Thermal shutdown could be due to tskin temperature or
battery temperature. Pass reason while rebooting the
system to reflect properly in boot.reason
Bug: 238464124
Test: Build and boot on device. Check reboot reason
for thermal shutdown and battery thermal shutdown with
thermal warmreset enabled.
Change-Id: I192562fed48ae7da7843e383362cd22a76ce479f
This variable is always false or empty now, so clean up remaining
references of the variable.
Bug: 241346584
Test: Presubmit
Change-Id: Id5c37a1391239206477fd802d364a2678692f513
Added SPDX-license-identifier-Apache-2.0 to:
init/fuzzer/Android.bp
Bug: 68860345
Bug: 151177513
Bug: 151953481
Test: m all
Change-Id: I2db55c80799d0a8fc5935d9b07a2ddb17eb7235e
This is to resolve idiosyncracies with test packaging.
Bug: 244284630
Test: ldd -d -r CtsInitTestCases
Change-Id: Iec2c14c3ca5cd359b79d9e1f12e689c0eeffb122
Review note: Original change was a p-o-c by agl in
https://r.android.com/2094350 which I think is actually
production quality. I'm just taking it over so that he doesn't
get spammed by any review comments as that's not a good use
of his time.
Needed for the hardware entropy daemon (see bug).
Original commit message:
If one needs to create a service that synchronously starts listening on
a socket then there are currently no good options.
The traditional UNIX solution is to have the service create the socket
and then daemonise. In this situation, init could start the service with
`exec_start` and yet not block forever because the service forks and
exits. However, when the initial child process exits, init kills the
daemon process:
> init: Killed 1 additional processes from a oneshot process group for
> service 'foo'. This is new behavior, previously child processes
> would not be killed in this case.
Next, there is a `socket` option for services and (although the
documentation didn't nail this down), the socket is created
synchronously by `start`. However, init doesn't call `listen` on the
socket so, until the service starts listening on the socket itself,
clients will get ECONNREFUSED.
This this change adds a `+listen` option, similar to `+passcred` which
allows a socket service to reliably handle connections.
Bug: 243933553
Test: Started prng_seeder from init using the new listen flag
Change-Id: I91b3b2b1fd38cc3d96e19e92b76c8e95788191d5
Services created during new tests weren't properly cleaned up after tests. It caused slowdown of subsequent tests as described in b/244486404.
This change kills/terminates services after test with apex services.
To provide some context, original change is at https://android-review.googlesource.com/q/topic:vapex_stop_service. The issue was discovered by android test monitor and filed as a P0 bug.
Bug: 244486404
Change-Id: Ie64e0eb1686e94ef543a457ea49d1d7aeab38c97
extra_free_kbytes.sh accepts a parameter representing the number of KB
to add to low and high watermarks. It adds this margin to the current
watermark levels, however this is not how /proc/sys/vm/extra_free_kbytes
knob that it replaces used to work. The old knob would add the margin
relative to the original and not the current level of the watermarks.
Change extra_free_kbytes.sh to add the specified margin to the original
watermark levels to act as correct replacement of the old knob.
Bug: 242837506
Fixes: 642048d969 ("init: Add extra_free_kbytes.sh script to adjust watermark_scale_factor")
Test: repeatedly run 'setprop sys.sysctl.extra_free_kbytes 30375'
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I8af603ba00bd4fb8182b80b3c0969fa96cdd7311
Added SPDX-license-identifier-Apache-2.0 to:
init/test_upgrade_mte/Android.bp
Bug: 68860345
Bug: 151177513
Bug: 151953481
Test: m all
Change-Id: I77b956ed672a2f171b78ab1e7bfddc09bd0dc158
The /dev/selinux folder is normally created by first-stage-init
https://cs.android.com/android/platform/superproject/+/master:system/core/init/first_stage_init.cpp;l=299-300;drc=07c86bace1e7a7cc4dd975f10b077d21c3743749
However, in some cases the first-stage-init comes from a GKI prebuilt
boot.img and doess not create the required folder (see for example
b/217677967), resulting in bugs like b/244793900.
I modified the selinux.cpp code to create the /dev/selinux folder if it
does not exist already, as a safety measure.
To verify these changes for b/244793900, follow gpaste/4922166775644160
Bug: 243923977
Test: atest SeamendcHostTest, manual verification
Change-Id: I8fe798643b1aeab2b4caac837055348febf70b94
Tests using Service::Start() should run under root. Otherwise tests fail
to start services from the test binary due to lack of permission.
