Commit graph

4065 commits

Author SHA1 Message Date
Thiébaud Weksteen
50f03fd58e Revert "Use Apex sepolicy if it's available"
This reverts commit baeece6d0c.

Test: boot aosp_cf_x86_64_phone-userdebug
Bug: 297794885
Change-Id: I0515bc30eba42589c407deb587684b4da011aead
2023-09-06 10:52:49 +10:00
Thiébaud Weksteen
9fb6b49131 Merge "Remove SeamendcHostTest from TEST_MAPPING" into main 2023-09-05 05:10:01 +00:00
Kelvin Zhang
dba385edda Ignore 16K kernel modules when running on 4K kernel
Test: th
Bug: 293313353
Change-Id: I02ea01c8e67b9ded164c7492eea3be0aead75de1
2023-09-01 09:55:35 -07:00
Thiébaud Weksteen
18ff56d8d7 Remove SeamendcHostTest from TEST_MAPPING
Bug: 297794885
Test: TH
Change-Id: I49c6caa575ccd570085de15ddf51ea9a71abe90f
2023-08-31 14:22:48 +10:00
Yinchu Chen
3343ca2380 Increase the number of service supplementary group
OEM can add self-owned groups, but the system init cannot support if the group numbers are over than 12, relax some restrictions as appropriate.

Bug: b/296826987

Signed-off-by: Haichao Li <liuhc3@motorola.com>
Change-Id: I231d9f6c82e93c08bc97ca32df70e5b28760acbc
2023-08-25 04:24:48 +00:00
Jooyung Han
d6b65fb307 init: reset errno in do_start
do_start() ignores ENOENT intentionally to avoid logspam. It's
implemented in ErrorIgnoreEnoent. However, without resetting errno,
ErrorIgnoreEnoent will ignore unrelated errors from Service::Start() due
to the sticking errono set from other commands.

Bug: 296821716
Test: launch_cvd
Change-Id: I71d3113bdb69bdca82e2ff4f3a793301749f6c08
2023-08-22 09:59:26 +09:00
Jooyung Han
fdbf5a5eac Merge "init: clean up DelayService()" into main 2023-08-21 22:52:01 +00:00
Jooyung Han
646e001bb5 init: clean up DelayService()
ServiceList's services_update_finished flag was overlapped with the
global flag: is_default_mount_namespace_ready. Now DelayService() relies
on the is_default_mount_namespace_ready flag.

Add a service description with 'updatable' flag and invoke 'start
<name>' in 'on init' block (which comes before APEX activation).
See the log for "Cannot start an updatable service".

Bug: 293535323
Test: see the comment
Change-Id: I9341ba1a95d9b3b7c6081b530850d61f105f0a56
2023-08-21 18:37:23 +09:00
Kelvin Zhang
d479afa037 Load kernel modules from /lib/modules/uname -r_$(page_size) if present
To support booting from both 4k/16k kernels, init need to tell which
kernel we are currently booting and load the right modules. To resolve
this issue, we store 16K modules into /lib/modules/`uname -r`_16k
directory.

Test: th
Bug: 293313353
Change-Id: I4a8296384537a71e16cd20e76e6c5dfb9074f574
2023-08-18 17:04:39 -07:00
Kelvin Zhang
4b503b968c Fix uninitialized var compiler warnings
Test: th
Bug: 293313353
Change-Id: I87420a21a9c2ce1987179bf70767ea15b26cd5a5
2023-08-17 15:12:49 -07:00
Eric Biggers
87d6c8a1d5 Merge "Avoid two SELinux related error messages at boot time" into main 2023-08-14 17:33:15 +00:00
Eric Biggers
141c6a886c Avoid two SELinux related error messages at boot time
It is expected that /metadata/ota/rollback-indicator and /metadata/gsi
don't always exist, so don't call selinux_android_restorecon() on them
when they don't exist.  This eliminates the following error messages:

0     0 E selinux : SELinux: Could not get canonical path for /metadata/ota/rollback-indicator restorecon: No such file or directory.
0     0 E selinux : SELinux:  Could not stat /metadata/gsi: No such file or directory.

Test: Booted Cuttlefish and verified the error messages are gone
Change-Id: I94c998556c85adde5f11f134178219ba7880c2be
2023-08-11 21:12:16 +00:00
Jooyung Han
2982f09d57 Dedup apex-scanning
create_apex_data_dirs() now uses GetApexListFrom(dir) in
apex_init_util.cpp.

