Commit graph

2740 commits

Author SHA1 Message Date
Tom Cherry
9949ec5f56 init: replace Result<> with expected<>
Android-base has an implementation of the future std::expected<>.
This provides the same baseline functionality as Result<>, so use it
instead of our own version.

Bug: 132145659
Test: boot, init unit tests
Change-Id: I11e61bcb5719b262a6420483ed51a762826a9e23
2019-05-22 15:23:01 -07:00
Peter Collingbourne
f6ce7d0de0 Stop adding the bootstrap directory to rpath.
This is no longer necessary now that the bootstrap linker does this
automatically.

Change-Id: Ifd8177cc9cf5f2dc2a18c467ddb0147f8182fc4c
2019-05-16 19:36:27 -07:00
Tom Cherry
8a3630e327 Merge "init: always initialize device-mapper" 2019-05-16 15:09:16 +00:00
Martijn Coenen
acc45aa0a1 class_start_post_data also starts disabled services.
This keyword was introduced to support restarting services on devices
using APEX and FDE. The current implementation is not a restart, but
rather a 'reset' followed by a 'start', because the real /data must be
mounted in-between those two actions. But we effectively want this to be
a restart, which means that we also want to start 'disabled' services
that were running at the time we called 'class_reset_post_data'.

To implement this, keep track of whether a service was running when its
class was reset at post-data, and start all those services.

Bug: 132592548
Test: manual testing on FDE Taimen
Change-Id: I1e81e2c8e0ab2782150073d74e50e4cd734af7b9
Merged-In: I1e81e2c8e0ab2782150073d74e50e4cd734af7b9
2019-05-16 09:30:35 +02:00
Tom Cherry
eef2a703ad init: always initialize device-mapper
Device-mapper is required already, so drop the conditionals for trying to
load it.  GetRootEntry() was depending on its existance, so this adds the
required dependency.

Bug: 131747478
Test: boot without any verity/avb/dm-linear devices.
Change-Id: Ifc89d3b338e2c2b8faaf1c24e2792c1eeb5bbbde
2019-05-15 16:35:43 -07:00
Mark Salyzyn
44505ecdd9 init: move "started at" environment var names to headers
Move "FIRST_STAGE_STARTED_AT" to env_first_stage_started_at variable
in first_stage_init.h.  Move "SELINUX_STARTED_AT" to
env_selinux_started_at variable in selinux.h.

Test: build
Bug: 124491153
Bug: 129780532
Change-Id: I512d1835dcee5a3d034ac453b27b0709eed23cff
2019-05-08 13:50:21 -07:00
Mark Salyzyn
10377df9f8 init: ro.boottime.init.first_stage
Add a property ro.boottime.init.first_stage to provide us a
first stage init duration from start to exec completed in
nanoseconds.

For consistency, report nanoseconds duration for
ro.boottime.init.selinux as well instead of milliseconds.
Now also report consistently from start to exec completed
instead of just the selinux load time.

SideEffects: ro.boottime.init.selinux is reported to TRON and
             may alarm with the millionfold increase in precision.
             ro.boottime.init is now also consistent with ns
             precision.

Test: inspect
Bug: 124491153
Bug: 129780532
Change-Id: Iff4f1a3a1ab7ff0a309c278724c92da0832b9a69
2019-05-08 16:07:10 +00:00
Martijn Coenen
fc78be2935 Merge "Support for stopping/starting post-data-mount class subsets." 2019-05-07 06:41:01 +00:00
Tom Cherry
1cd30df584 Merge "Vboot1.0: remove code to read verity state in userspace" 2019-05-06 23:41:47 +00:00
Jeff Vander Stoep
0ac51cfc01 Load selinux compat file if it exists
This addresses Treble backwards compat issues introduced in
aosp/793958 and aosp/783669.

Bug: 122874820
Test: build/flash blueline with pi-dev vendor and generic_ab system
    images.
Test: adb pull /sys/fs/selinux/policy;
    sesearch policy --allowx -s vendordomain -t dev_type

Change-Id: I9123aa02cf4bf07d72d1ea086dde0d1cf1b30db4
2019-05-02 14:25:06 -07:00
Zimuzo
88de80fc53 Attempt native rollback for frequent crashes before boot completed
Before, if updatable processes crash 4 times in 4mins, a native
rollback will be attempted. This behavior does not detect
system_server early boot deadlocks because the system server requires
at least a min to detect a deadlock, and crash itself. The crashes
don't happen frequently enough for init to detect.

