Multiple tests in CtsInitTestCases, e.g. RebootTest#StopServicesSIGKILL,
can trigger the following race condition:
* A service is started. This involves calling fork() and also to call
RunService() in the child process. RunService() calls setpgid().
* Service::Stop() is called and calls KillProcessGroup().
KillProcessGroup() calls kill(-pgid, SIGKILL) before the child process
has called setpgid(). pgid is the process ID of the child process. The
kill() call fails because setpgid() has not yet been called.
Fix this race condition by adding a setpgid() call in the parent process
and by waiting from the parent until the child has called setsid() if a
console is attached.
Bug: 213617178
Test: Cuttlefish + atest 'CtsInitTestCases'
Change-Id: I4c55790c2dcde8716b860aecd57708d51a081086
Signed-off-by: Bart Van Assche <bvanassche@google.com>
It is essential for correct operation of ReapAnyOutstandingChildren()
that ReapOneProcess() does not modify 'pid'. Make it easier to verify
for humans that ReapOneProcess() does not modify the 'pid' local
variable. Document the value of siginfo.si_signo with DCHECK_EQ()
statements.
Bug: 213617178
Change-Id: I14baaa7adbe5416b7f777f32fb76896f2ae27b4e
Signed-off-by: Bart Van Assche <bvanassche@google.com>
The newly logged information includes the pending signals bitmask (SigPnd).
That information allows to determine whether kill() did not deliver a
signal or whether SIGCHLD has not been processed in time. This patch is
expected to help with root-causing b/254878413.
Bug: 254878413
Change-Id: Id33d1fb724163f8e5d4b3edfeb6c4be5321c0d95
Signed-off-by: Bart Van Assche <bvanassche@google.com>
There are two bugs in HandleSignalFd():
* If the one_off argument is true and if no data is read from the
signalfd, 'siginfo' is left uninitialized and used in the switch
statement in HandleSignalFd().
* The PLOG() statement in the switch statement should be a LOG()
statement since it does not report a failed system call.
This CL has been tested by changing kDiagnosticTimeout locally from 10s
into 100ms.
Change-Id: I0e488dd95bc13e1befaef770c0748d1d47f6e431
Signed-off-by: Bart Van Assche <bvanassche@google.com>
This change prevents that a later CL will trigger the following warning:
parameter 'test_context' is passed by value and only copied once; consider
moving it to avoid unnecessary copies
Change-Id: If5837ee6438efdf194781de041779c1089897789
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Allow us to check if check_at_most_once is set for any partitions.
This property should be false for any device with a reasonable amount of
RAM and a modern CPU. Enabling check_at_most_once violates AVB best
practices, it should only be allowed on performance limited devices.
Bug: 253033920
Test: Ensure that avbHashtreeNotUsingSha1 CTS test still passes
and that partition.system.verified.check_at_most_once is set.
Change-Id: I8174adf81111cc0df547ea01f81b0dfaca32631f
Signed-off-by: Nathan Huckleberry <nhuck@google.com>
Prepare for introducing a second interprocess communication channel by
introducing the class InterprocessFifo. Stop using std::unique_ptr<> for
holding the pipe file descriptors. Handle EOF consistently.
Bug: 213617178
Change-Id: Ic0cf18d3d8ea61b8ee17e64de8a9df2736e26728
Signed-off-by: Bart Van Assche <bvanassche@google.com>
The documentation added by commit c9c0bbac53 ("init: Add task_profiles
init command") mentions that the task_profiles keyword sets process
attributes. Make the implementation of that keyword match the
documentation.
Change-Id: Ia080132f16bfc2488f8c25176d6aed37a2c42780
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Bring the host_init_stubs.h header file in sync with the
<android/api-level.h> header file.
Change-Id: I0d344b5f89f909e5315a0075773efd0b725a72a4
Signed-off-by: Bart Van Assche <bvanassche@google.com>
We are planning to remove cgroups from the Micrdroid kernel, since the
entire VM belongs exclusively to a single owner, and is in the control
of the cgroups on the host side.
This patch expoxes CgroupAvailable API from libprocessgroup, and changes
init to query the CgroupAvailable API before doing any
cgroups/task_profiles related work.
Bug: 239367015
Test: run MicrodroidDemoApp
Test: atest --test-mapping packages/modules/Virtualization:avf-presubmit
Change-Id: I82787141cd2a7f9309a4e9b24acbd92ca21c145b
Change the type of 'handler' from std::shared_ptr<Handler> into Handler.
This change is safe since a previous CL moved the handler calls from the
Epoll::Wait() caller into Epoll::Wait() itself.
Bug: 213617178
Change-Id: Ife79e6863536b96ee4bb3cd778f6b0b164a95fed
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Invoke the callback functions from inside Epoll::Wait() instead of
returning a vector with pointers to callback functions. Remove handlers
after handler invocation finished to prevent that self-removal triggers
a use-after-free.
The CL that made Epoll::Wait() return a vector is available at
https://android-review.googlesource.com/c/platform/system/core/+/1112042.
Bug: 213617178
Change-Id: I52c6ade5746a911510746f83802684f2d9cfb429
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Make it easier to verify for humans that all data structure members are
initialized. No functionality is changed.
Bug: 213617178
Change-Id: I1ce2af566dba51f2032f2e7518576a67e666d12e
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Change the type of epoll_timeout from
std::optional<std::chrono:milliseconds> into std::chrono::milliseconds.
No functionality is changed.
Bug: 213617178
Change-Id: Ieb150e0aeabdb79c8da4649875ea3ed59297343b
Signed-off-by: Bart Van Assche <bvanassche@google.com>
If UnregisterHandler() is called from inside a handler for an event that
has not yet been processed then that will result in a use-after-free.