This is essentially a refactoring, but there are a few behavioral
changes, which I think make more sense.
- Emits no error when opendir(/apex) fails.
- Emits errors when mkdir fails for each apex.
- Does not abort `perform_apex_config` even though create_apex_data_dirs
  fails.

Bug: 293546778
Test: check /data/misc/apexdata/ after boot
Change-Id: I9d1a9710a6a626eec087c8c0fb1768667ffb036e
2023-08-11 14:14:37 +09:00
Jooyung Han
55ef3d6104 Skip bootstrap APEX RC files for the second round
Reading .rc files from bootstrap APEXes causes "double loading".
This works for services because init just ignores duplicates. But it
emits error logs, which can mislead even though there's no actual
errors. Besides, for actions, duplicates can cause a problem when
commands are not idempotent.

So, when loading RC files from APEXes for the second time, we'd better
skip those bootstrap APEXes.

Bug: 290148081
Test: VendorApexHostTestCases
Change-Id: Ia630dbd14046064b5e5c612c01ebacf57091c8d4
2023-08-11 10:02:08 +09:00
Jooyung Han
5c4217cf6e Read .rc files from bootstrap apexes
To start an early_hal service from a bootstrap vendor apex, init now
reads .rc files from bootstrap apexes as well.

In this change, perform_apex_config command is re-purposed to support
bootstrap mode. Now we have some similarity between two apexd calls:

- for bootstrap apexes (in the bootstrap mount namespace):

  exec_start apexd-bootstrap
  perform_apex_config --bootstrap

- for normal apexes (in the default mount namespace):

  restart apexd
  ...
  wait_for_prop apexd.status activated
  perform_apex_config

Note that some tasks in perform_apex_config are not needed in the
bootstrap.  For example, we don't need to create apexdata directories
for bootstrap apexes.

Bug: 290148081
Test: VendorApexHostTestCases
Change-Id: I8f683a4dcd7cd9a2466a4b1b417d84c025c37761
2023-08-10 15:40:06 +09:00
Jooyung Han
566c65239f Use /bootstrap-apex for bootstrap APEXes
This new directory is bind-mounted to /apex in the bootstrap mount
namespace so that apexd-bootstrap mounts bootstrap APEXes there via
/apex.

The directory is shared between two mount namespaces, hence visible
in the default mount namespace.

Bug: 290148078
Test: VendorApexHostTestCases
Change-Id: I841480e41be8def5a4c6a4aa874c4e21465a71d3
2023-08-09 17:27:39 +09:00
Yi-Yo Chiang
da5323e2d6 init: Use libfs_mgr kernel cmdline parser
Bug: 293695109
Test: CtsFsMgrTestCases
Change-Id: Ie2567d84cb80c392ad68aef0c438d8acc03a311e
2023-08-02 17:59:05 +08:00
Yi-Yo Chiang
79ad1e2e9b init: Unify kernel bootconfig parser with libfs_mgr
Right now there are two bootconfig parsers that gets linked into `init`.
One is from libinit itself and the other is from libfs_mgr.

The one in libinit removes all space characters between list elements,
so `key = "val1", "val2"` gets unquoted and squeezed into:
  `key=val1,val2`
The one in libfs_mgr doesn't remove spaces, it only unquotes:
  `key=val1, val2`

The libinit behavior is due to existing systems (such as sysprop)
expect the config value to be in the same format as kernel cmdline.
(aosp/1757971)
THe libfs_mgr behavior is due to the `androidboot.boot_device[s]`
format explicitly allows quoted comma appear in its list value, thus
relies on space, not comma, as the list value delimeter.

This commit merges the two parsers into libfs_mgr. Since all usages in
libfs_mgr besides `boot_device[s]` do not care about how list value are
delimited, and most usages in init expects the bootconfig value format
to be the same format as cmdline. We just special case the
`boot_device` scenario.

Also harden the test cases to cover all the different config value
format and expected result.

