Load sysprops from /odm_dlkm/etc/build.prop. Note that no
property contexts are loaded from odm_dlkm.
Test: getprop | grep odm_dlkm
Bug: 156020364
Change-Id: I90c3a54a110462736d9888101d4281100d586632
There is documentation for how AIDL works with ctl commands or
interface_start commands, however it seems we were missing documentation
on declaration of interfaces.
Bug: N/A
Test: N/A
Change-Id: I0e5d2350b6b847a870eafbc69828e75f1f6ca4f0
Load sysprops from /vendor_dlkm/build.prop. Note that
no property contexts are loaded from vendor_dlkm.
Test: getprop | grep vendor_dlkm
Bug: 156020364
Change-Id: Ib0e8ba1791e1d2c11d055ef496208993e11d9b0f
This restriction is only added for devices launching with R or later.
Bug: 160663765
Test: this test runs when appropriate
Change-Id: I2353bfa7f598bd19ba57498cc5bbad7a3ed34707
This allows init to easily ensure misc devices other than device-mapper
are present.
Bug: 154536437
Test: manual test
Change-Id: I49495684edee322f9787ce7ab7f79d0e8060171d
Now we have more things e.g. loading kernel modules, initialize
selinux. And before all these, system cannot make further progress. It
should be beneficial to boost this critical peroid in init.
Benchmark on a Pixel device shows this saves 100+ms on early boot
ToT release + This CL (P15538587)
D/BaseBootTest: init_stage_second_START_TIME_avg : 1563.4
D/BaseBootTest: ueventd_Coldboot_avg : 219.0
D/BaseBootTest: action_init_/system/etc/init/hw/init.rc:114_START_TIME_avg : 2103.7
ToT release (6654154)
D/BaseBootTest: init_stage_second_START_TIME_avg : 1639.0
D/BaseBootTest: ueventd_Coldboot_avg : 238.2
D/BaseBootTest: action_init_/system/etc/init/hw/init.rc:114_START_TIME_avg : 2226.0
Bug: 143857500
Bug: 147997403
Bug: 160271169
Bug: 160696502
Test: Boottime
Signed-off-by: Wei Wang <wvw@google.com>
Change-Id: I21c9e051f4ae3e953d991c031f151b2779702548
build.prop files under system_ext, product, and odm partitions are moved
to the ./etc subdirectory. This is to be in-line with the established
practice of having all configuration files under ./etc subdir.
build.prop doesn't need to be an exception.
However, system/build.prop and vendor/build.prop were not moved because
there are a lot of apps and tools that depend on the path.
Bug: 158735147
Test: device has build.prop under ./etc and is bootable
Change-Id: I26300574c23c78cc4e5bc20f98fc9702838465e1
If a device doesn't support unflattened APEXes, init activates flattened
APEXes instead of apexd.
Because apexd dumps apex-info-list.xml after it activates all APEXes,
init should do the same thing.
Bug: 159585065
Test: lunch aosp_cf_x86_phone_noapex & m & boot
adb more /apex/apex-info-list.xml
adb shell ls -lZ /apex/apex-info-list.xml
-> -rw-rw-rw- 1 root root u:object_r:apex_info_file:s0 ..
Change-Id: I74a4d0ee363761564225097c5949e5ce335ac6dc
AMBA specification from Arm is a freely available open
standard for the connection and management of functional
blocks in a system-on-chip.
AMBA devices create a device kernel object in /sys/devices/platform
and a kernel object of the bus for the respective device in
/sys/bus/amba. For e.g. for pl180 mmc:
device: /sys/devices/platform/1c050000.mmci
bus: /sys/bus/amba/devices/1c050000.mmci
In first stage init, android creates a symlink from /sys/devices/platform/...
to /dev/block/platform/... for all partitions and then to
/dev/block/by-name for the boot_device used. However this is only done
for devices that "attach" to bus/platform. This patch adds support for
platform devices that attach to bus/amba.
Signed-off-by: Usama Arif <usama.arif@arm.com>
Change-Id: I9da7456407c4f62335c959502d8b2d16026fddfc
Having mounted apexes with loop back devices backing files on /data
partition will prevent clean unmount of it. Unmounting them and tearing
down loop devices should minimize the risk of that.
Note that it won't fix the issue completely, as there are a few (~2-3)
processes that keep restarting even after SIGKILL is sent. Which means
that they can still hold references to apexes on /data partition. But
in practice probability of this is quite low.
Test: adb reboot
Test: put tzdata apex in /data/apex/active && adb reboot
Bug: 158152940
Change-Id: I4624567b3d0f304dba4c6e37b77abd89e57411de
Regardless of whether a system property is "ro." or not, it can be
overridden by build.prop from the more specific partition. i.e.
foo.bar=true in system/build.prop can be overridden by
foo.bar=false in vendor/build.prop. However, the warning message
was referring the overridden property as "ro." causing confusion
when reading the log. Fix it by not mentioning "ro.".
Bug: 117892318
Test: N/A
Change-Id: I13014522d0c6b507b30c8754e2087fd71cc39971
Init starts ueventd in the default mount namespace to support loading
firmware from APEXes.
Bug: 155023652
Test: devices boots
adb$ nsenter -t (pid of ueventd) -m ls /apex
=> shows all APEXes
Change-Id: Ibb8b33a07eb014752275e3bca4541b8b694dc64b
While mount_all and umount_all were updated to use ro.boot.fstab_suffix,
I neglected to update swapon_all. Trivially copied from umount_all.
Bug: 142424832
Change-Id: Icd706fe7a1fe16c687cd2811b0a3158d7d2e224e
Merged-In: Icd706fe7a1fe16c687cd2811b0a3158d7d2e224e
While mount_all and umount_all were updated to use ro.boot.fstab_suffix,
I neglected to update swapon_all. Trivially copied from umount_all.
Bug: 142424832
Change-Id: Icd706fe7a1fe16c687cd2811b0a3158d7d2e224e
The mount_all and swapon_all commands are documented, but umount_all
is not. Add some documentation.
Bug: 142424832
Change-Id: I7e4dcb4d222b787350a79c9e312062cac9eeb4d8
The mount_all and swapon_all commands are documented, but umount_all
is not. Add some documentation.
Bug: 142424832
Change-Id: I7e4dcb4d222b787350a79c9e312062cac9eeb4d8
Kernel modules may be located within directories in /lib/modules.
Attempt to load kernel modules from each directory that has a name starting with
the major and minor version of the currently running kernel. If a single
kernel module is successfully loaded from a directory, that directory is
treated as the correct kernel module directory for the system. No other
kernel module directories are searched and any kernel module load errors
in that directory are fatal. If the attempt to load the first kernel
module from a directory fails, or if there are no kernel modules in a
directory, then the search proceeds to the next directory.
If no kernel module is successfully loaded from any directory as above,
an attempt is made to load kernel modules from the top level at
/lib/modules/.
Bug: 157645635
Change-Id: I92eadd8617f03a645da460ccb776bc04fa541f00
Merged-In: I92eadd8617f03a645da460ccb776bc04fa541f00
Kernel modules may be located within directories in /lib/modules.
Attempt to load kernel modules from each directory that has a name starting with
the major and minor version of the currently running kernel. If a single
kernel module is successfully loaded from a directory, that directory is
treated as the correct kernel module directory for the system. No other
kernel module directories are searched and any kernel module load errors
in that directory are fatal. If the attempt to load the first kernel
module from a directory fails, or if there are no kernel modules in a
directory, then the search proceeds to the next directory.
If no kernel module is successfully loaded from any directory as above,
an attempt is made to load kernel modules from the top level at
/lib/modules/.
