Commit graph

190 commits

Author SHA1 Message Date
Colin Cross
2a62d42704 Merge "Use libcrypto_static instead of libcrypto" 2019-09-26 14:32:33 +00:00
Martin Stjernholm
2ad47f35a7 Must use libdexfile_support_static in a static executable.
The other one compiles in dlopen() calls that won't work.

Test: Build & boot
Bug: 141485154
Change-Id: I8ab697cfbe41bd21ad47655e47a0218d52738b58
2019-09-24 17:36:30 +01:00
Colin Cross
f117f34aed Use libcrypto_static instead of libcrypto
Replace libcrypto with libcrypto_static, which can be protected through
visibility to ensure only modules that don't affect FIPS certification
can use it.

Bug: 141248879
Test: m checkbuild
Change-Id: I5f0b9acfb57f68570f6f58f2395f2bb1bc015365
2019-09-18 11:04:35 -07:00
Elliott Hughes
f3a5ab8b1d Merge "Remove the global seccomp option." 2019-09-17 20:21:09 +00:00
Colin Cross
58505923e5 Set LOCAL_INJECT_BSSL_HASH for init_first_stage
init_first_stage is built in Make and statically links libcrypto,
so it needs to set LOCAL_INJECT_BSSL_HASH to make the FIPS self
test pass.

Bug: 137267623
Test: m checkbuild
Change-Id: Icd8ec07b731228a162db9a13d7304bf1d73127aa
2019-09-13 03:31:42 +01:00
Elliott Hughes
4e6bf2510f Remove the global seccomp option.
Added in af1a9bfb8f, but it's never been
used in practice because of the performance impact, and it's incompatible
with our ability to add new system calls via a bionic module update
because it defaults to disabling all unknown syscalls, and init will
still be using the non-updated bootstrap libc from when it first shipped.

Test: treehugger
Change-Id: I8e396675fcfaf0218a92f464d15e613f43319305
2019-09-04 21:16:26 -07:00
David Anderson
c8edf84d45 init: Add first-stage init support for snapshot-based partitions.
Note that /metadata must now be mounted before CreateLogicalPartitions()
is called. This is because SnapshotManager overrides the default
partitioning scheme, and the only way to tell if a SnapshotManager is
needed is via the metadata partition.

Bug: 139204329
Test: manual test
Change-Id: I812df6c4c0d4d8753b1516f63dc70c5bc3e1c09c
2019-08-21 12:27:56 -07:00
David Anderson
924858cd18 libdm: Improve the reliability of dm device paths.
This fixes a race condition where WaitForFile() after
GetDmDevicePathByName appears to succeed, but a subsequent operation on
the path fails. This can happen when CreateDevice() is called
immediately after a call to DeleteDevice (from any process), and the
path is re-used, enqueuing udev events to remove and re-add the block
device.

The fix for this is to introduce a new variant of CreateDevice() that
has a timeout parameter. When the timeout is positive, CreateDevice()
will wait for a /dev/block/mapper/by-uuid symlink to be created, which
signals that ueventd has finished processing the operation.

ueventd will now create these by-uuid symlinks for device-mapper nodes.
Unfortunately, the uuid is only available during "change" events, so we
have to special case device-mapper symlink creation. And since the uuid
is not available during "remove" events, we simply find matching links
to remove them.

This ensures that callers of CreateDevice() can use the device path
knowing that no asynchronous removals are pending. Code that uses the
old CreateDevice+WaitForFile pattern will be transitioned to the new
method.

Note that it is safe to ignore the timeout, or to use the "unsafe"
CreateDevice, if the caller ensures the path by other means. For example
first-stage init has no device removal, and regenerates uevents until
it has acquired all the paths it needs.

Finally, since libdm now inspects sysfs unconditionally, libdm consumers
need r_dir_file perms for sysfs_dm in their sepolicy. Additionally
linking to libdm now requires linking to libext2_uuid.

Bug: 135771280
Test: libdm_test
      device flashes, boots
Change-Id: If5a7383ea38f32a7fbbcf24842dce6a668050a70
2019-07-11 15:39:52 -07:00
Steve Muckle
d75f30a4f0 first_stage_init: add console
Start and wait on a console if androidboot.first_stage_console=1 is
present on the kernel command line. This only works on eng and
userdebug builds.

Change-Id: I978e9390a89509431b399ea58b284736b27eeb1b
2019-07-08 09:33:24 -07:00
Steve Muckle
18b981ea7c create libmodprobe, integrate into first_stage_init
Modprobe functionality is required both within first stage init and also
as a standalone binary. Create a library for this using and extending
the logic in modalias_handler.cpp.

