We are now conditionally compiling init binaries & libinit for
Microdroid (adding -DMICRODROID=1 cflag), so instead of checking for the
presence of the /system/etc/selinux/microdroid_precompiled_sepolicy we
can check if the code is compiled for Microdroid.
In a follow-up changes we can split the sepolicy loading logic into 2
separate headers (one for Android and one for Microdroid) and include
the necessary one depending on the target we compile for.
Bug: 287206497
Test: atest MicrodroidTestApp
Change-Id: Id9c837d03a96ff9564688d33955ec85094eee487
libselinux log messages usually end with a new line character. Android
log system does not require the new line character and will include the
character as-is in the log buffer.
This trimming was already implemented when the message is typed as
SELINUX_AVC (see SelinuxAvcLog). Move the truncation one level up so it
is occurring for all types of logs.
Test: boot & adb logcat & inspect SELinux logs
Change-Id: I360359c1b178ef24d555dd41f8d4a18b293a175c
There can be more than one fstab entry of system partition.
For example, the filesystem of one entry is ext4 and another is erofs.
system /system ext4 ro wait,slotselect,avb=vbmeta_system,logical,first_stage_mount,avb_keys=/avb/q-gsi.avbpubkey:/avb/r-gsi.avbpubkey:/avb/s-gsi.avbpubkey
system /system erofs ro wait,slotselect,avb=vbmeta_system,logical,first_stage_mount,avb_keys=/avb/q-gsi.avbpubkey:/avb/r-gsi.avbpubkey:/avb/s-gsi.avbpubkey
If both filesystems of system and system_ext paritions are erofs,
only the ext4 fstab entry will be returned by GetEntryForMountPoint,
and system_ext cann't be mounted.
So we need to return both of the fstab entries and try all of them.
Signed-off-by: Lianjun Huang <huanglianjun@xiaomi.com>
Change-Id: I407553d48b1749cd0554f057a6bfd38daa96fdcb
Signed-off-by: Lianjun Huang <huanglianjun@xiaomi.corp-partner.google.com>
From the unique_fd.h header file: "unique_fd's operator int is
dangerous, but we have way too much code that depends on it, so make
this opt-in at first."
From the Google C++ style guide: "Do not define implicit conversions."
See also go/cstyle#Implicit_Conversions.
Hence this CL that disables unique_fd::operator int().
Change-Id: I28d94755d5408f63e5819da8d1cbc285057f867f
Signed-off-by: Bart Van Assche <bvanassche@google.com>
The /dev/selinux folder is normally created by first-stage-init
https://cs.android.com/android/platform/superproject/+/master:system/core/init/first_stage_init.cpp;l=299-300;drc=07c86bace1e7a7cc4dd975f10b077d21c3743749
However, in some cases the first-stage-init comes from a GKI prebuilt
boot.img and doess not create the required folder (see for example
b/217677967), resulting in bugs like b/244793900.
I modified the selinux.cpp code to create the /dev/selinux folder if it
does not exist already, as a safety measure.
To verify these changes for b/244793900, follow gpaste/4922166775644160
Bug: 243923977
Test: atest SeamendcHostTest, manual verification
Change-Id: I8fe798643b1aeab2b4caac837055348febf70b94
It could be the case that /dev/console is created at the first stage
boot. ueventd doesn't have a permission to relabel from tmpfs to
console_device, so we should try restorecon /dev/console, together with
/dev.
Bug: 193118220
Test: atest MicrodroidHostTestCases
Change-Id: Ic538bc9214d3996fe7b37fa2224c1f0c6eb373d1
[reland aosp/1910032]
Updatable sepolicy is shipped within an zip within an APEX. Because
it needs to be available before Apexes are mounted, apexd copies
the zip from the APEX and stores it in /metadata/sepolicy. If there is
not updatable sepolicy in /metadata/sepolicy, then updatable policy is
loaded from /system/etc/selinux/apex. Init performs the following
steps on boot:
1. Validates the zip by checking its signature against a public key
that is stored in /system/etc/selinux.
2. Extracts files from zip and stores them in /dev/selinux.
3. Checks if the apex_sepolicy.sha256 matches the sha256 of
precompiled_sepolicy. if so, the precompiled sepolicy is used.
Otherwise, an on-device compile of the policy is used. This is the
same flow as on-device compilation of policy for Treble.