Bug: 244748231
Test: CtsInitTestCases
Change-Id: Ia4eb8457cfad7d44da6b171e44f64238e08af9f7
Prepare for migration of the blkio controller to the v2 cgroup hierarchy
by applying the NormalIoProfile when starting a service. While the
NormalIoProfile is automatically applied when the blkio controller is
mounted in the v1 hierarchy, this is not the case for the v2 hierarchy.
Bug: 213617178
Change-Id: I3cad288a31aa2692e10c778ae1e5fdd04acd66d7
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Before loading persistent properties, init now checks if there are any
invalid properties (not starting with "persist.").
Bug: 243723877
Test: atest persistent_properties
Change-Id: Ieb4ddce05916f193388af6b658e1904004ffa473
SeamendcHostTest should run when making changes to selinux.cpp, to
ensure the test logic is updated to match the logic selinux.cpp follows
when it decides to compile the SELinux policy in the OpenSplitPolicy
method.
Bug: 238394904
Test: atest --test-mapping system/core/init/TEST_MAPPING:presubmit
Change-Id: Iaf0ec2356a894b071e6875dd41bcf9e842126e42
This fixes the regression of aosp/2153354.
SwitchToMountNamespaceIfNeeded() is supposed to switch between "default"
mount namespace and "bootstrap" mount namespace. But it shouldn't affect
services with its own mount namespace.
Bug: 239882455
Test: make a hal service start in a separate mount namespace
using 'namespace mnt' in its definition.
see the mount namespace of the service process
$ cat /proc/$(pgrep -f myservice)/ns/mnt
Change-Id: I8c80eaec723241c405f48980b9e88640123c43ad
Passed apex file name to service. The file name will be parsed
to determine 1) whether the service is from an apex; 2) apex name
Bug: 236090201
Change-Id: I2c292c0c067f4bf44bb25b1f80e4f972b94f7258
On ctl.apex_load <apex_name> control message, init invokes linkerconfig
to update linker configuration for the updated apex.
Bug: 232173613
Test: CtsInitTestCases
Test: VendorApexHostTestCases
Change-Id: I01d975849c3f4efe74205a7b04ebbd6864ba1121
mmap_rnd_compat_bits is for address space randomization of 32-bit
applications on 64-bit system. Configuring it is not only unnecessary
for 64-bit "only" builds, but also can cause a boot failure if the
kernel is built without CONFIG_COMPAT which is the case for Microdroid.
Use ro.product.abilist32 to determine whether 32-bit applications are
supported and if not, don't configure it, but mmap_rnd_bits.
Bug: 237950549
Test: run Microdroid with the kernel built with aosp/2153639
Change-Id: Ifca6fa02f14ad4c7d8f9b2ab8852494c12945c3a
Was "check_most_at_once", should be "check_at_most_once".
Also straighten the if-then-else logic from:
if (cond) {
// then
} else {
// error...
return;
}
to:
if (!cond) {
// error...
return;
}
// fallthrough is "then"
Test: Presubmit
Change-Id: I85c1e94c47a727089374d5d05ecd40f4187b66a1
For consistent error message. This is a preparation step for the
follow-up change: to generate linker configuration in DoLoadApex()
Bug: 232173613
Test: CtsInitTestCases
Change-Id: I27954ae2429e82da1bde1925ef62b277c24129d3
servicemanager/hwservicemanager are pre-apexd services but still wants
to see VINTF fragments from APEXes, especially from /data.
Like ueventd, these services need to be started in "default" mount
namespace.
Bug: 237672865
Test: m && boot
Change-Id: I0266c5be5530a1a07f8ffa23a26186d45a55613f
We don't initialize subcontext in microdroid. subcontext->pid() will
crash in such case.
Test: atest MicrodroidTests
Change-Id: Ifca65acededbf7f113d8bf16afbb8e2c1aa91b41
These props are supposed to be used by apexd when installing an apex
without reboot. During the installation, apexd will unmount the current
one and mount the new one. Since the path and its contents will be
replaced, anything loaded from the apex should be unloaded before
unmounting. After apexd mounts the apex again, then init should re-read
.rc files from the apex.
This change only addes required properties:
- ctl.apex_load <apex_name>
- ctl.apex_unload <apex_name>
- init.apex.<apex_name> = loaded | unloaded
Bug: 232114573
Bug: 232173613
Test: atest CtsInitTestCases
Change-Id: I4a8942d67912e2f11acc51bec756c4e3c218179a
This ensures /system to be a mountpoint, which allows adb-remount to
change the subtree propagation type of /system and MS_MOVE submounts
under /system.