Bug: 157645635
Change-Id: I92eadd8617f03a645da460ccb776bc04fa541f00
To ensure we can shutdown cleanly, and don't hang an outstanding
requests to a FUSE host daemon that has already exited.
Bug: 153411204
Test: inspect logs during shutdown
Change-Id: I8e6479bd54dbc1fc85b087617aa6b16be9f15a3b
Currently the ReadDefaultFstab function, which calls GetFstabPath,
makes some assumptions about what the fstab will be called and where
it is located. This is being used by vold to set up userdata encryption
and for gsid, and is even used in the default boot control HAL, so it
has become quite baked.
The original way for a board to specify things to mount was to use the
"mount_all /path/to/fstab" command in init.rc. However, due to the
above functionality, the path after mount_all is no longer very useful,
as it cannot differ from the inferred path, or userdata encryption and
other features will be broken.
On Cuttlefish, we have an interest in being able to test alternative
userdata configurations (ext4 vs f2fs, encryption on/off, etc.) and
currently the only way to achieve this is to either a) modify the
ro.hardware or ro.hardware.platform properties, which breaks a bunch
of things like default HAL filenames, or regenerate our odm.img or
vendor.img filesystems. We can't simply install another fstab and
point to it with "mount_all".
This change allows the fstab path to be omitted from "mount_all", and
adds another property which overrides the existing checks for
fstab.${ro.hardware} and fstab.${ro.hardware.platform}. Specifying
${ro.boot.fstab_suffix} will cause fstab.${ro.boot.fstab_suffix}
to be checked first.
Bug: 142424832
Test: booted cuttlefish with 'mount_all ${ro.hardware} --late'
Test: booted cuttlefish with 'mount_all --late'
Test: booted cuttlefish with 'mount_all --late' and fstab_suffix=f2fs
Test: partially booted cuttlefish with 'mount_all ${ro.hardware}'
Test: partially booted cuttlefish with 'mount_all'
Change-Id: I3e10f66aecfcd48bdb9ebf1d304b7aae745cbd3c
Merged-In: I3e10f66aecfcd48bdb9ebf1d304b7aae745cbd3c
Currently the ReadDefaultFstab function, which calls GetFstabPath,
makes some assumptions about what the fstab will be called and where
it is located. This is being used by vold to set up userdata encryption
and for gsid, and is even used in the default boot control HAL, so it
has become quite baked.
The original way for a board to specify things to mount was to use the
"mount_all /path/to/fstab" command in init.rc. However, due to the
above functionality, the path after mount_all is no longer very useful,
as it cannot differ from the inferred path, or userdata encryption and
other features will be broken.
On Cuttlefish, we have an interest in being able to test alternative
userdata configurations (ext4 vs f2fs, encryption on/off, etc.) and
currently the only way to achieve this is to either a) modify the
ro.hardware or ro.hardware.platform properties, which breaks a bunch
of things like default HAL filenames, or regenerate our odm.img or
vendor.img filesystems. We can't simply install another fstab and
point to it with "mount_all".
This change allows the fstab path to be omitted from "mount_all", and
adds another property which overrides the existing checks for
fstab.${ro.hardware} and fstab.${ro.hardware.platform}. Specifying
${ro.boot.fstab_suffix} will cause fstab.${ro.boot.fstab_suffix}
to be checked first.
Bug: 142424832
Test: booted cuttlefish with 'mount_all ${ro.hardware} --late'
Test: booted cuttlefish with 'mount_all --late'
Test: booted cuttlefish with 'mount_all --late' and fstab_suffix=f2fs
Test: partially booted cuttlefish with 'mount_all ${ro.hardware}'
Test: partially booted cuttlefish with 'mount_all'
Change-Id: I3e10f66aecfcd48bdb9ebf1d304b7aae745cbd3c
A one second timeout is so coarse and can affect boot time when
the possibility that the file does not exist. Switch to accepting
a floating point number for seconds for the wait for file command.
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 151950334
Test: wait_for_file sleep 0.05 reports an appropriate delay
Change-Id: I8d8ed386519ab54270b05ce91663d0add30f12e7
A one second timeout is so coarse and can affect boot time when
the possibility that the file does not exist. Switch to accepting
a floating point number for seconds for the wait for file command.
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 151950334
Test: wait_for_file sleep 0.05 reports an appropriate delay
Change-Id: I8d8ed386519ab54270b05ce91663d0add30f12e7
See details in comment inside. This is to increase stability of the
device. There are some thing we might not detect (yet) but which cause
the test to fail.
Bug: 156380383
Test: run on walleye
Change-Id: Ic0189af7e818916665a2b709d440c517a04c587f
With GKI we find in certain situations the timing of the drivers
loading is delayed as compared to a monolithic kernel. This
introduces a race where during second stage init, the attributes
inside /sys/class/udc/ might not be set by the time
SetUsbController() is called.
To address this, we also call SetUsbController() until the property
sys.usb.controller is set at the bottom of the event loop.
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 151950334
Test: make sure user space fastbootd comes up reliably for a GKI kernel
Change-Id: Iececd8ffa3e6641554d215d622d8dab72d85d34d
The file is removed. init no longer needs to read it.
Bug: 117892318
Test: TH passes on non-Treble devices.
Change-Id: Idc4127bad66db24c7033b47c41b9eb85a5e0a5cd
Contents that were in /system/etc/prop.default are now in
/system/build.prop.
The content is placed at the top of build.prop to keep the existing
order between the two files.
Caveat #1: /prop.default still remains for non-Treble devices.
Caveat #2: ReadFileSymbolicLink test was changed to read /system/bin/ps
because /prop.default is no longer guaranteed to exist.
Bug: 117892318
Test: TH passes
Test: inspect /system/build.prop and check if it has contents from
the old /system/etc/prop.default file
Change-Id: I0d3f96c1656dfe02bfa0e801680f7fa887afd1d9
It is merged to /vendor/build.prop. However, for backwards
compatibility, the old file is read on devices running R or earlier.
Bug: 117892318
Test: TH passes
Test: inspect /vendor/build.prop and check if it has contents from
the old /vendor/default.prop file
Change-Id: I994cc85fc0765bc9233e9799bcb670a23180f068
With GKI we find in certain situations the timing of the drivers
loading is delayed as compared to a monolithic kernel. This
introduces a race where during second stage init, the attributes
inside /sys/class/udc/ might not be set by the time
SetUsbController() is called.
To address this, we also call SetUsbController() until the property
sys.usb.controller is set at the bottom of the event loop.
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 151950334
Test: make sure user space fastbootd comes up reliably for a GKI kernel
Change-Id: Iececd8ffa3e6641554d215d622d8dab72d85d34d
The exit of init panics the system *after* process context (mm, stack,
...etc.) are recycled, according to Linux kernel's 'do_exit'
implementation. To preserve most init process context for debugging,
triggers the panic via proc-sysrq explicitly.
Note: after this change, there will be no "Attempt to kill init" panic
when androidboot.init_fatal_panic is set.
Test: Insert data abort fault in init, the full process context is
preserved in memory dump captured after panic.
Bug: 155940351
Change-Id: I3393bd00f99b8cb432cfa19a105b7d636b411764
(cherry picked from commit be1cf9006a)
The exit of init panics the system *after* process context (mm, stack,
...etc.) are recycled, according to Linux kernel's 'do_exit'
implementation. To preserve most init process context for debugging,
triggers the panic via proc-sysrq explicitly.
Note: after this change, there will be no "Attempt to kill init" panic
when androidboot.init_fatal_panic is set.
Test: Insert data abort fault in init, the full process context is
preserved in memory dump captured after panic.
Bug: 155940351
Change-Id: I3393bd00f99b8cb432cfa19a105b7d636b411764
Extend androidboot.first_stage_console cmdline property to enable
skipping module load failures without stopping at a serial console. This
is useful for GKI development.