4. Cleans up files in /dev/selinux which are no longer needed.
5. Restorecons the remaining files in /dev/selinux.
6. Sets selinux into enforcing mode and continues normal booting.
Bug: 199914227
Test: adb root
adb shell cp /apex/com.android.sepolicy.apex/etc/SEPolicy-33.zip \
/metadata/sepolicy/SEPolicy.zip
adb shell cp /apex/com.android.sepolicy.apex/etc/SEPolicy-33.zip.sig \
/metadata/sepolicy/SEPolicy.apk.sig
adb shell cp /apex/com.android.sepolicy.apex/etc/SEPolicy-33.zip.fsv_sig \
/metadata/sepolicy/SEPolicy.zip.fsv_sig
adb reboot
ls -laZ /dev/selinux/
Verify that files exist and that the labels are expected.
Change-Id: I2dbe43e329e91f46abedc7e44f7d24b220e19173
"nonplat" was renamed to "vendor" in Android Pie, but was retained
here for Treble compatibility.
We're now outside of the compatbility window for these devices so
it can safely be removed.
While I'm here, improve accuracy of some comments and
in-code-documentation.
Test: build boot cuttlefish device. adb remount, modify
/system/etc/selinux/plat_sepolicy_and_mapping.sha256 to force
on-device policy compilation. reboot. Verify that device boots
without new selinux denials.
Change-Id: Ibe5c5fa1ea206c1b4d5ad8183433c332a8aaadbf
This change only *adds* /system_ext/etc/selinux to the debug policy
search path, and does not change any preconditions to load the debug
policy. The device still needs to be bootloader-unlocked and has the
debug ramdisk flashed to be able to use the debug policy. The only thing
changed is that now the debug policy can be loaded from /system_ext or
/debug_ramdisk when system partition is compliance testing GSI.
The debug policy in the boot ramdisk may be outdated if the system
partition is flashed with a image built from a different revision.
This happens frequently when running the compliance testing VTS, where
the device is flashed with (A) GSI and (B) device vendor image & debug
boot image, and (A) and (B) are built from different git revisions.
To address this, we install a copy of the debug policy under
/system_ext, so that the version desync between (A) & (B) wouldn't be a
problem anymore because (A) no longer relies on the debug policy file
from (B).
Bug: 188067818
Test: Flash RQ2A.201207.001 bramble-user with debug ramdisk & flash
gsi_arm64-user from master, device can boot and `adb root` works
Change-Id: Ibe17eb1ecb0e813309c9596d1f152b7455686b26
Revert "Add a copy of debug policy to GSI system image"
Revert "Add PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT"
Revert "Add system_ext_userdebug_plat_sepolicy.cil for GSI"
Revert submission 1824717-gsi_debug_policy
Reason for revert: Breaks the build (see b/200933187).
Reverted Changes:
I37ef02628:Add a copy of debug policy to GSI system image
I9c3dad8bb:Add PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT
I43adc6ada:Add system_ext_userdebug_plat_sepolicy.cil for GSI...
I4d6235c73:Add /system_ext/etc/selinux/ to the debug policy s...
Change-Id: I2eb3b00abb981c25514b75b2e7b4b7b203653390
This change only *adds* /system_ext/etc/selinux to the debug policy
search path, and does not change any preconditions to load the debug
policy. The device still needs to be bootloader-unlocked and has the
debug ramdisk flashed to be able to use the debug policy. The only thing
changed is that now the debug policy can be loaded from /system_ext or
/debug_ramdisk when system partition is compliance testing GSI.
The debug policy in the boot ramdisk may be outdated if the system
partition is flashed with a image built from a different revision.
This happens frequently when running the compliance testing VTS, where
the device is flashed with (A) GSI and (B) device vendor image & debug
boot image, and (A) and (B) are built from different git revisions.
To address this, we install a copy of the debug policy under
/system_ext, so that the version desync between (A) & (B) wouldn't be a
problem anymore because (A) no longer relies on the debug policy file
from (B).
Bug: 188067818
Test: Flash RQ2A.201207.001 bramble-user with debug ramdisk & flash
gsi_arm64-user from master, device can boot and `adb root` works
Change-Id: I4d6235c73472e4d97619b2230292e6a0bc4b3e05
If precompiled vendor policy has system_ext hash, system_ext also has to
have its hash, to use precompiled sepolicy.
Bug: 186727553
Test: remove system_ext's hash and see sepolicy compiled in runtime
Change-Id: I4af3418d614156b5e9cd0b0116c2814ba994ee81
Minor refactoring and renaming, goal is to make the follow-up patch
easier to read.
Bug: 184132970
Test: Presubmit
Change-Id: I66416161b30ac310934d901cbaf11bc926e2cbf7
So we can extend platform policies with target specific compat rules.
This use case surface in the context of system only upgrade, when the
vendor policy cannot be updated, then the system_ext partition can
contain target specific compat policies.