Test: Add submount under /system and adb remount
Change-Id: Ib281be41eaf86bc3e6b7dfac893e5e27b8374da8
Add lz4 support in CowWriter/CowReader. Lz4 should offer faster
read/write performance but slightly larger COW sizes.
Download time: Reduced from 1264s to 825s (~35% faster)
Filesystem verification time: from 69s to 59s (~15% faster)
COW Size: 2.59GB to 3.21GB, (~25% regression)
Merge time: 37046ms to 27690ms (~25% faster)
Boot time: LZ4 is 2.7% faster
Overall, LZ4 offers faster read/write performance at the cost of 25%
space regression.
Test: th
Bug: 228478555
Change-Id: Ie521852fb3c9ff8a12e55b764c1eb1838f7b2181
```
std::vector<std::string> v2;
for (auto&& e : get_temporary_v1()) { v2.push_back(e); }
```
^^^ This is constructing v2 from a temporary object, which is an
unnecessary manual clone. We should just let copy-elision do its thing:
```
// Give compiler the chance to optimize this with copy-elision...
auto v2 = get_temporary_v1();
```
Also `lp_names` appends an extra ',' at its end. Just use
android::base::Join() here.
Bug: 235111004
Test: Presubmit GSI boot test
Change-Id: Ibe8ce7a29b8521e789aa0a99f7f6d31f3f9c70e9
Now that emulated FBE is no longer supported, there is no longer any
distinction between native FBE and emulated FBE. There is just FBE.
Referring to FBE as "fscrypt" is also poor practice, as fscrypt (the
Linux kernel support for filesystem-level encryption) is just one part
of FBE, the Android feature.
Therefore, rename fscrypt_is_native() to IsFbeEnabled().
Bug: 232458753
Change-Id: Ib4dcdf799833b91d326b4b6f7120b0a3d4f4fc31
External firmware handlers cannot run until com.android.runtime.apex is
activated. However, it may be possible to request firmware from the
kernel before apex activation. Waiting for runtime apex is required
before running an external firmware handler.
Test: atest CtsInitTestCases
Change-Id: Id63b7f29084d3cecb901049162d3e5cd0055566f
Signed-off-by: Suchang Woo <suchang.woo@samsung.com>
If booting with debug ramdisk (ro.force.debuggable is true), override
the persistent property "persist.sys.usb.config" to always enable adb.
This ensures a consistent debug experience. The developer can expect
that after debug ramdisk (debug boot image) is flashed,
1. Device is rootable with (adb root)
2. adb is enabled automatically
3. no-auth (if $ADB_VENDOR_KEYS is used)
Bug: 223517900
Test: 1. Flash & boot user build, verify device doesn't have usb
debugging enabled.
2. Reboot to bootloader and flash vendor_boot-debug.img.
3. Boot and verify usb debugging is automatically enabled.
4. Enter Developer Options and manually turn off usb debugging.
5. Reboot and verify that usb debugging is automatically enabled.
Change-Id: I729e961d645f2dd521ead8ca30b5cb8eb1d9f909
When a process is started as a native service,
oom_score_adj is set to -1000 so that processes
are unkillable by lmkd.
During boot, snapuserd process is not started as a service;
hence, we need to set the oom_score_adj explicitly else in
the event of low memory situation, lmkd can kill the
process thereby device can never boot.
Bug: 234691483
Test: th and OTA on Pixel
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: Ic2c85aa470522b4bc847a16b4f5cebfc528ed3cf
Some partitions may not have build.prop files (and it's totally fine).
Rather than logging such failures as WARNING, load_property_from_file
now returns a Result<void> object so callers can manually log for
themselves.
Bug: 228389036
Test: boot and logcat
Change-Id: Ia4ad7eef34d572182a3f6e86547664ae31dfd29f
Mainline modules are not supposed to rely on 'on' action triggers in
their init scripts because events/properties are not guranteed to be
stable across many devices.
To reduce the potential risk of enabling 'on' for APEXes, for now, we
enable it for only Vendor APEXes.
When an init script in a non-Vendor APEX contains 'on' section, init
emits an error on parsing the script and skip the section.
For example, when init.rc in the ADBD APEX has 'on' section,
the following error is emitted on parsing the script.
init: Parsing file /apex/com.android.adbd/etc/init.rc...
init: /apex/com.android.adbd/etc/init.rc: 8: ParseSection() failed:
'on' is supported for only Vendor APEXes.