Set androidboot.first_stage_console=2 for this behavior.
Bug: 155296582
Test: verify behavior for values 0, 1, and 2
Merged-In: I068c631a22c848e45a421b297b1acae1b3deb3c1
Change-Id: I068c631a22c848e45a421b297b1acae1b3deb3c1
(cherry picked from commit 6c5f82642b)
Extend androidboot.first_stage_console cmdline property to enable
skipping module load failures without stopping at a serial console. This
is useful for GKI development.
Set androidboot.first_stage_console=2 for this behavior.
Bug: 155296582
Test: verify behavior for values 0, 1, and 2
Change-Id: I068c631a22c848e45a421b297b1acae1b3deb3c1
Introduce new command to allow setting task profiles from inside .rc
script. This is to replace usage of writepid when a service is trying
to join a cgroup. Usage example from a .rc file:
service surfaceflinger /system/bin/surfaceflinger
task_profiles HighPerformance
Bug: 155419956
Test: change .rc file and confirm task profile is applied
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I0add9c3b363a7cb1ea89778780896cae1c8a303c
Merged-In: I0add9c3b363a7cb1ea89778780896cae1c8a303c
Introduce new command to allow setting task profiles from inside .rc
script. This is to replace usage of writepid when a service is trying
to join a cgroup. Usage example from a .rc file:
service surfaceflinger /system/bin/surfaceflinger
task_profiles HighPerformance
Bug: 155419956
Test: change .rc file and confirm task profile is applied
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I0add9c3b363a7cb1ea89778780896cae1c8a303c
There are devices stuck waiting for vendor_init to finish a command,
without giving much more information. Instead of setting aside the
last run command, it's more valuable to store and dump the last 30
logs seen.
Bug: 155203339
Test: these logs appear during hung reboots
Test: normal reboots have no difference.
Change-Id: I99cae248eb81eaf34ef66b910fa653a9fa135f68
When the subcontext code was redone to allow only one subcontext
(vendor_init), the code for restarting it and for terminating it
during shutdown was not updated, resulting in it not working.
Bug: 155203339
Test: kill subcontext init and notice it restart
Test: subcontext init stops during shutdown
Merged-In: Ib77f59d1e7be0ffcfd3f31c8450dc022c20bb322
Change-Id: Ib77f59d1e7be0ffcfd3f31c8450dc022c20bb322
(cherry picked from commit e3e77d382f)
When the subcontext code was redone to allow only one subcontext
(vendor_init), the code for restarting it and for terminating it
during shutdown was not updated, resulting in it not working.
Bug: 155203339
Test: kill subcontext init and notice it restart
Test: subcontext init stops during shutdown
Change-Id: Ib77f59d1e7be0ffcfd3f31c8450dc022c20bb322
Bug: 153540919
Test: Able to boot without errors
Change-Id: If206e5e3d76a7919b7468bc2d9666b3aff296b3b
Merged-In: If206e5e3d76a7919b7468bc2d9666b3aff296b3b
Since this function is used in userspace reboot, we need to be more
diligent with error handling, e.g.:
* If init fails to read /sys/block/zram0/backing_dev, then fail and
fallback to hard reboot.
* Always call swapoff.
* Always reset zram.
* Tear down loop device only if zram is backed by a loop device.
Test: adb reboot userspace
Bug: 153917129
Change-Id: I4709da1d08cf427ad9c898cfb2506b6a29f1d680
Merged-In: I4709da1d08cf427ad9c898cfb2506b6a29f1d680
(cherry picked from commit a840d405eb)
Since this function is used in userspace reboot, we need to be more
diligent with error handling, e.g.:
* If init fails to read /sys/block/zram0/backing_dev, then fail and
fallback to hard reboot.
* Always call swapoff.
* Always reset zram.
* Tear down loop device only if zram is backed by a loop device.
Test: adb reboot userspace
Bug: 153917129
Change-Id: I4709da1d08cf427ad9c898cfb2506b6a29f1d680
libsnapshot* uses update_metadata-protos. This
used to be optimized out, but now that SnapshotManager is
virtual, CreateUpdateSnapshots can no longer be optimized out.
Bug: 148956645
Test: compiles
Change-Id: Ib67cafd156308bf5a477996ec32eb786f8e896db
If the first stage console is being used, attempt to run /first_stage.sh
immediately before the console is created.
Bug: 154126020
Change-Id: I8b7431e7b8219afea295b120d7ea91751804bda6
Merged-In: I8b7431e7b8219afea295b120d7ea91751804bda6
If the first stage console is being used, attempt to run /first_stage.sh
immediately before the console is created.
Bug: 154126020
Change-Id: I8b7431e7b8219afea295b120d7ea91751804bda6
tl,dr;
Increase the attempts to 50 to reduce the chances of failing
to load the serial console. This will only happen if the cmdline
parameter "androidboot.first_stage_console=1" is enabled.
Details:
10 attempts only amounts to about 1 second of trying to open the serial
console. I tested booting an ACK GKI image 5x with 20 vendor modules and
found the serial console loaded on attempt 17 for all five boot
tests.
Bug: 153354917
Test: boot ACK image 5x and verify serial console comes up
Change-Id: I161a4176b2c6cf7b0bc1eefe072ff38b894add5d
Merged-In: I161a4176b2c6cf7b0bc1eefe072ff38b894add5d
Some of the test cases in CtsInitTestCases and CtsFsMgrTestCases require
root. This CL makes it possible to run such tests cases on userdebug
builds, which in turn means that they will be run on presubmit.
New option was implemented in
https://android-review.googlesource.com/c/platform/tools/tradefederation/+/1283834
Test: atest CtsInitTestCases
Test: atest CtsFsMgrTestCases
Change-Id: I3d29789ddd7ac549e40ac193c58d986670c49285
Similarly to other recovery mechanisms, timeout is controlled by a
read-only property that can be configured per-device.
Test: adb root
Test: adb shell setprop init.userspace_reboot.started.timeoutmillis 2
Test: adb reboot userspace
Bug: 152803929
Change-Id: Id70710b46da798945ac5422ef7d69265911ea5ef
Merged-In: Id70710b46da798945ac5422ef7d69265911ea5ef
(cherry picked from commit d05535485f)
Similarly to other recovery mechanisms, timeout is controlled by a
read-only property that can be configured per-device.
Test: adb root
Test: adb shell setprop init.userspace_reboot.started.timeoutmillis 2
Test: adb reboot userspace
Bug: 152803929
Change-Id: Id70710b46da798945ac5422ef7d69265911ea5ef
1) There's no reason or way to support boot_clock for waiting for
property changes, since the underlying futex_wait uses
CLOCK_MONOTONIC. We probably wouldn't want boot_clock even if it
did, since it doesn't make sense to consider the time a device was
suspending in the timeout for waiting for a property to change.
2) The init tokenizer has been essentially unchanged for a decade,
there's no motivation to 'fix' it to not require a trailing
newline.
3) The ueventd TODO regarding moving vendor specific ueventd.rc
entries out of rootdir has been fixed.
Test: n/a
Change-Id: I3b68e3d2f25cbd539f9f8ff526669b8af04d833d
Structured bindings with templated containers work now, so no need for
the workaround or TODO.
Test: init unit tests
Change-Id: I6a286de9859d8a97df480a7ac2862a3a10bd9fb3
There was an email thread about this recently, and I've been asked many
times.
For instance, if this error wasn't attributed, denials a service is
hitting would be attributed to init, and that's a recipe for disaster.
Secondarily, thinking about SELinux whenever you write a new service is
good.