First stage init will attempt to load modules from /lib/modules.

Bug: 129780532
Change-Id: Ie3582358fd839c2f64e1b386b30ed551a86aef5d
2019-06-18 13:24:56 -07:00
Vic Yang
92c236e41b init: Refactor selinux.h/cpp
This change factors out functions that handle selabels from
selinux.h/cpp into selabel.h/cpp.  This allows util.cpp to be used by
the upcoming native zygote without a bunch of define flags that are
required for selinux.cpp.

Bug: 133443795
Test: Build and boot cuttlefish.
Change-Id: Ie238a96c6407c6698a605dd8803c1727abfaae7b
2019-05-29 15:09:39 -07:00
Tom Cherry
59656fb377 init: dump stack when aborting
Dump init stacks when aborting either due to LOG(FATAL) or in
userdebug/eng builds due to signals, including signals from
sanitizers.

Doesn't work for static first stage init yet, b/133450393 tracks
that.

Also, ensure that LOG(FATAL) in child processes calls abort() in all
stages of init, not just 2nd stage init.

Bug: 131747478
Test: abort init in various ways and see stacks
Test: hang or crash in backtrace handler and see child reboot
Change-Id: Ib53b5d3e7e814244203f875de016ada9900dfce8
2019-05-29 08:58:29 -07:00
Treehugger Robot
2ddb8df2ef Merge "Adding adb_debug.prop into debug ramdisk" 2019-04-23 02:01:36 +00:00
Bowgo Tsai
05f07d89a6 Adding adb_debug.prop into debug ramdisk
The debug ramdisk can only be used if the device is unlocked.
When it's used, init will load adb_debug.prop and the userdebug
sepolicy from the debug ramdisk, to allow adb root on a user build.

Bug: 126493225
Test: 'make' and checks the file is installed
Change-Id: Id6962414197fc8f47f7c07818e8fb16107dc17a3
2019-04-20 06:08:51 +00:00
Bowgo Tsai
30afda71c0 Copying debug ramdisk files to /debug_ramdisk/*
In previous implementation, userdebug sepoilcy and property files are
loaded from the system.img. This CL changes this to:

  - first-stage init copies userdebug files from ramdisk to /debug_ramisk/*
  - second-stage init loads files from /debug_ramdisk/*.

Note: same as before, the above can only be triggered, if the device
is UNLOCKED

With this, we don't have to put userdebug related files into the USER
system.img.

Bug: 126493225
Test: boot device with a ramdisk with /force_debuggable, checks related
      files are loaded
Change-Id: I63f5f846e82ba78427062bf7615c26173878d8f3
2019-04-19 09:56:14 +08:00
Jeff Vander Stoep
402e4a6615 init: make sepolicy dependency optional
Test: make system/core/init
Change-Id: Ie2e7ba57fe885baf017ef12334aea7f2f9f8f0c1
2019-03-19 17:01:09 -07:00
Jeffrey Vander Stoep
e21d07fbab Merge "selinux: use the policy version defined in sepolicy" 2019-03-19 21:44:59 +00:00
Jiyong Park
e5dc674a95 Make /apex on ramdisk
Bug: 127576519
Bug: 127653919
Test: build hikey, check ramdisk has /apex directory
Change-Id: I4e844caa032c0717bd36d323675852ce3681fb01
2019-03-07 11:17:44 +09:00
Jiyong Park
8502ed308d Access apex sysprops via the generated API
Bug: 125549215
Test: m
Change-Id: Ie9b0aa5eec5931da3512d77613b034e5bd760f3e
2019-03-05 16:22:55 +09:00
Jeff Vander Stoep
724eda5503 selinux: use the policy version defined in sepolicy
In the current setup, init uses the highest policy version supported
by the kernel, instead of the policy version defined in policy. This
results in inconsistency between precompiled (version 30) and
on-device compiled policy (version 30 or 31). Make these consistent.

Bug: 124499219
Test: build and boot a device. Try both precompiled and on-device
compiled policy.

Change-Id: I0ce181916f43db17244c4d80f5cf5a91bbb58d3a
2019-02-25 10:47:29 -08:00
Jiyong Park
6866041ff0 Proper mount namespace configuration for bionic
This CL fixes the design problem of the previous mechanism for providing
the bootstrap bionic and the runtime bionic to the same path.

Previously, bootstrap bionic was self-bind-mounted; i.e.
/system/bin/libc.so is bind-mounted to itself. And the runtime bionic
was bind-mounted on top of the bootstrap bionic. This has not only caused
problems like `adb sync` not working(b/122737045), but also is quite
difficult to understand due to the double-and-self mounting.