Bug: 232543017
Test: see above
Change-Id: I6509c8d2c6b632369d215128f740f9ed78858605
We have a case where a service is requested to be started and does
not appear to be running, but we see no indication that it is
actually starting. This log should be enough information to see
if init is in a bad state.
Bug: 232297944
Test: doesn't add too much spam
~/android/aosp/system/core/init :) adb logcat -d | grep "requested start" | wc -l
42
Change-Id: Ic07f250c98b200b9e5b4432200c3668c6ca0ff35
All the individual directories being treated specially by
FscryptInferAction() already have an explicit encryption action in the
corresponding mkdir commands. The explicit action is the source of
truth, so the special cases in FscryptInferAction() are unnecessary.
Also, some of these cases were outdated. For example, /data/app-staging
was changed from encryption=None to encryption=DeleteIfNecessary at some
point, but FscryptInferAction() was not updated. This is causing the
warning "Inferred action different from explicit one" to be logged.
Additional "Inferred action different from explicit one" warnings are
logged due to subdirectories of /data/apex being explicitly encrypted.
Change FscryptInferAction() to only do what it needs to do: check
whether the directory is a top-level directory of /data or not. Remove
the above-mentioned warning which is not useful.
Bug: 232554803
Change-Id: If6611d64107a19d242892c92dfea095577e193e5
To determine the default encryption action, the mkdir command checks
whether the given path is a top-level directory of /data. However, it
assumed a path without any duplicate slashes or trailing slash(es).
While everyone *should* be providing paths without unnecessary slashes,
it is not guaranteed, as paths with unnecessary slashes still work
correctly for all other parts of the mkdir command, including the
SELinux label lookup and the actual directory creation. In particular,
the /data/fonts directory is being created using 'mkdir /data/fonts/'.
The effect is that the mkdir command thinks that /data/fonts/ is *not* a
top-level directory of /data, so it defaults to no encryption action.
Fortunately, the full command happens to use "encryption=Require", so we
dodged a bullet there, though the warning "Inferred action different
from explicit one" is still triggered.
There are a few approaches we could take here, including even just
fixing the /data/fonts/ command specifically, but I think the best
solution is to have mkdir clean its path at the very beginning. This
retains the Linux path semantics that people expect, while avoiding
surprises in path processing afterwards. This CL implements that.
Note, this CL intentionally changes the behavior of, and thus would
break, any existing cases where mkdir is used to create a top-level
/data directory using a path with unnecessary slashes and without using
an explicit encryption action. There are no known cases where this
already occurs, however. No cases exist in platform code, and vendor
init scripts shouldn't be creating top-level /data directories anyway.
Test: atest CtsInitTestCases
Test: Booted and verified that a trailing slash is no longer present in
the log message "Verified that /data/fonts/ has the encryption
policy ...". Also verified that the message "Inferred action
different ..." is no longer present just above it.
Bug: 232554803
Change-Id: Ie55c3ac1a2b1cf50632d54a1e565cb98c17b2a6a
Instead of using config file path, use APEX's preinstalled path to
determine whether to use subcontext or not for APEX configs.
Bug: 232021354
Test: CtsInitTestCases, CtsBluetoothTestCases
Change-Id: Iba603f09602f0bec3113e2be3d15c62055c09e72
APEX configs have supported only 'service' definitions. For those
services relying on 'on' trigger actions, we had to have separate config
files installed in read-only partitions (e.g. /system/etc/init).
This was suboptimal because even though APEXes are updatable, read-only
partitions are not.
Now, 'on' is supported in APEX configs. Putting 'on' trigger actions
near to service definitions makes APEX more self-contained.
'on' trigger actions loaded from APEX configs are not sticky. So, events
happens before loading APEX configs can't trigger actions. For example,
'post-fs-data' is where APEX configs are loaded for now, so 'on
post-fs-data' in APEX configs can't be triggerd.
Bug: 202731768
Test: atest CtsInitTestCases
Change-Id: I5a01d9c7c57b07955b829d6cc157e7f0c91166f9
Replace libbacktrace with the new AndroidUnwinder object.
Bug: 120606663
Test: Ran unit tests.
Test: Added call of UnwindMainThreadStack() in DebugRebootLogging()
Test: and verified unwind data is logged properly.
Change-Id: Ia724f9485377d6d2c894283242a3c5653bf82768
To prevent bugs, directory creation and encryption should happen
together. /data/user/0 (and its "alias" /data/data) is a per-user
encrypted directory; such directories can only be encrypted by vold.
