Mix the contents of /proc/cmdline and /default.prop
into /dev/urandom. /proc/cmdline often contains
androidboot.serialno, a device-specific unique
identifier. Similarly, /default.prop contains the
build fingerprint and timestamp, which vary between
device families.
Change-Id: I8803b38c7089b2a1217b99a7c1808b29a3b138cf
SurfaceFlinger needs some of its threads in the system-background cpuset
and some of its threads (the binder pool) outside of the
system-background cpuset in order to improve UI perf/power
consumption. Remove surfaceflinger from the system-background cpuset in
init.rc and allow a thread to place itself in the system-background
cpuset given enough permissions.
bug 25745866
Change-Id: I85f7e41c5439e6ad7cc2d355e51f5dfb3a0c7088
Changes to the way FBE works to support lifecycles mean that these
commands aren't needed any more.
Bug: 22358539
Change-Id: Id73339e0aa8070dd688f35b5d59de75236961395
Core system directories should be created here in init.rc instead
of making installd do the creation.
Bug: 26466827
Change-Id: I313a332e74699641872c41fce5a7ca35bfce8f82
Creation of /data/misc/vold was first introduced by commit 25775e8. It
then got reverted, probably inadvertently, by:
commit 2e24bcfdce
Author: Paul Lawrence <paullawrence@google.com>
Date: Fri May 22 18:31:55 2015 +0000
Revert "Set up crypto for user directories in init."
This folder is required by vold. In its absence, if one tries to format
an SD card as internal storage, an error will occur, with the following
message printed to logcat:
01-08 06:31:48.389 1002 1069 E vold : Failed to persist key
Restoring /data/misc/vold fixes this bug.
This fix has been verified on the emulator, which currently does not
allow its virtual SD card to be adopted, but another CL will be uploaded
to enable that.
Change-Id: Ibb87ee821630a038a6f9b7b6a9da50fe03ca690d
Signed-off-by: Yu Ning <yu.ning@intel.com>
* Added new kernel GID named "wakelock" (AID_WAKELOCK = 3010)
* Changed the group access for /sys/power/wake_lock and
/sys/power/wake_unlock from "system" to "wakelock"
* Added "wakelock" to the list of groups for the healthd process/service
Bug: 25864142
Change-Id: Ieabee9964cccec3107971a361a43aa9805164aa9
If /sys/kernel/debug is present, make sure it has all the appropriate
SELinux labels.
Labeling of /sys/kernel/debug depends on kernel support
added in commit https://android-review.googlesource.com/122130
This patch depends on an external/sepolicy change with the
same Change-Id as this patch.
Change-Id: Id1d6a9ad6d0759d6de839458890e8cb24685db6d
update_verifier verifies the updated partitions and marks the current
slot as having booted successfully. It needs to be triggered prior to
the start of the framework, otherwise it won't be able to fall back to
the old system without a data wipe.
Bug: 26039641
Change-Id: I6fd183cdd3dfcc72feff2a896368158875b28591
This service is an enhanced version of bugreport that provides a better
user interface (like displaying progress and allowing user to enter
details).
It will be typically triggered by the 'Take Bug Report' UI, which will
now offer the option for the traditional or enhanced options (services
'bugreport' and 'bugreportplus' respectively).
BUG: 26034608
Change-Id: I39ea92c3e329a801b51f60a558c73faaf890c068
This mirrors what we do for "/data/data" for user 0. Eventually we
should move to vold/installd doing the user 0 initialization.
Bug: 22358539
Change-Id: I48cd27b990e6bd6e37870c41aef0e7dc3106caa4
If / is not writable and system.img contains system/vendor, the symlink
for `/vendor/ -> /system/vendor/` that is otherwise created in init.rc
should be created at build time.
BUG=b:25512724
Change-Id: Iaa63d6440373a4fd754a933c9f1960b3787a6d98
Move foreground tasks to /sys/fs/cgroup/stune/boost/tasks (boosted
weight in EAS scheduler). Move background tasks to
/sys/fs/cgroup/stune/tasks (default weight). For services started
with init, set "foreground" services to boosted.
Change-Id: I0e489fad9510727c13e6754dabaf311c2391f395
Folders in the root directory are now created during the build,
as we may be building without a ramdisk, and when we do that,
the root directory will be read-only. With those changes,
these mkdirs will never need to run.
Change-Id: I49c63e8bfc71d28e3f938ed41f81d108359fa57a
system.img may contain the root directory as well. In that case, we
need to create some folders init.rc would during the build.
Change-Id: I312104ff926fb08d98ac8256b76d01b0a90ea5e5
system.img may contain the root directory as well. In that case, we
need to create some folders init.rc would during the build.
Change-Id: I157ccbebf36bee9916f3f584551704ec481ae1d1
Add the following mount options to the /proc filesystem:
hidepid=2,gid=3009
This change blocks /proc access unless you're in group 3009
(aka AID_READPROC).
Please see
https://github.com/torvalds/linux/blob/master/Documentation/filesystems/proc.txt
for documentation on the hidepid option.
hidepid=2 is preferred over hidepid=1 since it leaks less information
and doesn't generate SELinux ptrace denials when trying to access
/proc without being in the proper group.
Add AID_READPROC to processes which need to access /proc entries for
other UIDs.
Bug: 23310674
Change-Id: I22bb55ff7b80ff722945e224845215196f09dafa
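An added check that is not part of this commit or of AOSP: a POSIX shell function that inspects a /proc/mounts listing for the hidepid=2,gid=3009 options described above. The sample mount lines are constructed; kernels from 5.8 on report the option as hidepid=invisible, which the check also accepts.

```shell
#!/bin/sh
# Added example, not AOSP code: verify that /proc is mounted with
# hidepid=2 (or its newer spelling hidepid=invisible) and gid=3009 (AID_READPROC).

# Constructed sample /proc/mounts content (not captured from a real device).
SAMPLE_MOUNTS='rootfs / rootfs ro,seclabel,relatime 0 0
proc /proc proc rw,relatime,gid=3009,hidepid=2 0 0
sysfs /sys sysfs rw,seclabel,relatime 0 0'

# Constructed sample where /proc was mounted without the hardening options.
SAMPLE_MOUNTS_WEAK='proc /proc proc rw,relatime 0 0'

# proc_hidepid_ok MOUNTS_TEXT
# Returns 0 when the /proc line carries hidepid=2|invisible and gid=3009,
# 1 when /proc is missing or either option is absent.
proc_hidepid_ok() {
    # Column 4 of a mounts line is the comma-separated option list.
    opts=$(printf '%s\n' "$1" | awk '$2 == "/proc" && $3 == "proc" { print $4 }')
    [ -n "$opts" ] || return 1
    # Wrap in commas so each match is an exact option, not a substring.
    case ",$opts," in
        *,hidepid=2,*|*,hidepid=invisible,*) ;;
        *) return 1 ;;
    esac
    case ",$opts," in
        *,gid=3009,*) return 0 ;;
        *) return 1 ;;
    esac
}

# proc_hidepid_report [MOUNTS_TEXT]
# Prints a verdict; reads the live /proc/mounts when no text is given.
proc_hidepid_report() {
    mounts=${1:-$(cat /proc/mounts)}
    if proc_hidepid_ok "$mounts"; then
        echo "OK: /proc mounted with hidepid=2,gid=3009"
        return 0
    fi
    echo "WARN: /proc is not mounted with hidepid=2,gid=3009"
    return 1
}
```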
Building without ramdisk requires a way to specify board specific
directories and symlinks in the root directory at build time.
Change-Id: I11301e98228bc4761f3aee177a546146651b9f25
(cherry picked from commit d7549c9a65cad886f672af41f5fca6f0bd0c12fa)
3.18 has a warning in dmesg that appears when the parent cpuset's cpus
and mems are changed to something other than what the child has. Reorder
init.rc to prevent this warning from appearing.
bug 24941443
Change-Id: I49d8394063b23dce03222dcc9ddccdc32bb97ea2
Don't allow the accidental triggering of sysrq functionality
from the keyboard. The only expected use of sysrq functionality
is via /proc/sysrq-trigger.
Please see https://www.kernel.org/doc/Documentation/sysrq.txt for
additional information on /proc/sys/kernel/sysrq.
Bug: 13435961
Change-Id: I60dc92a4b2b4706e8fa34a6cead9abd449f7375f
Ensure that /data/misc/update_engine exists since it will be referenced
by selinux policy.
Bug: 23186405
Change-Id: I96e4ff341086da6474ef7f7c934f1f35bffc1439
The goal is to enable SANITIZE_TARGET='address coverage', which
will be used by LLVMFuzzer.
Bug: 22850550
Change-Id: Iea756eaaedaa56aee4daf714510269efe3aaa553
Move uncrypt from /init.rc to /system/etc/init/uncrypt.rc using the
LOCAL_INIT_RC mechanism
Bug 23186545
Change-Id: Ibd838dd1d250c0e6536e44b69f11fb5ed42ba10b
init.usb.rc and adbd.rc contain similar contents and belong in the same
file.
This file also belongs on the ramdisk, as adbd is on the ramdisk, not the
system partition; therefore, keeping init.usb.rc in its current
location and combining the contents of adbd.rc into it is the best approach.
Change-Id: I430f8fea58694679e7b8b7be69ce87daadd616f4
init.trace.rc will be renamed to atrace.rc and use the LOCAL_INIT_RC
mechanism to be included on /system appropriately.
Bug 23186545
Change-Id: I55c37d3ff98c9ac10e6c1a713fadc7eb37346195
Fix typos in the usb typec properties (sys.usb.typec.*),
so the data_role and the power_role can be written properly in the sysfs.
Bug: 23790832
Change-Id: I90f591ab37825a07e0610ef1fec0e831eb19515d
This CL adds a new init script init.usb.configfs.rc
to add generic configfs commands. Setting
sys.usb.configfs in init.usb.{hardware}.rc
enables executing commands in this script.
Bug=23633457
Change-Id: Iaae844a7957d6c9bf510648aaff86d56aa0c6243
This CL helps to execute a different set of
commands for the usb configs specified in
init.usb.rc. Aimed at using configfs based
commands over android composition driver.
Bug=23633457
Change-Id: Ifa5f804e1cff93d15ad57d0ed553300bc5868936
This is used for app launches (and maybe other high priority tasks
in the future). It's to be set to whatever cores should be used
for short term high-priority tasks.
bug 21915482
Change-Id: Id0ab0499146c09e860b97f4cb8095834cb12dd50
Services definitions for core services are now bundled with the source
for the service itself in the form of <service name>.rc. These
individual .rc files are now located in /system/init/... and are
parsed when the system partition is mounted.
Bug: 23186545
Change-Id: Ia1b73af8d005633aa4252d603892064d7804163d
Instead of setting global ASAN_OPTIONS in immutable init.environ.rc,
load them from a file that can be changed later. The file has to be
on the /system partition to both be editable and available at the
early stages of boot.
Also add allocator_may_return_null=1 as that is closer to the
non-ASan allocator behavior.
Bug: 22846541
Change-Id: Ib0f41393c528f2e7cb398470e41f50abf5f4f455
We have a bunch of magic that mounts the correct view of storage
access based on the runtime permissions of an app, but we forgot to
protect the real underlying data sources; oops.
This series of changes just bumps the directory hierarchy one level
to give us /mnt/runtime which we can mask off as 0700 to prevent
people from jumping to the exposed internals.
Also add CTS tests to verify that we're protecting access to
internal mount points like this.
Bug: 22964288
Change-Id: I32068e63a3362b37e8ebca1418f900bb8537b498
system.img may contain the root directory as well. In that case, we
need to create some symlinks init.rc would during the build.
Change-Id: I4e7726f38c0f9cd9846c761fad1446738edb52c0
This CL adds a trigger and a service so that Systrace can be used
for tracing events during boot.
persist.debug.atrace.boottrace property is used for switching on
and off tracing during boot. /data/misc/boottrace/categories
file is used for specifying the categories to be traced.
These property and file are rewritten by Systrace when the newly
added option --boot is specified.
Here is an example of tracing events of am and wm categories
during boot.
$ external/chromium-trace/systrace am wm --boot
This command will cause the device to reboot. Once the device has
booted up, the trace report is created by hitting Ctrl+C.
As written in readme.txt, this mechanism relies on a persistent
property, so tracing events that are emitted before that are not
recorded. This is enough for tracing events after zygote is
launched though.
This only works on userdebug or eng builds for security reasons.
BUG: 21739901
Change-Id: I03f2963d77a678f47eab5e3e29fc7e91bc9ca3a4
Ensure that /data/anr always exists. This allows us to eliminate
some code in system_server and dumpstate. In addition, this change
solves a common problem where people would create the directory
manually but fail to set the SELinux label, which would cause
subsequent failures when they used the directory for ANRs.
Bug: 22385254
Change-Id: I29eb3deb21a0504aed07570fee3c2f87e41f53a0
Required by logd on devices with USE_CPUSETS defined.
Make /dev/cpuset/background, /dev/cpuset/foreground and
/dev/cpuset/task writeable by system gid. Add logd to system
group for writing to cpuset files and to root group to avoid
regressions. When dropping privs, also drop supplementary groups.
Bug: 22699101
Change-Id: Icc01769b18b5e1f1649623da8325a8bfabc3a3f0
The cfs tunables auto-scale with the number of active cpus by default. Given
that the tunable settings are in device-independent code and it's not
known how many cores are currently active when the init.rc file runs,
the cfs tunables can vary pretty significantly across devices depending
on the state at boot. Disable scaling of the tunables so that we
can get more consistent behavior of cfs across devices. If we want to
do per-device tuning of these values, we can override what's written
here in device specific files.
Bug: 22634118
Change-Id: Id19b24ef819fef762521e75af55e6d4378cfc949
* commit 'ee923139c346e6751203fc7d2a341388e01c7b19':
Set up user directory crypto in init.
logd: switch to unordered_map from BasicHashtable
rootdir: make sure the /oem mountpoint is always available
File level encryption must get the key between mounting userdata and
calling post_fs_data when the directories are created. This requires
access to keymaster, which in turn is found from a system property.
Split property loaded into system and data, and load in right order.
Bug: 22233063
gatekeeperd depends on having /data to determine whether
to call setup routines for qcom HALs.
Bug: 22298552
Change-Id: I6c552016dc863bbb04bd5a949a2317a720c8263f
File level encryption must get the key between mounting userdata and
calling post_fs_data when the directories are created. This requires
access to keymaster, which in turn is found from a system property.
Split property loaded into system and data, and load in right order.
Bug: 22233063
Change-Id: I8a6c40d44e17de386417a443c9dfc3b4e7fe59a5
Now that we're treating storage as a runtime permission, we need to
grant read/write access without killing the app. This is really
tricky, since we had been using GIDs for access control, and they're
set in stone once Zygote drops privileges.
The only thing left that can change dynamically is the filesystem
itself, so let's do that. This means changing the FUSE daemon to
present itself as three different views:
/mnt/runtime_default/foo - view for apps with no access
/mnt/runtime_read/foo - view for apps with read access
/mnt/runtime_write/foo - view for apps with write access
There is still a single location for all the backing files, and
filesystem permissions are derived the same way for each view, but
the file modes are masked off differently for each mountpoint.
During Zygote fork, it wires up the appropriate storage access into
an isolated mount namespace based on the current app permissions. When
the app is granted permissions dynamically at runtime, the system
asks vold to jump into the existing mount namespace and bind mount
the newly granted access model into place.
Bug: 21858077
Change-Id: I5a016f0958a92fd390c02b5ae159f8008bd4f4b7
Fix the file access permissions and group ownership of
"/data/misc/bluedroid/bt_config.conf" so the file can be reused when
switching users on the device.
For that purpose, we need to do the following:
1. Set the set-group-ID (bit 02000) flag for directory "/data/misc/bluedroid"
so the files created in that directory will have group-id of
"net_bt_stack" .
2. Change the file's permissions of file "/data/misc/bluedroid/bt_config.conf"
to Read/Write by User and Group.
Bug: 21493919
Change-Id: Ie00ab4695198ef2aa299b484ef9d4f17bd41b98a
allow_user_segv_handler=1 is required to run ART under ASan
detect_odr_violation=0 and alloc_dealloc_mismatch=0 suppress some of
the existing bug reports during boot.
Bug: 21951850, 21785137
Change-Id: I4d36967c6d8d936dacbfdf1b94b87fa94766bd3e
During development it is useful to be able to kill inputflinger and have
init restart it without bringing down the entire system server.
Change-Id: I8b13b94331c5045086db2f5c73a8f49efc5992cb
/system/bin/uncrypt needs to be triggered to prepare the OTA package
before rebooting into the recovery. Separate pre-recovery (uncrypt)
into two services: uncrypt that does the uncryption work and
pre-recovery that actually reboots the device into recovery.
Also create /cache/recovery on post-fs in case it doesn't exist.
Bug: 20012567
Bug: 20949086
(cherry picked from commit e48aed0f0a)
Change-Id: I9877cd6ac9412ea6a566bb1ec0807940c7a38ce5
In order to prevent this bug from happening, we must allow vold cryptfs
commands to complete while a long running mount is underway.
While waiting for vold to be changed to a binder interface, we will simply
create two listeners, one for cryptfs and one for everything else.
Bug: 19197175
Change-Id: Ie3d9567819ced7757b0a8f391547f27db944153c
An automatic domain transition is already defined by SELinux
policy. Avoid having redundant information on the exec line.
This commit depends on commit 17fff893c0
which made the SELinux process label optional.
(cherrypicked from commit 221fca7ddd)
Change-Id: I89464f2bd218c7d6e8db08aa6bed2b62ec6dad2a
An automatic domain transition is already defined by SELinux
policy. Avoid having redundant information on the exec line.
This commit depends on commit 17fff893c0
which made the SELinux process label optional.
Change-Id: I89464f2bd218c7d6e8db08aa6bed2b62ec6dad2a
* commit '560515540d3ef4da9dc58e3b7fcfeb6c067bb677':
init.rc: logd: Add logpersistd (nee logcatd)
init: change exec parsing to make SECLABEL optional
logcat: -f run in background
logcat: -f flag to continue
* commit 'e0e565635a7c6c36a05282622c01203afbec5ca5':
init.rc: logd: Add logpersistd (nee logcatd)
init: change exec parsing to make SECLABEL optional
logcat: -f run in background
logcat: -f flag to continue
(cherry pick from commit 100658c303)
- logpersistd is defined as a thread or process in the context of the
logd domain. Here we define logpersistd as logcat -f in logd domain
and call it logcatd to represent its service mechanics.
- Use logcatd to manage content in /data/misc/logd/ directory.
- Only turn on for persist.logd.logpersistd = logcatd.
- Add logpersist.start, logpersist.stop and logpersist.cat debug
class executables, thus only in the eng and userdebug builds.
ToDo: Wish to add Developer Options menu to turn this feature on or
off, complicated by the fact that user builds have no tools with
access rights to /data/misc/logd.
Bug: 19608716
Change-Id: I57ad757f121c473d04f9fabe9d4820a0eca06f31