Bug: N/A
Test: N/A
Change-Id: Ib9d2c5d8947375a0d4c33ecf3d075caef6b41f70
This test is killing critical device services, and if it runs
repeatedly or some of the critical services have already died, it'll
force the device to reboot again and potentially consider the test a
failure.
This forces the test to reboot first, so that it is in a fresh state and
we can avoid this type of flake on the device.
Bug: 153444614
Test: atest init_kill_services_test
Change-Id: Ia81a319af1d209f58e70f824bb8eb7f11973637c
In recovery mode, load modules from modules.load.recovery if it
exists. Otherwise load from modules.load as usual.
Bug: 150825361
Change-Id: I7636bb5958ed10ae9a66015f04f168129618272f
Merged-In: I7636bb5958ed10ae9a66015f04f168129618272f
The tests are only needed in vts10 suite, as they are part of CTS
package and no longer needed in vts 11.
Bug: 151896491
Test: local build
Exempt-From-Owner-Approval: This CL removes vts10 tests from vts suite.
It won't change test logic or behavior.
Change-Id: I4d468be075b54213b56c7e1aa94af94f2bdce9ff
Merged-In: I4d468be075b54213b56c7e1aa94af94f2bdce9ff
tl,dr;
Increase the attempts to 50 to reduce the chances of failing
to load the serial console. This will only happen if the cmdline
parameter "androidboot.first_stage_console=1" is enabled.
Details:
10 attempts only amounts to about 1 second of trying to open the serial
console. I tested booting an ACK GKI image 5x with 20 vendor modules and
found the serial console loaded on attempt 17 for all five boot
tests.
Bug: 153354917
Test: boot ACK image 5x and verify serial console comes up
Change-Id: I161a4176b2c6cf7b0bc1eefe072ff38b894add5d
In recovery mode, load modules from modules.load.recovery if it
exists. Otherwise load from modules.load as usual.
Change-Id: I7636bb5958ed10ae9a66015f04f168129618272f
Devices in the lab are hitting an issue where they're getting stuck
likely in the sync() call in DoReboot() before we start the reboot
monitor thread and before we shut down services.
It's possible that concurrent writing to RW file systems is causing
this sync() call to take essentially forever. To protect against
this, we need to remove this sync(). Note that we will still call
sync() after shutting down services.
Note that the service shutdown code has a timeout and there is a
reboot monitor thread that will shutdown the device if more than 30
seconds pass above that timeout. This change increases that timeout
to 300 seconds to give the final sync() calls explicitly more time to
finish.
Bug: 150863651
Test: reboot functions normally
Test: put an infinite loop in DoReboot and the the reboot monitor thread
triggers and shuts down the device appropriately
Merged-In: I6fd7d3a25d3225081388e39a14c9fdab21b592ba
Change-Id: I6fd7d3a25d3225081388e39a14c9fdab21b592ba
(cherry picked from commit 10615eb397)
Previously, after `adb reboot userspace` is called on a device that
doesn't suppor it, init would've logged an error and quietly exit the
shutdown sequence. This was leaving adb handing forever.
With this approach, init will fail setprop
"sys.powerctl=reboot,userspace" in case userspace reboot is not
supported.
Test: adb root
Test: adb setprop init.userspace_reboot.is_supported 0
Test: adb reboot userspace
Test: atest CtsInitTestCases
Bug: 146639622
Change-Id: I1264078f53ed3ff54638c7f3b6846b7437f98ee5
Merged-In: I1264078f53ed3ff54638c7f3b6846b7437f98ee5
(cherry picked from commit 92116e4129)
General recommendation is to avoid read-only properties, and instead control
"read-onlines" by only allowing init/vendor_init to set the property.
Since ro.init.userspace_reboot.is_supported was added in this release, and
nobody outside of the platform is querying it directly, it should be fine to
simply rename it.
Test: adb shell getprop init.userspace_reboot.is_supported
Test: atest CtsUserspaceRebootHostSideTestCases
Bug: 152803929
Change-Id: I7552d5ccc6e9b750a6081947eef8fcb027be13e1
Merged-In: I7552d5ccc6e9b750a6081947eef8fcb027be13e1
(cherry picked from commit 663cd35030)
Previously, after `adb reboot userspace` is called on a device that
doesn't suppor it, init would've logged an error and quietly exit the
shutdown sequence. This was leaving adb handing forever.
With this approach, init will fail setprop
"sys.powerctl=reboot,userspace" in case userspace reboot is not
supported.
Test: adb root
Test: adb setprop init.userspace_reboot.is_supported 0
Test: adb reboot userspace
Test: atest CtsInitTestCases
Bug: 146639622
Change-Id: I1264078f53ed3ff54638c7f3b6846b7437f98ee5
Devices in the lab are hitting an issue where they're getting stuck
likely in the sync() call in DoReboot() before we start the reboot
monitor thread and before we shut down services.
It's possible that concurrent writing to RW file systems is causing
this sync() call to take essentially forever. To protect against
this, we need to remove this sync(). Note that we will still call
sync() after shutting down services.
Note that the service shutdown code has a timeout and there is a
reboot monitor thread that will shutdown the device if more than 30
seconds pass above that timeout. This change increases that timeout
to 300 seconds to give the final sync() calls explicitly more time to
finish.
Bug: 150863651
Test: reboot functions normally
Test: put an infinite loop in DoReboot and the the reboot monitor thread
triggers and shuts down the device appropriately
Change-Id: I6fd7d3a25d3225081388e39a14c9fdab21b592ba
Userspace reboot resets sys.powerctl to an empty string once it
starts, which was inadvertently triggering the backtrace of the main
init thread.
Test: no more unexpected backtraces
Change-Id: I35d6f1b37aa31a46ae9266647f41a709f28b6099
Bug: 152630580
Bug: 152637928
Bug: 152662041
Bug: 152662652
Test: this test is skipped when run as non-root
Merged-In: I7118025cc20081a200000bf484a08c9ed0b0d3ec
Change-Id: I7118025cc20081a200000bf484a08c9ed0b0d3ec
(cherry picked from commit 14f4afd2f2)
General recommendation is to avoid read-only properties, and instead control
"read-onlines" by only allowing init/vendor_init to set the property.
Since ro.init.userspace_reboot.is_supported was added in this release, and
nobody outside of the platform is querying it directly, it should be fine to
simply rename it.
Test: adb shell getprop init.userspace_reboot.is_supported
Test: atest CtsUserspaceRebootHostSideTestCases
Bug: 152803929
Change-Id: I7552d5ccc6e9b750a6081947eef8fcb027be13e1
This reverts commit d30c51157e.
This test wasn't flaky, it was failing when not run as root, but that
has been fixed.
Bug: 152630580
Bug: 152637928
Test: this test is okay now
Change-Id: I3b20be2839dae90ffc6a8eeea68f36e532060af1
Bug: 152630580
Bug: 152637928
Bug: 152662041
Bug: 152662652
Test: this test is skipped when run as non-root
Change-Id: I7118025cc20081a200000bf484a08c9ed0b0d3ec
We already stop queue'ing new control messages, but we forgot to stop
handling those control messages that are already queued. This CL
fixes that.
Bug: 150863651
Test: CF reboots appropriately
Merged-In: Ifea07a30b868de23eb735db10d8bae410e1b98bb
Change-Id: Ifea07a30b868de23eb735db10d8bae410e1b98bb
(cherry picked from commit 22d6348845)
A typo made this function a no-op.
Bug: 150863651
Test: CF responds to messages appropriately
Merged-In: Iaae0264fae3f2b899ceb5ba0364a4773df1f7ca3
Change-Id: Iaae0264fae3f2b899ceb5ba0364a4773df1f7ca3
(cherry picked from commit 68855276a1)
Bug: 150863651
Test: add delays during critical parts of shutdown and see the
expected debug information
Change-Id: Ida586903fd3eefc32ca9ee34ea2db037896ed9f4
We already stop queue'ing new control messages, but we forgot to stop
handling those control messages that are already queued. This CL
fixes that.
