This now combines all the "libsparse" libraries into the same soong
target. A minor side-effect of this change is that the libsparse
static library depends on the libz shared library instead of the libz
static library. This minor change has no effect since targets using
the static libsparse library need to explicitly include either the
static libz or the shared one.
Bug: 34220783
Change-Id: I8f41586cf4c3336791cfa57ab4f5ae59a76d7ffa
SoC vendors and ODMs need a way to run different init scripts under
different boot modes. This patch adds a new ro.boot.init_rc kernel
cmdline argument to support this.
This patch also changes late-init trigger. Now late-init is only
triggered in "normal" boot (where boot mode is not specified). This is
to make AOSP init.rc re-usable in other boot modes as the operations
in late-init are less common.
Bug: 26639863
Test: Tested on bullhead with
androidboot.init_rc = {non-existent .rc file}
and/or
androidboot.init_rc = {none empty string}
both of which lead to expected boot failures.
Boot succeeds if androidboot.init_rc is not specified.
Change-Id: Ie5f08c3914f2f825ad3c401fde6741459668c523
Since splitting tracefs out from debugfs, we now need to set the
attributes explicitly on tracing folder.
Test: Run adb shell atrace -c -b 16000 -t 5 gfx
Bug: 34197733
Change-Id: If2a962332b6d1ec227e289bdf952213756e26186
Everything should be using the functionfs interface instead by now.
Bug: http://b/34228376
Test: grepping for f_adb, android_adb in source tree
Test: m
Change-Id: I6bc41049c49a867499832588dac8ed108c636c11
This allows a remount to be performed on partitions which have been
verified at boot, without causing the verity service to complain of
"corrupted" blocks that could have been modified as a result of a
remount (while the verity checksum remained unchanged).
(cherry picked from commit dd78ae75ff)
Bug: 32638755
Test: Compile
Change-Id: I77cf7dd20ee5c5f5dac80f73f292e32583fe5906
Running dm-verity on heavily accessed partitions leads to performance
slowdowns, especially on low-RAM and slow-CPU devices.
This patch introduces a flag to allow an entire verified partition to be
read once at boot, to check for corruptions. If the reads are
successful, we can mount the partition as raw & read-only, and if not,
we can revert to mounting it as a verity partition, just like before.
Usage of this flag will entail a slowdown of time-to-boot, but should
lead to improvements in runtime performance.
(cherry picked from commit 34543c03e6)
Bug: 32433608
Test: Compile
Change-Id: I97717683a00ad6fa347e63b72b1a9bf1d2946315
- Drop forced (-f) e2fsck check when the product has
enabled new ext4 generation by setting TARGET_USES_MKE2FS.
- The new generation tool is supposed to give better stability,
thus justifying dropping -f.
- This should help reducing boot-up time as full check (-f) can
increase boot-up time significantly depending on amount of data.
bug: 32246772
Test: many reboots
Change-Id: I631525bf7504bbfb025e170c8d24ad9d3ef3532e
Test: Ran script to test performance - https://b.corp.google.com/issues/32313202#comment3
Saw no significant regression with this change on or off
Removed chroot from SYSCALLS.TXT - chroot blocked
Boot time appears reasonable
Device boots with no SECCOMP blockings
Measured per syscall time of 100ns
Empirically counted <100,000 syscalls a second under heavy load
Bug: 32313202
Change-Id: Icfcfbcb72b2de1b38f1ad6a82e8ece3bd1c9e7ec
Change tzdatacheck to account for bundle format changes:
The update bundle now contains a bundle_version file to enable
us to detect changes to the format of the files in addition to
just checking the IANA rules version. The version will be
incremented as we make incompatible changes to the structure
of the bundle (e.g. the files present or their names), the
file formats or the file contents.
The old assumption was that a system image would typically
contain newer rules than had been pushed via ConfigUpdater
and we'd never get rid of the tzdata file from the bundle
content.
If Android makes rule updates routinely or makes substantial
changes to the timezone data files between major releases
then this assumption becomes (even more) untenable.
The bundle_version file in the bundle is expected to contain
the ASCII bytes for "001". This could be extended
in a future version to include minor versioning information
(e.g. "002.001") and so the code here only reads the first
three bytes. This allows for a future change to add the minor
version suffix and optionally increment the major version if
required.
Some error conditions that were previously treated as fatal
are now handled more elegantly. Generally if things are not
as expected with the installed bundle in /data tzdatacheck
will attempt to delete it. The return code of the binary is
used to distinguish between failure cases, which will be
used in a future automated test.
Some of the ConfigUpdater deletion code has been temporarily
retained (with a TODO) so the v2 of the installer code can be
used with ConfigUpdater/ConfigInstaller and keep something
like the existing process working until we have replaced it
with some thing better.
Using the v2 installer code with ConfigInstaller is one
possible fallback if the new distribution approach is not
completed in time.
