I'll come back and remove klog_init when I've removed other calls to it.
Change-Id: Iad7fd26d853b4ddc54e9abd44516b6f138cbbfcb
Test: booted N9, looked at "adb shell dmesg" output.
Prebuilt kernels have not been updated with the requisite patches.
This reverts commit c819e78e7f.
Change-Id: I8e63373a9b8a1e5adcb2471dfe43bde28e3f8e65
Also make sure it is above a minimum threshold, else abort.
(cherry-pick of internal commit: 5d36813dc8)
Bug: 27681085
Change-Id: Ia1d9583254fd64828092533298a99ec64b8233f7
This CL allows enabling of multiple consoles. A service can be
mapped to a specific console by providing the optional argument,
IE "tty0", to "console" service attribute as follows:
service fbconsole /system/bin/sh
class core
console tty0
disabled
user shell
group shell log readproc
seclabel u:r:shell:s0
Bug: None
Change-Id: I3b24e7f6848bbe5c6475f11334c04ec536e6af88
Tracked-On: https://jira01.devtools.intel.com/browse/BP-289
Signed-off-by: Viorel Suman <viorel.suman@intel.com>
This CL allows enabling of multiple consoles. The expected format
of "androidboot.console" kernel parameter is a list of available
consoles, as follows:
androidboot.console=tty0:ttyS0
A service can be mapped to a specific console by providing the
optional argument, IE "tty0", to "console" service attribute as follows:
service fbconsole /system/bin/sh
class core
console tty0
disabled
user shell
group shell log readproc
seclabel u:r:shell:s0
Bug: None
Change-Id: I3f8556425c8651bd121995869700f18b23365d55
Tracked-On: https://jira01.devtools.intel.com/browse/BP-289
Remove references to SELinux policy files in /data/security
from libselinux/android.c. In the process all code that is
apparently related to handling an alternate policy and/or
reloading the policy has been removed.
Bug: 26544104
Change-Id: I47bf76ac3c26c5d71f92a21ffac2b17ba14262ea
Be consistent when mounting filesystems, and mount selinuxfs
at the same time other filesystems are mounted. In particular,
this ensures that a /sys/fs/selinux/null is available at early
boot, avoiding an unnecessary mknod call.
Change-Id: I01e6b3900f48b4cb3f12d8a928e1e95911524252
If ro.oem_unlock_supported is specified for the device and it supports
verified boot, export lock status in ro.boot.flash.locked.
Bug: 26039090
Change-Id: Ie7844aeb458c97944c72d46ea962b9cfb0a7875d
/property_contexts exists before selinux policies are loaded, so we must
restorecon before other processes can access it
Bug: 21852512
Change-Id: Ie983caac635eb928ab19eea996a5625f3673de39
Add the following mount options to the /proc filesystem:
hidepid=2,gid=3009
This change blocks /proc access unless you're in group 3009
(aka AID_READPROC).
Please see
https://github.com/torvalds/linux/blob/master/Documentation/filesystems/proc.txt
for documentation on the hidepid option.
hidepid=2 is preferred over hidepid=1 since it leaks less information
and doesn't generate SELinux ptrace denials when trying to access
/proc without being in the proper group.
Add AID_READPROC to processes which need to access /proc entries for
other UIDs.
Bug: 23310674
Change-Id: I22bb55ff7b80ff722945e224845215196f09dafa
When auditing setprop denials, it is often unclear of who the process is
in a multi-process domain. To help identify the invoker, log the pid, uid,
and gid of the caller.
Before:
avc: denied { set } for property=wifi.xxx ...
After:
avc: denied { set } for property=wifi.xxx pid=30691 uid=123 gid=345 ...
Change-Id: I5cdcb3d18fbd52e0987b5e1497b9f6620c6c742a
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Create a Parser class that uses multiple SectionParser interfaces to
handle parsing the different sections of an init rc.
Create an ActionParser and ServiceParser that implement SectionParser
and parse the sections corresponding to Action and Service
classes.
Remove the legacy keyword structure and replace it with std::map's
that map keyword -> (minimum args, maximum args, function pointer) for
Commands and Service Options.
Create an ImportParser that implements SectionParser and handles the
import 'section'.
Clean up the unsafe memory handling of the Action class by using
std::unique_ptr.
Change-Id: Ic5ea5510cb956dbc3f78745a35096ca7d6da7085
This creates the concept of 'event_trigger' vs 'property_trigger'
Previously these were merged into one, such that 'on property:a=b &&
property:b=c' is triggered when properties a=b and b=c as expected,
however combinations such as 'on early-boot && boot' would trigger
during both early-boot and boot. Similarly, 'on early-boot &&
property:a=b' would trigger on both early-boot and again when property
a equals b.
The event trigger distinction ensures that the first example fails to
parse and the second example only triggers on early-boot if
property a equals b.
This coalesces Actions with the same triggers into a single Action object
Change-Id: I8f661d96e8a2d40236f252301bfe10979d663ea6
Support added so init scripts can now import directories.
BUG: 22721249
Change-Id: I02b566bfb50ea84469f1ea0c6ad205435a1df286
TEST: Tested importing a folder on arm64 emulator
It is only a temporary fix. I hope the code can be moved into a member
function of class Command.
Bug: 22654233
Change-Id: I38c24fb624e54986a953f44d398b3b80c3795d24
When SELinux is in enforcing mode, any process executed by
init must have a domain transition defined. See
https://android-review.googlesource.com/108640 for details. This
prevents an executable spawned by init from remaining in init's
(very powerful) SELinux domain.