Therefore, move its creation to vold as well.
Besides closing the uncomfortably-large gap between the creation and
encryption of /data/user/0, this allows removing init's write access to
/data/user and similar directories (SELinux type system_userdir_file) to
prevent any such issues from being reintroduced in the future.
To also allow removing init's write access to /data/media (SELinux type
media_userdir_file), which also contains per-user encrypted directories,
also move the creation and encryption of /data/media/obb to vold.
Bug: 156305599
BYPASS_INCLUSIVE_LANGUAGE_REASON=Linux API ("slave" mount flag)
Change-Id: I7245251eeb56b345b6c7711482c0aa5848648edb
When system_server crashes or gets killed, it causes zygote to kill
itself, which in turn leads to killing all processes in the same
process group (all apps). This leaves empty process groups because
system_server is not there to remove them.
Purge empty process groups when init detects zygote death.
Bug: 228160715
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I0ce27eea28f8713e52033bbec2d5363a7b8ff5db
Original change: https://android-review.googlesource.com/c/platform/system/core/+/2072812
Change-Id: I780b31d9ca1de1887a53c8f8ca66a4953863f3bd
Ignore-AOSP-First: this is an automerge
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
Original change: https://android-review.googlesource.com/c/platform/system/core/+/2074258
Change-Id: Ic27ce9c20d86894ba37a6f9053281b4758e12f25
Ignore-AOSP-First: this is an automerge
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
When bootchart is enabled its thread shares the mount namespace context
with the main thread. This prevents the main thread to switch the mount
namespace later with setns().
So, unshare() the mount namespace of the bootchart thread.
Bug: 229983560
Test: rebooted with bootcharting on/off
enter_default_mount_ns should succeeded.
Change-Id: Idac0d0efcb4f7f7d8a7cbcebf8fa2fa29f104c35
Original change: https://android-review.googlesource.com/c/platform/system/core/+/2070481
Change-Id: I6d7e9994f3678ceb862d34422a7383107835186a
Ignore-AOSP-First: this is an automerge
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
If there are snapshot metadata persisting in /metadata/ota/snapshots,
remove them before applying a new update. Make sure that
the snapshots are indeed invalid before removing them.
On a sidenote, add a comment in init.cpp related to
b/223076262.
Bug: 228250473
Test: 1: Apply OTA in recovery through adb sideload
2: Reboot
3: Apply OTA OTA again through update_device.py
4: Re-run Full OTA updates just from update_device.py
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: I116bbafae09042b9c391ccd58c102704571c214e
* changes:
DO NOT MERGE: Revert "init: Add more diagnostics for signalfd hangs."
DO NOT MERGE: Revert "init: Add diagnostics for signalfd epoll failures."
This adds three more diagnostics to stuck exec services:
1. /proc/pid/fds is dumped
2. /proc/pid/status is dumped
3. HandleSignalFd is called to see if a SIGCHLD got stuck somewhere
Bug: 223076262
Test: while (1) in linkerconfig
Ignore-AOSP-First: diagnostics
Change-Id: Ida601d86e18be9d49b143fb88b418cbc171ecac6
writepid usage to add a task to a cgroup was deprecated in favor of the
task_profile command. The reason is that writepid hardcodes cgroup path
and makes it hard to change it in the future, whereas task profiles
configure cgroup paths in one centralized place and are easy to change.
Log a warning when writepid is used with cgroups and try converting it
into a task_profiles command for well-known cgroups. If conversion is
not possible the writepid operation will still be attempted to avoid
breaking existing use cases and an error will be logged.
Bug: 191283136
Test: build and boot
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: Ie58393468ef7d92ab0ffb41e6f339e36d21f7478
During process startup, system creates a process group and places the
new process in it. If process group creation fails for some reason, the
new child process will stay in its parent's group. This poses danger
when the child is being frozen because the whole group is affected and
its parent is being frozen as well.
Fix this by treating group creation failure as a fatal error which would
prevent the app from starting.
Bug: 227395690
Test: fake group creation failure and confirm service failure to start
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I83261bef803751759c7fd709bf1ccd33ccad3a0b
It could be the case that /dev/console is created at the first stage
boot. ueventd doesn't have a permission to relabel from tmpfs to
console_device, so we should try restorecon /dev/console, together with
/dev.
