Commit graph

4254 commits

Author SHA1 Message Date
Jooyung Han
deff223842 Merge "Revert "Use /bootstrap-apex for bootstrap APEXes"" into main 2023-08-01 10:44:45 +00:00
Yi-Yo Chiang
b8c23259b1 init: Unify duplicated get_android_dt_dir with libfs_mgr
init and libfs_mgr both define get_android_dt_dir() with subtle
differences. Merge the two implementations into libfs_mgr to reduce code
duplication (in terms of source code and code gen)

Note:
init's implementation checks the kernel cmdline first and then the
kernel bootconfig, while libfs_mgr's order is the opposite.
Realistically I don't think this order matters much though. If any, we
should prioritize bootconfig over kernel cmdline most of the time.

Bug: 293695109
Test: Presubmit
Merged-In: Ic8d2c965c62f9e873ccdaf77d67c7708f25a7b56
Change-Id: Ic8d2c965c62f9e873ccdaf77d67c7708f25a7b56
2023-08-01 10:15:05 +00:00
Yi-Yo Chiang
f4b1d698b1 init: Unify duplicated get_android_dt_dir with libfs_mgr
init and libfs_mgr both define get_android_dt_dir() with subtle
differences. Merge the two implementations into libfs_mgr to reduce code
duplication (in terms of source code and code gen)

Note:
init's implementation checks the kernel cmdline first and then the
kernel bootconfig, while libfs_mgr's order is the opposite.
Realistically I don't think this order matters much though. If any, we
should prioritize bootconfig over kernel cmdline most of the time.

Bug: 293695109
Test: Presubmit
Change-Id: Ic8d2c965c62f9e873ccdaf77d67c7708f25a7b56
(cherry picked from https://android-review.googlesource.com/q/commit:d7c67b40a9b6a5e72d54adf37da22238381182f7)
Ignore-AOSP-First: Fix merge conflict
2023-08-01 09:27:25 +00:00
Jooyung Han
840691be71 Revert "Use /bootstrap-apex for bootstrap APEXes"
Revert submission 2666915-share-bootstrap

Reason for revert: b/293949266 vold_prepare_subdirs fails to create apexdata directories.

Reverted changes: /q/submissionid:2666915-share-bootstrap

Change-Id: I3e97e8511755844de4b54f51ff20afc154bd8e74
2023-08-01 09:06:47 +00:00
Jooyung Han
e2c091a772 Merge "Use /bootstrap-apex for bootstrap APEXes" into main am: 58ba0b44c2 am: 6b0c2c3cc6 am: 3249f9ff35 am: b47809dd10 am: dd90936be1
Original change: https://android-review.googlesource.com/c/platform/system/core/+/2666915

Change-Id: I4eec4f989dad5dff76ee77f9da429ed469e313f7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-08-01 01:18:27 +00:00
Jooyung Han
389348d0e1 Merge "init: move MarkServicesUpdate later" into main am: e90d93ab6e am: ae91cd0dd6 am: 83a2197c80 am: 85d9528574 am: 27288f97f1
Original change: https://android-review.googlesource.com/c/platform/system/core/+/2680615

Change-Id: If75033d40151025d8db4e18dca0183afdecd8915
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-08-01 01:18:06 +00:00
Jooyung Han
58ba0b44c2 Merge "Use /bootstrap-apex for bootstrap APEXes" into main 2023-07-31 21:53:57 +00:00
Jooyung Han
201801ce8e Use /bootstrap-apex for bootstrap APEXes
This new directory is bind-mounted to /apex in the bootstrap mount
namespace so that apexd-bootstrap mounts bootstrap APEXes there via
/apex.

The directory is detached from /apex in the default mount namespace but
still visible in case bootstrap APEXes are needed.

However, there are (mostly, virtual) devices which don't need two mount
namespaces. Those devices don't need to make /bootstrap-apex directory
at all.

Bug: 290148078
Test: atest VendorApexHostTestCases
Test: atest MicrodroidTests
Change-Id: I541cec71d9970b14971d46e01e4808b23590dbed
2023-07-31 18:16:46 +09:00
Jooyung Han
5ffd88f26f init: move MarkServicesUpdate later
MarkServicesUpdate() starts delayed services which are mostly for
APEXes. (e.g. start a service from APEX). But before
"DefaultNamespaceReady", services are started in "bootstrap" mount
namespace, which makes services from non-bootstrap APEXes fail to start.

This is a quick fix for the problem before coming up with better
solution in the future.

Bug: 293535323
Test: add 'start adbd' before 'perform_apex_config' in init.rc
      adbd starts successfully.
Change-Id: I846689f7c38cdca83c1f7faec0106b8174527e09
2023-07-28 17:28:27 +09:00
Yi-Yo Chiang
9859eed09a Merge "init_first_stage: Disable ThinLTO" into main am: 6b57c885d3 am: fe0b2355fc am: 6e6b357d4e am: 01d9118143 am: 2518f622ca
Original change: https://android-review.googlesource.com/c/platform/system/core/+/2667055

Change-Id: Ic88795fb5a907e7f47b75d7a75f761e94d1999fb
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-07-21 08:35:52 +00:00
Yi-Yo Chiang
6b57c885d3 Merge "init_first_stage: Disable ThinLTO" into main 2023-07-21 05:08:13 +00:00
Jakob Vukalović
58ce74c55d Merge "ueventd: Fix creation of VFIO dev nodes" into main am: 998c3b4fbe am: fcd6f0fb11 am: 1fae39537b am: a87a4a1c73 am: b4e0fbcef1
Original change: https://android-review.googlesource.com/c/platform/system/core/+/2664635

Change-Id: Ic2f51817a3f307b394e936f4cef7e702a076b042
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-07-20 12:24:37 +00:00
Yi-Yo Chiang
4d6fa8ccaf init_first_stage: Disable ThinLTO
Static executables + x86 target build + ThinLTO produces buggy behavior.
Global variables are not constructor initialized, resulting in faulty
runtime behavior.

Bug: 169004486
Bug: 291033685
Test: Treehugger
Change-Id: I777016cceb4851f2b432a37bc4d29aed56c23804
2023-07-20 18:47:16 +08:00
Treehugger Robot
11e2ebbc53 Merge "Listen on property_service_for_system socket for powerctl messages" into main 2023-07-19 22:18:07 +00:00
Jakob Vukalovic
e377432924 ueventd: Fix creation of VFIO dev nodes
VFIO nodes, both the container (`vfio`) node and group (numbered)
nodes, should be located in `/dev/vfio`. This change prevents
ueventd from flattening that structure.

Test: Bind a device to VFIO driver to create a VFIO group
Change-Id: I635e9febe6bb52718df263e735479f361eacad4c
2023-07-19 10:03:10 +01:00
Paul Lawrence
689adfad37 Listen on property_service_for_system socket for powerctl messages
It is easy to DoS the property_service socket, since it will wait for a
complete data packet from one command before moving on to the next one.

To prevent low privilege apps interfering with system and root apps,
add a second property_service socket that only they can use.

However, since writes to properties are not thread-safe, limit use of
this second socket to just sys.powerctl messages. These are the messages
that this security issue is concerned about, and they do not actually
write to the properties, rather they are acted upon immediately.

Bug: 262208935
Test: Builds, boots
Ignore-AOSP-First: Security fix
Change-Id: I32835de31bb42c91b6479051ddf4b26b5c0b163f
2023-07-18 08:48:52 -07:00
Eric Biggers
53ed745e3f init: avoid ERROR log due to missing SEPolicy.zip
One of the first ERROR messages in logcat of a normal boot of Cuttlefish
is from failure to open SEPolicy.zip.  This condition is expected.
Therefore don't try to load SEPolicy.zip when it doesn't exist.  This
replaces the following log messages:

0     0 I init    : Error: Apex SEPolicy failed signature check
0     0 I init    : Loading APEX Sepolicy from /system/etc/selinux/apex/SEPolicy.zip
0     0 E init    : Failed to open package /system/etc/selinux/apex/SEPolicy.zip: No such file or directory

... with just:

0     0 I init    : No APEX Sepolicy found

Change-Id: If3a77407c35130165df5782b9ef91912e8374dbf
2023-07-17 20:45:44 +00:00
Eric Biggers
53e35f410d init: remove unfinished fsverity signature support for APEX sepolicy am: 0b2c5cde1f
Original change: https://android-review.googlesource.com/c/platform/system/core/+/2647684

Change-Id: If2a1b17f033a7d53617db9826db8a51664241cb1
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-07-17 20:39:17 +00:00
Eric Biggers
42164ff920 Merge changes from topic "fsverity-init-cleanup" into main
* changes:
  init.rc: stop using fsverity_init --lock
  init: remove unfinished fsverity signature support for APEX sepolicy
2023-07-17 20:10:28 +00:00
Eric Biggers
ab74dbb197 init: simplify queue_fs_event()
Combine some cases that are handled identically, and remove the
'userdata_remount' parameter which is unused.  No change in behavior.

Test: presubmit
Change-Id: I0567e47d02942af7865c155dab76e6d0e9d71a1f
2023-07-10 17:58:36 +00:00
Nikita Ioffe
df0e96e962 Only allow debuggable Microdroid VMs to mount /vendor
Until the verification of the /vendor partition we restrict the usage of
the feature to only debuggable VMs. If a non-debuggable Microdroid VM
is requested to mount /vendor, first_stage_init will crash and the VM
won't boot.

Bug: 285855436
Test: vm run-microdroid --debug none --vendor test_vendor.img
Change-Id: I9d44ad5c1d971bac1a9173c291ce61b628f2f8e9
2023-07-07 14:46:23 +01:00
Nikita Ioffe
440354afa0 Support for conditionally mounting /vendor partition in Microdroid
first_stage_init will only mount the /vendor partition in Microdroid if
the androidboot.microdroid.mount_vendor=1 is provided in the kernel
cmdline.

Bug: 285855433
Test: atest MicrodroidTestApp
Change-Id: I5b840b5474bc52ec2696a0ba6ead0476acddfb1a
2023-07-07 14:45:58 +01:00
Nikita Ioffe
f17079ff58 Small refactoring in first_stage_mount
The existing approach in first_stage_init/first_stage_mount makes it
harder to add conditional logic that should only be applied for
Microdroid. Additionally, it forces the FirstStageMount object to be
created twice.

This change refactors the control flow to make first_stage_init take the
ownership of the FirstStageMount object. It will help with the follow up
change (which will add logic to conditionally mount /vendor partition
while booting Microdroid). As a nice side effect, this refactoring also
fixes the problem of the FirstStageMount being created twice.

This change also merges the FirstStageMount and FirstStageMountVBootV2
in a single class, since nobody actually uses FirstStageMount.

Bug: 285855433
Test: device boots
Test: atest MicrodroidTestApp
Change-Id: I38a72c0f20e7c1ac70031498aeeca22b091fa827
2023-07-07 14:45:01 +01:00
Eric Biggers
0b2c5cde1f init: remove unfinished fsverity signature support for APEX sepolicy
The APEX sepolicy feature has unfinished support for verifying the
sepolicy file using fsverity with a builtin signature.  However, this
was never finished and doesn't really make sense, since the
already-implemented scheme that uses a full-file hash combined with a
userspace signature check is better suited to the problem.  Therefore,
remove this unfinished code.

Bug: 290064770
Test: presubmit and booting Cuttlefish
Change-Id: I3403a3303bcea32c7340642b843cd1541fe1fd2f
2023-07-06 18:39:01 +00:00
Jooyung Han
c288e14001 Merge "No need to read ro.apex.updatable now" 2023-06-27 00:55:25 +00:00
Nikita Ioffe
a66adf45aa init selinux.cpp: use a better way to detect if we run in Microdroid
We are now conditionally compiling init binaries & libinit for
Microdroid (adding -DMICRODROID=1 cflag), so instead of checking for the
presence of the /system/etc/selinux/microdroid_precompiled_sepolicy we
can check if the code is compiled for Microdroid.