This is the new design:

Most importantly, these four are all distinct:
1) bootstrap bionic (/system/lib/bootstrap/libc.so)
2) runtime bionic (/apex/com.android.runtime/lib/bionic/libc.so)
3) mount point for 1) and 2) (/bionic/lib/libc.so)
4) symlink for 3) (/system/lib/libc.so -> /bionic/lib/libc.so)

Inside the mount namespace of the pre-apexd processes, 1) is
bind-mounted to 3). Likewise, inside the mount namespace of the
post-apexd processes, 2) is bind-mounted to 3). In other words, there is
no self-mount, and no double-mount.

Another change is that mount points are under /bionic and the legacy
paths become symlinks to the mount points. This is to make sure that
there is no bind mounts under /system, which is breaking some apps.

Finally, code for creating mount namespaces, mounting bionic, etc are
refactored to mount_namespace.cpp

Bug: 120266448
Bug: 123275379
Test: m, device boots, adb sync/push/pull works,
especially with following paths:
/bionic/lib64/libc.so
/bionic/bin/linker64
/system/lib64/bootstrap/libc.so
/system/bin/bootstrap/linker64
Change-Id: Icdfbdcc1efca540ac854d4df79e07ee61fca559f
2019-01-30 19:18:22 +09:00
David Anderson
0e330f12bc init: Add support for GSI installations in first-stage mount.
Bug: 121209697
Test: gsi boots
Change-Id: I69db0f8e999da366e46728b1008602f543cd79f6
2019-01-16 17:45:07 -08:00
Tom Cherry
c12e205ec5 Fix /init -> /system/bin/init symlink creation race
A symlink for TARGET_ROOT_OUT as a post install command of a package
that is also installed to TARGET_ROOT_OUT.  We hijack init.rc which
satisfies this requirement for this symlink.

Bug: 120402274
Bug: 120460755
Bug: 120509320
Bug: 120554662
Test: symlink is created
Test: make bootimage && ls -la $OUT/root/init
Change-Id: I6f1ac06ef152c36d7d7db4618d49a008338da39b
2018-12-05 23:42:07 +00:00
Elliott Hughes
3c59cb8420 C++17 is the default now.
Test: builds
Change-Id: I6814455e9ad2cdcf99ad66de38a3ad0bfb440d80
2018-12-03 09:02:18 -08:00
Treehugger Robot
e43c146eb4 Merge "fs_mgr: move AVB related source into libfs_avb" 2018-11-30 06:59:38 +00:00
Tom Cherry
9843007327 init: always create a symlink from /init to /system/bin/init
Even though it isn't strictly needed when not system-as-root, for
backwards compatibility, it is desired to keep this symlink.

Bug: 119851742
Test: tree-hugger
Change-Id: I47bc25ab257336f56ef09b5db6ebaf6b17daad35
2018-11-29 09:39:30 -08:00
Bowgo Tsai
c1bc2813c9 fs_mgr: move AVB related source into libfs_avb
This CL also adds namespace android::fs_mgr and remove FsManager* prefix
for class names. Note that android::fs_mgr::FsManagerAvbOps will be removed
in later CLs when fs_mgr doesn't rely on libavb->avb_slot_verify() to
parse vbmeta structs.

Some lingering sources for by_name_symlink_map_ are also removed.

Bug: 112103720
Test: boot crosshatch_mainline-userdebug
Change-Id: I2d1a5cc39bcd5a699da8d5539f191d8c7737c4af
2018-11-29 22:21:33 +08:00
Ivan Lozano
055347e564 Disable XOM in init.
init doesn't cooperate with execute-only memory just yet, so disable it
until we can determine the root cause.

Bug: 77958880
Test: Device boots.
Change-Id: Ieb78315ba1e48c9cd0d047a42951bd3fbd36641b
2018-11-27 09:12:16 -08:00
Tom Cherry
7bfea3d59c init: clean up the 1st/2nd stage init split
The first split of 1st/2nd stage init went a bit overboard, since it
split these even in the case of the recovery image and system-as-root,
which don't actually need the split.  This change simplifies this a
bit:

system-as-root and recovery have a single combined /system/bin/init
and a symlink from /init to it.

non-system-as-root has a separate first stage init at /init on the
first stage ramdisk and a combined /system/bin/init on system.img.