After, this cl, the old behavior exists and additionally, init detects
*any* 4 crashes of updatable processes before boot completed,
regardless of if they happen within 4mins or not.

Test: Manually tested by adding artificial sleep in system_server so
deadlock is triggered before boot. system_server crashes 4 times in
over 4mins and the ro.init.updatable_crashing prop is set to 1.
Bug: 129597207

Change-Id: Ie6fb5693ff4be105bcbe139c22850fb076e40260
2019-04-30 11:19:19 +00:00
Martijn Coenen
70788f93ba Support for stopping/starting post-data-mount class subsets.
On devices that use FDE and APEX at the same time, we need to bring up a
minimal framework to be able to mount the /data partition. During this
period, a tmpfs /data filesystem is created, which doesn't contain any
of the updated APEXEs. As a consequence, all those processes will be
using the APEXes from the /system partition.

This is obviously not desired, as APEXes in /system may be old and/or
contain security issues. Additionally, it would create a difference
between FBE and FDE devices at runtime.

Ideally, we restart all processes that have started after we created the
tmpfs /data. We can't (re)start based on class names alone, because some
classes (eg 'hal') contain services that are required to start apexd
itself and that shouldn't be killed (eg the graphics HAL).

To address this, keep track of which processes are started after /data
is mounted, with a new 'mark_post_data' keyword. Additionally, create
'class_reset_post_data', which resets all services in the class that
were created after the initial /data mount, and 'class_start_post_data',
which starts all services in the class that were started after /data was
mounted.

On a device with FBE, these keywords wouldn't be used; on a device with
FDE, we'd use them to bring down the right processes after the user has
entered the correct secret, and restart them.

Bug: 118485723
Test: manually verified process list
Change-Id: I16adb776dacf1dd1feeaff9e60639b99899905eb
2019-04-26 14:04:59 +02:00
Joseph Jang
67231474fe Merge "init: Add reboot timeout handler" 2019-04-26 08:23:06 +00:00
josephjang
aaddf282ec init: Add reboot timeout handler
In order to prevent device stuck at reboot, we try to create shutdownt
monitor thread with a timeout (default 30s). It will dump init process
and blocked tasks call trace in last kmsg then trigger kernel panic to
reboot device.

Test: reboot device

bug: 128561401
Change-Id: Ieb400ab9fbd983544b61241a4f4b8aa2f4baa863
2019-04-26 06:02:09 +08:00
Tom Cherry
7a03b5d314 Merge "init: simplify async restorecon" 2019-04-24 19:14:28 +00:00
Tom Cherry
fe8154175c init: simplify async restorecon
In the future, property service may run in its own thread or process,
which means that PropertyChildReap() needs to be refactored to not run
as part of the init signal handler.

The new method spawns a new thread that handles the queue of paths
that require restorecon. It then communicates back to property service
via android::base::SetProperty(). Property service distinguishes the
thread from other callers of SetProperty() by checking the pid in the
credentials for the socket connection, thus avoiding dependencies on
the rest of init.

The new method also drops the genericness, since restorecon is the
only function that we should ever need to run asynchronously

Test: async restorecon works, including with queued requests
Change-Id: I2ca00459969e77b1820776dac23d0a0d974e330b
2019-04-24 08:50:10 -07:00
Treehugger Robot
74d84224ae Merge "Remove the mount points defined in skip_mount.cfg from ReadDefaultFstab()" 2019-04-24 02:53:53 +00:00
Tom Cherry
87882c0a00 Merge "init: handle getpeercon() errors" 2019-04-23 16:06:40 +00:00
Tom Cherry
4bc16589df Merge "init: set up SelinuxAuditCallback() earlier" 2019-04-23 16:04:35 +00:00
SzuWei Lin
77c28476f1 Remove the mount points defined in skip_mount.cfg from ReadDefaultFstab()
The first stage init skips mounting the mount points defined in
skip_mount.cfg, but these mount points still return from
ReadDefaultFstab(). The behavior causes some error logic which
try to access the partition which had been skipped.

After applying the patch. ReadDefaultFstab() will not contain the
skipped mount points.