In follow-up changes we can split the sepolicy loading logic into 2
separate headers (one for Android and one for Microdroid) and include
the necessary one depending on the target we compile for.

Bug: 287206497
Test: atest MicrodroidTestApp
Change-Id: Id9c837d03a96ff9564688d33955ec85094eee487
2023-06-26 16:43:16 +01:00
Jooyung Han
918971c69e No need to read ro.apex.updatable now
Bug: 288202251
Test: m
Test: device boots
Change-Id: I97a3c2fab69489cdfbb5103b148194d7e2ee4d1a
2023-06-23 14:22:44 +09:00
Steven Moreland
14e7b76dcf init_kill_services_test: wait 120s for apexd
This is likely waiting for the Java garbage collector to run,
and due to the lockless implementation of BinderProxyNativeData
and BpBinder, it's very difficult to efficiently force this
object to be deleted.

Change-Id: I4df667b9b47327967a43d75664fb506b8704f905
Fixes: 285458033
Test: N/A
2023-06-22 18:56:09 +00:00
Nikita Ioffe
55dd32538f Introduce microdroid variants of init_first_stage and init_second_stage
These variants will compile with -DMICRODROID flag, which will allow us
to exclude init features that are not needed for Microdroid, and
introduce features that only work in Microdroid.

Bug: 287206497
Test: build com.android.virt APEX
Change-Id: Ib9af0cfcdf06c70fc39e6e6ac8ef07bb69982969
2023-06-21 16:44:40 +01:00
Nikita Ioffe
448b70a268 Merge "Reland "Treat Microdroid as OS with monolithic sepolicy"" 2023-06-15 10:27:39 +00:00
Treehugger Robot
642929f8f8 Merge "init_kill_services_test: binder logs on apexd fail" 2023-06-15 01:57:30 +00:00
Steven Moreland
1501b0c344 init_kill_services_test: binder logs on apexd fail
Print logs necessary to understand why apexd isn't shutting
down when this test fails, due to a rare flake.

Bug: 285458033
Test: init_kill_services_test (and cause this error to be hit)
Change-Id: Ic9cbf7b2b9fa89504e4a53597065e94c32233e12
2023-06-15 00:44:31 +00:00
Nikita Ioffe
fa33f85f52 Reland "Treat Microdroid as OS with monolithic sepolicy"
Bug: 285855150
Test: presubmit
Change-Id: I477e1ef7268ac8e7d0fdae7ffcc611a69bb9d4fe
2023-06-14 20:31:17 +00:00
Pawan Wagh
85f52dd1ac Revert "Treat Microdroid as OS with monolithic sepolicy"
Revert submission 2625691

Reason for revert: b/287283650

Reverted changes: /q/submissionid:2625691

Change-Id: Ie62bbb4d4f1af528f42aafde79407b151bab46f9
2023-06-14 18:28:19 +00:00
Nikita Ioffe
94ef7122d6 Treat Microdroid as OS with monolithic sepolicy
Bug: 285855150
Test: atest MicrodroidTestApp
Change-Id: Idfda3044716a021888017adef801ef67775a3eda
2023-06-14 13:28:05 +01:00
Jiyong Park
acfc93f924 Merge "init: non-crashing service can restart immediately" 2023-06-12 01:02:34 +00:00
Jiyong Park
0d277d777f init: non-crashing service can restart immediately
This CL allows restart_period to be set to a value shorter than 5s.
Previously this was prohibited to rate limit crashing services. That
behavior is considered to be a bit too conservative because some
services don't crash, but exit deliberately.

adbd is the motivating example. When adb root or adb unroot is
requested, it changes its mode of operation (via sysprop), exits itself,
and restarts (by init) to enter into the mode. However, due to the 5s
delay, the mode change can complete no earlier than 5 seconds after adbd
was started last time. This can slow the mode change when it is
requested right after the boot.

With this CL, restart_period can be set to a value smaller than 5. And
services like adbd can make use of it. However, in ordef to rate limit
crashing service, the default is enforced if the service was crashed
last time. In addition, such intended restart is not counted as crashes
when monitoring successive crashes during booting.

Bug: 286061817
Test: /packages/modules/Virtualization/vm/vm_shell.sh start-microdroid \
 --auto-connect -- --protected
* with this change: within 2s
* without this change: over 6s

Change-Id: I1b3f0c92d349e8c8760821cf50fb69997b67b242
2023-06-09 13:06:06 +09:00
David Anderson
07533c520c init: Fix ramdump when enabling shutdown animations.
Fix a bug where services weren't stopped properly if shutdown animations
were enabled.

Bug: 285241485
Test: Pixel w/ ro.init.shutdown_animation=true
Change-Id: I7f35572b5223f03f3f5a341fa7b5e90c01d56ce3
2023-06-05 12:59:54 -07:00
Treehugger Robot
852e22d7c3 Merge "ueventd: Wait for runtime apex before running external firmware handler" 2023-05-25 01:40:10 +00:00
Steven Moreland
89a4db46f5 Merge "init_kill_services_test: special case apexd" 2023-05-23 18:18:02 +00:00
Steven Moreland
4350592133 init_kill_services_test: special case apexd
apexd restarts the device, so it causes flakes here,
especially in presubmit.

Bug: 280514080
Test: init_kill_services_test

Change-Id: I4455704795961f3ae94e29bdf098eca739130973
2023-05-23 18:17:57 +00:00
David Anderson
2fb1c671d5 Merge "ueventd: Fix a race condition in handling device-mapper events." 2023-05-19 19:43:21 +00:00
Steven Moreland
159bd29580 Merge "init_kill_services_test: log state" 2023-05-18 17:08:39 +00:00
Steven Moreland
16e08075ba init_kill_services_test: log state
It can be difficult to figure out where this test
is while it's executing, so I've added logs.

Bug: 280514080
Test: init_kill_services_test (w/o tradefed to avoid reboot), then:
:) adb logcat -d | grep init_kill_services_test
... I init_kill_services_test: hello lmkd!
... I init_kill_services_test: okay, now goodbye lmkd
... I init_kill_services_test: I said goodbye lmkd!
... I init_kill_services_test: are you still there lmkd?
... I init_kill_services_test: I'm done with lmkd
... I init_kill_services_test: hello ueventd!
... I init_kill_services_test: okay, now goodbye ueventd
... I init_kill_services_test: I said goodbye ueventd!
... I init_kill_services_test: are you still there ueventd?
... I init_kill_services_test: I'm done with ueventd
... I init_kill_services_test: hello hwservicemanager!
... I init_kill_services_test: okay, now goodbye hwservicemanager
... I init_kill_services_test: I said goodbye hwservicemanager!
... I init_kill_services_test: I said goodbye hwservicemanager!
... I init_kill_services_test: I said goodbye hwservicemanager!
... I init_kill_services_test: I said goodbye hwservicemanager!
... I init_kill_services_test: I said goodbye hwservicemanager!
... I init_kill_services_test: I said goodbye hwservicemanager!
... I init_kill_services_test: I said goodbye hwservicemanager!
... I init_kill_services_test: I said goodbye hwservicemanager!
... I init_kill_services_test: I said goodbye hwservicemanager!
... I init_kill_services_test: I said goodbye hwservicemanager!
... I init_kill_services_test: I said goodbye hwservicemanager!
... I init_kill_services_test: I said goodbye hwservicemanager!
... I init_kill_services_test: I said goodbye hwservicemanager!
... I init_kill_services_test: I said goodbye hwservicemanager!
... I init_kill_services_test: I said goodbye hwservicemanager!
... I init_kill_services_test: are you still there hwservicemanager?
... I init_kill_services_test: I'm done with hwservicemanager
... I init_kill_services_test: hello servicemanager!
... I init_kill_services_test: okay, now goodbye servicemanager
... I init_kill_services_test: I said goodbye servicemanager!
... I init_kill_services_test: I said goodbye servicemanager!
... I init_kill_services_test: I said goodbye servicemanager!
... I init_kill_services_test: I said goodbye servicemanager!
... I init_kill_services_test: I said goodbye servicemanager!
... I init_kill_services_test: I said goodbye servicemanager!
... I init_kill_services_test: I said goodbye servicemanager!
... I init_kill_services_test: I said goodbye servicemanager!
... I init_kill_services_test: I said goodbye servicemanager!
... I init_kill_services_test: I said goodbye servicemanager!
... I init_kill_services_test: I said goodbye servicemanager!
... I init_kill_services_test: I said goodbye servicemanager!
... I init_kill_services_test: I said goodbye servicemanager!
... I init_kill_services_test: I said goodbye servicemanager!
... I init_kill_services_test: I said goodbye servicemanager!
... I init_kill_services_test: I said goodbye servicemanager!
... I init_kill_services_test: I said goodbye servicemanager!
... I init_kill_services_test: I said goodbye servicemanager!
... I init_kill_services_test: I said goodbye servicemanager!
... I init_kill_services_test: are you still there servicemanager?
... I init_kill_services_test: I'm done with servicemanager

Change-Id: I2466f574fc06cdf1b01db82f89649f39b0f34345
2023-05-17 23:20:53 +00:00
David Anderson
59abbfe647 ueventd: Fix a race condition in handling device-mapper events.
We've had flake in libdm_test for a long time, with no clear cause.
Lately however it has become particularly reproducible when running
the UeventAfterLoadTable test in isolation, and thus we've identified
the root cause.

uevents for device-mapper are fired when the sysfs node is added, but at
that time, the "dm" subnode has not yet been added. The root node and dm
node are added very close together, so usually it works, but sometimes
ueventd is too fast.

Instead of relying on sysfs, query the uuid/name node directly from
device-mapper.

Bug: 270183812
Test: libdm_test
Change-Id: I258de5de05d813c3cb7f129e82e56dbfe8bf3117
2023-05-17 15:52:16 -07:00
Treehugger Robot
9f6e88567b Merge "Support ZSTD in userspace COW" 2023-05-16 19:02:57 +00:00
Kelvin Zhang
32dcac7851 Support ZSTD in userspace COW
Perf:
Lz4:
Update took 429 seconds
merge time 35.4s
cow size: 3.18GB

ZSTD:
Update took 676 seconds
merge time 49.4s
cow size: 2.62GB

Gz:
Update took 1057 seconds
merge time: 50.0s
cow size: 2.55GB

In summary, ZSTD is a middle point between LZ4 and GZ.

Speed: LZ4 > ZSTD > GZ
Space: LZ4 > ZSTD > GZ

Bug: 274129758

Change-Id: I203bf088b7c2a9ce429f75478799da0e7126febf
2023-05-16 10:13:52 -07:00
JW Wang
a37c4d2796 Export active dsu slot to system prop
The prop can be consumed by init scripts to do customized setup:

on property:ro.gsid.dsu_slot=oemtest
    # Do setup for test
on property:ro.gsid.dsu_slot=oemdemo
    # Do setup for demo

Bug: 277691885
Test: m
Change-Id: I7bd78b9ba31021b27d57c6f092dad5d7ebf6e59b
2023-05-15 09:48:59 +08:00
Isaac J. Manjarres
6f742376bc Add support for reading modules.load.charger when booting into charger mode
When booting up, Android can boot into one of three modes: normal,
recovery, and charger mode. The set of modules that should be loaded
during first stage init in each mode can differ, which is why init
reads the list of modules to load from modules.load.recovery when
booting into recovery, and modules.load otherwise.

This means that init will read the list of modules to load during first
stage init from modules.load even when booting into charger mode. This
is not ideal, as it causes modules that need to be loaded during
first stage init only when booting into charger mode to also be loaded
during first stage init of normal boot, which can degrade boot time.

Thus, add support for reading modules.load.charger, which contains the
list of modules that need to be loaded during first stage init when
booting into charger mode.