Two particular benefits from this:
1) Removal of the rsync of TARGET_RAMDISK_OUT to the recovery image
2) Decrease of overall space on the recovery image since it won't have
   a statically linked first stage init

This also unified the various entry points of init to depend entirely
on the arguments passed to it, instead of the hybrid of arguments and
environment variable used previously.

Bug: 80395578
Test: boot both system-as-root and non-system-as-root
Change-Id: Ic2f29b6f56b7defc80eaa0e7cd0c9107e978816f
2018-11-12 16:08:19 -08:00
Evgenii Stepanov
1f47f4add4 Do not hwasanitize init_first_stage.
Current hwasan implementation breaks when stderr (fd 2) is missing.

Bug: 118776698
Test: hwasan boots without serial console
Change-Id: Id095a87212096526a497563adab3d7f2f9fe8ab0
2018-11-01 13:43:50 -07:00
Eric Biggers
f05da4a4be init: use libfscrypt for file-based encryption setup
The file-based encryption setup code is being refactored into its own
library because it applies to both ext4 and f2fs, not just ext4.  Update
init to use the new location.   For fs_mgr, just remove the include of
ext4_crypt_init_extensions.h since it was unneeded.

Test: built, booted device with f2fs encryption
Change-Id: I392a763e3349f001bdbc09eb9ca975aa3451fd68
2018-10-25 17:10:15 -07:00
Tom Cherry
29e5348f18 init: separate init packaging for mainline
With system-as-root, both first and second stage init belong to
system, but without system-as-root, first stage belongs to vendor and
second stage belongs to system.  This change creates two phony
packages to achieve this correctly in the build system.

Bug: 117606184
Test: mainline builds work properly
Change-Id: I19263e76c217c2e70bc06c180be3a460e9144f18
2018-10-16 09:49:00 -07:00
Xin Li
17216455ad Don't attempt to create 'mkdir' and '-p' directories.
Test: build
Bug: 115920063
Change-Id: I65c60bfe0ca758a4213f10754bc872ea9885ca19
2018-09-17 14:20:16 -07:00
Tom Cherry
4590a2aeb7 Switch root to /system in first stage mount
Bug: 79173823
Bug: 79758715
Test: boot hikey and observe that /system is the new root
Change-Id: I22f58f1332150ebae8e7e24eccfe780ff29eba7f
2018-08-23 11:12:57 -07:00
Anton Hansson
904bbd8405 Remove init_second_stage.recovery dep.
This makes the init module only produce artifacts in
/system. A simultaneous change in the core product
makefiles explicitly adds init_second_stage.recovery.

Bug: 112318375
Test: lunch mainline_arm64 && m nothing
Change-Id: I33f0f0c869dfb1ffe781fc682eeb20589a4ffe90
2018-08-15 08:50:43 +01:00
Tom Cherry
31438489c0 split first stage init into a separate executable
In the future, systems with dm-linear will require a ramdisk to set up
the mount for system.  In this world, first stage init will be a part
of this ramdisk and handle setting up dm-linear, mounting the
necessary partitions, then pivoting to the system image, which will
become the root partition.

This also enables previous devices without system-as-root, to be
unified with system-as-root devices for all aspects of boot after the
pivot_root.

Bug: 79758715
Test: boot hikey
Test: boot sailfish, boot sailfish into recovery
Change-Id: Iefa88a3ec5994e7989aa9f26f2de0351ffa5468b
2018-08-06 10:36:43 -07:00
Tom Cherry
40acb379cd Move watchdogd out of init
We're moving past a world where static executables are needed,
including watchdogd, so treat this like any other executable and place
it in /system/bin.

Bug: 73660730
Test: watchdogd still runs
Change-Id: I1f7508fd55dce6e9ee72a6ab7a085011a76c0053
2018-08-02 12:25:58 -07:00
David Anderson
f792e4163d liblp: Allow building liblp as a shared library.
Bug: 79173901
Test: system image, partition_tools both build
Change-Id: I70f45d4cebfbddc39d03aa3fb3a56b6c48a20d7e
2018-07-27 19:34:56 -07:00
Jiyong Park
012171d3af libselinux is dynamically linked from init
init is now dynamically linked to libselinux. This gives us about 100KB
extra space, which is valuable in the recovery partition.

Bug: 63673171
Test: m -j
Test: adb reboot recovery
Change-Id: I72c4f886cbbb9ce54f8221f05547f5b9f0e1adb0
2018-06-19 16:55:05 +09:00
Jiyong Park
787322c55f Build init with shared libraries
recovery partition now supports shared librarys. Therefore, init can now
be built as a dynamic executable both for normal and recovery modes.