Note:
The format of kernel bootconfig is described here
https://docs.kernel.org/admin-guide/bootconfig.html

Bug: 293695109
Test: CtsFsMgrTestCases
Change-Id: I42b9bf626e8de38a60e8e09fac0693126b7efd91
2023-08-02 09:57:37 +00:00
Yi-Yo Chiang
0b30e34a04 Merge "init: Unify duplicated get_android_dt_dir with libfs_mgr" into main 2023-08-02 09:56:36 +00:00
Jooyung Han
deff223842 Merge "Revert "Use /bootstrap-apex for bootstrap APEXes"" into main 2023-08-01 10:44:45 +00:00
Yi-Yo Chiang
b8c23259b1 init: Unify duplicated get_android_dt_dir with libfs_mgr
init and libfs_mgr both defines get_android_dt_dir() with subtle
differences. Merge the two implementations into libfs_mgr to reduce code
duplication (in terms of source code and code gen)

Note:
init's implementation checks the kernel cmdline first and then the
kernel bootconfig, while libfs_mgr's order is the opposite.
Realistically I don't think this order matter much though. If any, we
should prioritize bootconfig over kernel cmdline most of the time.

Bug: 293695109
Test: Presubmit
Merged-In: Ic8d2c965c62f9e873ccdaf77d67c7708f25a7b56
Change-Id: Ic8d2c965c62f9e873ccdaf77d67c7708f25a7b56
2023-08-01 10:15:05 +00:00
Jooyung Han
840691be71 Revert "Use /bootstrap-apex for bootstrap APEXes"
Revert submission 2666915-share-bootstrap

Reason for revert: b/293949266 vold_prepare_subdirs fails to create apexdata directories.

Reverted changes: /q/submissionid:2666915-share-bootstrap

Change-Id: I3e97e8511755844de4b54f51ff20afc154bd8e74
2023-08-01 09:06:47 +00:00
Jooyung Han
58ba0b44c2 Merge "Use /bootstrap-apex for bootstrap APEXes" into main 2023-07-31 21:53:57 +00:00
Jooyung Han
201801ce8e Use /bootstrap-apex for bootstrap APEXes
This new directory is bind-mounted to /apex in the bootstrap mount
namespace so that apexd-bootstrap mounts bootstrap APEXes there via
/apex.

The directory is detached from /apex in the default mount namespace but
still visible in case bootstrap APEXes are needed.

However, there are (mostly, virtual) devices which don't need two mount
namespaces. Those devices don't need to make /bootstrap-apex directory
at all.

Bug: 290148078
Test: atest VendorApexHostTestCases
Test: atest MicrodroidTests
Change-Id: I541cec71d9970b14971d46e01e4808b23590dbed
2023-07-31 18:16:46 +09:00
Jooyung Han
5ffd88f26f init: move MarkServicesUpdate later
MarkServicesUpdate() starts delayed services which are mostly for
APEXes. (e.g. start a service from APEX). But before
"DefaultNamespaceReady", services are started in "bootstrap" mount
namespace, which makes services from non-bootstrap APEXes fail to start.

This is a quick fix for the problem before coming up with better
solution in the future.

Bug: 293535323
Test: add 'start adbd' before 'perform_apex_config' in init.rc
      adbd starts successfully.
Change-Id: I846689f7c38cdca83c1f7faec0106b8174527e09
2023-07-28 17:28:27 +09:00
Yi-Yo Chiang
6b57c885d3 Merge "init_first_stage: Disable ThinLTO" into main 2023-07-21 05:08:13 +00:00
Yi-Yo Chiang
4d6fa8ccaf init_first_stage: Disable ThinLTO
Static executables + x86 target build + ThinLTO produces bug behavior.
Global variables are not constructor initialized, resulting in faulty
runtime behavior.

Bug: 169004486
Bug: 291033685
Test: Treehugger
Change-Id: I777016cceb4851f2b432a37bc4d29aed56c23804
2023-07-20 18:47:16 +08:00
Jakob Vukalovic
e377432924 ueventd: Fix creation of VFIO dev nodes
VFIO nodes, both the container (`vfio`) node and group (numbered)
nodes, should be located in `/dev/vfio`. This change prevents
ueventd from flattening that structure.

Test: Bind a device to VFIO driver to create a VFIO group
Change-Id: I635e9febe6bb52718df263e735479f361eacad4c
2023-07-19 10:03:10 +01:00
Eric Biggers
53ed745e3f init: avoid ERROR log due to missing SEPolicy.zip
One of the first ERROR messages in logcat of a normal boot of Cuttlefish
is from failure to open SEPolicy.zip.  This condition is expected.
Therefore don't try to load SEPolicy.zip when it doesn't exist.  This
replaces the following log messages:

0     0 I init    : Error: Apex SEPolicy failed signature check
0     0 I init    : Loading APEX Sepolicy from /system/etc/selinux/apex/SEPolicy.zip
0     0 E init    : Failed to open package /system/etc/selinux/apex/SEPolicy.zip: No such file or directory