Bug: 128961335
Test: `fastboot delete-logical-partition product_a`
Test: `fastboot flash system aosp_arm64-userdebug`
Test: `fastboot -w reboot` and boot to home screen
Change-Id: I3156260b5d37647dbecf98ca90601a089bea5c46
2019-04-23 17:42:40 +08:00
Treehugger Robot
2ddb8df2ef Merge "Adding adb_debug.prop into debug ramdisk" 2019-04-23 02:01:36 +00:00
Tom Cherry
7f160af142 init: handle getpeercon() errors
Though unlikely, it is possible for getpeercon() to fail.  This change
adds code to handle this case gracefully.

Bug: 130209483
Test: boots, properties are set
Change-Id: I3b3fb76b2312a5cbc87c0da2a044be3ddf8aa400
2019-04-22 13:32:24 -07:00
Tom Cherry
2f113ad1e1 init: set up SelinuxAuditCallback() earlier
The setup of SelinuxAuditCallback() was happening after property files
are loaded, and now that these property files can trigger audits, the
audit messages did not contain all of the correct information.  This
change moves the setup of SelinuxAuditCallback() to immediately before
the property area is initialized, to ensure that this can not happen
again.

Bug: 130979265
Test: audits work early
Change-Id: I9eb43269317c74e041626ee7b2bb7fea49250e09
2019-04-22 12:41:39 -07:00
Bowgo Tsai
05f07d89a6 Adding adb_debug.prop into debug ramdisk
The debug ramdisk can only be used if the device is unlocked.
When it's used, init will load adb_debug.prop and the userdebug
sepolicy from the debug ramdisk, to allow adb root on a user build.

Bug: 126493225
Test: 'make' and checks the file is installed
Change-Id: Id6962414197fc8f47f7c07818e8fb16107dc17a3
2019-04-20 06:08:51 +00:00
Treehugger Robot
72d8d2f2c6 Merge "Copying debug ramdisk files to /debug_ramdisk/*" 2019-04-19 23:54:53 +00:00
Tom Cherry
f7545cea34 Vboot1.0: remove code to read verity state in userspace
The code to read verity state in userspace is deprecated in favor of
having the bootloader read and report the state, so this change
removes this now unused code.

Bug: 73456517
Test: boot
Change-Id: Ib626fd61850bce3016179ca92a9831c2ac29c032
2019-04-19 16:53:33 -07:00
Treehugger Robot
9b33cbc0cb Merge "init: small header clean up" 2019-04-19 04:23:24 +00:00
Treehugger Robot
a7c103eb8e Merge "init: set oom_adj early before fork vendor_init" 2019-04-19 02:17:50 +00:00
Bowgo Tsai
30afda71c0 Copying debug ramdisk files to /debug_ramdisk/*
In previous implementation, userdebug sepoilcy and property files are
loaded from the system.img. This CL changes this to:

  - first-stage init copies userdebug files from ramdisk to /debug_ramisk/*
  - second-stage init loads files from /debug_ramdisk/*.

Note: same as before, the above can only be triggered, if the device
is UNLOCKED

With this, we don't have to put userdebug related files into the USER
system.img.

Bug: 126493225
Test: boot device with a ramdisk with /force_debuggable, checks related
      files are loaded
Change-Id: I63f5f846e82ba78427062bf7615c26173878d8f3
2019-04-19 09:56:14 +08:00
Wei Wang
45d8174fe7 init: set oom_adj early before fork vendor_init
right now vendor_init is forked before we set oom_adj for init which
leaves a chance vendor_init could be killed in heavy memory pressure.

this CL set the oom_adj before forking everything to ensure all native
have correct oom_adj settings.

Fixes: 130824864
Test: procrank -o
Change-Id: I8af129076c3efa29f7b781459449f8f2dc853c98
2019-04-18 16:14:08 -07:00
Tom Cherry
030ef18580 init: small header clean up
Remove an unimplemented function from the header and clean up some
slight syntax mistakes.

Test: build
Change-Id: Ia82c6aee24fa0889a7595aabc564bef970a0863b
2019-04-18 14:18:36 -07:00
Tom Cherry
990483d409 init: do not fork before doing (u)mount_all()
A fork() was historically added in case of fs_mgr crashing or leaking
memory, but this should not be the case with fs_mgr, and a fork() only
hides any such problem, instead of allowing us to address it
directly.