Bug: 193118220
Test: atest MicrodroidHostTestCases
Change-Id: Ic538bc9214d3996fe7b37fa2224c1f0c6eb373d1
Includes extracting the APEX-specific SDK version naming scheme filter
logic so it can be reused when host_apex_verifier looks at rc files
inside the APEX.
Bug: 222121216
Test: Use in host_apex_verifier
Change-Id: I0396a455f30d2de71525ccd3fa69c75576054048
Certain binaries, such as snapuserd, are only available under
/system/bin. To make them accessible by first stage init, we copy
/system/bin/snapuserd to /first_stage_ramdisk/system/bin/snapuserd .
Test: th
Bug: 219841787
Change-Id: I913425a82905c745a05ac32d488f08506dc264ff
First, we load independent module in parallel, then we singly load
modules which have soft-dependencies. then remove them from dependency
list of other modules. Repeat these steps until all modules are loaded.
Bug: 180676019
Test: boot successfully, and save more than 400 ms on Pixel 6 Pro.
Signed-off-by: chungkai <chungkai@google.com>
Change-Id: Ib844cfee72d4049bd951528692c818b4fa6c8e8f
* changes:
Init: add dev.mnt.blk.bootdevice to access device sysfs
init: mount_handler: detect main block device more reliably
init.rc: use /sys/class/block instead of /sys/devices/virtual/block
This adds two new diagnostics. First, signalfd reads are now non-blocking. If the read takes more than 10 seconds, we log an error.
Second, init now wakes up from epoll() every 10 seconds. If it waits on an "exec" command for more than 10 seconds, it logs an error.
This change will be reverted as soon as we get feedback.
Bug: 223076262
Test: device boots
Change-Id: I7ee98d159599217a641b3de2564a92c2435f57ef
This patch adds a new property, 'dev.mnt.root.<mount_point>', which provides,
for example of /data,
1. dm-N
dev.mnt.dev.data = dm-N
dev.mnt.blk.data = sdaN or mmcblk0pN
dev.mnt.rootdisk.data = sda or mmcblk0
2. sdaN or mmcblk0pN
dev.mnt.dev.data = sdaN or mmcblk0pN
dev.mnt.blk.data = sdaN or mmcblk0pN
dev.mnt.rootdisk.data = sda or mmcblk0
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: I0a58a62d416f966f26b5de04112c2f9a7eceb22c
Current code is not portable beyond SCSI devices (e.g., UFS).
For example, eMMC and NVMe devices fail due to their extra postfix.
Change its logic to rewind each character until "queue" directory appears.
Test: Confirm md0p1, sda20, nvme0n1p3, mmcblk0p3 are all handled well.
Change-Id: I585ccf2d4a72f6ef8ecb203acdd72a1e32d3e749
Signed-off-by: Juhyung Park <qkrwngud825@gmail.com>
This reverts commit 471643a909.
Reason for revert: Given https://r.android.com/1960063, it is safe to revert this diagnostics patch
Change-Id: Ib3600c1982ee10a0204ac0fdbc3e160c2833ed07
These aren't actually duplicate interfaces because we
are overriding the service so interfaces in the original
definition will never be used.
Test: Verify 'm dist' works without complaining about
duplicate interfaces.
Change-Id: Iab5e1d8bb4cb7d5b2608028c3cee73af94c47424
This kernel command-line parameter may be used to alter the loading of
firmware.
Bug: 222166126
Test: n/a
Change-Id: I6dc1ae92694cf08b11ab6c3c41aa3d62c992a72a
The Service::Start() method is so long that its length negatively
affects readability of the code. Hence this patch that splits
Service::Start().
Test: Booted Android in Cuttlefish.
Change-Id: I5a6f587ecc5e6470137de6cceda7e685bce28ced
Signed-off-by: Bart Van Assche <bvanassche@google.com>
The Service::Start() method is so long that its length negatively
affects readability of the code. Hence this patch that splits
Service::Start().
Test: Booted Android in Cuttlefish.
Change-Id: I972f4e60844bb0d133b1cca1fd4e06bb89fc5f37
Signed-off-by: Bart Van Assche <bvanassche@google.com>
The Service::Start() method is so long that its length negatively
affects readability of the code. Hence this patch that splits
Service::Start().
Test: Booted Android in Cuttlefish.
Change-Id: Ib8e1e87fbd335520cbe3aac2a88d250fcf3b4ff0
Signed-off-by: Bart Van Assche <bvanassche@google.com>
In Android S and later, androidboot.* kernel cmdline parameters are
moved to bootconfig instead the kernel cmdline. This includes the
androidboot.force_normal_boot.