However, this is only enforced when SELinux is in enforcing mode.
During new device bringup, it's common to run an Android device
in globally permissive mode. In globally permissive mode, SELinux
denials are logged only, but otherwise ignored. If appropriate
SELinux domain transitions are not defined from init to init spawned
processes, this could cause misleading SELinux denials attributed
to init instead of the child process.
To help address these misleading denials, modify init to not spawn
processes unless a domain transition is defined. This essentially
enforces the rules in https://android-review.googlesource.com/108640
on both permissive and enforcing kernels.
While I'm here, change some "freecon()" calls to "free()", with the
long term goal of deleting freecon() entirely.
Change-Id: I3ef3a372bb85df61a3f6234cb1113cc25fc6506a
This adds the "writepid" option that instructs init to write the child's
pid to the given filenames (such as /dev/cpuctl/bg_non_interactive/cgroup.procs
and/or /dev/cpuset/foreground/cgroup.procs).
Bug: http://b/21163745
Change-Id: I121bb22aa208bc99c4fb334eb552fdd5bcc47c1a
d34e407aeb removed support for
running with SELinux completely disabled. SELinux must either be
in permissive or enforcing mode now.
Remove unnecessary calls to is_selinux_enabled(). It always returns
true now.
Change-Id: Ife3156b74b13b2e590afe4accf716fc7776567e5
Helped debug a problem where the N9 bootloader incorrectly
concatenated the various command lines.
Bug: http://b/20906691
Change-Id: I0580b06f4185129c7eedf0bdf74b5ce17f88bf9c
Remove support for androidboot.selinux=disabled. Running with SELinux
disabled is not a supported configuration anymore. SELinux must be
in enforcing in shipping devices, but we also support permissive for
userdebug/eng builds.
Don't try security_setenforce() if we're already in enforcing mode.
A kernel compiled without CONFIG_SECURITY_SELINUX_DEVELOP does
not have a permissive mode, so the kernel will already be enforcing
once the policy is loaded.
Bug: 19702273
Change-Id: I07525a017ddb682020ec0d42e56a2702c053bdeb
Don't double mount /dev and its subdirectories anymore. Instead, the
first stage init is solely responsible for mounting it.
Don't have init prepare the property space. This is the responsibility
of the second stage init.
Don't have SELinux use the property space to determine how we should
be running. Instead, create a new function and extract the data we
need directly from /proc/cmdline. SELinux needs this information in
the first stage init process where the property service isn't available.
Change-Id: I5b4f3bec79463a7381a68f30bdda78b5cc122a96
The first stage init mounts /proc and /sys, and then the second
stage init also mounts /proc and /sys on top of the existing mount.
Only mount these two directories once, in the first stage init.
Not yet fixed: the double mounting of /dev. Removing the double
mounting doesn't work right now because both init stages are trying
to create a property space, and if the double mount of /dev goes away,
the property service in the second stage init fails to work.
Change-Id: I13719027a47526d074390c2b1a605ad99fb43a8f
write_file() returned -errno on error, not -1. Callers who check for
-1 would falsely believe that the write was successful when it wasn't.
Fixup write_file so that it return -1 on error consistent
with other functions.
Change-Id: Ic51aaf8678d8d97b2606bd171f11b3b11f642e39
Not just because it's what the cool kids are doing --- it also lets us
simplify the inner loop and decouple it from whatever systems want to
be woken to perform some activity if there's data to be read on some fd.
Currently this is just used to clean up the existing signal handling,
keychord, and property service code.
Change-Id: I4d7541a2c4386957ad877df69e3be08b96a7dec5
All the code that was being delayed does is create a socket. We can
do that straight away, avoid the overhead, and simplify our main loop.
The keychord fd, on the other hand, seems a little tricky. It looks
like /dev/keychord isn't immediately available, at least not on N9;
we have to wait for ueventd to set us up the bomb.
Change-Id: I020e75b8e4b233497707f0a3cbbb6038b714161f
We can set it up earlier, and error reporting like this helped me find
the SELinux problem with the last change to this code.
Change-Id: If0f38bc5ff0465c4030e2d39d34f31f49b2d8487
This reverts commit 4217374611.
It turns out that the kernel passes any unrecognized arguments on to init,
and (at least) N6 and N9 have such arguments. My lazy check of argc was
thus insufficient to recognize what stage of init we were in, so we'd
skip to stage 2 and not set up SELinux. And apparently you can get a
very long way with SELinux off... We'll fix that in a later change.
Bug: 19702273
Change-Id: I43b3fb722fed35dd217cb529cbcac9a29aff4e4b
Fixes init deadlock when an exec command was called
in an on-init section.
The exec command handling relies on that the signal handler
mechanism is working to know when to continue executing
commands.
Change-Id: Ib0ce75ffad7cf3bf926c93d0506b2fe3e5a92630
Also make important events in init's life NOTICE rather than INFO,
and ensure that NOTICE events actually make it to the kernel log.
Also fix the logging so that if you have a printf format string
error, the compiler now catches it.
Also give messages from init, ueventd, and watchdogd distinct tags.
(Previously they'd all call themselves "init", and dmesg doesn't
include pids, so you couldn't untangle them.)
Also include the tag in SELinux messages.
Bug: 19544788
Change-Id: Ica6daea065bfdb80155c52c0b06f346a7df208fe