Bug: 266752750
Change-Id: Ib9178bdfe5a6aac57b86b6d453b03625e95d5b48
Signed-off-by: Isaac J. Manjarres <isaacmanjarres@google.com>
2023-05-12 16:26:35 -07:00
tangjie1
2b26bdf973 init: automatically add a new loop device when there are no idle loop devices
Signed-off-by: tangjie1 <tangjie1@xiaomi.com>
Change-Id: I5fe6df9b733c4932334097aff6b7781dcb34027e
2023-05-09 22:15:33 +08:00
Steven Moreland
e5349196b2 init: V devices need to specify user
This also specifies user on an adbd service
declaration which was missing before. It seems
that certain services are declared multiple
times.

Fixes: 276813155
Test: boot (on CF, the only V device in the tree)
Test: remove 'user' specification and see error

Change-Id: I138f3ace72d46f221551ad61e75ba4c01632da59
2023-05-03 01:06:38 +00:00
Steven Moreland
5ca6c9888e Merge "init: log when 'user' is unspecified" 2023-04-24 17:28:09 +00:00
Steven Moreland
f5d22ef7cd init: log when 'user' is unspecified
NOTE: in master, but should be submitted in AOSP.
Waiting to hear from security folks. Also might
need cleanup.

Not currently done. Seems error-prone.

Bug: 276813155
Test: boot, check logs
Change-Id: I7cbc39b282889dd582f06a8eedc38ae637c8edec
2023-04-17 20:18:00 +00:00
Steven Moreland
f0578771ea Merge "Explicit init .rc user." 2023-04-14 21:43:38 +00:00
Steven Moreland
2fccf5ead3 Explicit init .rc user.
Set the user explicitly.

For boringssl self-test, changed to 'nobody' since
this test doesn't require permissions.

Bug: 276813155
Test: boot, check that 'nobody' can still write to kmesg.
Change-Id: I32f7134e83183bd054bffbb22d412d7a2dc0ad09
2023-04-14 21:43:25 +00:00
Daniel Rosenberg
76607e5b07 Merge "Require root for StartConsole Test" 2023-04-11 01:14:17 +00:00
Daniel Rosenberg
b8baa8dd34 Require root for StartConsole Test
This test requires root to run. Skip if not root.

Bug: 270052268
Test: CtsInitTestCases init#StartConsole
Change-Id: I8b54acf97cda4bc2cfa15d0e34c678ec2b13f83e
2023-04-07 13:18:53 -07:00
Mateus Azis
1a2f73d76a Improve the formatting for init's README.
Make sure the arguments to "mkdir" show up in the same block.

Before: c3a119caa3/init/README.md
After: https://android.googlesource.com/platform/system/core/+/refs/changes/60/2528060/1/init/README.md

Test: N/A
Change-Id: I88b4931e70e2793566cce53c38c0295168463971
2023-04-06 13:46:35 -07:00
Thiébaud Weksteen
f03dde8549 Skip newlines for SELinux logs
libselinux log messages usually end with a new line character. Android
log system does not require the new line character and will include the
character as-is in the log buffer.

This trimming was already implemented when the message is typed as
SELINUX_AVC (see SelinuxAvcLog). Move the truncation one level up so it
is occurring for all types of logs.

Test: boot & adb logcat & inspect SELinux logs
Change-Id: I360359c1b178ef24d555dd41f8d4a18b293a175c
2023-04-05 09:32:18 +10:00
Jingwen Chen
095374cde7 Merge "Make the host_init_verifier init.rc parser follow symlinks." 2023-03-17 06:42:04 +00:00
Jingwen Chen
f643b354fe Make the host_init_verifier init.rc parser follow symlinks.
Bazel's intermediates/inputs are symlinks in its execution root, unlike Soong.

e.g.

$ file $(readlink -f out/bazel/output/execroot/__main__/packages/modules/adb/apex/adbd.rc)
/usr/local/google/home/jingwen/aosp/master-with-phones/packages/modules/adb/apex/adbd.rc:
ASCII text

Test: presubmits
Change-Id: I3977a37ee989e07bee56abb019a21055b8cef567
2023-03-17 02:47:21 +00:00
Steven Moreland
bc21816d5b Merge "init_kill_services_test: clearer logs" 2023-03-15 23:59:10 +00:00
Steven Moreland
d9d4034d0b init_kill_services_test: clearer logs
Don't continue with a specific run if a service
is already dead.

Bug: 272618190
Test: init_kill_services_test
Change-Id: I1b1c0b4e87fd7a5200bd6e6e6af2eb9686d7367d
2023-03-15 21:47:38 +00:00
Treehugger Robot
89d8fdf3ed Merge "init tests: libhidl-gen-utils static" 2023-03-15 21:16:50 +00:00
Steven Moreland
973aadeff5 init tests: libhidl-gen-utils static
No longer installed on device, so we need to include
it as a static lib. This library was actually specified
as a dependency on vts_ibase_test in two places, so this
is the second CL doing the same thing but in another
project.

Fixes: 270497432
Test: readelf -d $ANDROID_BUILD_TOP/out/target/product/vsoc_x86_64/data/nativetest/vts_ibase_test/vts_ibase_test
  no longer shows libhidl-gen-utils
Change-Id: Icf427085e3978906e82231c8faacb7bdbcbf4569
2023-03-15 19:40:56 +00:00
Alistair Delva
f9bfe0d16d Stop respawning serial console if disabled
After introducing ro.boot.serialconsole=0, the console will no longer be
spawned, but a step was missed to disable the service to prevent
respawns.

Bug: 266982931
Bug: 223797063
Bug: 267428635
Change-Id: I12b159eaa1999781aec31c05ce431b55e2ba4017
2023-03-13 16:09:36 -07:00
Bart Van Assche
071dbc1729 init: Combine the CheckShutdown() and set_do_shutdown() methods
Let the CheckShutdown() method clear the do_shutdown_ member instead of
clearing that member separately from calling CheckShutdown().

Bug: 266255006
Change-Id: Ifc1cff2be92a45db7f91be2fdb812930d2fd1ad5
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2023-03-03 13:27:17 -08:00
Bart Van Assche
b4b1b75a35 init: Remove the DebugRebootLogging() function
The DebugRebootLogging() function was introduced to help with
root-causing b/150863651. Remove this function since this logging
functionality is no longer needed. Also remove the functions and methods
that are only used by DebugRebootLogging().

Change-Id: Ia150604c6cd70f42b13d655ba43b95445a55b6e2
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2023-03-03 13:26:58 -08:00
Bart Van Assche
1fdbf8d0f8 init: Combine two if-statements
Combine two if-statements. This change is fine because:
* The code between the two if-statements does not queue actions.
* If an action is queued from another thread then WakeMainInitThread()
  is called after the action has been queued.

Bug: 266255006
Change-Id: Id4b9565ff4fdb3ee2a2bbca316c8c78e0f2d38dd
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2023-03-03 13:26:58 -08:00
Treehugger Robot
8dab2ef586 Merge "Use ro.boot.serialconsole to disable console services" 2023-03-02 20:04:33 +00:00
Steven Moreland
8e25d9c5b0 init: add log w/ service PID
We could combine this with the existing log, but I
wouldn't want to make that appear later.

Ironically, adding this log to try to reduce logs.

Bug: 36785118
Test: :) adb logcat -d | grep "started service" | wc -l
131

Change-Id: I38f4e9740871aa256eef0c62e897038eb46871a5
2023-02-28 01:42:24 +00:00
Bart Van Assche
3dfb8bc889 init: Simplify struct BuiltinArguments
Make the code that creates BuiltinArguments instances easier to read by
using initializer lists instead of constructor calls. Remove the
BuiltinArguments constructors.

Change-Id: I6cf215a81d298cf7e524e22fb75db820e0225c9a
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2023-02-23 16:06:42 +00:00
Jiyong Park
8437b9a082 Merge "Fix failure on mounting system_ext partition" 2023-02-23 03:56:40 +00:00
Alistair Delva
5591f12834 Use ro.boot.serialconsole to disable console services
For many years, services declaring "console" would only be started if the
console device specified by androidboot.console= was present under /dev.
However, they would also be started if the /dev/console node existed.

This fallback causes problems with newer GKI kernel images which now
hard-code "console=ttynull" via CONFIG_CMDLINE, which essentially means
/dev/console always exists, even though this console points nowhere.

It also causes problems on devices where the androidboot.console was not
the same as the kernel dmesg console ("console="), such as cuttlefish,
because those platforms could not simultaneously enable kernel logging
but disable the interactive serial console feature. The framework just
assumed both would be muxed on the same serial port. Cuttlefish had a
workaround, to use "androidboot.console=invalid" to avoid the fallback,
but this doesn't work on devices which still want to mux the kernel logs
and interactive serial console.

This change resolves the issue in a better way, by introducing a new
boolean property called "androidboot.serialconsole". Setting this to "0"
will disable the console services, regardless of whether the
/dev/console or /dev/${ro.boot.console} devices exist. Older kernels
and bootloaders don't need to set this and can rely on the old behavior
in init, but bootloaders booting newer kernels must set it to avoid the
"performance is impacted" message due to console services being started.

Bug: 266982931
Bug: 223797063
Bug: 267428635
Test: "launch_cvd" with "androidboot.console=invalid" removed;
      See the "performance is impacted" message.
Test: "launch_cvd" with "androidboot.serialconsole=0";
      The "performance is impacted" message is gone.
Change-Id: Iaad4d27ffe4df74ed49606d3cabe83483c350df4
2023-02-22 14:31:24 -08:00
Lianjun Huang
ccd094cd4e Fix failure on mounting system_ext partition
There can be more than one fstab entry of system partition.
For example, the filesystem of one entry is ext4 and another is erofs.

system /system ext4 ro wait,slotselect,avb=vbmeta_system,logical,first_stage_mount,avb_keys=/avb/q-gsi.avbpubkey:/avb/r-gsi.avbpubkey:/avb/s-gsi.avbpubkey
system /system erofs ro wait,slotselect,avb=vbmeta_system,logical,first_stage_mount,avb_keys=/avb/q-gsi.avbpubkey:/avb/r-gsi.avbpubkey:/avb/s-gsi.avbpubkey

If both filesystems of system and system_ext partitions are erofs,
only the ext4 fstab entry will be returned by GetEntryForMountPoint,
and system_ext can't be mounted.

So we need to return both of the fstab entries and try all of them.

Signed-off-by: Lianjun Huang <huanglianjun@xiaomi.com>
Change-Id: I407553d48b1749cd0554f057a6bfd38daa96fdcb
Signed-off-by: Lianjun Huang <huanglianjun@xiaomi.corp-partner.google.com>
2023-02-20 16:50:03 +08:00
Bart Van Assche
b6b7ccc24f init: Document the locking strategy used in class PropWaiterState
Let the compiler verify that lock_ is held when any of the data members
are accessed.

Bug: 266255006
Change-Id: I71b341815d84ab530627d934ad4d4681b652b9d8
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2023-02-17 13:55:11 -08:00
Bart Van Assche
68a59e1c72 init: Document the locking strategy in class ShutdownState
Let the compiler verify that shutdown_command_lock_ is held when
shutdown_command_ is accessed.

Bug: 266255006
Change-Id: Ibd05137ab65e20f247f35bbb2bb1865e05f51f41
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2023-02-17 13:55:11 -08:00
Bart Van Assche
468067a204 init_test: Close all file descriptors before calling execv()
This change improves test reliability.

Change-Id: Ib9a6b75bbd81968eb7e2fd90ea567155bc8355f7
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2023-02-15 09:27:32 -08:00
Bart Van Assche
878560dae0 init_test: Fix a race condition
Wait until strace has attached to the service instead of assuming that
it has attached after one second.