Bug: 219951268
Test: N/A
Change-Id: Id0328ad09a34d654de9936e37a576a8a9f44de6c
The SetTaskProfiles() call modifies cgroup attributes. Modifying cgroup
attributes can only succeed after the cgroups and cgroup attributes have
been created. Hence this patch that makes the child process wait until
the parent has finished creating cgroups and activating cgroup
controllers.
Bug: 213617178
Test: Without this patch the migration to the v2 hierarchy does not work reliably. With this patch applied, the migration to the v2 hierarchy works reliably.
Change-Id: I80a7c0a35453d8fd89ed798d077086aa8ba9ea17
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Non-GRF devices must read only the `ro.product.first_api_level` but
not the vendor build version because `ro.product.first_api_level` is
always less than or equal to `ro.vendor.build.version.sdk` for
non-GRF devices.
Bug: 218610653
Test: getprop ro.vendor.api_level
Change-Id: Ib98c33ae052daa949208c43bd441f98cf442da49
[reland aosp/1910032]
Updatable sepolicy is shipped within an zip within an APEX. Because
it needs to be available before Apexes are mounted, apexd copies
the zip from the APEX and stores it in /metadata/sepolicy. If there is
not updatable sepolicy in /metadata/sepolicy, then updatable policy is
loaded from /system/etc/selinux/apex. Init performs the following
steps on boot:
1. Validates the zip by checking its signature against a public key
that is stored in /system/etc/selinux.
2. Extracts files from zip and stores them in /dev/selinux.
3. Checks if the apex_sepolicy.sha256 matches the sha256 of
precompiled_sepolicy. if so, the precompiled sepolicy is used.
Otherwise, an on-device compile of the policy is used. This is the
same flow as on-device compilation of policy for Treble.
4. Cleans up files in /dev/selinux which are no longer needed.
5. Restorecons the remaining files in /dev/selinux.
6. Sets selinux into enforcing mode and continues normal booting.
Bug: 199914227
Test: adb root
adb shell cp /apex/com.android.sepolicy.apex/etc/SEPolicy-33.zip \
/metadata/sepolicy/SEPolicy.zip
adb shell cp /apex/com.android.sepolicy.apex/etc/SEPolicy-33.zip.sig \
/metadata/sepolicy/SEPolicy.apk.sig
adb shell cp /apex/com.android.sepolicy.apex/etc/SEPolicy-33.zip.fsv_sig \
/metadata/sepolicy/SEPolicy.zip.fsv_sig
adb reboot
ls -laZ /dev/selinux/
Verify that files exist and that the labels are expected.
Change-Id: I2dbe43e329e91f46abedc7e44f7d24b220e19173
This reverts commit 97ff3ab852.
Reason for revert: b/216491364 boot time regression
Bug: 216491364
Change-Id: I6c9af0887affa130cc61edf70506e79453dbd228
Updatable sepolicy is shipped within an zip within an APEX. Because
it needs to be available before Apexes are mounted, apexd copies
the zip from the APEX and stores it in /metadata/sepolicy. If there is
not updatable sepolicy in /metadata/sepolicy, then updatable policy is
loaded from /system/etc/selinux/apex. Init performs the following
steps on boot:
1. Validates the zip by checking its signature against a public key
that is stored in /system/etc/selinux.
2. Extracts files from zip and stores them in /dev/selinux.
3. Checks if the apex_sepolicy.sha256 matches the sha256 of
precompiled_sepolicy. if so, the precompiled sepolicy is used.
Otherwise, an on-device compile of the policy is used. This is the
same flow as on-device compilation of policy for Treble.
4. Cleans up files in /dev/selinux which are no longer needed.
5. Restorecons the remaining files in /dev/selinux.
6. Sets selinux into enforcing mode and continues normal booting.
Bug: 199914227
Test: adb root
adb shell cp /apex/com.android.sepolicy.apex/etc/SEPolicy-33.zip \
/metadata/sepolicy/SEPolicy.zip
adb shell cp /apex/com.android.sepolicy.apex/etc/SEPolicy-33.zip.sig \
/metadata/sepolicy/SEPolicy.apk.sig
adb shell cp /apex/com.android.sepolicy.apex/etc/SEPolicy-33.zip.fsv_sig \
/metadata/sepolicy/SEPolicy.zip.fsv_sig
adb reboot
ls -laZ /dev/selinux/
Verify that files exist and that the labels are expected.