Test: boot
Change-Id: If7ee4807757048258a6ea9a79a24cebbacc530cc
2019-04-17 12:55:50 -07:00
Yifan Hong
e438843ead Merge "init: add umount_all builtin." 2019-04-16 22:46:52 +00:00
Treehugger Robot
6aa0d7eaf8 Merge "init: fix loglevel docs." 2019-04-16 07:32:47 +00:00
Yifan Hong
402633d605 init: add umount_all builtin.
umount_all is the cleanup step for mount_all.

In particular, the mount_all builtin creates a verity device,
'postinstall-verity', for the following line:

system /postinstall ... ... slotselect_other,logical,avb_keys=...

cppreopt umounts /postinstall but doesn't destroy the postinstall-verity
device, causing OTA to fail (because it cannot destroy the
system_[other] device). umount_all also destroy the verity device.

Note that mount_all does not map system_[other]; it is mapped by
first stage init. Hence, umount_all doesn't destroy it either. The OTA
client is reponsible for unmapping the device itself.

Bug: 129988285
Test: flash, boot, then check `dmctl list devices`, then OTA

Change-Id: Id3ab65b3860b6ea6cfec310ab13652009c81f415
Merged-In: Id3ab65b3860b6ea6cfec310ab13652009c81f415
2019-04-15 15:11:28 -07:00
Elliott Hughes
8457f52ba9 init: fix loglevel docs.
Bug: http://b/129989984
Test: N/A
Change-Id: Ie7b320fd47dec839ad79d677eb90050cfbcf50c3
2019-04-15 12:17:22 -07:00
Bowgo Tsai
a0f8b05d91 first-stage mount: support using other avb_keys
This change allows specifying additional avb keys to verify a fstab
entry. It can be used together with the original 'avb' flag. When both
'avb' and 'avb_keys' are present, it will try to use avb_keys to verify
this partition and extract the AVB descriptor from the end of it first.
When avb_key fails, it falls back to searching the AVB descriptor in the
built-in /vbmeta (and its chained partitions) with the matched partition
name.

An example of a fstab file:

system  /system  ext4  ro,barrier=1  wait,slotselect,avb=vbmeta,logical,first_stage_mount,avb_keys=/avb/gsi.avbpubkey
vendor  /vendor  ext4  ro,barrier=1  wait,slotselect,avb,logical,first_stage_mount

The overhead of adding an additional 'avb_keys' should not be significant,
as the typical size of a AVB Hashtree descriptor for /system is usually
less than 1000 bytes. e.g., on crosshatch, it's about 600 bytes, which
takes less than 1 millisecond for the following call to return failure.

   auto avb_standalone_handle = AvbHandle::LoadAndVerifyVbmeta(*fstab_entry);

We also checked the time spent on init's first stage on crosshatch, with the
following CL to set ro.boottime.init.first_stage. The testing result
shows no significant difference between them as well.

https://android-review.googlesource.com/c/platform/system/core/+/934536

With an additional avb_keys entry for /system
    [ro.boottime.init.first_stage]: [728]
    [ro.boottime.init.first_stage]: [720]
    [ro.boottime.init.first_stage]: [722]

Without an additional avb_keys entry for /system
    [ro.boottime.init.first_stage]: [730]
    [ro.boottime.init.first_stage]: [728]
    [ro.boottime.init.first_stage]: [725]

Bug: 124491153
Test: boot a device with above fstab settings

Change-Id: I0c81f816efb0dd40c93da2df304f2e215df9d105
2019-04-09 13:38:05 +00:00
Mark Salyzyn
b833d17de2 init: fixes to README.mk
Corrected a few technical, spelling and grammar errors.

Test: none
Bug: 129780532
Change-Id: Ia05f44c782d94a3bb4224fc6929ac325852e0c41
2019-04-08 10:06:49 -07:00
Nick Kralevich
9ca898fff8 Avoid leaking property values into logs on error
The purpose of having fine grain read/write control over the property
space is to help ensure the confidentiality of data stored in
properties. Leaking property values into the dmesg buffer on errors
exposes the value outside of the access control rules specified by
policy.

(arguably this is also true for the property name, not just the value.
However, property names are exposed in other places now, so the
incentive to fix this is lower. It would also take away a valuable
debugging tool.)