Change-Id: Ifb71fa2419563e1334d8500ea867ec92121395e0
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2023-02-15 09:27:32 -08:00
Bart Van Assche
947d75f0b8 init_test: Simplify the gentle_kill test
Remove the ConvertToArgv() function. Do not cast the std::string::find()
result. Make the strace path absolute.

Change-Id: If329e91275c834ba375863e40901f6be07a5f347
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2023-02-15 09:27:32 -08:00
Daniel Rosenberg
2f0508686e Only run GentleKill test as root
Without root, Service::Start() fails due to lack of permissions.

Bug: 267559075
Test: run cts -m CtsInitTestCases -t init#GentleKill
      atest init#GentleKill
      Will skip under cts, pass under atest
Change-Id: I69e8be7000718bdba1c2acd9675b5645c0891afc
2023-02-08 17:31:49 -08:00
Treehugger Robot
d019150a00 Merge "Add bug component id to OWNERS" 2023-02-07 02:44:56 +00:00
Jiyong Park
078cc15b00 Add bug component id to OWNERS
Bug: 261015504
Test: N/A
Change-Id: I07d951e0bc551f2e642ffc2ee1aaeca2b7e77626
2023-02-06 07:39:56 +00:00
Bart Van Assche
dcc208f38a Fix a spelling error
Fixes: 2e4b3ffa75 ("Use Apex sepolicy if it's available")
Change-Id: Ib937fa8384658f05ff435024f7834c5df12f0d22
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2023-02-02 22:31:51 +00:00
Alex Hong
057b94215a Reland "Set the log callback earlier for showing system property set denials"
PropertyInit loads the build.prop files and set the system properties.
Set the SELinux log callback before that to show the avc denials for debugging.

Test: $ make init_system
      Push this module and ensure system property set denials are shown during boot
Bug: 185920634
Bug: 211547922
Change-Id: If9f34d469d3da2ebdfe64bb611de85a3ca37e000
2023-01-31 22:11:16 +08:00
David Anderson
298f6c033b Merge "Disable multilib for CtsInitTestCases." 2023-01-17 23:15:47 +00:00
Treehugger Robot
b9e1821201 Merge "Find a zoned partition automatically" 2023-01-17 22:22:26 +00:00
Jaegeuk Kim
b92e5b5c48 Find a zoned partition automatically
Since we cannot create a gpt table on zoned LU, we cannot make a generic symlink
from it. Instead, let's make it by uevent, "/dev/block/by-name/zoned_device".
Note that, we support only one zoned device in the system.

Bug: 265180564
Change-Id: Ie62b0fd68b77e3e43cf0f5c5cad9503150174271
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
2023-01-14 10:29:31 -08:00
Akilesh Kailash
545870e53a Merge "init: Wait for daemon to fully spin up all threads" 2023-01-13 06:35:33 +00:00
David Anderson
9b9924b412 Merge "init: Allow persistent properties to be written asynchronously." 2023-01-12 21:50:42 +00:00
Treehugger Robot
e8d42e65c8 Merge changes I169b52cf,Ieb0e4e24
* changes:
  init: Add test for gentle_kill
  init: Add gentle_kill service property
2023-01-11 23:16:55 +00:00
Akilesh Kailash
717ee9120a Merge "init: Avoid killing all processes during reboot if update is in progress" 2023-01-11 20:52:13 +00:00
Akilesh Kailash
5140f3ad47 init: Wait for daemon to fully spin up all threads
During selinux transition, daemon will notify `init` process
by writing to file "/metadata/ota/daemon-alive-indicator".

Init will wait until daemon notifies it. Furthermore, daemon
will only write to that file once all threads are spun up
and attached to dm-user misc devices.

Once snapshot-merge is completed, this file will be removed.
Additionally, during boot, init will also ensure that
there are no stale files and will try to remove just
before selinux transition.

Bug: 262407519
Test: OTA on Pixel - Verify new file exists and init waits until daemon
is fully up.
Change-Id: Iabef58ad282d80a7afa493e9df9468ae41a13e44
Signed-off-by: Akilesh Kailash <akailash@google.com>
2023-01-11 19:24:56 +00:00
Treehugger Robot
7fcaa14e27 Merge "Add comment about out-of-bounds being on purpose" 2023-01-11 18:55:18 +00:00
Jooyung Han
6b88d1684c Parser::ParseConfigFile returns Result<void>
ParseApexConfigs() uses Parser::ParseConfigFile() to parse .rc files in
the target apex. ParseConfigFile() returning bool (with logging on
error) doesn't propagate the error message back to the callers
(including apexd or PackageManager).

We'd better migrate other Parse*() methods of Parser class to return
Result<T>. But this change focuses on plumbing error propagation for
APEX configs.

Bug: 238820991
Test: atest CtsInitTestCases
Change-Id: Ifad97635dbb53a70053ec73a7a5b7e742466daf6
2023-01-11 17:20:16 +09:00
Akilesh Kailash
2c52d09078 init: Avoid killing all processes during reboot if update is in progress
Bug: 262321167
Test: Reboot device post OTA reboot
Change-Id: I5d13844e4e157d24a414dce668163bb1915bf65e
Signed-off-by: Akilesh Kailash <akailash@google.com>
2023-01-11 06:00:34 +00:00
Daniel Rosenberg
ed8178c8cc init: Add test for gentle_kill
Tests that a service marked as gentle_kill is terminated with SIGTERM

Bug: 249043036
Test: atest CtsInitTestCases:init#GentleKill
Change-Id: I169b52cfd74f07b4d2439761ea315117323b3fcb
2023-01-10 18:29:46 -08:00
Daniel Rosenberg
de76688e40 init: Add gentle_kill service property
If a service specifies gentle_kill, attempts to stop it will send SIGTERM
instead of SIGKILL. After 200ms, it will issue a SIGKILL.

Bug: 249043036
Test: atest CtsInitTestCases:init#GentleKill
      Added in next patch
Change-Id: Ieb0e4e24d31780aca1cf291f9d21d49cee181cf2
2023-01-10 18:29:46 -08:00
David Anderson
0af9ab3308 init: Allow persistent properties to be written asynchronously.
Persistent properties are flushed with fsync which can cause the
non-persistent property write path to block.

Bug: 250125146
Test: manual test with ro.property_service.async_persist_write = true
Change-Id: Id123bfc7de948b76c51b4d98d00c8cb4a0850bf1
2023-01-09 16:41:56 -08:00
Florian Mayer
04fb2c838d Add comment about out-of-bounds being on purpose
Change-Id: I97e334f0555cce80eeab6567905054d807af3c91
2023-01-09 21:46:10 +00:00
Carlos Galo
1447120f78 Set memlock rlimit to 64KB
Defaulting Android to limit memlock to 64KB. This will help prevent
pages from being swapped until the app is killed its memory will stay
resident. CTS test is enforced only in U+ devices.

Bug: 201797650
Test: Added new test to verify we are memlock at or under 64KB
Change-Id: I5a9e9da12f6df5a056ee47d0593c13e9c779e054
2023-01-05 16:29:59 +00:00
Bart Van Assche
f85317fb43 Make an error message more informative
From
https://android-build.googleplex.com/builds/tests/view?testResultId=TR66328435937757440&invocationId=I00700010119503421:

system/core/init/init_test.cpp:219: Failure
Failed
Value of: service->Start()
  Actual: createProcessGroup(0, 15611) failed for service 'console'
  Expected: is ok

The above error message does not contain enough information to
root-cause the test failure. Hence this CL that makes an error message
more informative.

Bug: 262090304
Change-Id: I09929b2f2aabf1eec4d90ec93234a9e968888da4
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-12-31 23:41:29 +00:00
Nikita Ioffe
24d1c238ce Revert "host_init_verifier: add check for root services and linux capabilities"
This reverts commit f1e3bfff40.

Reason for revert: Breaks builds

Bug: 263874232
Change-Id: Iabe5cd01114bf4a3731ace4345da8009e6b86f74
2022-12-28 16:18:20 +00:00
Nikita Ioffe
f1e3bfff40 host_init_verifier: add check for root services and linux capabilities
If a service that runs under root doesn't have the capabilities field in
its definition, then it will inherit all the capabilities that init
has.

This change adds a linter to detect such services and ask developers to
explicitly specify capabilities that their service needs. If service
doesn't require any capabilities then empty capabilities fields should
be added in the service definition.

The actual access control list on what capabilities a process can use is
controlled by the SELinux, so inheriting all the init capabilities is
not a security issue here. However, asking services to explicitly
specify the capabilities they need is a good defense-in-depth mechanism.

So far this linter only checks the services on /system partition.

All currently offending services are added to the exempt list. I will
work on fixing some of them in the follow-up changes.

Bug: 249796710
Test: m dist
Change-Id: I2db06af165ae320a9c5086756067dceef20cd28d
2022-12-22 22:08:49 +00:00
Jiyong Park
3e951a7758 Merge "Skip StartConsole test on user builds." 2022-12-20 07:08:23 +00:00
Jiyong Park
5b7a51a59a Skip StartConsole test on user builds.
It runs a service with root privilege which can't be done on user
builds. Until the issue is resolved, skip the test on user builds.

Bug: 262090304
Test: N/A
Change-Id: I690ffbd7fdaef688a0c862e0c653e9b21e281ece
2022-12-20 10:46:31 +09:00
Treehugger Robot
fd98382506 Merge "Run the console test with /dev/null" 2022-12-16 01:54:14 +00:00
Nikita Ioffe
cc0e90a964 Update docs around capabilities and root processes
Current documentation is misleading: if a service runs as root and
doesn't specify any capabilities, then it will start with all the
capabilities (note that whether it can use them is controlled by
selinux).

Test: n/a
Bug: 249796710
Change-Id: I0d6a884127c6a6c5b651c1222fcf48322065daae
2022-12-15 18:04:21 +00:00
Jiyong Park
ae412804ca Run the console test with /dev/null
The availability of /dev/console varies across different devices and
even across different build variants (ex: userdebug/user). Instead of
relying on the device-specific condition, use the /dev/null as the
console device for the test.

Bug: 262090304
Test: atest CtsInitTestCases on raven-user
Change-Id: I3b12d66e94609328dfdd6f640d1adb88a773fa38
2022-12-15 16:32:38 +09:00
Jiyong Park
717ece7397 Merge "Clarify the behavior about event and property triggers" 2022-12-14 15:16:31 +00:00
Steven Moreland
bb1ee3c689 Merge "ignore error -> log" 2022-12-14 01:29:20 +00:00
Steven Moreland
507209ba55 ignore error -> log
Current code ignores an error, which is a code
rot risk.

Bug: 261700511
Change-Id: I04ca7046dc42d761ecaaf56f6100c96cc8298ec5
Test: N/A
2022-12-13 22:43:58 +00:00
David Anderson
95cfb31bd2 Merge "Support sysfs changes in the Linux 5.15 kernel." 2022-12-12 18:38:04 +00:00
Treehugger Robot
5c3e24816d Merge "Kill services even when cgroups is disabled" 2022-12-12 01:20:45 +00:00
Inseob Kim
a049a9928b Kill services even when cgroups is disabled
process_cgroup_empty_ is used to indicate that a service is already
killed or not. If cgroup support lacks, services cannot be killed
because process_cgroup_empty_ is always true.

This change fixes it by not assigning process_cgroup_empty_ as true.
Instead, make KillProcessGroup send signals even when cgroup is
disabled. Also DoKillProcessGroupOnce() is updated so it returns a number of killed processes, excluding already dead processes. This behavior agrees with its name (DoKillProcessOnce), and it prevents regression upon missing cgroups, because kill(-pgid) will always
"succeed" so KillProcessGroup will loop even when all processes are
already dead.