Bug: 150863651
Test: CF reboots appropriately
Change-Id: Ifea07a30b868de23eb735db10d8bae410e1b98bb
Apparently relying on bootanim to restart or not is too flaky.
Bug: 152630580
Bug: 152637928
Test: this test no longer runs
Change-Id: If61b31bad276560a9f0db9811724bbc9efc51d28
The tests are only needed in vts10 suite.
Bug: 151896491
Test: local build
Exempt-From-Owner-Approval: This CL removes vts10 tests from vts suite.
It won't change test logic or behavior.
Change-Id: I4d468be075b54213b56c7e1aa94af94f2bdce9ff
This will make it possible to re-use in second-stage init.
Bug: 150315914
Test: first-stage init boots
Change-Id: I6a0f13d5c71ab5529a76751f68ac0f15834323d1
Merged-In: I6a0f13d5c71ab5529a76751f68ac0f15834323d1
Rather than special-casing super in the uevent listener, call Realpath()
after we've generated its symlink. This allows us to generalize the
uevent listener code.
Also, rename "metadata partition" to "super partition" in a few places,
as this terminology is a bit dated.
Bug: 150315914
Test: first-stage init boots
Change-Id: I2bf3bebf3360f097582df7fba95f3c1753feb2e2
Merged-In: I2bf3bebf3360f097582df7fba95f3c1753feb2e2
Particularly in the case of the device failing to reboot. Some test
devices are showing that they've received the reboot message but
without rebooting.
Bug: 150863651
Test: prevent init from handling reboot and see a stacktrace
Test: reboot works normally
Change-Id: Ide001dadbb9e9cd235ea509066e6ae6664bb429b
- Create a static library libunwindstack_no_dex without DEX support.
- Use it in libdebuggerd_handler_fallback, whose only use is in the
linker, which shouldn't need that support.
- Use it in init_first_stage, which doesn't need DEX support either.
- Also need a libbacktrace_no_dex since it's in the dependency chain
from init_first_stage to libunwindstack_no_dex.
Also restrict the *_no_dex libs and libdebuggerd_handler_fallback as
much as possible to avoid inadvertent use of these reduced
functionality libs.
Test: m init_first_stage on Cuttlefish
where BOARD_BUILD_SYSTEM_ROOT_IMAGE=false
Test: m system_image com.android.runtime
Test: Build & boot
Test: atest linker-unit-tests libunwindstack_unit_test debuggerd_test
Bug: 142944931
Bug: 151466650
Change-Id: Iaacb29bfe602f3ca12a00a712e2a64c45ff0118b
Merged-In: Iaacb29bfe602f3ca12a00a712e2a64c45ff0118b
This is to prepare renaming vts to vts10.
Bug: 151896491
Test: local build
Exempt-From-Owner-Approval: This CL adds all tests in vts to a new
suite vts10. vts10 will be the new name of existing vts suite. This CL
won't change test logic or behavior.
Change-Id: I3c7ccef142de30f02a59046cecba121480f6e436
This will make it possible to re-use in second-stage init.
Bug: 150315914
Test: first-stage init boots
Change-Id: I6a0f13d5c71ab5529a76751f68ac0f15834323d1
Some services are lazy HALs on some platforms and not lazy HALs on
others; this is known at runtime by hwservicemanager, so this change
adds these properties to allow hwservicemanager to turn one oneshot
(for lazy HALs). It may also be required to make a lazy HAL not lazy
anymore, and oneshot_off is provided for this.
Bug: 147841742
Test: new unit test that turn on and off oneshot on a service (bootanim)
and observes that it follows the expected behavior
Merged-In: I79524e2c9a5008f90c8d3bc40920fde00602a439
Change-Id: I79524e2c9a5008f90c8d3bc40920fde00602a439
(cherry picked from commit bdbf5047c9)
Rather than special-casing super in the uevent listener, call Realpath()
after we've generated its symlink. This allows us to generalize the
uevent listener code.
Also, rename "metadata partition" to "super partition" in a few places,
as this terminology is a bit dated.
Bug: 150315914
Test: first-stage init boots
Change-Id: I2bf3bebf3360f097582df7fba95f3c1753feb2e2
- Create a static library libunwindstack_no_dex without DEX support.
- Use it in libdebuggerd_handler_fallback, whose only use is in the
linker, which shouldn't need that support.
- Use it in init_first_stage, which doesn't need DEX support either.
- Also need a libbacktrace_no_dex since it's in the dependency chain
from init_first_stage to libunwindstack_no_dex.
Also restrict the *_no_dex libs and libdebuggerd_handler_fallback as
much as possible to avoid inadvertent use of these reduced
functionality libs.
Test: m init_first_stage on Cuttlefish
where BOARD_BUILD_SYSTEM_ROOT_IMAGE=false
Test: m system_image com.android.runtime
Test: Build & boot
Test: atest linker-unit-tests libunwindstack_unit_test debuggerd_test
Bug: 142944931
Bug: 151466650
Change-Id: Iaacb29bfe602f3ca12a00a712e2a64c45ff0118b
Some services are lazy HALs on some platforms and not lazy HALs on
others; this is known at runtime by hwservicemanager, so this change
adds these properties to allow hwservicemanager to turn one oneshot
(for lazy HALs). It may also be required to make a lazy HAL not lazy
anymore, and oneshot_off is provided for this.
Bug: 147841742
Test: new unit test that turn on and off oneshot on a service (bootanim)
and observes that it follows the expected behavior
Change-Id: I79524e2c9a5008f90c8d3bc40920fde00602a439
We want to ignore SIGPIPE within init, but if we use SIG_IGN, that
would be inherited by child processes through exec(), which we do not
want to have happen. We instead set up a real signal handler with a
no-op handler function, that will ignore SIGPIPE within init, but will
not be inherited across exec().
This fixes c29c2baa69 ("init: Add support for native service
registration with lmkd"), when SIG_IGN was introduced.
Note that we caught this issue before shipping a release with that
change, so the major motivation here is to not cause a behavior change
in init.
Bug: 151581751
Test: children of init that don't explicitly block SIGPIPE exit when
sent SIGPIPE
Test: children of init that do explicitly block SIGPIPE do not exit
when sent SIGPIPE
Test: init does not exit when sent SIGPIPE
Test: init exits when sent SIGABRT
Merged-In: Ieda8555fd03836bcd672a422fe673a8369ad9beb
Change-Id: Ieda8555fd03836bcd672a422fe673a8369ad9beb
(cherry picked from commit fd470e87cc)
Kill processes and make sure the phone recovers. This adds a basic level
of testing, but it could be improved by:
- trying to kill all running processes on the device
- improving metrics for 'recovery'
Bug: 148236233
Test: init_kill_services_test
Change-Id: I8aaca7bf4bb0be588decf741d1f6e1c5787cea84
Since new files can be introduced to /metadata after the initial
restorecon, we need to skip hashing.
Bug: 150907679
Test: rollback, ls -lZ /metadata/ota
Change-Id: I1f928f519ae2c75aeedb74b70d513743e86bcf2b
Merged-In: I1f928f519ae2c75aeedb74b70d513743e86bcf2b
We want to ignore SIGPIPE within init, but if we use SIG_IGN, that
would be inherited by child processes through exec(), which we do not
want to have happen. We instead set up a real signal handler with a
no-op handler function, that will ignore SIGPIPE within init, but will
not be inherited across exec().
This fixes c29c2baa69 ("init: Add support for native service
registration with lmkd"), when SIG_IGN was introduced.
