This patch translates UpdateState states into a MergeStatus from
IBootControl 1.1, and asks the HAL to store it. Unfortunately this patch
has to work around a few issues.
The first issue is that Soong doesn't allow including only the headers
from a HAL. The second issue is that entraining the headers requires
linking to libraries that would otherwise not be needed in init.
To address this, we now have three ways of linking to libsnapshot:
1. libsnapshot - Has access to gsid and HALs.
2. libsnapshot_nobinder - Has access to HALs, but not binder (for
recovery).
3. libsnapshot_init - Does not use binder or HALs.
The HAL code is #ifdef'd behind LIBSNAPSHOT_USE_HAL and we make use of
forward declarations and dependency injection to minimize its spread.
Bug: 139154945
Test: libsnapshot_test gtest
Change-Id: I21ffd8a79a43d0589f2f71f346ac1b019584a183
Especially now that property_service is a thread, there may be some
delay between when init sets sys.powerctl and when the main thread of
init receives this and triggers shutdown. It's possible that
outstanding init commands are run during this gap and that is not
desirable.
Instead, have builtins call TriggerShutdown() directly, so we can be
sure that the next action that init runs will be to shutdown the
device.
Test: reboot works
Test: reboot into recovery due to bad /data works
Change-Id: I26fb9f4f57f46c7451b8b58187138cfedd6fd9eb
This should help in preventing silly typos like "on foo:"
Test: atest CtsInitTestCases
Test: builds
Bug: 135984674
Change-Id: I6e4e18970e957d25dea9f557f0d31a759fbe6150
* Refactored code around stopping services a little bit to reuse it
between full reboot and userspace reboot.
* Add a scope_guard to fallback to full reboot in case userspace reboot
fails.
* In case of userspace reboot init will also wait for services to be
terminated/killed and log the ones that didn't react to
SIGTERM/SIGKILL in time.
* If some of the services didn't react to SIGKILL, fail userspace reboot.
Test: adb reboot userspace
Bug: 135984674
Change-Id: I820c7bc406169333b0f929f0eea028d8384eb2ac
This CL only draws boundaries between userspace and full reboots, and
adds some functionality that will be required for userspace reboot:
* Whenever device is shutting down is now controlled in reboot.cpp,
since during userspace reboot this state can change.
* Now it's also possible to restart handling of control messages inside
property service. In case of userspace reboot, init will restart it
after stopping post-data services.
* New userspace-reboot-requested trigger is added similar to shutdown
one for full reboot.
Test: adb reboot
Test: adb reboot userspace
Bug: 135984674
Change-Id: Id55a53ba781d2b90ce40449037b6d8d47e72c476
It wasn't clear to me why init was rebooting until I saw that it was
SIGABRT, which then made me read through earlier log spam to work out
what was actually unhappy (the SELinux compiler, in my case).
Test: worked out why init was rebooting my device
Change-Id: I605d8956213c4c23711073fd4b0ff99562b7f351
When I previously tried this in https://r.android.com/1108553 , it broke on
some targets but I think that may have been fixed. I'm trying it again now
to see if this now passes treehugger and sticks.
Note: There is still an indirect dependency via libfs_mgr.
Bug: 137267623
Test: Treehugger
Change-Id: I2d8b909e451bb64a1eb0719a145dfd74da1dcbad
This property will need to be reset during userspace reboot, so it can't
be a read-only property anymore.
Test: builds
Bug: 135984674
Change-Id: I4e079b537cb5c725ac0b652804fdc801a6facfcf
Also, add a "name" field to SnapshotStatus, and delete
the "name" arg from CreateSnapshot / WriteSnapshotStatus.
ReadSnapshotStatus will warn if the name mismatches from
the file name, and auto-correct it.
Test: libsnapshot_test
Change-Id: I725cf39c07684b100b140a8a21ea9d23ab9d2241
Commit I27dd391fc06a3c78e88a65c7931c84de1699f157 makes property_service
no longer load selinux property_contexts by function
selinux_android_prop_context_handle.
So we should load property_contexts from /system_ext as well in
property_service.cpp.
Bug: 137712473
Bug: 141871131
Test: `adb shell getprop -Z` to check system_ext_property_contexts is loaded
Change-Id: I49c5c725784c0d598062ae356be6226446f4942a
Support setting v2 encryption policies on init-created directories. The
policy version to set is gotten from a new field in
/data/unencrypted/mode, which is the file that's used to pass the
encryption options from vold to init.
Also don't bother falling back to defaults if fields are missing from
this file, since it's re-written on every boot by vold.
Bug: 140500999
Test: tested as series; see If64028d8580584b2c33c614cabd5d6b93657f608
Change-Id: Ia9c5d4b80199686799e3ac80de78a50ed3bdabf4
We want ashmem to only be used via libcutils API, with long-term goal
being deprecation of ashmem with memfd. To do that we route libcutils to
a new source of ashmem fds. We then phase out uses of /dev/ashmem that
doesn't go through libcutils using SELinux.
In Q, we introduced ashmemd as the source of ashmem fds to libcutils.
However, having a separate process and, consequently, binder hops to
handle /dev/ashmem results in performance/memory overhead.
To address the overhead, replace ashmemd with a duplicate of
/dev/ashmem. Name it /dev/ashmem<boot_id>, where boot_id is a random
number generated on each boot. This way we make sure that developers
don't accidentally depend on /dev/ashmem<boot_id>, as that name can't be
hardcoded.