Bug: 257264124
Test: boot microdroid, see services are terminated
Change-Id: I19abf19ff1b70c666cd6f12d0a12956765174aaa
2022-12-12 01:19:26 +00:00
David Anderson
d6bf86b8cf Support sysfs changes in the Linux 5.15 kernel.
DM_DEV_CREATE no longer creates sysfs nodes. Note this in ueventd and
add some helper APIs to libdm, so devices can be created with a
placeholder table.

This also fixes a bug in dmctl where the detailed info on suspended
devices was wrong.

Bug: 259328366
Test: dmctl with "uevents" tool
Change-Id: I822f8010e48d32841aa0ee508822f76d03a3dd85
2022-12-08 16:22:47 -08:00
David Anderson
cbd082d46d Disable multilib for CtsInitTestCases.
Bug: 260393485
Test: run cts -m CtsInitTestCases
Change-Id: I92a11b7961411b22525d4434312479878b353b55
2022-12-06 20:13:53 -08:00
Chih-hung Hsieh
48cd41324b Merge "Fix potential memory leaks" 2022-12-07 02:36:27 +00:00
Bart Van Assche
d3484c84bf Merge "init: Enable ANDROID_BASE_UNIQUE_FD_DISABLE_IMPLICIT_CONVERSION" 2022-12-06 23:05:30 +00:00
Bart Van Assche
9dbf8c32e9 Merge "init: Prevent copying of Service objects" 2022-12-06 17:32:23 +00:00
Bart Van Assche
b3f9f6f4c6 Merge "init/Android.bp: Sort cflags alphabetically" 2022-12-06 17:29:41 +00:00
Treehugger Robot
70b22e1c5b Merge "init: Make an error message more informative" 2022-12-06 03:04:16 +00:00
Treehugger Robot
ab3bc215e8 Merge "init: Convert a single-element array into a scalar" 2022-12-06 01:48:58 +00:00
Chih-Hung Hsieh
784e63c9a2 Fix potential memory leaks
Bug: 259995529
Test: make tidy-system_subset
Change-Id: I604a308caf498a854b916dc86a8e274148c21ab0
2022-12-05 23:52:58 +00:00
Bart Van Assche
0bb4757d03 init: Prevent copying of Service objects
Service objects have external state (the child process) and hence must
not be duplicated. Disable the copy constructor and the assignment
operator to prevent that these objects get duplicated accidentally.

Bug: 213617178
Change-Id: Ia5391154b94eca7f12be69eabcdf3f173fc06452
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-12-05 11:41:26 -08:00
Bart Van Assche
42764c4e3e init: Make an error message more informative
Make it easier to diagnose service failures.

Bug: 213617178
Change-Id: I27135cb32b6a98b2fe24ab2324dffbf5b591fdd5
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-12-05 11:41:10 -08:00
Bart Van Assche
c41a4826d1 init: Do not invoke the ServiceList destructor when exiting
From the Google C++ style guide: "Objects with static storage duration
are forbidden unless they are trivially destructible." Hence this CL.

Bug: 213617178
Change-Id: I4c9a51618ee1eb14ed439295a5fc0101b940a63d
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-12-05 10:45:49 -08:00
Bart Van Assche
aee2ec8f1e init: Enable ANDROID_BASE_UNIQUE_FD_DISABLE_IMPLICIT_CONVERSION
From the unique_fd.h header file: "unique_fd's operator int is
dangerous, but we have way too much code that depends on it, so make
this opt-in at first."

From the Google C++ style guide: "Do not define implicit conversions."
See also go/cstyle#Implicit_Conversions.

Hence this CL that disables unique_fd::operator int().

Change-Id: I28d94755d5408f63e5819da8d1cbc285057f867f
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-12-05 09:40:06 -08:00
Bart Van Assche
91ba2197ef init/Android.bp: Sort cflags alphabetically
Sort the compiler flags alphabetically before adding a new macro
definition.

Change-Id: If919333302817406a890c9622396ec96920adf29
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-12-05 09:40:05 -08:00
Bart Van Assche
fdc0f89a4a init: Convert a single-element array into a scalar
Simplify PollIn() by converting a single-element array into a scalar. No
functionality is changed.

Change-Id: I3ef36b9c0daafeed3a92f90c7a7c4fe0654dd586
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-12-05 09:40:05 -08:00
Bart Van Assche
fa4926a9de Merge "Revert "init: Add more diagnostics for signalfd hangs."" 2022-12-01 17:50:27 +00:00
Jiyong Park
f477319692 Clarify the behavior about event and property triggers
See the comment threads at [1] for the rationale behind the behavior.

[1] https://android-review.git.corp.google.com/c/platform/system/core/+/161601/16/init/action.cpp#232

Bug: N/A
Test: N/A

Change-Id: I8b271073ec14ad9fa9add5df60577b34d1df3241
2022-12-01 10:38:48 +09:00
Bart Van Assche
3b21d95a0e init: Fix and re-enable the init#StartConsole test
Skip the test if /dev/console does not exist. Fix the console service
security label. Fix the getsid() test.

Bug: 260104465
Test: atest 'CtsInitTestCases:init#StartConsole' on a P2023 development board
Change-Id: If2533a3f205f922a9b04a748cb558a09c5925986
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-11-30 13:25:47 -08:00
Bart Van Assche
29d8a42d14 Revert "init: Add more diagnostics for signalfd hangs."
Revert commit 14f9c15e05 ("init: Add more diagnostics for signalfd
hangs") because:
* That commit was intended to help with root-causing b/223076262.
* The root cause of b/223076262 has been fixed (not blocking SIGCHLD
  in all threads in the init process).

Test: Treehugger
Change-Id: I586663ec0588e74a9d58512f7f31155398cf4f52
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-11-30 09:17:16 -08:00
Bart Van Assche
027b275b57 init: Disable test init#StartConsole
Bug: 260104465
Change-Id: I43a19b2451bad955d101d9ebdc3c98419d83597d
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-11-22 16:38:43 -08:00
Bart Van Assche
01e6669c66 init: Fix a race condition in KillProcessGroup()
Multiple tests in CtsInitTestCases, e.g. RebootTest#StopServicesSIGKILL,
can trigger the following race condition:
* A service is started. This involves calling fork() and also to call
  RunService() in the child process. RunService() calls setpgid().
* Service::Stop() is called and calls KillProcessGroup().
  KillProcessGroup() calls kill(-pgid, SIGKILL) before the child process
  has called setpgid(). pgid is the process ID of the child process. The
  kill() call fails because setpgid() has not yet been called.

Fix this race condition by adding a setpgid() call in the parent process
and by waiting from the parent until the child has called setsid() if a
console is attached.

Bug: 213617178
Change-Id: Ieb9e6908df725447e3695ed66bb8bd30e4e38aa9
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-11-21 11:42:44 -08:00
Bart Van Assche
987391656f init: Introduce RequiresConsole()
Prepare for adding more code in the parent process that depends on
whether or not a console is required.

Bug: 213617178
Change-Id: I066ede32fcd4ce09d06be23158f3c1970064a697
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-11-18 09:49:43 -08:00
Bart Van Assche
c8f34254b8 init: Introduce symbolic names for certain constants
Make the code easier to read by introducing symbolic names for the
constants used by Service::Start() for communication between the parent
and child processes.

Bug: 213617178
Change-Id: I3e735e149682fa9df2ed57f75eb5a67d7c68bd92
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-11-18 09:49:01 -08:00
Bart Van Assche
d394f74365 init: Reduce the number of system calls
Change setpgid(0, getpid()) into setpgid(0, 0). This patch removes one
system call but does not change the behavior of the code. From the
setpgid() man page: "If pgid is zero, then the PGID of the process
specified by pid is made the same as its process ID."

Bug: 213617178
Change-Id: I7031d9eb3711f526751da495c07a8927f9386d97
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-11-18 09:45:33 -08:00
Bart Van Assche
41787239ec Revert "init: Rename 'cgroups_activated' into 'fifo'"
Revert commit 9c61dad67e in preparation of
introducing a second interprocess communication channel.

Bug: 213617178
Change-Id: I2959a3902a1b994cca2ac99855be1fc60d63bcbb
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-11-18 09:42:14 -08:00
Bart Van Assche
bfcf4374ed init: Document which class Service members are not modified
It is nontrivial to derive from the implementation of class Service
which members are not modified. Hence this CL that documents this by
declaring these members 'const'.

Change-Id: I27b907a1c7044376d5c5393a29050c66cbdab7bf
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-11-18 09:42:14 -08:00
Bart Van Assche
5d18891e60 init: Add a unit test for the "start console" action
Treehugger starts Cuttlefish with the console disabled. Add a test that
enables the console. The purpose of this test is to trigger the code paths
in Service::Start() that are unique to processes associated with a
console.

Bug: 213617178
Change-Id: I834632ce6ec5c237c9c2c3f5b1aa7bc98c3ef260
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-11-18 09:42:05 -08:00
Bart Van Assche
f26e59ebba Revert "init: Fix a race condition in KillProcessGroup()"
This reverts commit 15e5ecdcd7.

Reason for revert: breaks console support.
Bug: 213617178
Bug: 258754901
Change-Id: Iffe213e2cd295461a427621f2b84933f1bebd39f
2022-11-15 00:55:45 +00:00
Bart Van Assche
15e5ecdcd7 init: Fix a race condition in KillProcessGroup()
Multiple tests in CtsInitTestCases, e.g. RebootTest#StopServicesSIGKILL,
can trigger the following race condition:
* A service is started. This involves calling fork() and also to call
  RunService() in the child process. RunService() calls setpgid().
* Service::Stop() is called and calls KillProcessGroup().
  KillProcessGroup() calls kill(-pgid, SIGKILL) before the child process
  has called setpgid(). pgid is the process ID of the child process. The
  kill() call fails because setpgid() has not yet been called.

Fix this race condition by adding a setpgid() call in the parent process
and by waiting from the parent until the child has called setsid() if a
console is attached.

Bug: 213617178
Test: Cuttlefish + atest 'CtsInitTestCases'
Change-Id: I6931cd579e607c247b4f79a5b375455ca3d52e29
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-11-10 09:08:21 -08:00
Inseob Kim
0fbc1d7e31 Don't unmount APEXes in microdroid
In microdroid, APEXes are passed as block devices from host, and then
mounted directly, without using /data. Unmounting APEXes on reboot is
for clean unmount of /data, so it's not needed in microdroid.

This skips unmounting in microdroid to remove unnecessary SELinux
denials.

Bug: 256793087
Test: run microdroid and reboot, see no denials happen
Change-Id: Iaf737876f5ab5de5e8f76ed8bb0963cc25d73a80
2022-11-09 12:50:14 +09:00
Bart Van Assche
9c61dad67e init: Rename 'cgroups_activated' into 'fifo'
Prepare for using the interprocess communication channel in two
directions.

Bug: 213617178
Change-Id: Ic78a3d8a2ec1f808fa5b4c4b198051655ee1b0ec
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-11-04 14:56:43 -07:00
Bart Van Assche
8462ceef62 Merge "Revert "init: Fix a race condition in KillProcessGroup()"" 2022-11-03 18:21:59 +00:00
Bart Van Assche
dcc378e53c Revert "init: Fix a race condition in KillProcessGroup()"
This reverts commit d8ef6f84d4.

Reason for revert: b/256874349

Change-Id: I86a1e03a0d2979db1c54abd3e78c32591fda98a1
2022-11-03 15:15:25 +00:00
Shen Lin
63ae3fdd9d init: Amend code format for DoLoadApex
Test: m init
Change-Id: I9d873cdf067ea586f75e62ff8a39cb753151f9ec
2022-11-02 11:01:04 +08:00
Treehugger Robot
c8c24a7255 Merge changes I4c55790c,I14baaa7a
* changes:
  init: Fix a race condition in KillProcessGroup()
  init: Document that ReapOneProcess() does not modify 'pid'
2022-10-27 23:17:03 +00:00
Treehugger Robot
0eaca46f48 Merge "Add mmap_rnd_bits routine for riscv64" 2022-10-27 22:28:21 +00:00
Bart Van Assche
d8ef6f84d4 init: Fix a race condition in KillProcessGroup()
Multiple tests in CtsInitTestCases, e.g. RebootTest#StopServicesSIGKILL,
can trigger the following race condition:
* A service is started. This involves calling fork() and also to call
  RunService() in the child process. RunService() calls setpgid().
* Service::Stop() is called and calls KillProcessGroup().
  KillProcessGroup() calls kill(-pgid, SIGKILL) before the child process
  has called setpgid(). pgid is the process ID of the child process. The
  kill() call fails because setpgid() has not yet been called.