Note that we caught this issue before shipping a release with that
change, so the major motivation here is to not cause a behavior change
in init.
Bug: 151581751
Test: children of init that don't explicitly block SIGPIPE exit when
sent SIGPIPE
Test: children of init that do explicitly block SIGPIPE do not exit
when sent SIGPIPE
Test: init does not exit when sent SIGPIPE
Test: init exits when sent SIGABRT
Change-Id: Ieda8555fd03836bcd672a422fe673a8369ad9beb
A previous change moved property_service into its own thread, since
there was otherwise a deadlock whenever a process called by init would
try to set a property. This new thread, however, would send a message
via a blocking socket to init for each property that it received,
since init may need to take action depending on which property it is.
Unfortunately, this means that the deadlock is still possible, the
only difference is the socket's buffer must be filled before init deadlocks.
This change, therefore, adds the following:
1) A lock for instructing init to reboot
2) A lock for waiting on properties
3) A lock for queueing new properties
A previous version of this change was reverted and added locks around
all service operations and allowed the property thread to spawn
services directly. This was complex due to the fact that this code
was not designed to be multi-threaded. It was reverted due to
apparent issues during reboot. This change keeps a queue of processes
pending control messages, which it will then handle in the future. It
is less flexible but safer.
Bug: 146877356
Bug: 148236233
Bug: 150863651
Bug: 151251827
Test: multiple reboot tests, safely restarting hwservicemanager
Merged-In: Ice773436e85d3bf636bb0a892f3f6002bdf996b6
Change-Id: Ice773436e85d3bf636bb0a892f3f6002bdf996b6
(cherry picked from commit 802864c782)
This is apparently causing problems with reboot.
This reverts commit d2dab830d3.
Bug: 150863651
Test: build
Merged-In: Ib8a4835cdc8358a54c7acdebc5c95038963a0419
Change-Id: Ib8a4835cdc8358a54c7acdebc5c95038963a0419
A previous change moved property_service into its own thread, since
there was otherwise a deadlock whenever a process called by init would
try to set a property. This new thread, however, would send a message
via a blocking socket to init for each property that it received,
since init may need to take action depending on which property it is.
Unfortunately, this means that the deadlock is still possible, the
only difference is the socket's buffer must be filled before init deadlocks.
This change, therefore, adds the following:
1) A lock for instructing init to reboot
2) A lock for waiting on properties
3) A lock for queueing new properties
A previous version of this change was reverted and added locks around
all service operations and allowed the property thread to spawn
services directly. This was complex due to the fact that this code
was not designed to be multi-threaded. It was reverted due to
apparent issues during reboot. This change keeps a queue of processes
pending control messages, which it will then handle in the future. It
is less flexible but safer.
Bug: 146877356
Bug: 148236233
Bug: 150863651
Bug: 151251827
Test: multiple reboot tests, safely restarting hwservicemanager
Change-Id: Ice773436e85d3bf636bb0a892f3f6002bdf996b6
Since new files can be introduced to /metadata after the initial
restorecon, we need to skip hashing.
Bug: 150907679
Test: rollback, ls -lZ /metadata/ota
Change-Id: I1f928f519ae2c75aeedb74b70d513743e86bcf2b
This is apparently causing problems with reboot.
This reverts commit 7205c62933.
Bug: 150863651
Test: build
Change-Id: Ib8a4835cdc8358a54c7acdebc5c95038963a0419
The rollback indicator is created during first stage init and
is unlabeled. Need to restorecon it properly so that it can
be properly deleted by update_engine later.
Bug: 149956852
Bug: 150907679
Test: apply OTA, reboot, look at serial console
Change-Id: Ie954023b557865691fec2ae378145596bf1973a9
The rollback indicator is created during first stage init and
is unlabeled. Need to restorecon it properly so that it can
be properly deleted by update_engine later.
Bug: 149956852
Bug: 150907679
Test: apply OTA, reboot, look at serial console
Change-Id: Ie954023b557865691fec2ae378145596bf1973a9
adb remount and snapshot-based updates use ImageManager in first-stage
init. This creates status files, which need to be labelled.
Bug: 148834619
Test: manual test
Change-Id: I72949fca2889f9e5612049844a78bf9355b48797
Merged-In: I72949fca2889f9e5612049844a78bf9355b48797
Long overdue clean up; there is no reason to include fs_config.h in
android_filesystem_config.h, and the fact that it causes problems if
it's done, necessitating EXCLUDE_FS_CONFIG_STRUCTURES to exist, is a
good reason to fix it.
Bug: 149785767
Test: build
Change-Id: I5ba2541cd1045c22486140649c90db39163081fd
The new exported DSU status removes the need to make blocking binder
calls out of system server during device boot.
Bug: 149790245
Bug: 149716497
Test: adb shell am start-activity \
-n com.android.dynsystem/com.android.dynsystem.VerificationActivity \
-a android.os.image.action.START_INSTALL \
-d file:///storage/emulated/0/Download/system.raw.gz \
--el KEY_SYSTEM_SIZE $(du -b system.raw|cut -f1) \
--el KEY_USERDATA_SIZE 8589934592
Change-Id: I27fae316214498407a73474ca8b93aec3518e4b5
Merged-In: I27fae316214498407a73474ca8b93aec3518e4b5
(cherry picked from commit 2e1c6b26a1)
A previous change moved property_service into its own thread, since
there was otherwise a deadlock whenever a process called by init would
try to set a property. This new thread, however, would send a message
via a blocking socket to init for each property that it received,
since init may need to take action depending on which property it is.
Unfortunately, this means that the deadlock is still possible, the
only difference is the socket's buffer must be filled before init deadlocks.
There are possible partial solutions here: the socket's buffer may be
increased or property_service may only send messages for the
properties that init will take action on, however all of these
solutions still lead to eventual deadlock. The only complete solution
is to handle these messages asynchronously.
This change, therefore, adds the following:
1) A lock for instructing init to reboot
2) A lock for waiting on properties
3) A lock for queueing new properties
4) A lock for any actions with ServiceList or any Services, enforced
through thread annotations, particularly since this code was not
designed with the intention of being multi-threaded.
Bug: 146877356
Bug: 148236233
Test: boot
Test: kill hwservicemanager without deadlock
Merged-In: I84108e54217866205a48c45e8b59355012c32ea8
Change-Id: I84108e54217866205a48c45e8b59355012c32ea8
(cherry picked from commit 7205c62933)
Users of libinit_test_utils must include all libraries that it uses.
If it uses libinit, then there is a large number of libraries that
must be included. To avoid this, make libinit_test_utils only use
init_common_sources and the small number of required libraries that go
along with those sources. Additionally, expose these sources as a
default for users of libinit_test_utils.
Bug: 148236233
Test: build
Merged-In: I224fa7e0590d073e4cd40412b5dcb6f72a64b6bf
Change-Id: I224fa7e0590d073e4cd40412b5dcb6f72a64b6bf
(cherry picked from commit a2f9136b2c)
If init is wedged, then the write will never succeed and reboot won't
happen.
Also, in case of normal reboot, move call to PersistRebootReason to the
top of DoReboot() function, to make sure we persist it even if /data is
not mounted.
Test: builds
Test: adb shell svc power reboot userspace
Test: atest CtsUserspaceRebootHostSideTestCases
Bug: 148767783
Change-Id: I4ae40e1f6fdc41cc0bcae57020fa3d3385dda1b4
Merged-In: I4ae40e1f6fdc41cc0bcae57020fa3d3385dda1b4
If init is wedged, then the write will never succeed and reboot won't
happen.
Also, in case of normal reboot, move call to PersistRebootReason to the
top of DoReboot() function, to make sure we persist it even if /data is
not mounted.