Bug: 139855428
Test: writing "add"/"remove" to /sys/class/misc/ashmem/uevent correctly
adds/removes /dev/ashmem and /dev/ashmem/boot_id
Change-Id: I36d23116048bfcd99903ba46cc133161835a2cfa
Some services are not native android services and therefore don't log
via the normal mechanisms. This gives developers an option to have
their stdout/stderr logs sent directly to kmsg.
Test: see test prints to kernel log
Change-Id: I7973ea74d5cab3a90c2cd9a3d5de2266439d0c01
There are no uevent fils in these dirs, so there's no need to
traverse these dirs.
Test: manual
Change-Id: I57b82846ad863952d8717e6c3ab80c1e243ee4f8
Signed-off-by: lijiazi <lijiazi@xiaomi.com>
Currently system sepolicy can be extended via:
- BOARD_PLAT_PUBLIC_SEPOLICY_DIR
- BOARD_PLAT_PRIVATE_SEPOLICY_DIR
To support having a single shared core system sepolicy, those
customization should be moved to the newly added system_ext partition.
System-ext-specific sepolicy files will be installed into
/system_ext/etc/selinux/*. system_ext_sepolicy.cil is merged into
precompiled_sepolicy at build-time. In case precompiled_sepolicy can't
be used (e.g. system-only-ota), the init will merge this file with
the rest of the sepolicy at runtime.
Bug: 137712473
Test: boot aosp_crosshatch with system_ext_sepolicy.cil
Test: boot aosp_crosshatch without system_ext_sepolicy.cil
Change-Id: Ib37622271b559d65462de99ff424be831004508a
There might be partitions like product or system_ext in addition
to the system partition. Those partitions can contain dependencies
required by the system so we need to make the init to recognize
these partitions and mount them accordingly.
Bug: 140092208
Test: gsi_tool install & reboot
Change-Id: Ie5ef063292c3656e79cce9f887f23a8faa1ba2be
There is a race condition with Service::Start and socket creation.
Since socket creation currently happens after the fork(), it's
possible that init can continue executing other commands before the
socket is created. If init starts another service that relies on that
socket, it isn't guaranteed to be available.
Particularly, we've seen this with hwservicemanager starting after
logd, but hwservicemanager's logs sometimes not showing up.
Bug: 140810300
Test: boot and logging functions correctly
Change-Id: Ib2932e836d345830cd38f3b556598508fd953058
All of the logic in reboot.cpp is meant to safely shutdown services,
safely unmount emulated RW file systems, then finally unmount the
remaining RW file systems, particularly /data. If /data hasn't been
mounted, then none of this logic is required.
Running this logic caused a lock up when shutting down blueline from
early-init. Vold, or potentially a related HAL, locked up during the
ShutdownVold() calls. debuggerd separately locked up in the watchdog
thread.
Therefore, this change immediately reboots if /data is not mounted.
It also removes the lines to call into debuggerd. debuggerd will not
run due to SELinux in any case, so it can only be used when hands-on
debugging a device.
Bug: 141082587
Test: shutdown with /data mounted continues as normal
Test: shutdown from early-init immediately shuts the device down
Change-Id: I79c72346b17c7dfe57e955d9739bcaf559badc14
This code is more generic than it needs to be and one of the side
effects is that an extra init process is forked for odm_init, despite
it having the same context as vendor_init. I don't think anything is
going to change regarding that soon, so this change stops forking that
extra process to save its memory and simplifies the code overall.
Bug: 141164879
Test: init still uses vendor_init for vendor_scripts
Test: init unit tests
Test: init only has one subcontext process
Change-Id: I0d224455604a681711e32f89fb20132378f69060
Replace libcrypto with libcrypto_static, which can be protected through
visibility to ensure only modules that don't affect FIPS certification
can use it.
Bug: 141248879
Test: m checkbuild
Change-Id: I5f0b9acfb57f68570f6f58f2395f2bb1bc015365
When userdata is used to store COW devices, we need to ensure we've
generated uevents for it.
This patch also refactors FirstStageMount to pass required devices
through arguments rather than a member variable.
Bug: 140761481
Test: manual test
Change-Id: Ie5e1c9699f084da5467a758eea41c7907fecc5ca
Bug: 140882488
Test: Booted twice, checked logs to ensure encryption
is different each time, adb created files in directory.
Change-Id: I44f746acd1040f7baa9123d4824ba39b194f287b
This replaces the recently added `exec_reboot_on_failure` builtin, since
it'll be cleaner to extend service definitions than extending `exec`.
This is in line with what we decided when adding `exec_start` instead
of extending `exec` to add parameters for priority.
Test: `exec_start` a service with a reboot_on_failure option and watch
the system reboot appropriately when the service is not found and when
the service terminates with a non-zero exit code.
Change-Id: I332bf9839fa94840d159a810c4a6ba2522189d0b
init_first_stage is built in Make and statically links libcrypto,
so it needs to set LOCAL_INJECT_BSSL_HASH to make the FIPS self
test pass.
Bug: 137267623
Test: m checkbuild
Change-Id: Icd8ec07b731228a162db9a13d7304bf1d73127aa
Userspace may want to load a different firmware than the one that the
kernel requests in some cases, therefore this change adds the ability
to ueventd to run an external handler that will determine the name of
the file that should actually be loaded.
Bug: 138352500
Test: unit tests
Change-Id: Ic5da37268fd78109f83ae52d1b903bf7322a5ee5
