tkill and tgkill are syscalls that do not have glibc wrappers, but
they are required in order to send a signal to a specific thread.
Non-android software may call them directly with syscall(). Bionic
provides a wrapper for tgkill, so seccomp allows it, but not for
tkill. Add tkill to the whitelist.
This can be reproduced with:
sleep 1000 & sleep 1 ; strace -p $!
then hit ctrl-C, and the shell will print "Bad system call" because
the strace process died with SIGSYS
Bug: 34586922
Test: repro case is fixed
Change-Id: Ib6962a967f2cc757f2906de7905e75e1b6d6f39f
restart_syscall is used by the kernel whenever a syscall with a
timeout is interrupted. Whitelist it in seccomp to prevent
processes being killed with SIGSYS when being ptraced.
Bug: 34586922
Test: hwui_unit_tests
Change-Id: Ic47dcad33f3082eb5673c3c67fe17200d4daaf74
New protocol assumes that there is no limit on name or value
and effectively removed limit on property name length.
It also send back a uint32_t with error code (or 0 on success)
Bug: http://b/33926793
Test: mm, boot, run bionic-unit-tests --gtest_filter=prop*
Change-Id: Iac6290398ddc495e03f8fbbc3a79e923eff5df6f
Also ensure that it uses the highest supported value, and
abort if the value is not above a minimum threshold.
Test: Tested against the curent kernel (maximum value of 2,
set to 0 by the kernel initially) and against a
modified kernel (maximum value of 4, set to 4 by the
kernel initially)
Bug: 30368199
Change-Id: I608db577258b68b390ffe96f452e1f7c0bc9ad8a
The following files will be loaded additionally.
- /odm/default.prop and /vendor/default.prop for default props.
- /odm/build.prop for build props.
The props files must follow the following priority order.
- /default.prop > /odm/default.prop > /vendor/default.prop
- /system/build.prop > /odm/build.prop > /vendor/buid.prop
Test: tested default/build prop files with enabling early mount, but
didn't test files of odm partition because odm partition doesn't
exist now.
Bug: 34116668
Change-Id: I946d076dae38f2288865dd986fb16d801d4abcc0
SoC vendors and ODMs need a way to run different init scripts under
different boot modes. This patch adds a new ro.boot.init_rc kernel
cmdline argument to support this.
Bug: 26639863
Test: Tested on bullhead with androidboot.init_rc given a
non-existent .rc file which leads to expected boot failures.
Boot succeeds if androidboot.init_rc is not specified.
Change-Id: I2bca1cc3de6720feced041fe87266fb8afcce8b0
This now combines all the "libsparse" libraries into the same soong
target. A minor side-effect of this change is that the libsparse
static library depends on the libz shared library instead of the libz
static library. This minor change has no effect since targets using
the static libsparse library need to explicitly include either the
static libz or the shared one.
Bug: 34220783
Change-Id: I8f41586cf4c3336791cfa57ab4f5ae59a76d7ffa
SoC vendors and ODMs need a way to run different init scripts under
different boot modes. This patch adds a new ro.boot.init_rc kernel
cmdline argument to support this.
This patch also changes late-init trigger. Now late-init is only
triggered in "normal" boot (where boot mode is not specified). This is
to make AOSP init.rc re-usable in other boot modes as the operations
in late-init are less common.
Bug: 26639863
Test: Tested on bullhead with
androidboot.init_rc = {non-existent .rc file}
and/or
androidboot.init_rc = {none empty string}
both of which lead to expected boot failures.
Boot succeeds if androidboot.init_rc is not specified.
Change-Id: Ie5f08c3914f2f825ad3c401fde6741459668c523
Test: Ran script to test performance - https://b.corp.google.com/issues/32313202#comment3
Saw no significant regression with this change on or off
Removed chroot from SYSCALLS.TXT - chroot blocked
Boot time appears reasonable
Device boots with no SECCOMP blockings
Measured per syscall time of 100ns
Empirically counted <100,000 syscalls a second under heavy load
Bug: 32313202
Change-Id: Icfcfbcb72b2de1b38f1ad6a82e8ece3bd1c9e7ec
Bug: 33746484
Test: Successfully boot with original service and property contexts.
Test: Successfully boot with split serivce and property contexts.