Bug: 183362912
Test: Presubmit
Change-Id: Ic6436eb8a269f07f932331dedf7dbaa629538ade
Some devices might not have system_ext or product partitions. But init
has been refusing to use precompiled sepolicy because init always checks
system / system_ext / product hashes, regardless of existence. This
makes system_ext and product optional, so hash check can be skipped for
non-existing partitions. Of course system is always checked.
Bug: 181640066
Test: boot microdroid and cuttlefish, see precompiled sepolicy works
Change-Id: I32c296fffd894c27097e8b4e10ade977a21d61ab
The androidboot.selinux property is loaded in a special way, because it
happens in the "selinux_setup" stage, and not the true second stage.
Allow it to be passed through bootconfig instead of only via the kernel
cmdline.
Bug: 173815685
Test: launch_cvd -extra_kernel_cmdline androidboot.selinux=permissive
Test: launch_cvd -guest_enforce_security=false [bootconfig method]
[..]
init: Permissive SELinux boot, forcing sys.init.perf_lsm_hooks to 1.
[..]
Change-Id: I92003c7a2dac5d6e7d0e0f4ee2757f86cc0087c7
With compressed VAB updates, it is not possible to mount /system without
first running snapuserd, which is the userspace component to the dm-user
kernel module. This poses a problem because as soon as selinux
enforcement is enabled, snapuserd (running in a kernel context) does not
have access to read and decompress the underlying system partition.
To account for this, we split SelinuxInitialize into multiple steps:
First, sepolicy is read into an in-memory string.
Second, the device-mapper tables for all snapshots are rebuilt. This
flushes any pending reads and creates new dm-user devices. The original
kernel-privileged snapuserd is then killed.
Third, sepolicy is loaded from the in-memory string.
Fourth, we re-launch snapuserd and connect it to the newly created
dm-user devices. As part of this step we restorecon device-mapper
devices and /dev/block/by-name/super, since the new snapuserd is in a
limited context.
Finally, we set enforcing mode.
This sequence ensures that snapuserd has appropriate privileges with a
minimal number of permissive audits.
Bug: 173476209
Test: full OTA with VABC applies and boots
Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
Dynamically creating /dev/dm-user makes it difficult to set an inotify
watch for child devices to appear. It requires having an additional
watch on /dev, and more complicated sepolicy as a result.
Bug: 168554689
Test: full OTA with VABC enabled
Change-Id: I0cdef3d5a953a372446ff4e539a25a7b5314500d
Since new files can be introduced to /metadata after the initial
restorecon, we need to skip hashing.
Bug: 150907679
Test: rollback, ls -lZ /metadata/ota
Change-Id: I1f928f519ae2c75aeedb74b70d513743e86bcf2b
The rollback indicator is created during first stage init and
is unlabeled. Need to restorecon it properly so that it can
be properly deleted by update_engine later.
Bug: 149956852
Bug: 150907679
Test: apply OTA, reboot, look at serial console
Change-Id: Ie954023b557865691fec2ae378145596bf1973a9
adb remount and snapshot-based updates use ImageManager in first-stage
init. This creates status files, which need to be labelled.
Bug: 148834619
Test: manual test
Change-Id: I72949fca2889f9e5612049844a78bf9355b48797
Those keys will be used for key revocation check by DSU installation
service. Note that failing to copy those keys to /metadata is NOT fatal,
because it is auxiliary to perform public key matching prior to booting
into DSU images on next boot. The actual key matching will still be done
on next DSU boot.
Bug: 146910547
Test: boot device, checks the avb keys are copied to /metadata/gsi/dsu/avb/.
Change-Id: I25a4eba82e84288bac7a859205c920628a063651
Currently linker config locates under /dev, but this makes some problem
in case of using two system partitions with chroot. To match system
image and configuration, linker config better stays under /linkerconfig
Bug: 144966380
Test: m -j passed && tested from cuttelfish
Change-Id: Iaae5af65721eee8106311c1efb4760a9db13564a
Init is no longer a special case and talks to property service just
like every other client, therefore move it away from property_set()
and to android::base::SetProperty().
In doing so, this change moves the initial property set up from the
kernel command line and property files directly into PropertyInit().
This makes the responsibilities between init and property services
more clear.
Test: boot, unit test cases
Change-Id: I36b8c83e845d887f1b203355c2391ec123c3d05f
Currently system sepolicy can be extended via:
- BOARD_PLAT_PUBLIC_SEPOLICY_DIR
- BOARD_PLAT_PRIVATE_SEPOLICY_DIR
To support having a single shared core system sepolicy, those
customization should be moved to the newly added system_ext partition.