Test: compiles
Change-Id: I4a0634b8b5e4fd2edf718eaf7343940df627366d
2019-04-04 10:15:25 -07:00
Yifan Hong
25d42eeaa6 Merge changes from topic "libprocessgroup_rc"
* changes:
  CgroupSetupCgroups -> CgroupSetup
  Add libcgrouprc to ld.config.*.txt.
  libprocessgroup: use libcgrouprc to read cgroup.rc
  libprocessgroup_setup: use libcgrouprc_format
  libprocessgroup: Move CgroupSetupCgroups() to libprocessgroup_setup
  libprocessgroup: Add libcgrouprc
  libprocessgroup: Add libcgrouprc_format
2019-04-03 19:08:51 +00:00
Yifan Hong
9d7b89abea CgroupSetupCgroups -> CgroupSetup
Test: builds
Bug: 123664216
Change-Id: I47c46ca9ba5c1fbf3f9f7a1b185dc48b058b1e32
Merged-In: I47c46ca9ba5c1fbf3f9f7a1b185dc48b058b1e32
2019-04-02 22:31:57 -07:00
Yifan Hong
d8ce1fb1d1 libprocessgroup_setup: use libcgrouprc_format
Use CgroupController definition from libcgrouprc_format, not
libprocessgroup, because the wire format will be removed
from libprocessgroup later.

Bug: 123664216
Test: builds
Change-Id: If5e2301a1b65c3f6a51a1661cfeeed4e299f634e
Merged-In: If5e2301a1b65c3f6a51a1661cfeeed4e299f634e
2019-04-02 22:31:57 -07:00
Yifan Hong
6f9ce2e548 libprocessgroup: Move CgroupSetupCgroups() to libprocessgroup_setup
Only init uses SetupCgroups. This functionality is
moved from libprocessgroup to its own library, and only
init links to it.

Also, merge CgroupSetupCgroups() with CgroupMap::SetupCgroups()
because the former is just an alias of the latter, and
CgroupMap does not belong to libcgrouprc_setup.

Test: boots
Bug: 123664216
Change-Id: I941dc0c415e2b22ae663d43e30dc7a464687325e
Merged-In: I941dc0c415e2b22ae663d43e30dc7a464687325e
2019-04-02 22:31:57 -07:00
Mark Salyzyn
e419a79329 ueventd: populate /dev/block/mapper link
Since DM_NAME= is not sent (delete bug) or interpreted with ueventd
message, instead probe /sys/devices/virtual/block/dm-X/dm/name when
instantiating.  Cache the value for later delete.

By creating the /dev/block/mapper/<name> nodes, this will give
selabel_lookup_best_match an alias to hang its hat on so that the
associated /dev/block/dm-X nodes will be suitably labelled and
differentiated.

NB: For Android, the deletion of the nodes will only happen in the
    context of fastbootd, update_engine and gsid; otherwise the links
    and properties created can be considered set-once and persistent.

Test: manual inspect /dev/block/mapper/ links
Bug: 124072565
Change-Id: I6d9e467970dfdad7b67754ad61084964251eb05f
2019-04-02 19:28:47 +00:00
Treehugger Robot
0a887aa14c Merge "Disallow operator!() on unique_fd" 2019-03-29 03:52:46 +00:00
Treehugger Robot
a896e2aee5 Merge "init: mount_handler: system-as-root (legacy)" 2019-03-28 18:25:27 +00:00
Suren Baghdasaryan
81cfeb54fc Merge "libprocessgroup: restrict SetupCgroups to one-time usage and only by init" 2019-03-28 17:13:09 +00:00
David Anderson
5aa37dc3dc Merge "init: Support booting off GSIs installed to non-userdata block devices." 2019-03-28 09:46:44 +00:00
Bernie Innocenti
7cb72c96b4 Disallow operator!() on unique_fd
This catches a common mistake where client code checks for errors using
the common idiom that works for std::iostream and other file-like
classes:

  unique_fd fd = open(...);
  if (!fd) {
  }

Test: atest libbase_test
Test: m droid
Change-Id: I9629a7795537ecb3b57be9c741c06f80967e4cc2
2019-03-28 15:56:07 +09:00
Suren Baghdasaryan
5b53573671 libprocessgroup: restrict SetupCgroups to one-time usage and only by init
SetupCgroups is called by init process during early-init stage and is not
supposed to be called again by anyone else. Ensure that the caller is the
init process, make sure cgroup.rc file is written only one time, keep the
file descriptor to cgroup.rc file open by the init process to ensure all
its further mappings stay valid even if the file is deleted.

Bug: 124774415
Test: build, run, verify no errors or warning in the logcat

Change-Id: Ib8822cf0112db7744e28d442182d54dcf06f46f2
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2019-03-28 01:25:22 +00:00