Fix this race condition by adding a setpgid() call in the parent process
and by waiting from the parent until the child has called setsid() if a
console is attached.

Bug: 213617178
Test: Cuttlefish + atest 'CtsInitTestCases'
Change-Id: I4c55790c2dcde8716b860aecd57708d51a081086
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-10-27 14:29:35 -07:00
Bart Van Assche
c7d7ed0eae init: Document that ReapOneProcess() does not modify 'pid'
It is essential for correct operation of ReapAnyOutstandingChildren()
that ReapOneProcess() does not modify 'pid'. Make it easier to verify
for humans that ReapOneProcess() does not modify the 'pid' local
variable. Document the value of siginfo.si_signo with DCHECK_EQ()
statements.

Bug: 213617178
Change-Id: I14baaa7adbe5416b7f777f32fb76896f2ae27b4e
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-10-27 14:29:35 -07:00
Treehugger Robot
1b2d443626 Merge "init: Log more information if stopping times out" 2022-10-27 21:12:19 +00:00
Bart Van Assche
ea595ba2a0 init: Log more information if stopping times out
The newly logged information includes the pending signals bitmask (SigPnd).
That information allows to determine whether kill() did not deliver a
signal or whether SIGCHLD has not been processed in time. This patch is
expected to help with root-causing b/254878413.

Bug: 254878413
Change-Id: Id33d1fb724163f8e5d4b3edfeb6c4be5321c0d95
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-10-27 12:17:34 -07:00
Mao Han
c09eee098b Add mmap_rnd_bits routine for riscv64
Signed-off-by: Mao Han <han_mao@linux.alibaba.com>
Change-Id: Ide793f4365fee67f30e35302365c4a7a5ba1f021
2022-10-27 17:59:25 +00:00
Bart Van Assche
1a5b59386d init: Fix HandleSignalFd()
There are two bugs in HandleSignalFd():
* If the one_off argument is true and if no data is read from the
  signalfd, 'siginfo' is left uninitialized and used in the switch
  statement in HandleSignalFd().
* The PLOG() statement in the switch statement should be a LOG()
  statement since it does not report a failed system call.

This CL has been tested by changing kDiagnosticTimeout locally from 10s
into 100ms.

Change-Id: I0e488dd95bc13e1befaef770c0748d1d47f6e431
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-10-27 08:07:26 -07:00
Bart Van Assche
874448f4aa Merge "subcontext: Change a std::string argument into std::string_view" 2022-10-27 14:34:57 +00:00
Nathan Huckleberry
f2d93cebfd Merge changes I8174adf8,I9d252b0b
* changes:
  Expose system property for dm-verity check_at_most_once
  Fix flaky AVB test from late verity_update_state
2022-10-27 00:45:01 +00:00
Bart Van Assche
462ea55095 subcontext: Change a std::string argument into std::string_view
This change prevents that a later CL will trigger the following warning:

parameter 'test_context' is passed by value and only copied once; consider
moving it to avoid unnecessary copies

Change-Id: If5837ee6438efdf194781de041779c1089897789
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-10-26 09:31:59 -07:00
Nathan Huckleberry
997d738dda Expose system property for dm-verity check_at_most_once
Allow us to check if check_at_most_once is set for any partitions.

This property should be false for any device with a reasonable amount of
RAM and a modern CPU. Enabling check_at_most_once violates AVB best
practices, it should only be allowed on performance limited devices.

Bug: 253033920
Test: Ensure that avbHashtreeNotUsingSha1 CTS test still passes
    and that partition.system.verified.check_at_most_once is set.
Change-Id: I8174adf81111cc0df547ea01f81b0dfaca32631f
Signed-off-by: Nathan Huckleberry <nhuck@google.com>
2022-10-25 21:12:52 +00:00
Bart Van Assche
1693f420d4 init: Introduce class InterprocessFifo
Prepare for introducing a second interprocess communication channel by
introducing the class InterprocessFifo. Stop using std::unique_ptr<> for
holding the pipe file descriptors. Handle EOF consistently.

Bug: 213617178
Change-Id: Ic0cf18d3d8ea61b8ee17e64de8a9df2736e26728
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-10-25 06:56:50 -07:00
Nikita Ioffe
537ab23872 Merge "init: skip cgroup/task_profiles configuration if cgroups are disabled" 2022-10-24 07:14:12 +00:00
Bart Van Assche
77f3fe5e68 init: Fix the implementation of the task_profiles keyword
The documentation added by commit c9c0bbac53 ("init: Add task_profiles
init command") mentions that the task_profiles keyword sets process
attributes. Make the implementation of that keyword match the
documentation.

Change-Id: Ia080132f16bfc2488f8c25176d6aed37a2c42780
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-10-21 15:34:19 -07:00
Bart Van Assche
4029b05b04 Add __ANDROID_API_[STU]__ definitions
Bring the host_init_stubs.h header file in sync with the
<android/api-level.h> header file.

Change-Id: I0d344b5f89f909e5315a0075773efd0b725a72a4
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-10-21 15:33:09 -07:00
Nikita Ioffe
c2b1654c11 init: skip cgroup/task_profiles configuration if cgroups are disabled
We are planning to remove cgroups from the Microdroid kernel, since the
entire VM belongs exclusively to a single owner, and is in the control
of the cgroups on the host side.

This patch exposes CgroupAvailable API from libprocessgroup, and changes
init to query the CgroupAvailable API before doing any
cgroups/task_profiles related work.

Bug: 239367015
Test: run MicrodroidDemoApp
Test: atest --test-mapping packages/modules/Virtualization:avf-presubmit
Change-Id: I82787141cd2a7f9309a4e9b24acbd92ca21c145b
2022-10-21 13:14:23 +01:00
Bart Van Assche
dcd23dfc58 init/epoll: Stop using smart pointers
Change the type of 'handler' from std::shared_ptr<Handler> into Handler.
This change is safe since a previous CL moved the handler calls from the
Epoll::Wait() caller into Epoll::Wait() itself.

Bug: 213617178
Change-Id: Ife79e6863536b96ee4bb3cd778f6b0b164a95fed
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-10-20 09:32:51 -07:00
Bart Van Assche
bc5c4a4659 init/epoll: Make Epoll::Wait() easier to use
Invoke the callback functions from inside Epoll::Wait() instead of
returning a vector with pointers to callback functions. Remove handlers
after handler invocation finished to prevent that self-removal triggers
a use-after-free.

The CL that made Epoll::Wait() return a vector is available at
https://android-review.googlesource.com/c/platform/system/core/+/1112042.

Bug: 213617178
Change-Id: I52c6ade5746a911510746f83802684f2d9cfb429
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-10-20 09:32:51 -07:00
Bart Van Assche
a1c8a622b2 init/epoll: Switch to aggregate initialization
Make it easier to verify for humans that all data structure members are
initialized. No functionality is changed.

Bug: 213617178
Change-Id: I1ce2af566dba51f2032f2e7518576a67e666d12e
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-10-20 09:32:51 -07:00
Bart Van Assche
4842650043 init: Improve readability of the code in SecondStageMain()
Change the type of epoll_timeout from
std::optional<std::chrono::milliseconds> into std::chrono::milliseconds.
No functionality is changed.

Bug: 213617178
Change-Id: Ieb150e0aeabdb79c8da4649875ea3ed59297343b
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-10-20 09:32:51 -07:00
Bart Van Assche
b0177a0828 init/epoll: Fix a potential use-after-free
If UnregisterHandler() is called from inside a handler for an event that
has not yet been processed then that will result in a use-after-free.
Fix this by passing file descriptors to epoll_ctl() instead of pointers
to map elements.

Bug: 213617178
Change-Id: Ie62e3a299af964271ec24cd8fc2e794042b77ee6
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-10-18 16:34:12 -07:00
Bart Van Assche
a2c160449b init: Introduce Epoll::SetFirstCallback()
Prepare for optimizing Epoll::Wait() by moving the
ReapAnyOutstandingChildren() call into Epoll::Wait(). No functionality
is changed.

Bug: 213617178
Change-Id: I280ea0069ed29cf323e4177ec500b30b900f7c8d
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-10-18 09:17:55 -07:00
Bart Van Assche
20954a8e34 init/epoll_test: Improve this test
Add a move constructor in the CatchDtor class. Check the .emplace()
result. Simplify the destructor. Initialize handler_invoked. Explain the
purpose of this test.

Bug: 213617178
Change-Id: I4d6f97dbb2705a2f2dd78e449ae8de74e90b102f
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-10-18 09:17:55 -07:00
Akilesh Kailash
889b446810 Merge "init: Detach daemon only after sepolicy is loaded" 2022-10-11 21:04:42 +00:00
Yi-yo Chiang
9b123de886 Merge "Remove deprecated BOARD_BUILD_SYSTEM_ROOT_IMAGE" 2022-10-11 10:31:19 +00:00
Akilesh Kailash
035e557fd3 init: Detach daemon only after sepolicy is loaded
The new sequence of operation would be:

1: Load sepolicy - Daemon will continue to be alive and serve any I/O request

2: After sepolicy loading is complete - Switch the device-mapper tables.

3: Kill the block device daemon launched in the first-stage init.

4: Re-launch the daemon with the correct selinux labels set.

5: Enforce the sepolicy

Bug: 240321741
Test: Full OTA on pixel
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: Idd392f0f0aae7d93e546c0ec0762e6c07b6263e4
2022-10-10 21:58:52 +00:00
Sayanna Chandula
5754b5ab10 init: Support reboot reason with thermal warmreset
Thermal shutdown could be due to tskin temperature or
battery temperature. Pass reason while rebooting the
system to reflect properly in boot.reason

Bug: 238464124
Test: Build and boot on device. Check reboot reason
for thermal shutdown and battery thermal shutdown with
thermal warmreset enabled.

Change-Id: I192562fed48ae7da7843e383362cd22a76ce479f
2022-10-07 14:11:25 -07:00
Yi-Yo Chiang
ddc9763ee2 Remove deprecated BOARD_BUILD_SYSTEM_ROOT_IMAGE
This variable is always false or empty now, so clean up remaining
references of the variable.

Bug: 241346584
Test: Presubmit
Change-Id: Id5c37a1391239206477fd802d364a2678692f513
2022-10-07 21:17:40 +08:00
Bob Badour
03d5052754 Add LOCAL_LICENSE_KINDS to system/core
Added SPDX-license-identifier-Apache-2.0 to:
  init/fuzzer/Android.bp

Bug: 68860345
Bug: 151177513
Bug: 151953481

Test: m all
Change-Id: I2db55c80799d0a8fc5935d9b07a2ddb17eb7235e
2022-10-06 19:59:07 +00:00
Treehugger Robot
71d9f3607b Merge changes I264d0891,I1af733e7,Iae344c1e
* changes:
  Added init_ueventHandler_fuzzer
  Added init_property_fuzzer
  Added init_parser_fuzzer
2022-10-06 13:59:37 +00:00
David Anderson
aaa16bbad4 Merge "init: Statically link libbootloader_message." 2022-10-04 16:32:50 +00:00
David Anderson
12e53bc350 init: Statically link libbootloader_message.
This is to resolve idiosyncrasies with test packaging.