Test: builds
Test: adb shell svc power reboot userspace
Test: atest CtsUserspaceRebootHostSideTestCases
Bug: 148767783
Change-Id: I4ae40e1f6fdc41cc0bcae57020fa3d3385dda1b4
The new exported DSU status removes the need to make blocking binder
calls out of system server during device boot.
Bug: 149790245
Bug: 149716497
Test: adb shell am start-activity \
-n com.android.dynsystem/com.android.dynsystem.VerificationActivity \
-a android.os.image.action.START_INSTALL \
-d file:///storage/emulated/0/Download/system.raw.gz \
--el KEY_SYSTEM_SIZE $(du -b system.raw|cut -f1) \
--el KEY_USERDATA_SIZE 8589934592
Change-Id: I27fae316214498407a73474ca8b93aec3518e4b5
Prevent appending ",adb" to persist.sys.usb.config if "none" is
explicitly defined in default prop.
Bug: 150130503
Test: persist.sys.usb.config initalized correctly
Change-Id: I3b5de6fd102e252019e843f39f0875f5aaea7486
Merged-In: I3b5de6fd102e252019e843f39f0875f5aaea7486
Prevent appending ",adb" to persist.sys.usb.config if "none" is
explicitly defined in default prop.
Bug: 150130503
Test: persist.sys.usb.config initalized correctly
Change-Id: I3b5de6fd102e252019e843f39f0875f5aaea7486
adb remount and snapshot-based updates use ImageManager in first-stage
init. This creates status files, which need to be labelled.
Bug: 148834619
Test: manual test
Change-Id: I72949fca2889f9e5612049844a78bf9355b48797
A previous change moved property_service into its own thread, since
there was otherwise a deadlock whenever a process called by init would
try to set a property. This new thread, however, would send a message
via a blocking socket to init for each property that it received,
since init may need to take action depending on which property it is.
Unfortunately, this means that the deadlock is still possible, the
only difference is the socket's buffer must be filled before init deadlocks.
There are possible partial solutions here: the socket's buffer may be
increased or property_service may only send messages for the
properties that init will take action on, however all of these
solutions still lead to eventual deadlock. The only complete solution
is to handle these messages asynchronously.
This change, therefore, adds the following:
1) A lock for instructing init to reboot
2) A lock for waiting on properties
3) A lock for queueing new properties
4) A lock for any actions with ServiceList or any Services, enforced
through thread annotations, particularly since this code was not
designed with the intention of being multi-threaded.
Bug: 146877356
Bug: 148236233
Test: boot
Test: kill hwservicemanager without deadlock
Change-Id: I84108e54217866205a48c45e8b59355012c32ea8
Users of libinit_test_utils must include all libraries that it uses.
If it uses libinit, then there is a large number of libraries that
must be included. To avoid this, make libinit_test_utils only use
init_common_sources and the small number of required libraries that go
along with those sources. Additionally, expose these sources as a
default for users of libinit_test_utils.
Test: build
Change-Id: I224fa7e0590d073e4cd40412b5dcb6f72a64b6bf
Helps with support of recovery and rollback boot reason history, by
also using /metadata/bootstat/persist.sys.boot.reason to file the
reboot reason.
Test: manual
Bug: 129007837
Change-Id: Id1d21c404067414847bef14a0c43f70cafe1a3e2
Those keys will be used for key revocation check by DSU installation
service. Note that failing to copy those keys to /metadata is NOT fatal,
because it is auxiliary to perform public key matching prior to booting
into DSU images on next boot. The actual key matching will still be done
on next DSU boot.
Bug: 146910547
Test: boot device, checks the avb keys are copied to /metadata/gsi/dsu/avb/.
Change-Id: I25a4eba82e84288bac7a859205c920628a063651
These can be AIDL or HIDL interfaces. Avoiding assuming the format here.
Bug: 141008902
Test: vts_ibase_test
Change-Id: If60367e3a46c74a1d28548379655f5e211f58b73
Instead they will be logged from system_server. This CL just prepares
grounds for logging CL to land.
Test: adb reboot userspace
Bug: 148767783
Change-Id: Ie9482ef735344ecfb0de8a37785d314a3c0417ff
fmtlib provides compile time checking of format strings that we're not
currently using. This change makes Errorf() and ErrnoErrorf() into
macros such that we can take advantage of this capability.
Test: build successfully normally
Test: fail the build if using an invalid format string
Change-Id: Icb8ba8cb973bbd1fa4755a62e7598bdbb0113757
Avb keys used to verify a partition are stored in the first-stage
ramdisk. However, after /system is mounted, init will chroot into it.
This makes those keys inaccessible for later mounts, e.g., /vendor or
/product.
This change retains avb keys by reading all of them before chroot
into /system.
Note that it is intentional to perform public matching for both
preload_avb_key_blobs and fstab_entry.avb_keys in libfs_avb.
As some keys might only be availble before init chroots into /system,
e.g., /avb/key1 in the first-stage ramdisk, while other keys might
only be available after the chroot, e.g., /system/etc/avb/key2.
Bug: 147585411
Test: specify avb_keys for a partition and checks the keys are preloaded
Test: atest libfs_avb_test
Test: atest libfs_avb_internal_test
Change-Id: I6bd490c4215480db2937cdfc3fea0d616e224a91
These operators were included because they're present in the draft
standard proposal of std::expected, but they were deemed to lead to
bugs, particularly when T is implicitly convertible to bool.
Change-Id: Ib149decf1f230198f358dc1ae0eaed71961363f6
Test: m
We currently do not handle process actions (restarting services or
exiting timedout services) when we are waiting for an exec service,
but this seems to be the wrong behavior. Particularly, an exec
service may depend on a previously started service and if that service
crashes, we will deadlock unless init restarts it.
Bug: 146920034
Test: build, boot
Change-Id: Id2fc936b8a7b989862ba4c32c398a544941e0e76
Currently, this is only enabled for Virtual A/B devices. When /data uses
F2FS, then proper pinning support must be enabled.
Because /data cannot be mounted in recovery, we can't delete the scratch
image backed by /data while in fastbootd. Instead, we mark it as
disabled in /metadata. The remount command now has an init script that
checks for and removes a disabled scratch partition.
Bug: 134949511
Test: adb remount on V A/B device with patched F2FS
Change-Id: Ifc8720378259654472d3822e97059b6c366f601d
Also reset some more properties to make bootanimation work properly.
Test: adb reboot userspace
Bug: 148172262
Change-Id: I0154d4fe9377c019150f5b1a709c406925db584d
mkdir always returns -1 for any types of errors.
errno should be checked for actual error type.
Test: m
Change-Id: I1b56d48ba48992a2f9629dc09d795c277b5b774d
This gives search (x) permission on the parent apex data
directory /data/misc/apexdata so that directories below it
may be opened. It also gives that permission on the apex
data directories themselves.
Bug: 147848983
Test: Build & flash, check perms are correct
Change-Id: I27c4ea01602002c89d0771a144265e3879d9041a
Historically, the syscall was controlled by a system-wide
perf_event_paranoid sysctl, which is not flexible enough to allow only
specific processes to use the syscall. However, SELinux support for the
syscall has been upstreamed recently[1] (and is being backported to
Android R release common kernels).
[1] da97e18458
As the presence of these hooks is not guaranteed on all Android R
platforms (since we support upgrades while keeping an older kernel), we
need to test for the feature dynamically. The LSM hooks themselves have
no way of being detected directly, so we instead test for their effects,
so we perform several syscalls, and look for a specific success/failure
combination, corresponding to the platform's SELinux policy.
If hooks are detected, perf_event_paranoid is set to -1 (unrestricted),
as the SELinux policy is then sufficient to control access.