Test: 'getprop -Z'
Change-Id: I62689b229a67e319c65bf034da804f660f82bd35
Signed-off-by: Sandeep Patil <sspatil@google.com>
The property service uses an SELinux userspace check to determine if a
process is allowed to set a property. If the security check fails, a
userspace SELinux denial is generated. Currently, these denials are only
sent to dmesg.
Instead of sending these denials to dmesg, send it to the kernel audit
system. This will cause these userspace denials to be treated similarly
to kernel generated denials (eg, logd will pick them up and process
them). This will ensure that denials generated by the property service
will show up in logcat / dmesg / event log.
After this patch, running "setprop asdf asdf" from the unprivileged adb
shell user will result in the following audit message:
type=1107 audit(39582851.013:48): pid=1 uid=0 auid=4294967295
ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for
property=asdf pid=5537 uid=2000 gid=2000 scontext=u:r:shell:s0
tcontext=u:object_r:default_prop:s0 tclass=property_service'
Test: manual
Bug: 27878170
Change-Id: I0b8994888653501f2f315eaa63d9e2ba32d851ef
Commit 9596d2b95d changes how
availability of console is checked by only checking access bits for
the console device. However, in cases where there is no console it
defaults to /dev/console. This device is always enumerated by tty
driver (i.e. file and access bits may be correct), but it doesn't
always map to an underlying console driver. Because the lookup for the
underlying console driver happens during the open system call, checking
only the access bits is not sufficient and need to make sure open
system call is successful, we can safely close the FD afterwards to
avoid FD leaks.
Test: boot device and check console svc doesn't continuously restart
Bug: 33691649
Change-Id: Ia51a8a2f56c345b70db55e95f61a057a98b52895
The mismatch of return values makes reasoning about the correctness of
CLs like https://android-review.googlesource.com/317923 quite hard.
Bug: 33941660
Test: Init builds, HiKey boots.
Change-Id: Ia4b8a9af420682997b154a594892740181980921
This reduces the overhead when bootcharting is on (obviously), but also
removes the "do we need to do anything for bootcharting?" check in cases
where we're not bootcharting.
Bug: http://b/23478578
Bug: http://b/33450491
Test: rebooted with bootcharting on/off
Change-Id: Id8746b5023b17d7615679eba0bcd02aee048ef1a
Compile policy from disparate sources at beginning of init and use to load
rather than relying on prebuilt policy.
Bug: 31363362
Test: Policy builds on-device and boots.
Change-Id: I681ec3f7da351d0b24d1f1e81e8a6b00c9c9d20c
Partners have expressed interest in using the 'capabilities' keyword
in init, so make the code more resilient:
-Check that ambient capabilities are supported by the kernel.
-Check that the last valid cap at runtime is not higher than what's in
kernel headers.
-Check that the user is not requesting a capability present in kernel
headers but not supported by the kernel at runtime.
-Don't attempt to drop bounding set capabilities not supported at
runtime.
This CL also fixes a small bug where < should have been used instead of
<=, and uses 'static' instead of anonymous namespaces.
Bug: 32438163
Test: Use a test service that uses capabilities.
Test: Apply in internal tree and test with angler and rild.
Change-Id: Ia271cc7eb389d1d526d61f897261e4bac4d19e5d
This is a cherry-pick of internal commit:
f611291688 which was a revert of a
revert, specifically a revert of commit:
c8f026fc9c.
The above revert was meant only for AOSP, since the kernel prebuilts
were not yet available there. The revert was reverted internally so
that internal builds, which have the appropriate kernel prebuilts,
operated properly.
The very first commit was originally done in nougat-dev and cherry-picked
to AOSP, so it was not picked up again when nougat landed in master. Add
it now.
Bug: 27681085
Test: Builds and boots.
Change-Id: If1cb6308e61aaaabca5b5bd30df78aab49e7b0d5
When init starts a service with a console, it tests for the presence of
a readable/writable console device. The test results in a leaked file
descriptor.
Use access() instead of open() to avoid leaking file descriptors.
Bug introduced in 70daa67062.
Test: compiles and device boots
Change-Id: I4efcfa0bb2cdb09f0455bc04a3a91e784bda7962
Most notably, there's no longer any need to guess an end time.
Bug: http://b/23478578
Bug: http://b/33450491
Test: rebooted with bootcharting on/off
Change-Id: Icb7d6859581da5526d77dfc5aa4d57c9bfbfd7e2
