc0bcae57020fa3d3385dda1b4
2020-02-27 13:06:37 +00:00
Howard Chen
2e1c6b26a1 Refine the exported DSU status
The new exported DSU status removes the need to make blocking binder
calls out of system server during device boot.

Bug: 149790245
Bug: 149716497
Test: adb shell am start-activity \
    -n com.android.dynsystem/com.android.dynsystem.VerificationActivity \
    -a android.os.image.action.START_INSTALL \
    -d file:///storage/emulated/0/Download/system.raw.gz \
    --el KEY_SYSTEM_SIZE $(du -b system.raw|cut -f1) \
    --el KEY_USERDATA_SIZE 8589934592
Change-Id: I27fae316214498407a73474ca8b93aec3518e4b5
2020-02-27 16:34:30 +08:00
Howard Yen
bb578203a6 init: prevent persist.sys.usb.config initialized as none,adb
Prevent appending ",adb" to persist.sys.usb.config if "none" is
explicitly defined in default prop.

Bug: 150130503
Test: persist.sys.usb.config initialized correctly
Change-Id: I3b5de6fd102e252019e843f39f0875f5aaea7486
Merged-In: I3b5de6fd102e252019e843f39f0875f5aaea7486
2020-02-27 07:53:48 +08:00
David Anderson
a31834a4b6 Merge "init: Make sure ImageManager status files are labelled." 2020-02-26 17:56:03 +00:00
Howard Yen
446c4fbed0 init: prevent persist.sys.usb.config initialized as none,adb
Prevent appending ",adb" to persist.sys.usb.config if "none" is
explicitly defined in default prop.

Bug: 150130503
Test: persist.sys.usb.config initialized correctly
Change-Id: I3b5de6fd102e252019e843f39f0875f5aaea7486
2020-02-26 22:02:08 +08:00
David Anderson
c991f347b2 init: Make sure ImageManager status files are labelled.
adb remount and snapshot-based updates use ImageManager in first-stage
init. This creates status files, which need to be labelled.

Bug: 148834619
Test: manual test
Change-Id: I72949fca2889f9e5612049844a78bf9355b48797
2020-02-25 09:09:08 -08:00
Tom Cherry
0fcb22868d Merge "init: handle property service callbacks asynchronously" 2020-02-25 16:22:28 +00:00
Tom Cherry
d9de138e47 Merge "Refactor libinit_test_utils to not use libinit and expose its libraries" 2020-02-24 16:10:56 +00:00
Elliott Hughes
f77f6f003c Remove various bits of dead code and unused workarounds.
Test: treehugger
Change-Id: I68fcd5da304d04ff4da3c3f3712fb79ce6b5791e
Merged-In: I68fcd5da304d04ff4da3c3f3712fb79ce6b5791e
2020-02-22 16:53:24 +00:00
Tom Cherry
7205c62933 init: handle property service callbacks asynchronously
A previous change moved property_service into its own thread, since
there was otherwise a deadlock whenever a process called by init would
try to set a property.  This new thread, however, would send a message
via a blocking socket to init for each property that it received,
since init may need to take action depending on which property it is.
Unfortunately, this means that the deadlock is still possible, the
only difference is the socket's buffer must be filled before init deadlocks.

There are possible partial solutions here: the socket's buffer may be
increased or property_service may only send messages for the
properties that init will take action on, however all of these
solutions still lead to eventual deadlock.  The only complete solution
is to handle these messages asynchronously.

This change, therefore, adds the following:
1) A lock for instructing init to reboot
2) A lock for waiting on properties
3) A lock for queueing new properties
4) A lock for any actions with ServiceList or any Services, enforced
   through thread annotations, particularly since this code was not
   designed with the intention of being multi-threaded.

Bug: 146877356
Bug: 148236233
Test: boot
Test: kill hwservicemanager without deadlock
Change-Id: I84108e54217866205a48c45e8b59355012c32ea8
2020-02-20 14:58:06 -08:00
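The four "handle property service callbacks/messages asynchronously" commits above describe the same problem: the property-service thread must not hand each property to the main loop over a blocking socket, because once that buffer fills, the two sides wait on each other. An added example of the shape they describe (a lock for queued properties, a lock and condition for waiting on properties, and control messages queued for the main loop to handle later), written for this page and not taken from init: PropertyStore, ControlMessage and the sample property names are invented, and the "property thread" is a plain std::thread standing in for property_service.

```cpp
#include <chrono>
#include <condition_variable>
#include <cstdio>
#include <deque>
#include <map>
#include <mutex>
#include <string>
#include <thread>
#include <vector>

// A control request the main loop must act on later (e.g. ctl.start=foo).
struct ControlMessage {
    std::string command;  // "start", "stop", "oneshot_on", ...
    std::string service;
};

// State shared between the property-service thread and the main loop.
// Every method holds the lock only while touching the containers, so
// neither side ever waits for the other to make progress.
class PropertyStore {
  public:
    // Property-service thread: record the value, queue ctl.* work, wake any
    // waiter, and return immediately. No blocking write to the main loop.
    void Set(const std::string& name, const std::string& value) {
        std::lock_guard<std::mutex> lock(mutex_);
        props_[name] = value;
        if (name.compare(0, 4, "ctl.") == 0) {
            pending_.push_back({name.substr(4), value});
        }
        changed_.notify_all();
    }

    // Main loop: block until props[name] == value or the timeout expires.
    // A bounded wait turns a missing property into an error to log rather
    // than a wedged init that can no longer even reboot.
    bool WaitForProperty(const std::string& name, const std::string& value,
                         std::chrono::milliseconds timeout) {
        std::unique_lock<std::mutex> lock(mutex_);
        return changed_.wait_for(lock, timeout, [&] {
            auto it = props_.find(name);
            return it != props_.end() && it->second == value;
        });
    }

    // Main loop, once per iteration: take the whole queue and drop the lock
    // before starting or stopping any service.
    std::vector<ControlMessage> DrainControlMessages() {
        std::lock_guard<std::mutex> lock(mutex_);
        std::vector<ControlMessage> out(pending_.begin(), pending_.end());
        pending_.clear();
        return out;
    }

  private:
    std::mutex mutex_;
    std::condition_variable changed_;
    std::map<std::string, std::string> props_;
    std::deque<ControlMessage> pending_;
};

struct ScenarioResult {
    bool wait_succeeded;
    std::vector<ControlMessage> messages;
};

// Constructed scenario: while the main loop waits on a property, a second
// thread (standing in for property_service) sets several properties, two
// of them ctl.* requests that must be handled later, not inline.
ScenarioResult RunScenario() {
    PropertyStore store;
    std::thread property_thread([&store] {
        store.Set("ctl.oneshot_on", "bootanim");
        store.Set("ctl.start", "bootanim");
        store.Set("sys.boot_completed", "1");
    });
    bool ok = store.WaitForProperty("sys.boot_completed", "1",
                                    std::chrono::seconds(5));
    property_thread.join();
    return {ok, store.DrainControlMessages()};
}

// Nobody sets the property: the wait returns false after the timeout
// instead of hanging the caller.
bool WaitWithoutSetterTimesOut() {
    PropertyStore store;
    return !store.WaitForProperty("never.set", "1", std::chrono::milliseconds(20));
}

int main() {
    ScenarioResult r = RunScenario();
    std::printf("wait ok=%d, queued control messages=%zu\n",
                r.wait_succeeded ? 1 : 0, r.messages.size());
    for (const auto& m : r.messages) {
        std::printf("  ctl.%s=%s\n", m.command.c_str(), m.service.c_str());
    }
    std::printf("timeout path ok=%d\n", WaitWithoutSetterTimesOut() ? 1 : 0);
    return 0;
}
```

The point to check in any such design is the one the reverted version got wrong: the thread that receives properties must never call into service start/stop logic that was written single-threaded. Here it only appends to a queue; the main loop, which owns the services, drains that queue on its own schedule.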
Tom Cherry
a2f9136b2c Refactor libinit_test_utils to not use libinit and expose its libraries
Users of libinit_test_utils must include all libraries that it uses.
If it uses libinit, then there is a large number of libraries that
must be included.  To avoid this, make libinit_test_utils only use
init_common_sources and the small number of required libraries that go
along with those sources.  Additionally, expose these sources as a
default for users of libinit_test_utils.

Test: build
Change-Id: I224fa7e0590d073e4cd40412b5dcb6f72a64b6bf
2020-02-20 11:31:35 -08:00
Nikita Ioffe
d0bc0b6f1e Store reason in case of userspace-reboot watchdog reboot
Test: adb reboot userspace
Bug: 148767783
Change-Id: I58cf103fd5ce47eadae334376109492d0cc1c1c6
2020-02-19 20:12:07 +00:00
Mark Salyzyn
ee016ce0b3 bootstat: enhance last reboot reason property with file backing
Helps with support of recovery and rollback boot reason history, by
also using /metadata/bootstat/persist.sys.boot.reason to file the
reboot reason.

Test: manual
Bug: 129007837
Change-Id: Id1d21c404067414847bef14a0c43f70cafe1a3e2
2020-02-14 13:24:16 -08:00
Bowgo Tsai
196cc58781 Preserving /avb/* keys to /metadata
Those keys will be used for key revocation check by DSU installation
service. Note that failing to copy those keys to /metadata is NOT fatal,
because it is auxiliary to perform public key matching prior to booting
into DSU images on next boot. The actual key matching will still be done
on next DSU boot.

Bug: 146910547
Test: boot device, checks the avb keys are copied to /metadata/gsi/dsu/avb/.
Change-Id: I25a4eba82e84288bac7a859205c920628a063651
2020-02-13 15:15:20 +08:00
Steven Moreland
504e6647ff libinit_test_utils: -= libhidl-gen-utils header
Bug: N/A
Test: N/A
Change-Id: Idd558c395dfe19af9fe654941cd77bc94d3d74f4
2020-02-10 10:41:29 -08:00
Steven Moreland
579e4b3d2b Merge "libinit_test_utils: don't assume interface format" 2020-02-10 17:44:05 +00:00
Nikita Ioffe
15e4f6fe5a Merge "Don't log userspace_reboot.started/finished properties from init" 2020-02-10 17:22:03 +00:00
Tom Cherry
2157b2065e Merge "init: group source files better in Android.bp" 2020-02-10 14:49:02 +00:00
Steven Moreland
bb44cd6ea1 libinit_test_utils: don't assume interface format
These can be AIDL or HIDL interfaces. Avoid assuming the format here.

Bug: 141008902
Test: vts_ibase_test
Change-Id: If60367e3a46c74a1d28548379655f5e211f58b73
2020-02-07 13:39:35 -08:00
Nikita Ioffe
85ff4ab9a4 Don't log userspace_reboot.started/finished properties from init
Instead they will be logged from system_server. This CL just prepares
grounds for logging CL to land.

Test: adb reboot userspace
Bug: 148767783
Change-Id: Ie9482ef735344ecfb0de8a37785d314a3c0417ff
2020-02-07 14:41:39 +00:00
Treehugger Robot
39e990d477 Merge "Convert system/core to Result::ok()" 2020-02-07 06:14:16 +00:00
Tom Cherry
66196495f2 init: group source files better in Android.bp
Test: build
Change-Id: I780a82122a08840257c44bff0b93ea6b25f0b2f0
2020-02-06 12:03:05 -08:00
Tom Cherry
62662cf189 Merge "init: use ErrnoErrorf() instead of ErrnoError() << StringPrintf()" 2020-02-06 19:14:37 +00:00
Tom Cherry
91bbe9ef56 Merge "Check Errorf()/ErrnoErrorf() format string at compile time" 2020-02-06 19:14:15 +00:00
Bernie Innocenti
cecebbbacc Convert system/core to Result::ok()
No functionality changes, this is a mechanical cleanup.

Test: m
Test: cd system/core && atest
Change-Id: Ifdaa3ce1947ed578f656d5a446978726eb416c36
2020-02-06 17:04:27 +00:00
Tom Cherry
57b9428471 init: use ErrnoErrorf() instead of ErrnoError() << StringPrintf()
Test: force init to print this line and see the log message
Change-Id: Ibb74572347f915cd76cc50f4c19126b66f562810
2020-02-05 07:57:14 -08:00
Tom Cherry
f8e6bf6d81 Check Errorf()/ErrnoErrorf() format string at compile time
fmtlib provides compile time checking of format strings that we're not
currently using.  This change makes Errorf() and ErrnoErrorf() into
macros such that we can take advantage of this capability.

Test: build successfully normally
Test: fail the build if using an invalid format string
Change-Id: Icb8ba8cb973bbd1fa4755a62e7598bdbb0113757
2020-02-05 07:57:14 -08:00
Bowgo Tsai
e0f5c10691 first_stage_mount: reading all avb_keys before chroot
Avb keys used to verify a partition are stored in the first-stage
ramdisk. However, after /system is mounted, init will chroot into it.
This makes those keys inaccessible for later mounts, e.g., /vendor or
/product.

This change retains avb keys by reading all of them before chroot
into /system.

Note that it is intentional to perform public matching for both
preload_avb_key_blobs and fstab_entry.avb_keys in libfs_avb.
As some keys might only be available before init chroots into /system,
e.g., /avb/key1 in the first-stage ramdisk, while other keys might
only be available after the chroot, e.g., /system/etc/avb/key2.

Bug: 147585411
Test: specify avb_keys for a partition and checks the keys are preloaded
Test: atest libfs_avb_test
Test: atest libfs_avb_internal_test
Change-Id: I6bd490c4215480db2937cdfc3fea0d616e224a91
2020-02-05 15:51:41 +08:00
Bernie Innocenti
1cc76dfe84 Delete dangerous comparison operators from base::expected
These operators were included because they're present in the draft
standard proposal of std::expected, but they were deemed to lead to
bugs, particularly when T is implicitly convertible to bool.

Change-Id: Ib149decf1f230198f358dc1ae0eaed71961363f6
Test: m
2020-02-04 12:55:23 +00:00
Tom Cherry
db8881b769 Merge "init: handle process actions when waiting for exec services" 2020-02-03 14:02:40 +00:00
Tom Cherry
44d5ec37a7 init: handle process actions when waiting for exec services
We currently do not handle process actions (restarting services or
exiting timedout services) when we are waiting for an exec service,
but this seems to be the wrong behavior.  Particularly, an exec
service may depend on a previously started service and if that service
crashes, we will deadlock unless init restarts it.

Bug: 146920034
Test: build, boot
Change-Id: Id2fc936b8a7b989862ba4c32c398a544941e0e76
2020-01-31 08:33:36 -08:00
Nikita Ioffe
abe52dcb88 Merge "Whitelist reboot reasons related to userspace reboot failure" 2020-01-31 15:11:12 +00:00
David Anderson
21dcbd15bc Merge "remount: Use /data for backing scratch storage." 2020-01-29 17:55:06 +00:00
David Anderson
c13586faea remount: Use /data for backing scratch storage.
Currently, this is only enabled for Virtual A/B devices. When /data uses
F2FS, proper pinning support must be enabled.

Because /data cannot be mounted in recovery, we can't delete the scratch
image backed by /data while in fastbootd. Instead, we mark it as
disabled in /metadata. The remount command now has an init script that
checks for and removes a disabled scratch partition.

Bug: 134949511
Test: adb remount on V A/B device with patched F2FS
Change-Id: Ifc8720378259654472d3822e97059b6c366f601d
2020-01-28 12:04:38 -08:00
Nikita Ioffe
764c1ac8ba Trigger boot animation on userspace reboot
Also reset some more properties to make bootanimation work properly.

Test: adb reboot userspace
Bug: 148172262
Change-Id: I0154d4fe9377c019150f5b1a709c406925db584d
2020-01-28 10:42:44 +00:00
Nikita Ioffe
4a787d96ce Whitelist reboot reasons related to userspace reboot failure
Test: system/core/bootstat/boot_reason_test.sh
Bug: 135984674
Change-Id: I31422329f1109273909293a83913ae801eb1fe52
2020-01-23 00:12:02 +00:00
Ryan Savitski
cdebef1d2b Merge "init: add builtin check for perf_event LSM hooks" 2020-01-21 20:40:50 +00:00
Satoshi Niwa
1eb300dca5 init: Fix a bug in MountDir
mkdir always returns -1 for any types of errors.
errno should be checked for actual error type.

Test: m
Change-Id: I1b56d48ba48992a2f9629dc09d795c277b5b774d
2020-01-20 18:00:49 +09:00
Oli Lan
90c523b30b Give x permission on apex data directories.
This gives search (x) permission on the parent apex data
directory /data/misc/apexdata so that directories below it
may be opened. It also gives that permission on the apex
data directories themselves.

Bug: 147848983
Test: Build & flash, check perms are correct
Change-Id: I27c4ea01602002c89d0771a144265e3879d9041a
2020-01-17 11:41:04 +00:00
Howard Chen
62f35129d4 Merge "Refine the first stage mount for DSU" 2020-01-16 05:33:09 +00:00
Ryan Savitski
f0f7e70186 init: add builtin check for perf_event LSM hooks
Historically, the syscall was controlled by a system-wide
perf_event_paranoid sysctl, which is not flexible enough to allow only
specific processes to use the syscall. However, SELinux support for the
syscall has been upstreamed recently[1] (and is being backported to
Android R release common kernels).
[1] da97e18458

As the presence of these hooks is not guaranteed on all Android R
platforms (since we support upgrades while keeping an older kernel), we
need to test for the feature dynamically. The LSM hooks themselves have
no way of being detected directly, so we instead test for their effects,
so we perform several syscalls, and look for a specific success/failure
combination, corresponding to the platform's SELinux policy.

If hooks are detected, perf_event_paranoid is set to -1 (unrestricted),
as the SELinux policy is then sufficient to control access.

This is done within init for several reasons:
* CAP_SYS_ADMIN side-steps perf_event_paranoid, so the tests can be done
  if non-root users aren't allowed to use the syscall (the default).
* init is already the setter of the paranoid value (see init.rc), which
  is also a privileged operation.
* the test itself is simple (couple of syscalls), so having a dedicated
  test binary/domain felt excessive.

I decided to go through a new sysprop (set by a builtin test in
second-stage init), and keep the actuation in init.rc. We can change
it to an immediate write to the paranoid value if a use-case comes up
that requires the decision to be made earlier in the init sequence.

Bug: 137092007
Change-Id: Ib13a31fee896f17a28910d993df57168a83a4b3d
2020-01-15 20:58:15 +00:00
Nikita Ioffe
05506f05b6 Don't reboot into recovery during userspace reboot
In case one of the cryptfs calls to vdc fails, first try a normal
reboot.

Test: manual
Bug: 135984674
Bug: 143970043
Change-Id: I5706d9cd6c3a08fa06329ffb7d141de632620e3d
2020-01-15 16:27:39 +00:00
Nikita Ioffe
60ddf3a29a Merge "Change scope of ro.init.userspace_reboot.is_supported to public" 2020-01-15 14:14:08 +00:00
Nikita Ioffe
10cdc17283 Change scope of ro.init.userspace_reboot.is_supported to public
Test: atest CtsUserspaceRebootHostSideTestCases
Test: m checkbuild
Bug: 135984674
Change-Id: Ie11c6720ee21afef99b4b53415da00d8c1e446ca
2020-01-14 12:42:48 +00:00
Treehugger Robot
b7c68f777b Merge "init: document interface_* commands and ctl.* actions" 2020-01-13 22:41:44 +00:00
Tom Cherry
504eb85f9d init: document interface_* commands and ctl.* actions
Test: n/a
Change-Id: Ided7e16a00142e7235edeef3be2eddb6bb751bfc
2020-01-13 09:45:08 -08:00
Treehugger Robot
644d6a1e2e Merge "init: Bind mount /mnt/installer early for scoped storage." 2020-01-13 08:27:44 +00:00
Martijn Coenen
c70c0665fc init: Bind mount /mnt/installer early for scoped storage.
Scoped storage has some unique requirements that are hard to implement
with the two mount namespaces, because the daemon that does the mounting
(vold) lives in a different namespace than the processes using those
mounts.

In particular, /mnt/installer is a special bind mount that should
receive mount events under /mnt/user, but at the same time only
only propagate mount events under /mnt/installer to /mnt/installer in
the other namespace. More details in the code.

Bug: 134706060
Test: /mnt/installer shows up and is setup correctly.
Change-Id: I6dab5ace5a345d9d684a9f1ae94c833fc294d49e
2020-01-11 15:07:21 +01:00
Howard Chen
a841bd48f8 Refine the first stage mount for DSU
* Open the ImageManager according to the saved DSU slot.
* Load the saved install_dir when it is present. This is required
  when installing to an external storage and the current code
  seems to break it.
* Remove an unnecessary C++ using.

Test: gsi_tool install
Bug: 144247097

Change-Id: I5b7be25787f235518a25abacefa612c33861f6ef
2020-01-09 07:47:35 +00:00
Woody Lin
d377ad8b06 Merge "InitFatalReboot: Panic the system if init_fatal_panic is "true"" 2020-01-09 02:11:52 +00:00
Tom Cherry
a4b446d766 Merge "init: Fix writing "reboot recovery" to BCB" 2020-01-08 17:15:08 +00:00
Woody Lin
6bbfa26813 InitFatalReboot: Panic the system if init_fatal_panic is "true"
While handling the fatal signals and abort, exit from the signal
handler to panic the system if "androidboot.init_fatal_panic" in cmdline
is configured as "true".

Bug: 146818493
Change-Id: I59fffb7598ce981383ae24961a97fd2fd8e8d64e
2020-01-08 11:43:51 +08:00
Treehugger Robot
4d82b283dd Merge "Support AVB chain partitions for HASH descriptors" 2020-01-08 00:16:20 +00:00
Bowgo Tsai
a61c3ab44f Support AVB chain partitions for HASH descriptors
Commit Ida1a6da988c10d364b3ccdaa6c5d63e5264d1b27 allows specifying
AVB-related partitions to be probed in first-stage mount, e.g.,
"avb=vbmeta_system" in the fs_mgr_flags will make init wait for uevents
for the vbmeta_system partition, which is required for AVB verification.

However, when specifying "avb=dtbo" to chain a /dtbo partition, first-stage
init will emit the following error as it assumes all partitions are
verified by Hashtree descriptors.

  init: [libfs_avb]Hashtree descriptor not found: dtbo

This change fixes this by skipping raw partitions for first-stage mounting,
where raw partitions should already be verified by bootloader with Hash
descriptors. Although first-stage init does not perform Hash verification,
it still reads all Hash/Hashtree descriptors to calculate then compare
the "VBMeta Digest" passed from bootloader.

  https://android.googlesource.com/platform/external/avb/#The-VBMeta-Digest

The following is an example of a fstab entry to chain /dtbo partition:

  /dev/block/bootdevice/by-name/dtbo  /dtbo  emmc  defaults  slotselect,avb=dtbo,first_stage_mount

Bug: 146935233
Test: enable /dtbo as a chain partition, then boot the device
Change-Id: I590f1d9b78ef89b5aef21cb7bf19fdb90b27f808
2020-01-07 22:17:27 +08:00
Bookatz
18a7a5bd89 CtsInitTestCases secondary_user
Marks this CTS test module as supporting secondary_user, meaning that
the tests are eligible to be run from a regular Android user other
than the system user (i.e. other than user 0).

Note that 'user' here refers to the concept of users in Android
Multiuser; it is NOT the same as a uid.

Bug: 141773058
Test: module passed with secondary_user params
 (--enable-optional-parameterization --module-parameter secondary_user)

Change-Id: Ic8d29cabe2542d75c8f873b677550db9f11b3050
2020-01-06 09:54:20 -08:00
Oli Lan
dc5167205d Change ownership of apex data directories to root.
The apex data directories must be accessed by apexd in order for it to
perform snapshot and restore as part of the rollback process. As apexd
runs as root, this CL changes the apex data directories under /data/misc
to be owned by root.

Bug: 141148175
Test: Build and flash; check permissions are set correctly.

Change-Id: Ib534e705802c06900884a15f39fee257d4987f4c
2020-01-03 16:47:38 +00:00
Sam Protsenko
2c7c3c7402 init: Fix writing "reboot recovery" to BCB
When BCB (bootloader message structure inside of misc partition) is
malformed (contains some non-printable characters in its fields), the
"reboot recovery" command won't be able to write the required string to
the "command" field. It can happen for example when the partition table
was created anew and the 'misc' partition area contains some garbage.
Also this behavior can be emulated with this command:

    $ fastboot erase misc

which leads to the 'misc' partition being filled with 0xFF characters.
Hence this code:

    if (boot.command[0] == '\0') {

won't let us set a new string in the "command" field. Let's check if the
"command" field is malformed and fix it, before actually checking for
previously set content.

"fastboot erase" shouldn't be used for testing purposes though, as it
doesn't work sometimes due to alignment, on bootloader side:

    Erasing blocks 6144 to 6144 due to alignment
    ........ erased 0 bytes from 'misc'

Instead one might use "dd" command to fill 'misc' with 0xFF's:

    $ dd if=/dev/zero ibs=2k count=1 | tr "\000" "\377" >misc.img
    $ fastboot flash misc misc.img

Test: Fill 'misc' partition with 0xFF's, then do "adb reboot recovery"
Change-Id: Ica8ca31012b9b2249645e7305830c07a20dd013c
Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org>
2020-01-03 18:03:04 +02:00
Kiyoung Kim
24ccfc244b Merge "Update linkerconfig to target out directory" 2020-01-02 04:18:31 +00:00
Kiyoung Kim
3b2dbe9d75 Update linkerconfig to target out directory
Currently linkerconfig targets a specific output file. However,
linkerconfig will generate more than one file based on APEX modules, so
it should take an argument for a target directory rather than a target
file. This change updates linkerconfig's argument to point to the output
directory.

Bug: 146993126
Test: m -j passed & Cuttlefish succeeded to boot
Change-Id: I3a720a047077688582436aabd307adafeafc5398
2019-12-30 18:44:41 +09:00
David Anderson
bdaa9afbf2 Merge "init: Use ImageManager for DSUs." 2019-12-27 21:13:51 +00:00
Nikita Ioffe
018ddd7a6f Unify logic for resetting properties before userspace reboot
Since I was there, added two more properties to reset, and switched the
ordering of the sys.init.updatable_crashing and
sys.init.updatable_crashing_process_name setprops to make sure that the
process name is already set when apexd/PackageWatchdog gets notified
about sys.init.updatable_crashing.

Also fixed a typo in the HandleUserspaceReboot function.

Test: adb reboot userspace
Bug: 135984674
Change-Id: I954ec49aae0734cda1bd833ad68f386ecd808f73
2019-12-20 17:55:13 +00:00
Kiyoung Kim
80416f7a80 Merge "Generate linkerconfig per mount namespaces" 2019-12-20 03:30:33 +00:00
Kiyoung Kim
e4d3f2123f Generate linkerconfig per mount namespaces
There are two namespaces from init - bootstrap and default - and those
will have different sets of APEX modules. To support the difference
between the two namespaces, the linker config should be generated per
namespace and each namespace should use its own linker configuration. As
a first step of the work, this change will create a different mount
point for each namespace, and re-generate the linker config after APEX
mount from each namespace.

Bug: 144664390
Test: m -j passed & tested from cuttlefish
Change-Id: Iac2e222376ec4b0ced6c29eed18b21d39ff0b1ba
2019-12-20 09:46:59 +09:00
David Anderson
661ad4e54f init: Use ImageManager for DSUs.
The first_stage_mount code for DSUs predates both the DSU name and the
ImageManager abstraction. Move this code to ImageManager, so it can be
shared with overlayfs/scratch handling. And while we're here, rename GSI
to DSU for clarity.

Bug: 134949511
Test: dsu works
Change-Id: I9ef374bccc6cdbe2ada88baef4e7c0bc81b1e85e
2019-12-18 22:03:31 +00:00
Nikita Ioffe
9f473c0579 Don't proceed with userspace reboot if device doesn't support it
Test: set property to false and adb reboot userspace
Bug: 135984674
Change-Id: I11e55243df002dd54e533a6b9fc529866597d4dd
2019-12-18 18:06:47 +00:00
Jiyong Park
648ae3a9d3 Use apex name in apex_manifest.pb as the mount point
When bind-mounting flattened APEX, use the apex name found in
apex_manifest.pb as the mount point, instead of the directory name which
might be different from apex name in case when the apex is overridden.

This allowed us to remove the special casing for the ART apex since
/system/apex/com.android.art.release will be mounted to
/apex/com.android.art instead of /apex/com.android.art.release.

Bug: N/A
Test: m
Test: OVERRIDE_TARGET_FLATTEN_APEX=true m, device is bootable
Change-Id: Ibdde7002b9078db390e6672b0eb82c474925451d
2019-12-16 11:31:50 +09:00
Tom Cherry
4b077c51f2 Require 'exact', 'prefix', or '' for match operation in property_contexts
The previous code would lazily check for 'exact' and accept any other
value as a prefix match.  This should be a tighter check allowing only
'exact', 'prefix', or an empty string for this option.

Test: build fails if an invalid string is used for the match operation
Test: build succeeds normally
Test: `getprop -Z` shows exact vs prefix is differentiated correctly
Change-Id: I21dcb193810d65f468f8960967eabfd261f71e21
2019-12-11 07:56:51 -08:00
Gavin Corkery
d1f5a817af Merge "Store crashing process name in sysprop" 2019-12-11 11:50:59 +00:00
Kiyoung Kim
597eca8a8c Merge "Move linker config under /linkerconfig" 2019-12-11 02:55:06 +00:00
Gavin Corkery
5d0deb563d Store crashing process name in sysprop
As part of Watchdog-triggered rollback logging, it would
be useful to know the service which has caused
updatable_crashing to be set. Store this in a new property
sys.init.updatable_crashing_process_name.

Test: manual
Bug: 138782888
Change-Id: Iffa38b2b746abbb5d823a8d69b7b8d2456836f4e
2019-12-10 23:00:24 +00:00
Treehugger Robot
5642bd2384 Merge "init: clarify a comment" 2019-12-10 17:07:30 +00:00
Oli Lan
06126e1b6e Merge changes from topics "createapexdirs", "createapexrollbackdirs"
* changes:
  Create directory for snapshots of DE_sys apex data.
  Create DE_sys APEX data directories.
2019-12-10 12:54:43 +00:00
Tom Cherry
cbeaca541c init: clarify a comment
We do not need to set up all directories from system.img for the first
stage ramdisk, only those which first stage init mounts on.

Test: n/a
Change-Id: I877c623bac0b6dd2927ebdefa20da929ff98b341
2019-12-09 07:09:32 -08:00
Tom Cherry
c99d60cbc7 init: add missing O_CLOEXEC
Test: (hopefully) no more denials at boot
Change-Id: I7c20a9bbf27210e0ee5f1bbe69db36bb47c38892
2019-12-09 06:48:37 -08:00
Oli Lan
13e51e7f0b Create DE_sys APEX data directories.
This creates the directory /data/misc/apexdata, at the same time as other
directories under /data/misc. Then, when apexd has finished activating
APEXes, a directory is created under /data/misc/apexdata for every
APEX, with the same name as the APEX module name.

See go/apex-data-directories.

APEXes are discovered by scanning the /apex directory. It may be better
to delegate this process to a library, but it is proposed to defer that
change to a future CL.

Bug: 141148175
Test: Built and flashed, checked directories were created.
Change-Id: I639d6f490ae0b97f116ce38ff3ac348bd73aa20e
2019-12-09 11:10:42 +00:00
Kiyoung Kim
99df54be93 Move linker config under /linkerconfig
Currently the linker config is located under /dev, but this causes
problems when using two system partitions with chroot. To match the
system image and configuration, the linker config is better kept under
/linkerconfig.

Bug: 144966380
Test: m -j passed && tested from cuttlefish
Change-Id: Iaae5af65721eee8106311c1efb4760a9db13564a
2019-12-09 19:45:11 +09:00
Tom Cherry
97437a7aae init: fsync() persistent properties directory after rename()
See the inline comment on why this is necessary.

Test: persistent properties work without errors
Change-Id: I820a193fb032a1845791a55a76390d396678f151
2019-12-06 11:16:50 -08:00
Nikita Ioffe
abd504611b Merge "Remove service defined in an APEX during userspace reboot" 2019-12-06 02:35:41 +00:00
Nikita Ioffe
091c4d1439 Remove service defined in an APEX during userspace reboot
Such services will be re-parsed and added back to the service list
during post-fs-data stage.

Test: adb reboot userspace
Test: atest CtsInitTestCases
Bug: 145669993
Bug: 135984674
Change-Id: Ibb393dfe0f101c4ebe37bc763733fd5d981d3691
2019-12-05 17:51:43 +00:00
Tom Cherry
759240289b Merge "init: Replace property_set() with android::base::SetProperty()" 2019-12-05 17:26:30 +00:00
Anton Hansson
572350911a Merge "Point to exec_start from start in init documentation" 2019-12-05 17:04:25 +00:00
Anton Hansson
8c4d930805 Point to exec_start from start in init documentation
Since it mentions a caveat, it's nice to know how to avoid
that caveat.

Test: N/A
Change-Id: I487f1080058bf83a76a725735c6f283f88b0739e
2019-12-05 15:37:09 +00:00
Jooyung Han
028e1d4434 Merge "Bind-mount individual flattened APEXes" 2019-12-05 08:55:31 +00:00
Tom Cherry
c88d8f93cf init: Replace property_set() with android::base::SetProperty()
Init is no longer a special case and talks to property service just
like every other client, therefore move it away from property_set()
and to android::base::SetProperty().

In doing so, this change moves the initial property set up from the
kernel command line and property files directly into PropertyInit().
This makes the responsibilities between init and property services
more clear.

Test: boot, unit test cases
Change-Id: I36b8c83e845d887f1b203355c2391ec123c3d05f
2019-12-04 15:43:21 -08:00
Nikita Ioffe
cafa75ca22 Merge "FscryptInstallKeyring: don't re-create keyring if it's already created" 2019-12-04 19:27:52 +00:00
Nikita Ioffe
9f71d6193a Merge "Add basic support for remounting ext4 userdata into checkpoint" 2019-12-04 19:22:50 +00:00
Tom Cherry
8fa4d6c382 Merge "init: always kill oneshot services' process groups." 2019-12-04 18:16:19 +00:00
Nikita Ioffe
1f40c94a1f FscryptInstallKeyring: don't re-create keyring if it's already created
During userspace reboot FscryptInstallKeyring will be called again; this
CL will make its second call a no-op, which IMHO is better than having
special logic in init to conditionally call FscryptInstallKeyring
depending on whether it's a normal boot or a userspace reboot.

Test: adb reboot userspace
Test: checked in kernel logs that new keyring is not created
Bug: 135984674
Change-Id: I4ad5aee6887b7318fb1cd02bf1c7be8da6ece599
2019-12-04 17:47:37 +00:00
Nikita Ioffe
bee7b8c811 Add basic support for remounting ext4 userdata into checkpoint
Metadata encrypted ext4 userdata and v2 encryption keys will be
supported in follow up CLs.

Test: adb shell /system/bin/vdc checkpoint startCheckpoint 1
Test: adb reboot userspace
Bug: 135984674
Bug: 143970043
Change-Id: I8dbf3bddd811cf54d3f2b2ee2c1ea64159d8c6e0
2019-12-02 11:59:51 +00:00
Nikita Ioffe
57d7bb695b Fix typo in userspace reboot watchdog
Test: adb reboot userspace
Bug: 135984674
Change-Id: I4003683307a22e8d744748fb1311c16eb5ee1428
2019-11-28 18:25:24 +00:00
Jooyung Han
5bb9d2133a Bind-mount individual flattened APEXes
There are a few directories for builtin APEXes: /system/apex,
/system_ext/apex, /product/apex, /vendor/apex.

For devices with ro.apex.updatable=false, init should bind-mount
"flattened" apexes from all of above.

Bug: 144732372
Test: OVERRIDE_TARGET_FLATTEN_APEX=true m && device boot
Change-Id: If151145e6e3d966b202300ff3a0ddb5ec9fdaa87
2019-11-25 19:53:24 +09:00
Treehugger Robot
1b0ea6c3b3 Merge "init: fix subcontext tests running as non-root." 2019-11-21 05:15:35 +00:00
Tom Cherry
1c005f3a78 init: fix subcontext tests running as non-root.
A recently added subcontext test was failing because it was running as
non-root, but GTEST_SKIP() didn't work as I expected it to.

In retrospect, all of these tests except for the property one can
easily run as root, so this change allows all of these tests to run
as root, while fixing the original issue.

Bug: 144707143
Test: root and nonroot subcontext unit tests
Change-Id: Ia835597701698f6be2101f92d6f4c9450bd3c7dd
2019-11-20 15:55:16 -08:00
Tom Cherry
d89ed132a0 init: always kill oneshot services' process groups.
~2007 a change was added that would allow oneshot services to
daemonize by not killing their process group.  This was a hack at the
time, and should certainly not be needed now.  I've resisted removing
the behavior however, as it hadn't caused any issues.

Recently, it was detected that the cgroups that these processes belong
to, would exist forever and therefore leak memory.  Instead of simply
removing the cgroups when empty, this provides a good opportunity to
do the right thing and fix this behavior once and for all.

The new (correct) behavior only happens for devices with vendor images
built for Android R or later.  Init will log a warning to dmesg when
it detects this difference in behavior has occurred.

Bug: 144545923
Test: boot CF/Coral and see no difference in behavior.
Test: boot CF with a service that daemonizes and see the warning.
Change-Id: I333a2e25a541ec0114ac50ab8ae7f1ea3f055447
2019-11-19 15:13:17 -08:00
Nikita Ioffe
23dbd6dc11 Make userspace_reboot.in_progress sysprop-as-api
sys.init.userspace_reboot.in_progress will be used to notify all
the processes (including vendor ones) that userspace reboot is
happening, hence it should be treated as stable public api.

All other sys.init.userspace_reboot.* props will be internal to /system
partition and don't require any stability guarantees.

Test: builds
Test: adb reboot userspace
Bug: 135984674
Change-Id: Ifb64a6bfae2de76bac67edea68df44e33c9cfe2d
2019-11-15 20:07:58 +00:00
Nikita Ioffe
dc4bd2714c Merge "Add a very basic userspace reboot watchdog" 2019-11-15 15:21:19 +00:00
Tom Cherry
bc1d0b09cc Merge "init: make CheckPropertyTriggers() more efficient" 2019-11-14 23:37:30 +00:00
Nikita Ioffe
82a431eb2f Add a very basic userspace reboot watchdog
Watchdog is just a forked process that is going to fall back to the
full reboot in case device wasn't able to boot in given amount of time.

Currently this amount is hard-coded to 1 minute, but in the future it
will be controlled by a read-only property.

Also added sync calls before and after tearing down services.

Test: adb reboot userspace
Bug: 135984674
Change-Id: Ie6053c9446a6761deae6dc104036bb35b09ef0e2
2019-11-14 23:10:54 +00:00
Tom Cherry
1efc4849d7 init: make CheckPropertyTriggers() more efficient
Previously CheckPropertyTriggers() tried to do the entire property
triggers check with one loop.  However, that would require calling
GetProperty() on all properties for all triggers just in case the
property that is being set is used by a given trigger.

This change first checks that the property being set exists in each
trigger and that its value is set such that the trigger would be
triggered, only then does it check that other property triggers are
set to the right value.

Bug: 143922756
Test: boot
Test: substantially fewer GetProperty() calls from
      CheckPropertyTriggers()

Change-Id: I0228cf47328b31963eaf3fc689fb60f711532df4
2019-11-14 09:19:07 -08:00
Nikita Ioffe
c0df1874ad Add sysprops for start & end of userspace reboot
These will be useful in debugging/logging events to statsd.

Also as part of this CL, the sys.init.userspace_reboot.in_progress
property is now used as a means of synchronization. It is set directly
in DoUserspaceReboot, to make sure that all the setprop actions triggered
by userspace-reboot-requested were processed.

Test: adb reboot userspace
Test: adb shell getprop sys.init.userspace_reboot.last_started
Test: adb shell getprop sys.init.userspace_reboot.last_finished
Bug: 135984674
Change-Id: I9debcd4f058e790855200d5295344dafb30e496a
2019-11-14 01:38:05 +00:00
Tom Cherry
18278d2e9c init: make triggering shutdown from vendor_init better
Previously, we assumed that TriggerShutdown() should never be called
from vendor_init and used property service as a back up in case it
ever did.  We have since then found out that vendor_init may indeed
call TriggerShutdown() and we want to make it just as strict as it is
in init, wherein it will immediately start the shutdown sequence
without executing any further commands.

Test: init unit tests, trigger shutdown from init and vendor_init
Change-Id: I1f44dae801a28269eb8127879a8b7d6adff6f353
2019-11-13 12:41:34 -08:00
Tom Cherry
e91c76b210 Merge "init: check property type in host_init_verifier" 2019-11-13 18:41:17 +00:00
Tom Cherry
edad2bf9b6 Use PLOG and TEMP_FAILURE_RETRY for uevent socket errors
Use TEMP_FAILURE_RETRY() for recvmsg() to prevent failing
unnecessarily from EINTR.  Use PLOG(ERROR) in ueventd to display the
actual error if reading from the uevent socket does fail.

Test: build
Change-Id: I64a22698ce6ffc7573f75b57803551c7b6940e30
2019-11-13 07:21:42 -08:00
Tom Cherry
47cdf6c078 Merge "Move init and ueventd scripts from / to /system/etc" 2019-11-13 14:36:47 +00:00
Tom Cherry
b5f2ec06f5 init: check property type in host_init_verifier
We have all of the 'type' information for properties available during
build time, so let's check this when setting properties in init.

Test: setprop apexd.status bad results in:
host_init_verifier: Command 'setprop apexd.status bad'
(out/soong/.intermediates/system/core/rootdir/init.rc/android_x86_core/init.rc:927)
failed: Property type check failed, value doesn't match expected type
'enum starting ready'
host_init_verifier: Failed to parse init script
'out/soong/.intermediates/system/core/rootdir/init.rc/android_x86_core/init.rc'
with 1 errors
Test: CF builds without that error

Change-Id: Iaad07747c09f4a10b2b816c455d6e8a485357ab9
2019-11-12 10:19:21 -08:00
Tom Cherry
c9f5353ad3 Move init and ueventd scripts from / to /system/etc
There is no reason for these scripts to continue to exist in /, when
they are better suited for /system/etc.  There are problems keeping
them at / as well, particularly that they cannot be updated with
overlayfs.

Bug: 131087886
Bug: 140313207
Test: build/boot
Merged-In: I043d9a02ba588ca37ceba2c4e28ed631792b2586
Change-Id: I043d9a02ba588ca37ceba2c4e28ed631792b2586
2019-11-08 10:15:49 -08:00
Nikita Ioffe
838f5ccf9b Merge "userspace reboot: don't re-install keyring when remounting userdata" 2019-11-08 17:38:00 +00:00
Suren Baghdasaryan
8106c8e09f Merge changes from topic "native process registration"
* changes:
  init: Add support for native service registration with lmkd
  lmkd: Support process types when registering a process
  lmkd: Add library function to unregister a process
  lmkd: Prepare lmkd to support connection from init process
  lmkd: Restrict process record modifications to the client that created it
2019-11-08 17:25:10 +00:00
Treehugger Robot
be49555bca Merge "Do not run init CTS test on secondary ABI" 2019-11-08 16:29:44 +00:00
Nikita Ioffe
63898aa2b2 userspace reboot: don't re-install keyring when remounting userdata
From the implementation of FscryptInstallKeyring it looks like it will
install a new keyring on each call.

Another approach would be to change FscryptInstallKeyring to first call
request_key[0] (http://man7.org/linux/man-pages/man2/request_key.2.html),
and not add a keyring in case request_key succeeded, but it looks like
libkeyutils doesn't provide such functionality.

Since I was there, I've also added checks that we are not trying to
remount userdata on FDE devices.

Test: adb reboot userspace
Bug: 135984674
Change-Id: I2e063d7d87a3c2c26810e913a33e3a5c0364332b
2019-11-08 16:11:04 +00:00
Tom Cherry
a4eeeadcd3 Do not run init CTS test on secondary ABI
Init unit tests refer to libraries that do not exist for the
secondary ABI, and we'd rather test the libraries on the device than
statically link them, so only test the primary ABI.

Init will only run on the primary ABI in any case, and doesn't have
much arch specific code in it.

Bug: 143560509
Test: build
Change-Id: I3c1883b3b55e5a06391d2885242f38c74eab621d
2019-11-07 16:06:38 -08:00
Paul Crowley
449282c021 Merge "Make encryption action an argument to mkdir" 2019-11-07 20:06:47 +00:00
Suren Baghdasaryan
c29c2baa69 init: Add support for native service registration with lmkd
init should be able to register native services with lmkd so that they
can be killed when needed. Only processes with oom_score_adjust not
equal to the default -1000 will be registered with lmkd because with the
score that low the process is unkillable anyway.
Inform lmkd when a registered process is killed so that the record can be
removed.
Change init.rc to start lmkd during init phase so that it is there to
register other services.
Replace hardcoded oom_score_adj values with appropriate definitions.

Bug: 129011369
Test: boot and verify native service registration
Change-Id: Ie5ed62203395120d86dc1c8250fae01aa0b3c511
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2019-11-07 18:19:31 +00:00
Nikita Ioffe
ab91ee986b userspace reboot: unmount apexes and switch to bootstrap namespace
This will bring device to the state closer to the one during normal boot

Bug: 135984674
Test: adb install system/apex/shim/com.android.apex.cts.shim.v1.apex
Test: adb reboot userspace
Test: verified install succeeded
Change-Id: I6ef73bde2ca817c8a62bf19b8f1895dd0d6d2829
2019-11-07 02:13:38 +00:00
Nikita Ioffe
dbee3618be Merge "Make remount into checkpointing for ext4 userdata a no-op" 2019-11-07 02:12:57 +00:00
Treehugger Robot
e4cb2c49e3 Merge "Move comments into selinux.h and fix" 2019-11-07 00:52:42 +00:00
Nikita Ioffe
42697d3f18 Make remount into checkpointing for ext4 userdata a no-op
We are going to teamfood userspace reboot soon, and in order to gather
as much data as possible we are fine with ignoring checkpointing for the
devices with ext4 (teamfood will be a very limited set of people that
are aware of what they've signed up for).

As a result of this, we don't need to reset vold and kill the zram
backing device. Added a TODO to restore that functionality if needed.

Since I was there, fixed yet another typo in userspace-reboot-resume -_-

Bug: 135984674
Test: adb reboot userspace
Change-Id: I2b7a93aaf738fe9bec9d606d7e11aefb325550b1
2019-11-06 20:12:08 +00:00
Paul Crowley
68258e8444 Make encryption action an argument to mkdir
FscryptSetDirectoryPolicy no longer tries to infer the action from the
filename. Well mostly; it still assumes top-level directories in /data
should be encrypted unless the mkdir arguments say otherwise, but
it warns.

Bug: 26641735
Test: boot, check log messages
Change-Id: Id6d2cea7fb856f17323897d85cf6190c981b443c
2019-11-05 16:26:43 -08:00
Paul Crowley
f831f10abe Move comments into selinux.h and fix
Make comments imperative, remove redundant words, clarify API level.

Bug: 26641735
Test: treehugger
Change-Id: Icad6001321aa2274b70fdcc74f6fe176f0b2d0db
2019-11-05 09:48:24 -08:00
Mark Salyzyn
283e41de76 Merge "first_stage_init: if console enabled allow for errors in module loading" 2019-11-01 21:52:42 +00:00
Yifan Hong
8fb7f773f0 init: hack for /charger symlink
The legacy symlink from /charger to /system/bin/charger is
removed. Instead, all Android R devices are required
to use /system/bin/charger.

See hardware/interfaces/health/2.1/README.md for details.

Bug: 142286265
Test: charger mode
Change-Id: Ib478a864ef68647bc9fc14650ca3d382952b80c8
2019-10-31 18:37:02 -07:00
Mark Salyzyn
a7144f7eb2 first_stage_init: if console enabled allow for errors in module loading
Allow for module load errors if first stage console is enabled, userdebug
development builds, load what you can and continue.

Test: compile
Bug: 141311820
Change-Id: I30f3ee1129373f6ffedcf03807c212c60d4c39aa
2019-10-31 10:30:45 -07:00
Paul Crowley
7160fc1139 fs_mgr: Add stable_inodes flag to encrypted ext4
Also put libfscrypt into fs_mgr via whole_static_libs
since it's now a dependency.

Bug: 143307095
Test: we can use the inline policy on it
Change-Id: I82d7d5330abef76ce82accea25d2663748e87a8b
2019-10-30 13:35:48 -07:00
Nikita Ioffe
8a603a7f9b Merge "Userspace reboot: Support remounting userdata for f2fs" 2019-10-28 16:28:23 +00:00
Paul Crowley
82f1cbea1e Merge "Use new libfscrypt interface" 2019-10-25 18:05:26 +00:00
Nikita Ioffe
12a36076a7 Userspace reboot: Support remounting userdata for f2fs
Test: adb reboot userspace
Test: adb shell /system/bin/vdc startCheckpoint 1;
      adb reboot userspace
Bug: 135984674
Change-Id: I227f2c1cc18495d893decb2df5173fc7a7919df6
2019-10-25 16:27:10 +01:00
Paul Crowley
9107e6f4f1 Use new libfscrypt interface
Bug: 143307095
Test: treehugger
Change-Id: Icc97ff5b32e8d291a75c62640b4d9b8e4f64de09
2019-10-24 20:47:48 -07:00
Nikita Ioffe
e7ec8c81e4 init/reboot.cpp: use lower_snake_case instead of camelCase
Also removed unused parameter from TryUmountAndFsck.

Test: builds
Change-Id: I1a892a0356afb08bf0680476ae1170ea568c65e2
2019-10-25 00:44:26 +01:00
Steven Moreland
5d9cdae3f3 Merge "host_init_verifier: use libhidlmetadata" 2019-10-23 23:07:30 +00:00
Tom Cherry
5310db82b0 init: only provide control message results for devices launching > Q
This is a behavior change and may have unintended consequences,
especially in Java, where failed property sets create exceptions.
Therefore, we only provide this new behavior to devices launching > Q.

Bug: 137070994
Test: build
Change-Id: If0b44aedc5c887ea6ea16dd3ec551ac2bf793cef
2019-10-23 08:09:56 -07:00
David Anderson
c243e19936 Merge "Integrate libsnapshot with the boot control HAL." 2019-10-17 19:57:04 +00:00
David Anderson
dfe6d07a4b Integrate libsnapshot with the boot control HAL.
This patch translates UpdateState states into a MergeStatus from
IBootControl 1.1, and asks the HAL to store it. Unfortunately this patch
has to work around a few issues.

The first issue is that Soong doesn't allow including only the headers
from a HAL. The second issue is that entraining the headers requires
linking to libraries that would otherwise not be needed in init.

To address this, we now have three ways of linking to libsnapshot:
  1. libsnapshot - Has access to gsid and HALs.
  2. libsnapshot_nobinder - Has access to HALs, but not binder (for
                            recovery).
  3. libsnapshot_init - Does not use binder or HALs.

The HAL code is #ifdef'd behind LIBSNAPSHOT_USE_HAL and we make use of
forward declarations and dependency injection to minimize its spread.

Bug: 139154945
Test: libsnapshot_test gtest
Change-Id: I21ffd8a79a43d0589f2f71f346ac1b019584a183
2019-10-16 16:09:38 -07:00
Steven Moreland
422a758568 host_init_verifier: use libhidlmetadata
Since it's available in C++, it's easier to build host_init_verifier
with this than create a new way to export the json file.

Bug: 141567104
Test: manually change hidl interface in a manifest
host_init_verifier: system/core/rootdir/init.rc: 69:
host_init_verifier: Interface is not in the known set of hidl_interfaces: 'android.hardwar.edne@1.0::IFoo'. Please ensure the interface is spelled correctly and built by a hidl_interface target.
Change-Id: Ic73dcb51855cb751734bc497d8e69f379966c511
2019-10-15 14:59:18 -07:00
Tom Cherry
a5a107fb6d Merge "init: trigger shutdown directly from builtins" 2019-10-14 13:48:52 +00:00
Tom Cherry
0dbfea7b07 init: trigger shutdown directly from builtins
Especially now that property_service is a thread, there may be some
delay between when init sets sys.powerctl and when the main thread of
init receives this and triggers shutdown.  It's possible that
outstanding init commands are run during this gap and that is not
desirable.

Instead, have builtins call TriggerShutdown() directly, so we can be
sure that the next action that init runs will be to shutdown the
device.

Test: reboot works
Test: reboot into recovery due to bad /data works
Change-Id: I26fb9f4f57f46c7451b8b58187138cfedd6fd9eb
2019-10-11 13:45:42 -07:00
Nikita Ioffe
aaab596687 Only allow alphanumerical characters, '-' and '_' in event trigger names
This should help in preventing silly typos like "on foo:"

Test: atest CtsInitTestCases
Test: builds
Bug: 135984674
Change-Id: I6e4e18970e957d25dea9f557f0d31a759fbe6150
2019-10-11 17:44:54 +01:00
Nikita Ioffe
3f4b0d6113 userspace reboot: stop post-data services and wait for them to be killed
* Refactored code around stopping services a little bit to reuse it
  between full reboot and userspace reboot.
* Add a scope_guard to fallback to full reboot in case userspace reboot
  fails.
* In case of userspace reboot init will also wait for services to be
  terminated/killed and log the ones that didn't react to
  SIGTERM/SIGKILL in time.
* If some of the services didn't react to SIGKILL, fail userspace reboot.

Test: adb reboot userspace
Bug: 135984674
Change-Id: I820c7bc406169333b0f929f0eea028d8384eb2ac
2019-10-10 18:13:42 +01:00
Elliott Hughes
4d7d903e2b Merge "init: actually report which signal is causing the reboot." 2019-10-08 17:13:59 +00:00
Nikita Ioffe
f1933c910d Merge "Add a skeleton of userspace reboot" 2019-10-08 14:42:36 +00:00
Nikita Ioffe
ba6968e636 Add a skeleton of userspace reboot
This CL only draws boundaries between userspace and full reboots, and
adds some functionality that will be required for userspace reboot:

* Whether the device is shutting down is now controlled in reboot.cpp,
  since during userspace reboot this state can change.
* Now it's also possible to restart handling of control messages inside
  property service. In case of userspace reboot, init will restart it
  after stopping post-data services.
* New userspace-reboot-requested trigger is added similar to shutdown
  one for full reboot.

Test: adb reboot
Test: adb reboot userspace
Bug: 135984674
Change-Id: Id55a53ba781d2b90ce40449037b6d8d47e72c476
2019-10-08 12:16:06 +01:00
Elliott Hughes
636ebc9b3b init: actually report which signal is causing the reboot.
It wasn't clear to me why init was rebooting until I saw that it was
SIGABRT, which then made me read through earlier log spam to work out
what was actually unhappy (the SELinux compiler, in my case).

Test: worked out why init was rebooting my device
Change-Id: I605d8956213c4c23711073fd4b0ff99562b7f351
2019-10-07 18:16:23 -07:00
Treehugger Robot
4ad0da974e Merge "init: drop unused direct dependency on libcrypto.so" 2019-10-07 23:12:56 +00:00
Tobias Thierer
1be2a2ce8d init: drop unused direct dependency on libcrypto.so
When I previously tried this in https://r.android.com/1108553, it broke on
some targets but I think that may have been fixed. I'm trying it again now
to see if this now passes treehugger and sticks.

Note: There is still an indirect dependency via libfs_mgr.

Bug: 137267623
Test: Treehugger
Change-Id: I2d8b909e451bb64a1eb0719a145dfd74da1dcbad
2019-10-07 19:34:16 +00:00
Eric Biggers
736557c510 Merge changes from topic "fscrypt-key-mgmt-improvements"
* changes:
  init/fscrypt_init_extensions: support setting v2 encryption policies
  fs_mgr_fstab: support specifying encryption policy version in fstab
2019-10-07 19:09:43 +00:00
Nikita Ioffe
72d249143d Make init.updatable_crashing a read/write property
This property will need to be reset during userspace reboot, so it can't
be a read-only property anymore.

Test: builds
Bug: 135984674
Change-Id: I4e079b537cb5c725ac0b652804fdc801a6facfcf
2019-10-04 16:45:56 +01:00
Yifan Hong
5fcc2b5d71 Convert SnapshotStatus to proto
Also, add a "name" field to SnapshotStatus, and delete
the "name" arg from CreateSnapshot / WriteSnapshotStatus.
ReadSnapshotStatus will warn if the name mismatches from
the file name, and auto-correct it.

Test: libsnapshot_test

Change-Id: I725cf39c07684b100b140a8a21ea9d23ab9d2241
2019-10-03 14:26:01 -07:00
Bowgo Tsai
1a191bf54d Support loading system_ext_property_contexts
Commit I27dd391fc06a3c78e88a65c7931c84de1699f157 makes property_service
no longer load selinux property_contexts by function
selinux_android_prop_context_handle.

So we should load property_contexts from /system_ext as well in
property_service.cpp.

Bug: 137712473
Bug: 141871131
Test: `adb shell getprop -Z` to check system_ext_property_contexts is loaded
Change-Id: I49c5c725784c0d598062ae356be6226446f4942a
2019-10-02 09:24:56 +00:00
Eric Biggers
eaadc9d426 init/fscrypt_init_extensions: support setting v2 encryption policies
Support setting v2 encryption policies on init-created directories.  The
policy version to set is gotten from a new field in
/data/unencrypted/mode, which is the file that's used to pass the
encryption options from vold to init.

Also don't bother falling back to defaults if fields are missing from
this file, since it's re-written on every boot by vold.

Bug: 140500999
Test: tested as series; see If64028d8580584b2c33c614cabd5d6b93657f608
Change-Id: Ia9c5d4b80199686799e3ac80de78a50ed3bdabf4
2019-09-30 10:27:38 -07:00
Treehugger Robot
34aba6a690 Merge "Separate system_ext_sepolicy.cil out of system sepolicy" 2019-09-28 00:28:57 +00:00
Tom Cherry
3699dbe2e0 Merge "init: add tips for debugging linker errors when launching init services" 2019-09-27 15:31:42 +00:00
Tom Cherry
aef269f11b Merge changes from topic "logwrapper-api-update"
* changes:
  Update init/fs_mgr for new logwrapper function
  logwrap: convert to C++, rename function logwrap_fork_execvp().
2019-09-27 15:31:04 +00:00
Tom Cherry
9328021ce7 init: add tips for debugging linker errors when launching init services
Test: we can see linker errors in dmesg when following these tips
Change-Id: I86b65e01d06ed7c0b908c4512d55872cd5595eca
2019-09-26 15:24:40 -07:00
Treehugger Robot
f0d17fb50e Merge changes from topic "remove_ashmemd"
* changes:
  libcutils: route to /dev/ashmem<boot_id> instead of ashmemd
  ueventd: duplicate /dev/ashmem
2019-09-26 17:56:53 +00:00
Tom Cherry
3a803eb2d4 Update init/fs_mgr for new logwrapper function
Test: cuttlefish boots, fsck logs seen
Change-Id: Icbc01161b44e097be813f4af648fa671739078b9
2019-09-26 10:29:57 -07:00
Colin Cross
2a62d42704 Merge "Use libcrypto_static instead of libcrypto" 2019-09-26 14:32:33 +00:00
Martin Stjernholm
4cbf095493 Merge "Must use libdexfile_support_static in a static executable." 2019-09-26 14:24:46 +00:00
Tom Cherry
993d07fc53 Merge changes from topic "boringssl-kmsg"
* changes:
  Redirect boringssl_self_test stdio to kmsg
  init: add stdio_to_kmsg option
2019-09-25 19:56:03 +00:00
Tri Vo
ff89b8d8c2 ueventd: duplicate /dev/ashmem
We want ashmem to only be used via the libcutils API, with the long-term goal
being deprecation of ashmem in favour of memfd. To do that we route libcutils to
a new source of ashmem fds. We then phase out uses of /dev/ashmem that
don't go through libcutils using SELinux.

In Q, we introduced ashmemd as the source of ashmem fds to libcutils.
However, having a separate process and, consequently, binder hops to
handle /dev/ashmem results in performance/memory overhead.

To address the overhead, replace ashmemd with a duplicate of
/dev/ashmem. Name it /dev/ashmem<boot_id>, where boot_id is a random
number generated on each boot. This way we make sure that developers
don't accidentally depend on /dev/ashmem<boot_id>, as that name can't be
hardcoded.

Bug: 139855428
Test: writing "add"/"remove" to /sys/class/misc/ashmem/uevent correctly
adds/removes /dev/ashmem and /dev/ashmem/boot_id
Change-Id: I36d23116048bfcd99903ba46cc133161835a2cfa
2019-09-25 12:49:38 -07:00
Tom Cherry
f74b7f5756 init: add stdio_to_kmsg option
Some services are not native android services and therefore don't log
via the normal mechanisms.  This gives developers an option to have
their stdout/stderr logs sent directly to kmsg.

Test: see test prints to kernel log
Change-Id: I7973ea74d5cab3a90c2cd9a3d5de2266439d0c01
2019-09-24 12:47:14 -07:00
Martin Stjernholm
2ad47f35a7 Must use libdexfile_support_static in a static executable.
The other one compiles in dlopen() calls that won't work.

Test: Build & boot
Bug: 141485154
Change-Id: I8ab697cfbe41bd21ad47655e47a0218d52738b58
2019-09-24 17:36:30 +01:00
lijiazi
513c989908 Uevent: remove useless dir
There are no uevent files in these dirs, so there's no need to
traverse these dirs.

Test: manual

Change-Id: I57b82846ad863952d8717e6c3ab80c1e243ee4f8
Signed-off-by: lijiazi <lijiazi@xiaomi.com>
2019-09-24 17:36:45 +08:00
Howard Chen
e6d71689bb Merge "Mount multiple DSU partitions when present." 2019-09-21 02:48:37 +00:00
Tom Cherry
03642ad8b8 Merge "init: create sockets before forking" 2019-09-20 14:59:58 +00:00
Bowgo Tsai
f016f256b5 Separate system_ext_sepolicy.cil out of system sepolicy
Currently system sepolicy can be extended via:
  - BOARD_PLAT_PUBLIC_SEPOLICY_DIR
  - BOARD_PLAT_PRIVATE_SEPOLICY_DIR

To support having a single shared core system sepolicy, those
customization should be moved to the newly added system_ext partition.

System-ext-specific sepolicy files will be installed into
/system_ext/etc/selinux/*. system_ext_sepolicy.cil is merged into
precompiled_sepolicy at build-time. In case precompiled_sepolicy can't
be used (e.g. system-only-ota), the init will merge this file with
the rest of the sepolicy at runtime.

Bug: 137712473
Test: boot aosp_crosshatch with system_ext_sepolicy.cil
Test: boot aosp_crosshatch without system_ext_sepolicy.cil
Change-Id: Ib37622271b559d65462de99ff424be831004508a
2019-09-20 18:20:21 +08:00
Howard Chen
1b094939e5 Mount multiple DSU partitions when present.
There might be partitions like product or system_ext in addition
to the system partition. Those partitions can contain dependencies
required by the system so we need to make the init to recognize
these partitions and mount them accordingly.

Bug: 140092208
Test: gsi_tool install & reboot
Change-Id: Ie5ef063292c3656e79cce9f887f23a8faa1ba2be
2019-09-20 14:10:52 +08:00
Tom Cherry
5241d10049 init: create sockets before forking
There is a race condition with Service::Start and socket creation.
Since socket creation currently happens after the fork(), it's
possible that init can continue executing other commands before the
socket is created.  If init starts another service that relies on that
socket, it isn't guaranteed to be available.

Particularly, we've seen this with hwservicemanager starting after
logd, but hwservicemanager's logs sometimes not showing up.

Bug: 140810300
Test: boot and logging functions correctly

Change-Id: Ib2932e836d345830cd38f3b556598508fd953058
2019-09-19 16:10:30 -07:00
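The ordering fix described in the commit above, as an added example that is not init's own code: the service's control socket is created and bound in the parent before fork(), so it already exists on disk by the time init runs its next command, and the fd number is handed to the child through the ANDROID_SOCKET_<name> environment variable (init's real convention; the socket path under /tmp, the service name and the `struct`-free helper functions are assumptions for this example).

```c
// Added example (not init's own code): create a service's control socket in
// the parent before fork() so it exists when later commands run, then hand it
// to the child via the ANDROID_SOCKET_<name> environment convention.
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Create and bind a listening AF_UNIX socket at `path`.  This runs in the
 * parent, so when it returns the path is visible to every other service init
 * starts afterwards.  Returns the fd, or -1 with errno set. */
int create_service_socket(const char *path) {
    struct sockaddr_un addr;
    if (strlen(path) >= sizeof(addr.sun_path)) { errno = ENAMETOOLONG; return -1; }
    /* No SOCK_CLOEXEC: the fd must survive the exec() into the service. */
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);
    unlink(path);  /* remove a stale socket left by a previous instance */
    if (bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0 || listen(fd, 8) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* True if `path` exists and is a socket: what a dependent service checks. */
int socket_exists(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 && S_ISSOCK(st.st_mode);
}

/* Fork the service.  The child learns the fd from ANDROID_SOCKET_<name> and,
 * in a real service, would exec the binary; here it only verifies that the
 * inherited fd is a live listening socket and exits 0 on success.
 * Returns the child's exit status, or -1 on fork/wait failure. */
int start_service(const char *name, int sock_fd) {
    char env_name[64];
    snprintf(env_name, sizeof(env_name), "ANDROID_SOCKET_%s", name);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char buf[16];
        snprintf(buf, sizeof(buf), "%d", sock_fd);
        setenv(env_name, buf, 1);
        const char *v = getenv(env_name);
        int fd = v ? atoi(v) : -1;
        int accepting = 0;
        socklen_t len = sizeof(accepting);
        if (fd < 0 || getsockopt(fd, SOL_SOCKET, SO_ACCEPTCONN, &accepting, &len) < 0 ||
            !accepting)
            _exit(1);
        _exit(0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Assumed path for the example; init uses /dev/socket/<name>. */
    const char *path = "/tmp/example_logd_sock";
    int fd = create_service_socket(path);
    if (fd < 0) { perror("create_service_socket"); return 1; }
    printf("socket %s exists before fork: %d\n", path, socket_exists(path));
    int rc = start_service("logd", fd);
    printf("service saw a listening socket: %s\n", rc == 0 ? "yes" : "no");
    close(fd);
    unlink(path);
    return rc == 0 ? 0 : 1;
}
```

Because create_service_socket() completes before fork(), a second service started on the very next line can rely on socket_exists() being true; with the old after-fork ordering that check could observe the path missing for a short window.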
Tom Cherry
2436e6b15a init: reboot immediately if /data isn't mounted
All of the logic in reboot.cpp is meant to safely shutdown services,
safely unmount emulated RW file systems, then finally unmount the
remaining RW file systems, particularly /data.  If /data hasn't been
mounted, then none of this logic is required.

Running this logic caused a lock up when shutting down blueline from
early-init.  Vold, or potentially a related HAL, locked up during the
ShutdownVold() calls.  debuggerd separately locked up in the watchdog
thread.

Therefore, this change immediately reboots if /data is not mounted.
It also removes the lines to call into debuggerd.  debuggerd will not
run due to SELinux in any case, so it can only be used when hands-on
debugging a device.

Bug: 141082587
Test: shutdown with /data mounted continues as normal
Test: shutdown from early-init immediately shuts the device down
Change-Id: I79c72346b17c7dfe57e955d9739bcaf559badc14
2019-09-19 14:05:56 -07:00
Tom Cherry
14c2472734 init: degeneralize subcontext init into only vendor_init
This code is more generic than it needs to be and one of the side
effects is that an extra init process is forked for odm_init, despite
it having the same context as vendor_init.  I don't think anything is
going to change regarding that soon, so this change stops forking that
extra process to save its memory and simplifies the code overall.

Bug: 141164879
Test: init still uses vendor_init for vendor_scripts
Test: init unit tests
Test: init only has one subcontext process
Change-Id: I0d224455604a681711e32f89fb20132378f69060
2019-09-18 14:02:14 -07:00
Colin Cross
f117f34aed Use libcrypto_static instead of libcrypto
Replace libcrypto with libcrypto_static, which can be protected through
visibility to ensure only modules that don't affect FIPS certification
can use it.

Bug: 141248879
Test: m checkbuild
Change-Id: I5f0b9acfb57f68570f6f58f2395f2bb1bc015365
2019-09-18 11:04:35 -07:00
David Anderson
0e70ce26b8 Merge "init: Make sure /dev/block/by-name/userdata is created in snapshot mode." 2019-09-18 00:35:55 +00:00
Elliott Hughes
f3a5ab8b1d Merge "Remove the global seccomp option." 2019-09-17 20:21:09 +00:00
David Anderson
1cfcee0e4d init: Make sure /dev/block/by-name/userdata is created in snapshot mode.
When userdata is used to store COW devices, we need to ensure we've
generated uevents for it.

This patch also refactors FirstStageMount to pass required devices
through arguments rather than a member variable.

Bug: 140761481
Test: manual test
Change-Id: Ie5e1c9699f084da5467a758eea41c7907fecc5ca
2019-09-17 13:19:22 -07:00
Paul Crowley
570d20d2ac Create /data/per_boot
Bug: 140882488
Test: Booted twice, checked logs to ensure encryption
    is different each time, adb created files in directory.
Change-Id: I44f746acd1040f7baa9123d4824ba39b194f287b
2019-09-13 15:50:23 -07:00
Tom Cherry
a550e7f412 Merge "init: add reboot_on_failure service option" 2019-09-13 19:26:49 +00:00
Tobias Thierer
530d8f1d48 Merge "Set LOCAL_INJECT_BSSL_HASH for init_first_stage" 2019-09-13 16:56:06 +00:00
Tom Cherry
60971e6ce2 init: add reboot_on_failure service option
This replaces the recently added `exec_reboot_on_failure` builtin, since
it'll be cleaner to extend service definitions than extending `exec`.
This is in line with what we decided when adding `exec_start` instead
of extending `exec` to add parameters for priority.

Test: `exec_start` a service with a reboot_on_failure option and watch
      the system reboot appropriately when the service is not found and when
      the service terminates with a non-zero exit code.

Change-Id: I332bf9839fa94840d159a810c4a6ba2522189d0b
2019-09-13 16:48:35 +01:00
Colin Cross
58505923e5 Set LOCAL_INJECT_BSSL_HASH for init_first_stage
init_first_stage is built in Make and statically links libcrypto,
so it needs to set LOCAL_INJECT_BSSL_HASH to make the FIPS self
test pass.

Bug: 137267623
Test: m checkbuild
Change-Id: Icd8ec07b731228a162db9a13d7304bf1d73127aa
2019-09-13 03:31:42 +01:00
Tom Cherry
dcb3d15611 ueventd: allow using external firmware handlers
Userspace may want to load a different firmware than the one that the
kernel requests in some cases, therefore this change adds the ability
to ueventd to run an external handler that will determine the name of
the file that should actually be loaded.

Bug: 138352500
Test: unit tests
Change-Id: Ic5da37268fd78109f83ae52d1b903bf7322a5ee5
2019-09-12 12:57:22 -07:00
Tom Cherry
4e46a33c70 Merge "Reland^2: "init: run property service in a thread"" 2019-09-10 17:04:57 +00:00
Tom Cherry
e351e5ed06 Merge "ueventd: make parallel restorecon functionality optional" 2019-09-10 14:52:31 +00:00
Jon Spivack
16fb3f9e42 Allow AIDL interfaces in service parsing
Bug: 138756857
Test: Manual (using mediaextractor as a test service)
Change-Id: Ice2c695fca7062d6a115df13a6ac1d6fe82a3a98
2019-09-09 15:24:42 -07:00
Tom Cherry
4233ec7f66 ueventd: make parallel restorecon functionality optional
5aa6197d5f added the ability to
parallelize restorecon to speed up boot for devices that have not
completely moved to genfscon.  This parallel restorecon happens after
the parallel ueventd handling.

This causes a performance regression for devices that have moved to
genfscon, since previously, the restorecon() was done in the main
ueventd thread in parallel with the uevent handlers.

I also tried to run the fully parallelized restorecon in parallel with
the uevent handlers, but that did not make any change to the cold boot
time, likely due to the additional overhead of parallelizing the work.

Bug: 140458170
Test: blueline coldboot time returns to pre-regression time.
Change-Id: I3cd6a869cc9b62792466813d94ad6c69834e854e
2019-09-09 09:02:48 -07:00
Tobias Thierer
983f76b3c6 Merge "Init: Run boringssl self test via separate binaries." 2019-09-07 23:46:00 +00:00
Wei Wang
d5dff26049 Merge "init: boot into thermal shutdown target on supported devices" 2019-09-06 22:59:07 +00:00
Wei Wang
5f181bc503 init: boot into thermal shutdown target on supported devices
Bug: 137982557
Test: thermal shutdown
Change-Id: I4c7c4647e340be6be7a37a3dde6324b4d7903007
(cherry picked from commit 271014e832)
2019-09-06 11:26:43 -07:00
Treehugger Robot
7b968315ee Merge "init/fscrypt_init_extensions: remove redundant log message" 2019-09-06 17:34:05 +00:00
Tom Cherry
1ab3dfcab4 Reland^2: "init: run property service in a thread"
It's been a long standing issue that init cannot respond to property
set messages when it is running a builtin command.  This is
particularly problematic when the commands involve IPC to vold or
other daemons, as it prevents them from being able to set properties.

This change has init run property service in a thread, which
eliminates the above issue.

This change may also serve as a starting block to running property
service in an entirely different process to better isolate init from
handling property requests.

Reland: during reboot, init stops processing property_changed messages
from property service, since it will not act on these anyway.  This
had an unexpected effect of causing future property_set calls to block
indefinitely, since the buffer between init and property_service was
filling up and the send() call from property_service would then
block.  This change has init tell property_service to stop sending it
property_changed messages once reboot begins.

Test: CF boots, walleye boots, properties are set appropriately
Change-Id: I26902708e8be788caa6dbcf4b6d2968d90962785
2019-09-05 14:42:58 -07:00
Eric Biggers
7a5f6c5912 init/fscrypt_init_extensions: remove redundant log message
On every boot, there is a "duplicate" message logged at INFO level for
every system device-encrypted directory, e.g.:

    1     1 I init    : Setting policy on /data/app-private
    1     1 I init    : Encryption policy of /data/app-private set to 3a19970b1aa3abed modes 127/4

Or:

    1     1 I init    : Setting policy on /data/app-private
    1     1 I init    : Verified that /data/app-private has the encryption policy 3a19970b1aa3abed modes 127/4

(Before I51ee70706bc9ccb216ccefd7bdfbbfc57faae14d the second messages
were slightly different, but were similar and still at INFO level.)

The issue is that set_system_de_policy_on() prints its own log message,
then calls fscrypt_policy_ensure() which prints a message too; and the
second message is essentially a superset of the first.

Clean this up by removing the message from set_system_de_policy_on().

Test: Booted and checked the log.
Change-Id: I2786ba7e2dbb355f159ac9d8fe5ad1f0a4cdbfea
2019-09-05 13:20:25 -07:00
Elliott Hughes
4e6bf2510f Remove the global seccomp option.
Added in af1a9bfb8f, but it's never been
used in practice because of the performance impact, and it's incompatible
with our ability to add new system calls via a bionic module update
because it defaults to disabling all unknown syscalls, and init will
still be using the non-updated bootstrap libc from when it first shipped.

Test: treehugger
Change-Id: I8e396675fcfaf0218a92f464d15e613f43319305
2019-09-04 21:16:26 -07:00
Tobias Thierer
1136f1592a Init: Run boringssl self test via separate binaries.
Instead of init.cpp knowing about the boringssl self
test, use init.rc to exec dedicated self test executables.

Advantages:
 - The self test is run not only for the copy of libcrypto
   in /system but also for /apex/com.android.conscrypt.
 - The self test is run not only for the primary (e.g. 64bit)
   ABI but also for a secondary (e.g. 32bit) ABI.
 - The dependency on libcrypto is kept to the self test binary.
 - The self test binary abstracts the exact native API for
   running the self test (this will change soon because the
   self test will be run when the library is loaded).

Bug: 137267623
Test: Check that logcat shows both binaries being started as root,
      and finishing with exit code 0.

Change-Id: I1e716749ee2133993f0f7b2836483391fd1a62f0
2019-09-05 01:41:08 +01:00
Tom Cherry
7896e7adcc init: add exec_reboot_on_failure builtin
Add exec_reboot_on_failure builtin and refactor the VDC commands that
had similar functionality.  These will now also reboot in the case
that the program cannot be found or run for any reason.

Test: boots normally, reboots if command is not found or if command
      returns status '1'

Change-Id: I1c99498c2b741512a50188e1a325c25e9ec8fba0
2019-09-04 16:23:15 -07:00
Tom Cherry
0589aa4265 Merge "init: Always reap processes before handling properties" 2019-09-03 16:35:27 +00:00
Martin Stjernholm
0c100685dc Merge changes from topic "art-without-bionic"
* changes:
  Include com.android.runtime in the "runtime" linker namespace.
  Update logic for detecting pre-apexd services to check that the ART APEX is mounted.
  Update paths and names for the new ART APEX.
2019-09-02 10:28:30 +00:00
Treehugger Robot
dec467f271 Merge "Fix typo" 2019-08-31 13:39:37 +00:00
Tom Cherry
905a5df83d init: Always reap processes before handling properties
There is a race that manifests like this:

1) A service dies (not processed by init yet).
2) service_manager processes death notification.
3) service_manager gets checkService and calls init to start service.
4) init gets the ctl.start / ctl.interface_start for the service
   but the service already appears started, so it does nothing.
5) init gets sigchld, but doesn't do anything else to restart the
   service

We can avoid all of this if we already reap pending processes before
handling properties in the main loop of init.  Since reaping the
services calls waitid(), there's no race even if the signalfd for
sigchld hasn't triggered yet.  It also won't cost us much efficiency,
since it's only a single system call.

Test: CF boots, init unit tests pass
Change-Id: Ie24ef406055b283797b41b1821c8ebcccead4db4
2019-08-30 14:20:05 -07:00
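The race in steps 1) to 5) above, reproduced and then closed, as an added example that is not init's own code. A child that exits immediately stands in for the dead service; waitid() with WNOWAIT parks the test in the exact window where the zombie exists but init has not processed SIGCHLD yet. Handling the ctl.start request in that window drops it, because the service record still says "running"; draining exited children with a non-blocking waitid() first marks the service dead, so the same request restarts it. The `struct service` shape and the handler names are assumptions for this example.

```c
// Added example (not init's own code): reap exited children with waitid()
// before acting on a ctl.start request, so a service whose SIGCHLD init has
// not processed yet is seen as dead rather than "already running".
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Minimal stand-in for init's service record (assumed shape). */
struct service {
    const char *name;
    pid_t pid;
    int running;
};

/* Drain every child that has already exited, marking matching services as
 * stopped.  WNOHANG makes each call a single non-blocking syscall, so doing
 * this before every property/control message is cheap.  Returns the number
 * of services reaped. */
int reap_children(struct service *svcs, size_t n) {
    int reaped = 0;
    for (;;) {
        siginfo_t si;
        memset(&si, 0, sizeof(si));
        if (waitid(P_ALL, 0, &si, WEXITED | WNOHANG) < 0) break;  /* ECHILD: no children */
        if (si.si_pid == 0) break;                                 /* children exist, none exited */
        for (size_t i = 0; i < n; i++) {
            if (svcs[i].running && svcs[i].pid == si.si_pid) {
                svcs[i].running = 0;
                svcs[i].pid = 0;
                reaped++;
            }
        }
    }
    return reaped;
}

/* Fork a child that exits at once, standing in for a service that died.
 * Returns the child's pid, or -1. */
pid_t spawn_exiting_child(void) {
    pid_t pid = fork();
    if (pid == 0) _exit(0);
    return pid;
}

/* Block until `pid` has exited but leave it unreaped (WNOWAIT): the zombie
 * exists and init has not reaped it, which is the window the race lives in.
 * Returns 0 on success. */
int wait_until_exited(pid_t pid) {
    siginfo_t si;
    return waitid(P_PID, (id_t)pid, &si, WEXITED | WNOWAIT);
}

/* Handle ctl.start for `svc`.  Returns 1 if the service was (re)started,
 * 0 if the request was ignored because the service looked running. */
int handle_ctl_start(struct service *svc) {
    if (svc->running) return 0;
    pid_t pid = spawn_exiting_child();
    if (pid < 0) return -1;
    svc->pid = pid;
    svc->running = 1;
    return 1;
}

int main(void) {
    struct service svc = { "example_svc", 0, 0 };
    svc.pid = spawn_exiting_child();
    svc.running = 1;
    wait_until_exited(svc.pid);
    /* Old order: handle the control message first.  The dead service still
     * looks alive, so the request is dropped and nothing restarts it. */
    printf("ctl.start before reaping: %s\n",
           handle_ctl_start(&svc) ? "restarted" : "ignored (race)");
    /* New order: reap first, then handle the message. */
    reap_children(&svc, 1);
    printf("ctl.start after reaping:  %s\n",
           handle_ctl_start(&svc) ? "restarted" : "ignored");
    wait_until_exited(svc.pid);
    reap_children(&svc, 1);
    return 0;
}
```

The point of the commit is the ordering alone: reap_children() is the same waitid() init already issues on SIGCHLD, merely moved to run before each batch of control messages, and because the kernel state is consulted directly it is correct whether or not the signalfd has fired yet.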
Paul Lawrence
b2c2d6907f Fix typo
Test: builds
Change-Id: I4b48e8b3d457382579216482249e734f74768c71
2019-08-30 11:15:58 -07:00
Martin Stjernholm
cacf04351f Update logic for detecting pre-apexd services to check that the ART APEX is
mounted.

Necessary to make e.g. bootanimation work, which depends on (at least)
libandroidicu.so in the ART APEX.

Test: Build & boot
Bug: 135753770
Exempt-From-Owner-Approval: Approved internally
Change-Id: Ibab4f5f7a243d0815b9c70a537bae8d77dee2fbb
Merged-In: Ibab4f5f7a243d0815b9c70a537bae8d77dee2fbb
2019-08-30 17:47:31 +01:00
Martin Stjernholm
df96e1f25c Update paths and names for the new ART APEX.
Test: Build & boot
Test: atest CtsJniTestCases
Bug: 135753770
Exempt-From-Owner-Approval: Approved internally
Change-Id: Ic59b7bc8aae7ce521cf3ec9df4ab72aa611d0b75
Merged-In: Ic59b7bc8aae7ce521cf3ec9df4ab72aa611d0b75
2019-08-30 17:47:31 +01:00
Steven Moreland
9800ad839a init: -1 log for control message error paths.
Fixes: 140136969
Test: check logs
Change-Id: Id80f59927b44d1026c6e3389c80ca96baf0733c4
2019-08-29 16:08:36 +00:00
Tom Cherry
4adbd2905a Merge "Revert "Reland: "init: run property service in a thread""" 2019-08-28 17:50:00 +00:00
Tom Cherry
3da2ba6d4a Revert "Reland: "init: run property service in a thread""
This reverts commit 8efca4bbb3.

Reason for revert: Still broken

Change-Id: I3b37b1b00ff4b19f2eec2d8bd72042463d47cee3
2019-08-28 17:47:49 +00:00
Treehugger Robot
88bba95989 Merge "init: set SetKptrRestrict before early-init" 2019-08-28 17:44:55 +00:00
Tom Cherry
34f2537393 Merge "Reland: "init: run property service in a thread"" 2019-08-28 15:01:34 +00:00
Tom Cherry
15c8760403 Merge "ueventd: parallelize restorecon /sys" 2019-08-28 14:58:12 +00:00