Bug: 244284630
Test: ldd -d -r CtsInitTestCases
Change-Id: Iec2c14c3ca5cd359b79d9e1f12e689c0eeffb122
2022-10-03 21:37:56 -07:00
Florian Mayer
84a30c8526 Merge "[MTE] Add device config to control upgrade time" 2022-10-03 17:47:12 +00:00
Cole Faust
7e279e97a3 Fix module-file name collisions
Bazel doesn't allow a module and file with the same name.

Bug: 198619163
Test: Presubmits
Change-Id: I345086764071ca649de1ac11804e21675cd5e59d
2022-09-20 12:33:47 -07:00
Florian Mayer
caa7a60e2d [MTE] Add device config to control upgrade time
Bug: 169277947
Change-Id: I67eb94a668e60a2970bb086f82cc69396275340a
2022-09-16 09:49:38 -07:00
Florian Mayer
565305b852 Merge "[MTE] only upgrade to SYNC mode for MTE crashes" 2022-09-14 01:22:45 +00:00
Florian Mayer
d705c2dbcd [MTE] only upgrade to SYNC mode for MTE crashes
Bug: 244471804
Test: atest mte_ugprade_test on emulator
Change-Id: Ie974cf2dec96267012f1b01b9a40dad86551b1be
2022-09-13 15:35:07 -07:00
Adam Langley
ecc14a5958 init: Add option to listen on sockets before starting service.
Review note: Original change was a p-o-c by agl in
https://r.android.com/2094350 which I think is actually
production quality.  I'm just taking it over so that he doesn't
get spammed by any review comments as that's not a good use
of his time.

Needed for the hardware entropy daemon (see bug).

Original commit message:
If one needs to create a service that synchronously starts listening on
a socket then there are currently no good options.

The traditional UNIX solution is to have the service create the socket
and then daemonise. In this situation, init could start the service with
`exec_start` and yet not block forever because the service forks and
exits. However, when the initial child process exits, init kills the
daemon process:

> init: Killed 1 additional processes from a oneshot process group for
> service 'foo'. This is new behavior, previously child processes
> would not be killed in this case.

Next, there is a `socket` option for services and (although the
documentation didn't nail this down), the socket is created
synchronously by `start`. However, init doesn't call `listen` on the
socket so, until the service starts listening on the socket itself,
clients will get ECONNREFUSED.

This change adds a `+listen` option, similar to `+passcred` which
allows a socket service to reliably handle connections.

Bug: 243933553
Test: Started prng_seeder from init using the new listen flag
Change-Id: I91b3b2b1fd38cc3d96e19e92b76c8e95788191d5
2022-09-12 15:16:35 +01:00
Suren Baghdasaryan
633ce78b94 Merge "init: Change extra_free_kbytes.sh to add margin relative to the default watermark level" 2022-09-09 16:55:25 +00:00
Deyao Ren
2880afb77f Merge "Clean up services created after running test" 2022-09-09 16:20:31 +00:00
deyaoren@google.com
909bc47536 Clean up services created after running test
Services created during new tests weren't properly cleaned up after tests. It caused slowdown of subsequent tests as described in b/244486404.
This change kills/terminates services after test with apex services.

To provide some context, original change is at https://android-review.googlesource.com/q/topic:vapex_stop_service. The issue was discovered by android test monitor and filed as a P0 bug.

Bug: 244486404
Change-Id: Ie64e0eb1686e94ef543a457ea49d1d7aeab38c97
2022-09-09 04:15:26 +00:00
Suren Baghdasaryan
cfd8864f9a init: Change extra_free_kbytes.sh to add margin relative to the default watermark level
extra_free_kbytes.sh accepts a parameter representing the number of KB
to add to low and high watermarks. It adds this margin to the current
watermark levels, however this is not how /proc/sys/vm/extra_free_kbytes
knob that it replaces used to work. The old knob would add the margin
relative to the original and not the current level of the watermarks.
Change extra_free_kbytes.sh to add the specified margin to the original
watermark levels to act as correct replacement of the old knob.

Bug: 242837506
Fixes: 642048d969 ("init: Add extra_free_kbytes.sh script to adjust watermark_scale_factor")
Test: repeatedly run 'setprop sys.sysctl.extra_free_kbytes 30375'
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I8af603ba00bd4fb8182b80b3c0969fa96cdd7311
2022-09-08 19:34:43 +00:00
Bob Badour
9cf81ccfef [LSC] Add LOCAL_LICENSE_KINDS to system/core
Added SPDX-license-identifier-Apache-2.0 to:
  init/test_upgrade_mte/Android.bp

Bug: 68860345
Bug: 151177513
Bug: 151953481

Test: m all
Change-Id: I77b956ed672a2f171b78ab1e7bfddc09bd0dc158
2022-09-08 15:23:25 +00:00
Sandro
d01921034c Remove /dev/selinux directory creation from first_stage_init.cpp
Follow-up from aosp/2203897

Bug: 243923977
Test: m and manual verification
Change-Id: I9e41301d2fe4447906253a5c1249dc6c25cd5218
2022-09-07 15:04:59 +00:00
Sandro
1120f7f4a9 Create /dev/selinux folder if it was not created by first-stage-init
The /dev/selinux folder is normally created by first-stage-init
https://cs.android.com/android/platform/superproject/+/master:system/core/init/first_stage_init.cpp;l=299-300;drc=07c86bace1e7a7cc4dd975f10b077d21c3743749

However, in some cases the first-stage-init comes from a GKI prebuilt
boot.img and does not create the required folder (see for example
b/217677967), resulting in bugs like b/244793900.

I modified the selinux.cpp code to create the /dev/selinux folder if it
does not exist already, as a safety measure.

To verify these changes for b/244793900, follow gpaste/4922166775644160

Bug: 243923977
Test: atest SeamendcHostTest, manual verification
Change-Id: I8fe798643b1aeab2b4caac837055348febf70b94
2022-09-07 11:31:47 +00:00
Treehugger Robot
c113dc3a95 Merge "Upgrade MTE to SYNC after ASYNC crash." 2022-09-06 21:29:14 +00:00
Florian Mayer
2ef47f8f6d Upgrade MTE to SYNC after ASYNC crash.
Bug: 169277947
Test: atest mte_ugprade_test on emulator.
Test: ASSUMPTION_FAILED on non-MTE
Test: ASSUMPTION_FAILED on HWASan
Change-Id: I5328d094ffb106abaa548feb76058c9ebd11d745
2022-09-06 20:10:57 +00:00
Jooyung Han
93c24d7e65 Only run Service::Start() under root
Tests using Service::Start() should run under root. Otherwise tests fail
to start services from the test binary due to lack of permission.

Bug: 244748231
Test: CtsInitTestCases
Change-Id: Ia4eb8457cfad7d44da6b171e44f64238e08af9f7
2022-09-06 10:03:47 +09:00
Jiyong Park
a5dfe700b8 Merge "init: remove unnecessary semicolon" 2022-09-02 11:39:05 +00:00
Jooyung Han
c69bcd4a6d Merge "Removed property init.apex.<apex-name>.load/unload." 2022-09-02 06:46:54 +00:00
Deyao Ren
259b63d71c Removed property init.apex.<apex-name>.load/unload.
Bug: 240533726
Test: atest CtsInitTestCases ApexTestCases
Change-Id: I7ed149f24dc4b116865320c85389ffe7bae6ae0d
2022-09-01 16:14:00 +00:00
Deyao Ren
e37c15e9b0 Merge changes from topic "vapex_stop_service"
* changes:
  Remove and add service and action during apex load and unload
  Stop services when unload an apex
2022-08-31 16:09:43 +00:00
Deyao Ren
238e909349 Remove and add service and action during apex load and unload
Bug: 232114573
Test: atest CtsInitTestCases ApexTestCases
Change-Id: I1f91ada1d44ac2380e2faf8fc25e0a521cc1a826
2022-08-30 17:31:00 +00:00
Treehugger Robot
85d69af38e Merge "Validate persistent properties file" 2022-08-30 08:42:09 +00:00
Bart Van Assche
fcf047113f init: Apply the NormalIoProfile when creating a service
Prepare for migration of the blkio controller to the v2 cgroup hierarchy
by applying the NormalIoProfile when starting a service. While the
NormalIoProfile is automatically applied when the blkio controller is
mounted in the v1 hierarchy, this is not the case for the v2 hierarchy.

Bug: 213617178
Change-Id: I3cad288a31aa2692e10c778ae1e5fdd04acd66d7
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-08-25 14:01:01 -07:00
Paul Crowley
f7c74694d7 Validate persistent properties file
Before loading persistent properties, init now checks if there are any
invalid properties (not starting with "persist.").

Bug: 243723877
Test: atest persistent_properties
Change-Id: Ieb4ddce05916f193388af6b658e1904004ffa473
2022-08-25 11:40:18 -07:00
Sandro
956ce287f3 Add SeamendcHostTest to selinux.cpp TEST_MAPPING
SeamendcHostTest should run when making changes to selinux.cpp, to
ensure the test logic is updated to match the logic selinux.cpp follows
when it decides to compile the SELinux policy in the OpenSplitPolicy
method.

Bug: 238394904
Test: atest --test-mapping system/core/init/TEST_MAPPING:presubmit
Change-Id: Iaf0ec2356a894b071e6875dd41bcf9e842126e42
2022-08-25 09:26:24 +00:00
Deyao Ren
07595e198c Stop services when unload an apex
Bug: 238854102
Test: atest CtsInitTestCases ApexTestCases
Change-Id: I3b9df9424f7841c42bd1bde27cd0e0750615bd6c
2022-08-24 06:22:57 +00:00
kunal rai
803b5f4230 Added init_ueventHandler_fuzzer
Test: ./init_ueventHandler_fuzzer
Bug: 218631398

Change-Id: I264d0891f14cc5836e45d08578347737c94a168f
2022-08-19 11:48:30 +05:30
Akshata Kadam
2ae767105d Added init_property_fuzzer
Test: ./init_property_fuzzer
Bug: 218631398

Change-Id: I1af733e7f82bef2979fc308b0109094b0ebe1e28
2022-08-19 11:48:19 +05:30
Devendra Singhi
d29be4aaa0 Added init_parser_fuzzer
Test: ./init_parser_fuzzer
Bug: 218631398

Change-Id: Iae344c1e174fb5e07a0fb6813744fa1ae78eff6a
2022-08-19 11:48:07 +05:30
Xin Li
4f74d4542d Merge "DO NOT MERGE - Merge Android 13" 2022-08-16 19:08:18 +00:00
Trevor Radcliffe
fcfd725a5c Point directly to generated c sysprop_library
Bug: 226199990
Test: m
Change-Id: I0ea65714f9a27093b37034abde7d59f1951a5cb6
2022-08-12 18:23:40 +00:00
Deyao Ren
aebf88191b Merge "Add apex name to service" am: ec73481e58
Original change: https://android-review.googlesource.com/c/platform/system/core/+/2155014

Change-Id: I3c44c321568173fa11588c2d6c69a43ad48c63f9
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-22 23:09:19 +00:00
Jooyung Han
07316159c3 Merge "Respect namespace mnt" am: ba1fbaf50c
Original change: https://android-review.googlesource.com/c/platform/system/core/+/2163903

Change-Id: I67d5c5d93109b97b376fb97b01618893aba8af13
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-22 23:08:56 +00:00
Deyao Ren
ec73481e58 Merge "Add apex name to service" 2022-07-22 23:03:45 +00:00
Jooyung Han
5eb441caca Respect namespace mnt
This fixes the regression of aosp/2153354.
SwitchToMountNamespaceIfNeeded() is supposed to switch between "default"
mount namespace and "bootstrap" mount namespace. But it shouldn't affect
services with its own mount namespace.