Change-Id: I614e8d84892693ecc663b17eebd204096367693d
This is a race between init process and bionic libc initialization of
snapuserd.
init->fork() ----------------> SecondStageMain() -> PropertyInit()
|
|
v
execveat ---> __libc_init_common() -> __system_properties_init()
(snapuserd)
When init process calls PropertyInit(), /dev/__properties__ directory
is created. When bionic libc of snapuserd daemon invokes __system_properties_init
_after_ init process PropertyInit() function is invoked, libc will
try to initialize the property by reading
/system/etc/selinux/plat_property_contexts. Since any reads on /system
has to be served by snapuserd, this specific read from libc cannot be
serviced leading to deadlock.
Reproduce the race by inducing a sleep of 1500ms just before execveat()
so that init process calls PropertyInit() before bionic libc
initialization. This leads to deadlock
immediately and with additional kernel instrumentation with debug
logs confirms the failure:
======================================================
init: Relaunched snapuserd with pid: 428
ext4_file_open: SNAPUSERD: path /system/etc/selinux/plat_property_contexts - Pid: 428 comm 8
ext4_file_read_iter: SNAPUSERD for path: /system/etc/selinux/plat_property_contexts pid: 428 comm 8
[ 25.418043][ T428] ext4_file_read_iter+0x3dc/0x3e0
[ 25.423000][ T428] vfs_read+0x2e0/0x354
[ 25.426986][ T428] ksys_read+0x7c/0xec
[ 25.430894][ T428] __arm64_sys_read+0x20/0x30
[ 25.435419][ T428] el0_svc_common.llvm.17612735770287389485+0xd0/0x1e0
[ 25.442095][ T428] do_el0_svc+0x28/0xa0
[ 25.446100][ T428] el0_svc+0x14/0x24
[ 25.449825][ T428] el0_sync_handler+0x88/0xec
[ 25.454343][ T428] el0_sync+0x1c0/0x200
=====================================================
Fix:
Before starting init second stage, we will wait
for snapuserd daemon to be up and running. We do a simple probe by
reading system partition. This read will eventually be serviced by
daemon confirming that daemon is up and running. Furthermore,
we are still in the kernel domain and sepolicy has not been enforced yet.
Thus, access to these device mapper block devices are ok even though
we may see audit logs.
Note that daemon will re-initialize the __system_property_init()
as part of WaitForSocket() call. This is subtle but important; since
bionic libc initialized had failed silently, it is important
that this re-initialization is done.
Bug: 207298357
Test: Induce the failure by explicitly delaying the call of execveat().
With fix, no issues observed.
Tested incremental OTA on pixel ~15 times.
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: I86c2de977de052bfe9dcdc002dcbd9026601d0f3
This patch attempts to diagnose snapuserd hangs by performing reads
immediately after entering second-stage init. This is done by spawning
two threads: one to perform the reads, and another to wait for the read
thread to finish. If any aspect of the read fails, or the read thread
does not complete in 10 seconds, then a list of snapuserd's open file
descriptors are logged.
Bug: 207298357
Test: apply working OTA, check logcat for success
apply broken OTA, check logcat for fd map
Change-Id: I549e07b7d576fcdaca9b2d6ff33e0924c3812c07
This change provide a specialization of android::base::OkOrFail for
status_t. As a result, a statement whose type is status_t can be used
with OR_RETURN.
The specialization also provides conversion operators to Result<T,
StatusT> where StatusT is a wrapper type for status_t. This allows
OR_RETURN macro to be used in newer functions that returns Result<T,
StatusT>.
Example usage:
\#include <utils/ErrorsMacros.h>
status_t legacy_inner();
status_t legacy_outer() {
OR_RETURN(legacy_inner());
return OK;
}
Result<T, StatusT> new_outer() {
OR_RETURN(legacy_inner()); // the same macro
return T{...};
}
Bug: 209929099
Test: atest libutils_test
Change-Id: I0def0e84ce3f0c4ff6d508c202bd51902dfc9618
They are changed to template classes. s/Error/Error<>/g to reflect that.
In addition, the direct uses of ResultError for error reporting is
replaced with Error and Errorf.
Bug: 209929099
Test: m
Change-Id: I815526a8e6fa30e63fa3efcf5700b146bf70a507
If surfaceflinger crashes before zygote starts, it will restart zygote
too early. Add this argument will allow it to only restart zygote if
it's already running.
Bug: 197224273
Test: manual test
Change-Id: I0ac8dbeaf0a002f8cfcfcc0f63d4b90d08393c5c