This is done within init for several reasons:
* CAP_SYS_ADMIN side-steps perf_event_paranoid, so the tests can be done
if non-root users aren't allowed to use the syscall (the default).
* init is already the setter of the paranoid value (see init.rc), which
is also a privileged operation.
* the test itself is simple (couple of syscalls), so having a dedicated
test binary/domain felt excessive.
I decided to go through a new sysprop (set by a builtin test in
second-stage init), and keeping the actuation in init.rc. We can change
it to an immediate write to the paranoid value if a use-case comes up
that requires the decision to be made earlier in the init sequence.
Bug: 137092007
Change-Id: Ib13a31fee896f17a28910d993df57168a83a4b3d
In case one of the cryptfs calls to vdc fails, first try a normal
reboot.
Test: manual
Bug: 135984674
Bug: 143970043
Change-Id: I5706d9cd6c3a08fa06329ffb7d141de632620e3d
Scoped storage has some unique requirements that are hard to implement
with the two mount namespaces, because the daemon that does the mounting
(vold) lives in a different namespace than the processes using those
mounts.
In particular, /mnt/installer is a special bind mount that should
receive mount events under /mnt/user, but at the same time only
only propagate mount events under /mnt/installer to /mnt/installer in
the other namespace. More details in the code.
Bug: 134706060
Test: /mnt/installer shows up and is setup correctly.
Change-Id: I6dab5ace5a345d9d684a9f1ae94c833fc294d49e
* Open the ImageManager according to the saved DSU slot.
* Load the saved install_dir when it presents. This is required
when installing to an external storage and the current code
seems to break it.
* Remove an unnecessary C++ using.
Test: gsi_tool install
Bug: 144247097
Change-Id: I5b7be25787f235518a25abacefa612c33861f6ef
While handling the fatal signals and abort, exits from the signal
handler to panic the system if "androidboot.init_fatal_panic" in cmdline
is configured as "true".
Bug: 146818493
Change-Id: I59fffb7598ce981383ae24961a97fd2fd8e8d64e
Commit Ida1a6da988c10d364b3ccdaa6c5d63e5264d1b27 allows specifying
AVB-related partitions to be probed in first-state mount, e.g.,
"avb=vbmeta_system" in the fs_mgr_flags will make init wait uevents
for vbmeta_system partition, which is required for AVB verification.
However, when specifying "avb=dtbo" to chain a /dtbo partition, first-stage
init will emit the following error as it assumes all partitions are
verified by Hashtree descriptors.
init: [libfs_avb]Hashtree descriptor not found: dtbo
This change fixes this by skipping raw partitions for first-stage mounting,
where raw partitions should already be verified by bootloader with Hash
descriptors. Although first-stage init does not perform Hash verification,
it still reads all Hash/Hashtree descriptors to calculate then compare
the "VBMeta Digest" passed from bootloader.
https://android.googlesource.com/platform/external/avb/#The-VBMeta-Digest
The following is an example of a fstab entry to chain /dtbo partition:
/dev/block/bootdevice/by-name/dtbo /dtbo emmc defaults slotselect,avb=dtbo,first_stage_mount
Bug: 146935233
Test: enable /dtbo as a chain partition, then boot the device
Change-Id: I590f1d9b78ef89b5aef21cb7bf19fdb90b27f808
Marks this CTS test module as supporting secondary_user, meaning that
the tests are eligible to be run from a regular Android user other
than the system user (i.e. other than user 0).
Note that 'user' here refers to the concept of users in Android
Multiuser; it is NOT the same as a uid.
Bug: 141773058
Test: module passed with secondary_user params
(--enable-optional-parameterization --module-parameter secondary_user)
Change-Id: Ic8d29cabe2542d75c8f873b677550db9f11b3050
The apex data directories must be accessed by apexd in order for it to
perform snapshot and restore as part of the rollback process. As apexd
runs as root, this CL changes the apex data directories under /data/misc
to be owned by root.
Bug: 141148175
Test: Build and flash; check permissions are set correctly.
Change-Id: Ib534e705802c06900884a15f39fee257d4987f4c
When BCB (bootloader message structure inside of misc partition) is
malformed (contains some non-printable characters in its fields),
"reboot recovery" command won't be able to write required string to
"command" field. It can happen for example when partition table was
created anew and 'misc' partition area contains some garbage. Also this
behavior can be emulated with this command:
$ fastboot erase misc
which leads to 'misc' partition to be filled with 0xFF characters. Hence
this code:
if (boot.command[0] == '\0') {
won't let us to set new string to "command" field. Let's check if
"command" field is malformed and fix it, before actually checking for
previously set content.
"fastboot erase" shouldn't be used for testing purposes though, as it
doesn't work sometimes due to alignment, on bootloader side:
Erasing blocks 6144 to 6144 due to alignment
........ erased 0 bytes from 'misc'
Instead one might use "dd" command to fill 'misc' with 0xFF's:
$ dd if=/dev/zero ibs=2k count=1 | tr "\000" "\377" >misc.img
$ fastboot flash misc misc.img
Test: Fill 'misc' partition with 0xFF's, then do "adb reboot recovery"
Change-Id: Ica8ca31012b9b2249645e7305830c07a20dd013c
Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org>
Current linkerconfig targets for specific output file. However,
linkerconfig will generate more than 1 file based on APEX modules, so it
should take argument for target directory rather than target file. This
change updates linkerconfig's argument to point output directory.
Bug: 146993126
Test: m -j passed & Cuttlefish succeeded to boot
Change-Id: I3a720a047077688582436aabd307adafeafc5398
Since I was there, added two more properties to reset, and switched
ordering of sys.init.updatable_crashing and
sys.init.updatable_crashing_process_name setprops to make sure that
process name is already set when apexd/PackageWatchdog get's notified
about sys.init.updatable_crashing.
Also fixed a typo in what HandleUserspaceReboot function.
Test: adb reboot userspace
Bug: 135984674
Change-Id: I954ec49aae0734cda1bd833ad68f386ecd808f73
There are two namespaces from init - bootstrap and default - and those
will have different set of APEX modules. To support difference between
two namespaces, linker config should be generated per namespace and each
namespace should use its own linker configuration. As a first step of
the work, this change will create different mount point for each
namespace, and re-generate linker config after APEX mount from each
namespaces.
Bug: 144664390
Test: m -j passed & tested from cuttlefish
Change-Id: Iac2e222376ec4b0ced6c29eed18b21d39ff0b1ba
The first_stage_mount code for DSUs predates both the DSU name and the
ImageManager abstraction. Move this code to ImageManager, so it can be
shared with overlayfs/scratch handling. And while we're here, rename GSI
to DSU for clarity.
Bug: 134949511
Test: dsu works
Change-Id: I9ef374bccc6cdbe2ada88baef4e7c0bc81b1e85e
When bind-mounting flattened APEX, use the apex name found in
apex_manifest.pb as the mount point, instead of the directory name which
might be different from apex name in case when the apex is overridden.
This allowed us to remove the special casing for the ART apex since we
/system/apex/com.android.art.release will be mounted to
/apex/com.android.art instead of /apex/com.android.art.release.
Bug: N/A
Test: m
Test: OVERRIDE_TARGET_FLATTEN_APEX=true m, device is bootable
Change-Id: Ibdde7002b9078db390e6672b0eb82c474925451d
The previous code would lazily check for 'exact' and accept any other
value as a prefix match. This should be a tighter check allowing only
'exact', 'prefix', or an empty string for this option.
Test: build fails if an invalid string is used for the match operation
Test: build succeeds normally
Test: `getprop -Z` shows exact vs prefix is differentiated correctly
Change-Id: I21dcb193810d65f468f8960967eabfd261f71e21