Bug: 239882455
Test: make a hal service start in a separate mount namespace
    using 'namespace mnt' in its definition.
    see the mount namespace of the service process
    $ cat /proc/$(pgrep -f myservice)/ns/mnt
Change-Id: I8c80eaec723241c405f48980b9e88640123c43ad
2022-07-23 01:41:18 +09:00
Deyao Ren
df40ed1be1 Add apex name to service
Passed apex file name to service. The file name will be parsed
to determine 1) whether the service is from an apex; 2) apex name

Bug: 236090201

Change-Id: I2c292c0c067f4bf44bb25b1f80e4f972b94f7258
2022-07-22 04:00:30 +00:00
Yi-yo Chiang
a367bdbc4c Merge "Revert "first_stage_mount: Bind mount /system after switch root"" am: e321b113d6
Original change: https://android-review.googlesource.com/c/platform/system/core/+/2159462

Change-Id: Ie9afb0754d73a7bdcf735c8dc6d1c0fec4a514db
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-20 03:57:26 +00:00
Yi-yo Chiang
e321b113d6 Merge "Revert "first_stage_mount: Bind mount /system after switch root"" 2022-07-20 03:49:59 +00:00
Zhuoyao Zhang
54ec48fad7 Revert "first_stage_mount: Bind mount /system after switch root"
This reverts commit d7e6353a69.

Reason for revert: b/239574953 breaking emulator based test on g3

Change-Id: Ib7d17fe8383937c7764f6612cf89db4fb7e5a4d3
2022-07-19 18:09:42 +00:00
Jiyong Park
35ed22e7c0 Merge "Enhance documentation about SetMmapRndBitsAction" am: ccb1ce32cc
Original change: https://android-review.googlesource.com/c/platform/system/core/+/2156356

Change-Id: I86fbac8de9872ef6733cbd05bb140e1c92820d43
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-19 05:06:30 +00:00
Jiyong Park
a9f856b13b Merge "init: don't touch mmap_rnd_compat_bits on 64-bit only builds" am: 2d79c6c096
Original change: https://android-review.googlesource.com/c/platform/system/core/+/2154914

Change-Id: I1e3ef837b69b85c5a554a9d0f41d319dd986ecb4
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-19 05:06:20 +00:00
Jiyong Park
ccb1ce32cc Merge "Enhance documentation about SetMmapRndBitsAction" 2022-07-19 04:41:32 +00:00
Jiyong Park
2d79c6c096 Merge "init: don't touch mmap_rnd_compat_bits on 64-bit only builds" 2022-07-19 04:40:39 +00:00
Jiyong Park
5b16ccb36e Enhance documentation about SetMmapRndBitsAction
Bug: N/A
Test: N/A
Change-Id: I0408158d181ef08831a55e1381477f5b128a5c52
2022-07-19 10:47:47 +09:00
Jooyung Han
6bfcefca0a Merge "Update linker configuration when loading apex" am: 11e757c9cc
Original change: https://android-review.googlesource.com/c/platform/system/core/+/2155096

Change-Id: Ife9943c015595c8d1381716fede99ad0fce2fab1
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-18 23:59:47 +00:00
Jooyung Han
11e757c9cc Merge "Update linker configuration when loading apex" 2022-07-18 23:39:56 +00:00
Yi-yo Chiang
c3e43e63fe Merge "first_stage_mount: Bind mount /system after switch root" am: 53f1fab6ac
Original change: https://android-review.googlesource.com/c/platform/system/core/+/2146960

Change-Id: I6f8029284650238dcca3727cb9be81d486a9d314
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-18 10:08:01 +00:00
Yi-yo Chiang
53f1fab6ac Merge "first_stage_mount: Bind mount /system after switch root" 2022-07-18 09:47:56 +00:00
Jooyung Han
626be07153 Update linker configuration when loading apex
On ctl.apex_load <apex_name> control message, init invokes linkerconfig
to update linker configuration for the updated apex.

Bug: 232173613
Test: CtsInitTestCases
Test: VendorApexHostTestCases
Change-Id: I01d975849c3f4efe74205a7b04ebbd6864ba1121
2022-07-18 17:45:15 +09:00
Treehugger Robot
f8415fdc19 Merge "first_stage_mount: Fix log typo "check_at_most_once"" am: 4bc5277152
Original change: https://android-review.googlesource.com/c/platform/system/core/+/2146961

Change-Id: Id41980ebd8e4ec7353def81828f0138374858a49
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-18 06:18:51 +00:00
Jiyong Park
11d7bc52df init: don't touch mmap_rnd_compat_bits on 64-bit only builds
mmap_rnd_compat_bits is for address space randomization of 32-bit
applications on 64-bit system. Configuring it is not only unnecessary
for 64-bit "only" builds, but also can cause a boot failure if the
kernel is built without CONFIG_COMPAT which is the case for Microdroid.

Use ro.product.abilist32 to determine whether 32-bit applications are
supported and if not, don't configure it, but mmap_rnd_bits.

Bug: 237950549
Test: run Microdroid with the kernel built with aosp/2153639

Change-Id: Ifca6fa02f14ad4c7d8f9b2ab8852494c12945c3a
2022-07-18 14:31:13 +09:00
Yi-Yo Chiang
a3832d496b first_stage_mount: Fix log typo "check_at_most_once"
Was "check_most_at_once", should be "check_at_most_once".
Also straighten the if-then-else logic from:
  if (cond) {
    // then
  } else {
    // error...
    return;
  }
to:
  if (!cond) {
    // error...
    return;
  }
  // fallthrough is "then"

Test: Presubmit
Change-Id: I85c1e94c47a727089374d5d05ecd40f4187b66a1
2022-07-18 04:38:02 +00:00
Jooyung Han
db126b9a4e Merge "Return Result<T> from Do(Un)LoadApex()" am: 46fa45d82c
Original change: https://android-review.googlesource.com/c/platform/system/core/+/2155095

Change-Id: Ib73a4ed9cfb73ebd26cd03d2c3119aab5f17c5e2
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-16 03:19:31 +00:00
Jooyung Han
a2fe3e577e Return Result<T> from Do(Un)LoadApex()
For consistent error message. This is a preparation step for the
follow-up change: to generate linker configuration in DoLoadApex()

Bug: 232173613
Test: CtsInitTestCases
Change-Id: I27954ae2429e82da1bde1925ef62b277c24129d3
2022-07-16 08:37:06 +09:00
Jooyung Han
000b85449c Merge "init starts servicemanagers in "default" mount ns" am: e89c457157
Original change: https://android-review.googlesource.com/c/platform/system/core/+/2153354

Change-Id: I9fcb98938403626697ea5b515e1f5d2c82fbefd8
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-15 00:34:25 +00:00
Jooyung Han
c5fa15e08c init starts servicemanagers in "default" mount ns
servicemanager/hwservicemanager are pre-apexd services but still want
to see VINTF fragments from APEXes, especially from /data.

Like ueventd, these services need to be started in "default" mount
namespace.

Bug: 237672865
Test: m && boot
Change-Id: I0266c5be5530a1a07f8ffa23a26186d45a55613f
2022-07-14 18:31:21 +09:00
Treehugger Robot
e03286ac40 Merge "Add ctl.apex_(un)load properties to (un)load apex" am: e271146ec8
Original change: https://android-review.googlesource.com/c/platform/system/core/+/2146970

Change-Id: I26a3865aaaae2ded31c84e701a0a6fe3592b65a1
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-13 04:20:59 +00:00
Treehugger Robot
e271146ec8 Merge "Add ctl.apex_(un)load properties to (un)load apex" 2022-07-13 04:04:20 +00:00
Treehugger Robot
592de2a382 Merge "Don't kill subcontext if it's null" am: 932e069f0f
Original change: https://android-review.googlesource.com/c/platform/system/core/+/2146830

Change-Id: Ib839545df89ff9b6c6b554d7429c2f6e602a32f3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-07-11 07:17:30 +00:00
Inseob Kim
5caaa5575e Don't kill subcontext if it's null
We don't initialize subcontext in microdroid. subcontext->pid() will
crash in such case.

Test: atest MicrodroidTests
Change-Id: Ifca65acededbf7f113d8bf16afbb8e2c1aa91b41
2022-07-11 14:34:15 +09:00
Jooyung Han
678f0b4828 Add ctl.apex_(un)load properties to (un)load apex
These props are supposed to be used by apexd when installing an apex
without reboot. During the installation, apexd will unmount the current
one and mount the new one. Since the path and its contents will be
replaced, anything loaded from the apex should be unloaded before
unmounting. After apexd mounts the apex again, then init should re-read
.rc files from the apex.

This change only adds required properties:
- ctl.apex_load <apex_name>
- ctl.apex_unload <apex_name>
- init.apex.<apex_name> = loaded | unloaded

Bug: 232114573
Bug: 232173613
Test: atest CtsInitTestCases
Change-Id: I4a8942d67912e2f11acc51bec756c4e3c218179a
2022-07-07 15:58:33 +09:00
Yi-Yo Chiang
d7e6353a69 first_stage_mount: Bind mount /system after switch root
This ensures /system to be a mountpoint, which allows adb-remount to
change the subtree propagation type of /system and MS_MOVE submounts
under /system.

Test: Add submount under /system and adb remount
Change-Id: Ib281be41eaf86bc3e6b7dfac893e5e27b8374da8
2022-07-06 21:51:35 +08:00
Treehugger Robot
0aa01859e6 Merge "Add lz4 support for VABC" am: 3854a69d39
Original change: https://android-review.googlesource.com/c/platform/system/core/+/2061511

Change-Id: I5e15a317788ea6eba843b2c3c6770d549ea7db48
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-06-30 00:42:20 +00:00
Kelvin Zhang
5cb1b0295e Add lz4 support for VABC
Add lz4 support in CowWriter/CowReader. Lz4 should offer faster
read/write performance but slightly larger COW sizes.

Download time: Reduced from 1264s to 825s (~35% faster)
Filesystem verification time: from 69s to 59s (~15% faster)
COW Size: 2.59GB to 3.21GB, (~25% regression)
Merge time: 37046ms to 27690ms (~25% faster)
Boot time: LZ4 is 2.7% faster

Overall, LZ4 offers faster read/write performance at the cost of 25%
space regression.

Test: th
Bug: 228478555
Change-Id: Ie521852fb3c9ff8a12e55b764c1eb1838f7b2181
2022-06-29 13:10:55 -07:00
Xin Li
ebe6598a1c Merge tm-dev-plus-aosp-without-vendor@8763363
Bug: 236760014
Merged-In: Ia927c19f544536f78c20ccef5830bd1be0cebf9b
Change-Id: I0267b9eaad470a56db68f3a0b99abfc41192c6d7
2022-06-28 21:23:43 +00:00
Yi-Yo Chiang
01a7dcb240 first_stage_init: Optimize redundant vector copy
```
std::vector<std::string> v2;
for (auto&& e : get_temporary_v1()) { v2.push_back(e); }
```
^^^ This is constructing v2 from a temporary object, which is an
unnecessary manual clone. We should just let copy-elision do its thing:

```
// Give compiler the chance to optimize this with copy-elision...
auto v2 = get_temporary_v1();
```

Also `lp_names` appends an extra ',' at its end. Just use
android::base::Join() here.

Bug: 235111004
Test: Presubmit GSI boot test
Change-Id: Ibe8ce7a29b8521e789aa0a99f7f6d31f3f9c70e9
2022-06-27 16:19:37 +00:00
Eric Biggers
1179b02637 Merge "Rename fscrypt_is_native() to IsFbeEnabled()" am: e5a9a70437 am: 3d3a52a7d4
Original change: https://android-review.googlesource.com/c/platform/system/core/+/2127464

Change-Id: I192f917501e5c04aa9ea80168a20ed688edd2116
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2022-06-22 19:07:49 +00:00
Eric Biggers
e5a9a70437 Merge "Rename fscrypt_is_native() to IsFbeEnabled()" 2022-06-22 18:24:38 +00:00