Bug: 31008728
Test: Manual testing
Change-Id: Ib253f7d4c9cd72d3e392754f4b787a98ec22bc53
Deal with recovering after transitory failures surrounding logd
crash or recovery. Improve the chances that the logging functions
can work in a signal handler, not officially supported, but making
sure logging is not blamed for system lockups when misused.
Reorder gTests so that setuid(AID_SYSTEM) is performed after
liblog.enoent test, and that this occurs after other tests that
like to see buffers with content in them as we stop logd.
Test: gTest liblog-unit-tests --gtest_filter=liblog.enoent
Bug: 33755074
Change-Id: I66f88599534614b7b61da6b2ae5fe099ebaced3a
This helps to avoid tearDownInterfaces call from WiFiStateMachine's
constructor.
Bug: 33752168
Test: on device
(cherry picked from commit 0db195d0757e36c73b9da5a95d9b9986386f0f2e)
Change-Id: I55f56dd8daa5089073ff8dd424e92d09326c7d00
Some tests use hard-coded offsets to interpret the binary
events buffers. Switch to using the private event structures
to access the components of common event messages.
Test: gTest liblog-unit-tests
Bug: 33755074
Change-Id: I17447814583099d5ec417a54389e962158456005
We used to write the command file (/cache/recovery/command) to trigger
the sideload mode. A/B devices don't support that (may not have /cache
paritition). This CL switches to using libbootloader_message which
writes the command to BCB (bootloader control block) instead.
Test: "adb root && adb reboot sideload" reboots sailfish into recovery
sideload mode.
Change-Id: I158fd7cbcfa9a5d0609f1f684a2d03675217628f
Bug: 33746484
Test: Successfully boot with original service and property contexts.
Test: Successfully boot with split serivce and property contexts.
Test: 'getprop -Z'
Change-Id: I62689b229a67e319c65bf034da804f660f82bd35
Signed-off-by: Sandeep Patil <sspatil@google.com>
Processing overhead for selinux violation messages is costly. We want
to deal with bursts of violations, but we have no intent of allowing
that sustained burst to go unabated as there is a cost of processing
and battery usage.
Tunables in libaudit.h are:
AUDIT_RATE_LIMIT_DEFAULT 20 /* acceptable burst rate */
AUDIT_RATE_LIMIT_BURST_DURATION 10 /* number of seconds of burst */
AUDIT_RATE_LIMIT_MAX 5 /* acceptable sustained rate */
Since we can only asymptotically handle DEFAULT rate, we set an upper
threshold of half way between the MAX and DEFAULT rate.
Default kernel audit subsystem message rate is set to 20 a second.
If sepolicy exceeds 125 violation messages over up to ten seconds
(>=~12/s), tell kernel audit subsystem to drop the rate to 5 messages
a second. If rate drops below 50 messages over the past ten seconds
(<5/s), tell kernel it is ok to increase the burst rate back to 20
messages a second.
Test: gTest logd-unit-tests --gtest_filter=logd.sepolicy_rate_limiter_*
Bug: 27878170
Change-Id: I843f8dcfbb3ecfbbe94a4865ea332c858e3be7f2
The property service uses an SELinux userspace check to determine if a
process is allowed to set a property. If the security check fails, a
userspace SELinux denial is generated. Currently, these denials are only
sent to dmesg.
Instead of sending these denials to dmesg, send it to the kernel audit
system. This will cause these userspace denials to be treated similarly
to kernel generated denials (eg, logd will pick them up and process
them). This will ensure that denials generated by the property service
will show up in logcat / dmesg / event log.
After this patch, running "setprop asdf asdf" from the unprivileged adb
shell user will result in the following audit message:
type=1107 audit(39582851.013:48): pid=1 uid=0 auid=4294967295
ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for
property=asdf pid=5537 uid=2000 gid=2000 scontext=u:r:shell:s0
tcontext=u:object_r:default_prop:s0 tclass=property_service'
Test: manual
Bug: 27878170
Change-Id: I0b8994888653501f2f315eaa63d9e2ba32d851ef
toybox has a #define noreturn that trips over this.
Also move `format` out of the way, just in case.
Bug: https://github.com/android-ndk/ndk/issues/271
Test: builds
Change-Id: Ib8811136b4b422ff74625509539a5464a3c9af18
Commit 9596d2b95d changes how
availability of console is checked by only checking access bits for
the console device. However, in cases where there is no console it
defaults to /dev/console. This device is always enumerated by tty
driver (i.e. file and access bits may be correct), but it doesn't
always map to an underlying console driver. Because the lookup for the
underlying console driver happens during the open system call, checking
only the access bits is not sufficient and need to make sure open
system call is successful, we can safely close the FD afterwards to
avoid FD leaks.
Test: boot device and check console svc doesn't continuously restart
Bug: 33691649
Change-Id: Ia51a8a2f56c345b70db55e95f61a057a98b52895