System-ext-specific sepolicy files will be installed into
/system_ext/etc/selinux/*. system_ext_sepolicy.cil is merged into
precompiled_sepolicy at build-time. In case precompiled_sepolicy can't
be used (e.g. system-only-ota), the init will merge this file with
the rest of the sepolicy at runtime.
Bug: 137712473
Test: boot aosp_crosshatch with system_ext_sepolicy.cil
Test: boot aosp_crosshatch without system_ext_sepolicy.cil
Change-Id: Ib37622271b559d65462de99ff424be831004508a
It's better to pass the error message to the caller to determine how
best to print the error.
Test: build
Change-Id: Id8857c459df2f26c031650166609608d20e4d051
It is exceedingly difficult to debug I/O and filesystem corruption
issues during first and selinux initialization stage init. By
redirecting stderr, and for good measure stdout, to /dev/kmsg in
first stage init before it exec's "/system/bin/init" we can see
the filesystem corruption errors more clearly.
Before this we would see:
init: Skipped setting INIT_AVB_VERSION (not in recovery mode)
Kernel panic - not syncing: Attempted to kill init! exitcode=0x...
and then wonder why?
After this change we can see:
init: Skipped setting INIT_AVB_VERSION (not in recovery mode)
libc: Fatal signal 5 (SIGTRAP), code 128 (SI_KERNEL), fault addr...
Kernel panic - not syncing: Attempted to kill init! exitcode=0x...
-or-
init: Skipped setting INIT_AVB_VERSION (not in recovery mode)
linker: CANNOT LINK EXECUTABLE "/system/bin/init": cannot locate symbol...
Kernel panic - not syncing: Attempted to kill init! exitcode=0x...
(NB: with stutter removed because of stdout and stderr)
Silence from these sources otherwise on successful execution.
Test: boot
Bug: 138459777
Change-Id: I4200b24baeaa6e408a5e0a2c890561bda1e2f1f4
This change factors out functions that handle selabels from
selinux.h/cpp into selabel.h/cpp. This allows util.cpp to be used by
the upcoming native zygote without a bunch of define flags that are
required for selinux.cpp.
Bug: 133443795
Test: Build and boot cuttlefish.
Change-Id: Ie238a96c6407c6698a605dd8803c1727abfaae7b
Dump init stacks when aborting either due to LOG(FATAL) or in
userdebug/eng builds due to signals, including signals from
sanitizers.
Doesn't work for static first stage init yet, b/133450393 tracks
that.
Also, ensure that LOG(FATAL) in child processes calls abort() in all
stages of init, not just 2nd stage init.
Bug: 131747478
Test: abort init in various ways and see stacks
Test: hang or crash in backtrace handler and see child reboot
Change-Id: Ib53b5d3e7e814244203f875de016ada9900dfce8
Add a property ro.boottime.init.first_stage to provide us a
first stage init duration from start to exec completed in
nanoseconds.
For consistency, report nanoseconds duration for
ro.boottime.init.selinux as well instead of milliseconds.
Now also report consistently from start to exec completed
instead of just the selinux load time.
SideEffects: ro.boottime.init.selinux is reported to TRON and
may alarm with the millionfold increase in precision.
ro.boottime.init is now also consistent with ns
precision.
Test: inspect
Bug: 124491153
Bug: 129780532
Change-Id: Iff4f1a3a1ab7ff0a309c278724c92da0832b9a69
In previous implementation, userdebug sepoilcy and property files are
loaded from the system.img. This CL changes this to:
- first-stage init copies userdebug files from ramdisk to /debug_ramisk/*
- second-stage init loads files from /debug_ramdisk/*.
Note: same as before, the above can only be triggered, if the device
is UNLOCKED
With this, we don't have to put userdebug related files into the USER
system.img.
Bug: 126493225
Test: boot device with a ramdisk with /force_debuggable, checks related
files are loaded
Change-Id: I63f5f846e82ba78427062bf7615c26173878d8f3
When init found "/force_debuggable" in the first-stage ramdisk, it will
do the following if the device is unlocked:
1. load /system/etc/adb_debug.prop (with ro.debuggable=1)
2 .load userdebug_plat_sepolicy.cil instead of original plat_sepolicy.cil from
/system/etc/selinux/.
This make it possible to run VTS on a USER build GSI, by using a special
ramdisk containing "/force_debuggable".
Bug: 126493225
Test: unlock a USER build device, check 'adb root' can work
Change-Id: I9b4317bac1ce92f2c0baa67c83d4b12deba62c92