Fix this by passing file descriptors to epoll_ctl() instead of pointers
to map elements.
Bug: 213617178
Change-Id: Ie62e3a299af964271ec24cd8fc2e794042b77ee6
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Prepare for optimizing Epoll::Wait() by moving the
ReapAnyOutstandingChildren() call into Epoll::Wait(). No functionality
is changed.
Bug: 213617178
Change-Id: I280ea0069ed29cf323e4177ec500b30b900f7c8d
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Add a move constructor in the CatchDtor class. Check the .emplace()
result. Simplify the destructor. Initialize handler_invoked. Explain the
purpose of this test.
Bug: 213617178
Change-Id: I4d6f97dbb2705a2f2dd78e449ae8de74e90b102f
Signed-off-by: Bart Van Assche <bvanassche@google.com>
The new sequence of operation would be:
1: Load sepolicy - Daemon will continue to be alive and serve any I/O request
2: After sepolicy loading is complete - Switch the device-mapper tables.
3: Kill the block device daemon launched in the first-stage init.
4: Re-launch the daemon with the correct selinux labels set.
5: Enforce the sepolicy
Bug: 240321741
Test: Full OTA on pixel
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: Idd392f0f0aae7d93e546c0ec0762e6c07b6263e4
Thermal shutdown could be due to tskin temperature or
battery temperature. Pass reason while rebooting the
system to reflect properly in boot.reason
Bug: 238464124
Test: Build and boot on device. Check reboot reason
for thermal shutdown and battery thermal shutdown with
thermal warmreset enabled.
Change-Id: I192562fed48ae7da7843e383362cd22a76ce479f
This variable is always false or empty now, so clean up remaining
references of the variable.
Bug: 241346584
Test: Presubmit
Change-Id: Id5c37a1391239206477fd802d364a2678692f513
Added SPDX-license-identifier-Apache-2.0 to:
init/fuzzer/Android.bp
Bug: 68860345
Bug: 151177513
Bug: 151953481
Test: m all
Change-Id: I2db55c80799d0a8fc5935d9b07a2ddb17eb7235e
This is to resolve idiosyncracies with test packaging.
Bug: 244284630
Test: ldd -d -r CtsInitTestCases
Change-Id: Iec2c14c3ca5cd359b79d9e1f12e689c0eeffb122
Review note: Original change was a p-o-c by agl in
https://r.android.com/2094350 which I think is actually
production quality. I'm just taking it over so that he doesn't
get spammed by any review comments as that's not a good use
of his time.
Needed for the hardware entropy daemon (see bug).
Original commit message:
If one needs to create a service that synchronously starts listening on
a socket then there are currently no good options.
The traditional UNIX solution is to have the service create the socket
and then daemonise. In this situation, init could start the service with
`exec_start` and yet not block forever because the service forks and
exits. However, when the initial child process exits, init kills the
daemon process:
> init: Killed 1 additional processes from a oneshot process group for
> service 'foo'. This is new behavior, previously child processes
> would not be killed in this case.
Next, there is a `socket` option for services and (although the
documentation didn't nail this down), the socket is created
synchronously by `start`. However, init doesn't call `listen` on the
socket so, until the service starts listening on the socket itself,
clients will get ECONNREFUSED.
This this change adds a `+listen` option, similar to `+passcred` which
allows a socket service to reliably handle connections.
Bug: 243933553
Test: Started prng_seeder from init using the new listen flag
Change-Id: I91b3b2b1fd38cc3d96e19e92b76c8e95788191d5
Services created during new tests weren't properly cleaned up after tests. It caused slowdown of subsequent tests as described in b/244486404.
This change kills/terminates services after test with apex services.
To provide some context, original change is at https://android-review.googlesource.com/q/topic:vapex_stop_service. The issue was discovered by android test monitor and filed as a P0 bug.
Bug: 244486404
Change-Id: Ie64e0eb1686e94ef543a457ea49d1d7aeab38c97
extra_free_kbytes.sh accepts a parameter representing the number of KB
to add to low and high watermarks. It adds this margin to the current
watermark levels, however this is not how /proc/sys/vm/extra_free_kbytes
knob that it replaces used to work. The old knob would add the margin
relative to the original and not the current level of the watermarks.
Change extra_free_kbytes.sh to add the specified margin to the original
watermark levels to act as correct replacement of the old knob.
Bug: 242837506
Fixes: 642048d969 ("init: Add extra_free_kbytes.sh script to adjust watermark_scale_factor")
Test: repeatedly run 'setprop sys.sysctl.extra_free_kbytes 30375'
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I8af603ba00bd4fb8182b80b3c0969fa96cdd7311
Added SPDX-license-identifier-Apache-2.0 to:
init/test_upgrade_mte/Android.bp
Bug: 68860345
Bug: 151177513
Bug: 151953481
Test: m all
Change-Id: I77b956ed672a2f171b78ab1e7bfddc09bd0dc158
The /dev/selinux folder is normally created by first-stage-init
https://cs.android.com/android/platform/superproject/+/master:system/core/init/first_stage_init.cpp;l=299-300;drc=07c86bace1e7a7cc4dd975f10b077d21c3743749
However, in some cases the first-stage-init comes from a GKI prebuilt
boot.img and doess not create the required folder (see for example
b/217677967), resulting in bugs like b/244793900.
I modified the selinux.cpp code to create the /dev/selinux folder if it
does not exist already, as a safety measure.
To verify these changes for b/244793900, follow gpaste/4922166775644160
Bug: 243923977
Test: atest SeamendcHostTest, manual verification
Change-Id: I8fe798643b1aeab2b4caac837055348febf70b94