To save save in the recovery mode, not all libs are dynamically linked.
Libs that are only used by init in the recovery mode are still
statically linked.

Note: init is still a static executable for legacy devices where
system-as-root is not on, because the dynamic linker and shared libs
which are in /system are not available when init starts.

Bug: 63673171
Test: `adb reboot recovery; adb devices` shows the device ID
Test: device boots to the UI in normal mode.
Test: do that for both walleye (system-as-root) and bullhead (legacy
ramdisk).
Change-Id: I30c84ae6a8e507e507ad0bb71acad281316d9e90
2018-06-10 08:32:33 +09:00
Tom Cherry
618d3102c9 Move all of init to libinit
I'd be not doing this for a while since some of this code doesn't
compile on host and libinit previously did.  But after realizing
the property_service.cpp (libinit) references symbols in init.cpp
(init) and seeing a new linker error crop up due to that, it's time to
make the fix.

My only hold out previously was that libinit compiled on host bionic
and some of init (builtins.cpp, etc) do not, however given that we
don't actually have host bionic support or host bionic init tests,
that isn't a good reason.  We can and should mock out the libraries
that aren't available with host bionic when ready.

Test: build, unit tests, boot
Change-Id: Ie49362ddb637924efc272540a4f32b693643fcdc
2018-01-19 14:25:48 -08:00
Tom Cherry
2ae2f606f8 Reland "Have property_service create a serialized property_contexts file"
This reverts commit 9822f3c6cc.

Bug: 36001741
Change-Id: I27dd391fc06a3c78e88a65c7931c84de1699f157
2017-12-14 01:58:17 +00:00
Robert Greenwalt
9822f3c6cc Revert "Have property_service create a serialized property_contexts file"
This reverts commit e8181c0f55.

Reason for revert: This is broken.

Bug: 36001741

Change-Id: I458abc23275ecdfadcabacd611b288449196efa0
2017-12-13 14:42:26 -08:00
Tom Cherry
c47dd6b5c0 Merge changes from topic "property-trie"
* changes:
  Have property_service create a serialized property_contexts file
  Parse property contexts via a serialized trie
2017-12-13 01:28:36 +00:00
Tom Cherry
e8181c0f55 Have property_service create a serialized property_contexts file
Instead of requiring each process to parse the property contexts files
in libc initialization, this change has property_service parse these
files one into a serialized trie, which the property code in libc can
then directly interpret for mapping property names to their associated
SELinux context.

Bug: 36001741
Test: boot bullhead, walleye, run unit tests

Change-Id: If67073d56e800b3ca667fb5322e6b993e7d810f6
2017-12-11 16:12:13 -08:00
Jaegeuk Kim
899ad558cd fastboot/fs_mgr/init: add sload_f2fs
Change-Id: Iab1e4037cbb835aba97f941c8840b8971caf38e7
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
2017-12-06 22:40:08 -08:00
Steven Moreland
e055d73396 init language extension for lazy HIDL services.
This associates every service with a list of HIDL services
it provides. If these are disabled, hwservicemanager will
request for the service to startup.

Bug: 64678982
Test: manual with the light service
Change-Id: Ibf8a6f1cd38312c91c798b74574fa792f23c2df4
2017-10-19 20:38:47 -07:00
Tom Cherry
a97faba653 init: use protobuf for serialization of persistent properties
I probably should have done this from the start...  There's a shim to
convert my manually serialized format to protobuf, and since that has
not yet shipped, it'll be reverted in a short period of time.

Test: init unit tests
Test: upgrade from legacy and intermediate property formats successfully
Change-Id: Iad25f6c30d0b44d294230a53dd6876222d1c785b
2017-09-19 09:56:31 -07:00
Luis Hector Chavez
9f97f47940 init: Allow clean system shutdown upon SIGTERM
This allows Android to cleanly shutdown when running in a PID namespace
in a way that does not rely on adbd running. This is useful to allow
Android to be running in a container and its lifetime managed by an
OCI-compliant tool.

Bug: 65415372
Test: `kill -TERM 1` as root is correctly dropped.
Test: `kill -TERM 1` from the init PID namespace causes init to cleanly shutdown.
Change-Id: Ia66ebdb436221919081bc4723337c0c7f1e53b09
2017-09-07 10:47:04 -07:00
Dmitry Shmidt
c3bc509096 init: Fix -DUSER_MODE_LINUX compilation
Bug: 64985489
Test: Manual

Change-Id: Ib37d2b9affe500b66b9243fb24a7dee23b7730f2
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
2017-08-23 14:57:07 -07:00