... with just:

0     0 I init    : No APEX Sepolicy found

Change-Id: If3a77407c35130165df5782b9ef91912e8374dbf
2023-07-17 20:45:44 +00:00
Eric Biggers
42164ff920 Merge changes from topic "fsverity-init-cleanup" into main
* changes:
  init.rc: stop using fsverity_init --lock
  init: remove unfinished fsverity signature support for APEX sepolicy
2023-07-17 20:10:28 +00:00
Eric Biggers
ab74dbb197 init: simplify queue_fs_event()
Combine some cases that are handled identically, and remove the
'userdata_remount' parameter which is unused.  No change in behavior.

Test: presubmit
Change-Id: I0567e47d02942af7865c155dab76e6d0e9d71a1f
2023-07-10 17:58:36 +00:00
Nikita Ioffe
df0e96e962 Only allow debuggable Microdroid VMs to mount /vendor
Until the verification of the /vendor partition we restrict the usage of
the feature to only debuggable VMs. If a non-debuggable Microdroid VM
is requested to mount /vendor, first_stage_init will crash and the VM
won't boot.

Bug: 285855436
Test: vm run-microdroid --debug none --vendor test_vendor.img
Change-Id: I9d44ad5c1d971bac1a9173c291ce61b628f2f8e9
2023-07-07 14:46:23 +01:00
Nikita Ioffe
440354afa0 Support for conditionally mounting /vendor partition in Microdroid
first_stage_init will only mount the /vendor partition in Microdroid if
the androidboot.microdroid.mount_vendor=1 is provided in the kernel
cmdline.

Bug: 285855433
Test: atest MicrodroidTestApp
Change-Id: I5b840b5474bc52ec2696a0ba6ead0476acddfb1a
2023-07-07 14:45:58 +01:00
Nikita Ioffe
f17079ff58 Small refactoring in first_stage_mount
The existing approach in first_stage_init/first_stage_mount makes it
harder to add conditional logic that should only be applied for
Microdroid. Additionally, it forces the FirstStageMount object to be
created twice.

This change refactors the control flow to make first_stage_init take the
ownership of the FirstStageMount object. It will help with the follow up
change (which will add logic to conditionally mount /vendor partition
while booting Microdroid). As a nice side effect, this refactoring also
fixes the problem of the FirstStageMount being created twice.

This change also merges the FirstStageMount and FirstStageMountVBootV2
in a single class, since nobody actually uses FirstStageMount.

Bug: 285855433
Test: device boots
Test: atest MicrodroidTestApp
Change-Id: I38a72c0f20e7c1ac70031498aeeca22b091fa827
2023-07-07 14:45:01 +01:00
Eric Biggers
0b2c5cde1f init: remove unfinished fsverity signature support for APEX sepolicy
The APEX sepolicy feature has unfinished support for verifying the
sepolicy file using fsverity with a builtin signature.  However, this
was never finished and doesn't really make sense, since the
already-implemented scheme that uses a full-file hash combined with a
userspace signature check is better suited to the problem.  Therefore,
remove this unfinished code.

Bug: 290064770
Test: presubmit and booting Cuttlefish
Change-Id: I3403a3303bcea32c7340642b843cd1541fe1fd2f
2023-07-06 18:39:01 +00:00
Jooyung Han
c288e14001 Merge "No need to read ro.apex.updatable now" 2023-06-27 00:55:25 +00:00
Nikita Ioffe
a66adf45aa init selinux.cpp: use a better way to detect if we run in Microdroid
We are now conditionally compiling init binaries & libinit for
Microdroid (adding -DMICRODROID=1 cflag), so instead of checking for the
presence of the /system/etc/selinux/microdroid_precompiled_sepolicy we
can check if the code is compiled for Microdroid.

In a follow-up changes we can split the sepolicy loading logic into 2
separate headers (one for Android and one for Microdroid) and include
the necessary one depending on the target we compile for.

Bug: 287206497
Test: atest MicrodroidTestApp
Change-Id: Id9c837d03a96ff9564688d33955ec85094eee487
2023-06-26 16:43:16 +01:00
Jooyung Han
918971c69e No need to read ro.apex.updatable now
Bug: 288202251
Test: m
Test: device boots
Change-Id: I97a3c2fab69489cdfbb5103b148194d7e2ee4d1a
2023-06-23 14:22:44 +09:00
Steven Moreland
14e7b76dcf init_kill_services_test: wait 120s for apexd
This is likely waiting for the Java garbage collector to run,
and due to the lockless implementation of BinderProxyNativeData
and BpBinder, it's very difficult to efficiently force this
object to be deleted.

Change-Id: I4df667b9b47327967a43d75664fb506b8704f905
Fixes: 285458033
Test: N/A
2023-06-22 18:56:09 +00:00
Nikita Ioffe
55dd32538f Introduce microdroid variants of init_first_stage and init_second_stage
These variants will compile with -DMICRODROID flag, which will allow us
to exclude init features that are not needed for Microdroid, and
introduce features that only work in Microdroid.

Bug: 287206497
Test: build com.android.virt APEX
Change-Id: Ib9af0cfcdf06c70fc39e6e6ac8ef07bb69982969
2023-06-21 16:44:40 +01:00
Nikita Ioffe
448b70a268 Merge "Reland "Treat Microdroid as OS with monolithic sepolicy"" 2023-06-15 10:27:39 +00:00
Treehugger Robot
642929f8f8 Merge "init_kill_services_test: binder logs on apexd fail" 2023-06-15 01:57:30 +00:00
Steven Moreland
1501b0c344 init_kill_services_test: binder logs on apexd fail
Print logs necessary to understand why apexd isn't shutting
down when this test fails, due to a rare flake.

Bug: 285458033
Test: init_kill_services_test (and cause this error to be hit)
Change-Id: Ic9cbf7b2b9fa89504e4a53597065e94c32233e12
2023-06-15 00:44:31 +00:00
Nikita Ioffe
fa33f85f52 Reland "Treat Microdroid as OS with monolithic sepolicy"
Bug: 285855150
Test: presubmit
Change-Id: I477e1ef7268ac8e7d0fdae7ffcc611a69bb9d4fe
2023-06-14 20:31:17 +00:00
Pawan Wagh
85f52dd1ac Revert "Treat Microdroid as OS with monolithic sepolicy"
Revert submission 2625691

Reason for revert: b/287283650

Reverted changes: /q/submissionid:2625691

Change-Id: Ie62bbb4d4f1af528f42aafde79407b151bab46f9
2023-06-14 18:28:19 +00:00
Nikita Ioffe
94ef7122d6 Treat Microdroid as OS with monolithic sepolicy
Bug: 285855150
Test: atest MicrodroidTestApp
Change-Id: Idfda3044716a021888017adef801ef67775a3eda
2023-06-14 13:28:05 +01:00
Jiyong Park
acfc93f924 Merge "init: non-crashing service can restart immediately" 2023-06-12 01:02:34 +00:00
Jiyong Park
0d277d777f init: non-crashing service can restart immediately
This CL allows restart_period to be set to a value shorter than 5s.
Previously this was prohibited to rate limit crashing services. That
behavior is considered to be a bit too conservative because some
services don't crash, but exit deliverately.

adbd is the motivating example. When adb root or adb unroot is
requested, it changes its mode of operation (via sysprop), exits itself,
and restarts (by init) to enter into the mode. However, due to the 5s
delay, the mode change can complete no earlier than 5 seconds after adbd
was started last time. This can slow the mode change when it is
requested right after the boot.

With this CL, restart_period can be set to a value smaller than 5. And
services like adbd can make use of it. However, in ordef to rate limit
crashing service, the default is enforced if the service was crashed
last time. In addition, such intended restart is not counted as crashes
when monitoring successive crashes during booting.

Bug: 286061817
Test: /packages/modules/Virtualization/vm/vm_shell.sh start-microdroid \
 --auto-connect -- --protected
* with this change: within 2s
* without this change: over 6s

Change-Id: I1b3f0c92d349e8c8760821cf50fb69997b67b242
2023-06-09 13:06:06 +09:00
David Anderson
07533c520c init: Fix ramdump when enabling shutdown animations.
Fix a bug where services weren't stopped properly if shutdown animations
were enabled.

Bug: 285241485
Test: Pixel w/ ro.init.shutdown_animation=true
Change-Id: I7f35572b5223f03f3f5a341fa7b5e90c01d56ce3
2023-06-05 12:59:54 -07:00
Treehugger Robot
852e22d7c3 Merge "ueventd: Wait for runtime apex before running external firmware handler" 2023-05-25 01:40:10 +00:00