Commit graph

26746 commits

Author SHA1 Message Date
Tao Bao
40e0ec918e adb: Fix the 'adb reboot sideload' for A/B devices.
We used to write the command file (/cache/recovery/command) to trigger
the sideload mode. A/B devices don't support that (may not have /cache
paritition). This CL switches to using libbootloader_message which
writes the command to BCB (bootloader control block) instead.

Test: "adb root && adb reboot sideload" reboots sailfish into recovery
      sideload mode.

Change-Id: I158fd7cbcfa9a5d0609f1f684a2d03675217628f
2017-01-05 18:01:01 -08:00
Treehugger Robot
4bf9c82857 Merge "Use shared lib of libutils, libz and libbase." 2017-01-05 23:24:21 +00:00
Sandeep Patil
871c306855 init: split property context into platform & non-platform components
Bug: 33746484
Test: Successfully boot with original service and property contexts.
Test: Successfully boot with split serivce and property contexts.
Test: 'getprop -Z'
Change-Id: I62689b229a67e319c65bf034da804f660f82bd35
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-01-05 13:19:01 -08:00
Treehugger Robot
8954ef987b Merge "logd: sepolicy dynamic rate limiting" 2017-01-05 20:28:34 +00:00
Mark Salyzyn
247d682fe1 logd: sepolicy dynamic rate limiting
Processing overhead for selinux violation messages is costly. We want
to deal with bursts of violations, but we have no intent of allowing
that sustained burst to go unabated as there is a cost of processing
and battery usage.

Tunables in libaudit.h are:

AUDIT_RATE_LIMIT_DEFAULT 20        /* acceptable burst rate      */
AUDIT_RATE_LIMIT_BURST_DURATION 10 /* number of seconds of burst */
AUDIT_RATE_LIMIT_MAX     5         /* acceptable sustained rate  */

Since we can only asymptotically handle DEFAULT rate, we set an upper
threshold of half way between the MAX and DEFAULT rate.

Default kernel audit subsystem message rate is set to 20 a second.
If sepolicy exceeds 125 violation messages over up to ten seconds
(>=~12/s), tell kernel audit subsystem to drop the rate to 5 messages
a second.  If rate drops below 50 messages over the past ten seconds
(<5/s), tell kernel it is ok to increase the burst rate back to 20
messages a second.

Test: gTest logd-unit-tests --gtest_filter=logd.sepolicy_rate_limiter_*
Bug: 27878170
Change-Id: I843f8dcfbb3ecfbbe94a4865ea332c858e3be7f2
2017-01-04 14:46:58 -08:00
Elliott Hughes
fe05f1cde4 Merge "Don't use bare noreturn in log.h." 2017-01-04 00:37:18 +00:00
Treehugger Robot
4a3b03e9e5 Merge "init/service.cpp: fix access check for console" 2017-01-03 23:27:40 +00:00
Treehugger Robot
d06f86ced6 Merge "Send property_service AVC messages to the kernel audit system" 2017-01-03 23:24:48 +00:00
Treehugger Robot
5badada997 Merge "LogAudit.cpp: replace newlines with spaces in audit messages" 2017-01-03 22:21:37 +00:00
Nick Kralevich
8adb4d9d12 Send property_service AVC messages to the kernel audit system
The property service uses an SELinux userspace check to determine if a
process is allowed to set a property. If the security check fails, a
userspace SELinux denial is generated. Currently, these denials are only
sent to dmesg.

Instead of sending these denials to dmesg, send it to the kernel audit
system. This will cause these userspace denials to be treated similarly
to kernel generated denials (eg, logd will pick them up and process
them). This will ensure that denials generated by the property service
will show up in logcat / dmesg / event log.

After this patch, running "setprop asdf asdf" from the unprivileged adb
shell user will result in the following audit message:

  type=1107 audit(39582851.013:48): pid=1 uid=0 auid=4294967295
  ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for
  property=asdf pid=5537 uid=2000 gid=2000 scontext=u:r:shell:s0
  tcontext=u:object_r:default_prop:s0 tclass=property_service'

Test: manual
Bug: 27878170
Change-Id: I0b8994888653501f2f315eaa63d9e2ba32d851ef
2017-01-03 13:50:13 -08:00
Elliott Hughes
9b3b119912 Don't use bare noreturn in log.h.
toybox has a #define noreturn that trips over this.

Also move `format` out of the way, just in case.

Bug: https://github.com/android-ndk/ndk/issues/271
Test: builds
Change-Id: Ib8811136b4b422ff74625509539a5464a3c9af18
2017-01-03 13:17:42 -08:00
Adrian Salido
24ef8601c2 init/service.cpp: fix access check for console
Commit 9596d2b95d changes how
availability of console is checked by only checking access bits for
the console device. However, in cases where there is no console it
defaults to /dev/console. This device is always enumerated by tty
driver (i.e. file and access bits may be correct), but it doesn't
always map to an underlying console driver. Because the lookup for the
underlying console driver happens during the open system call, checking
only the access bits is not sufficient and need to make sure open
system call is successful, we can safely close the FD afterwards to
avoid FD leaks.

Test: boot device and check console svc doesn't continuously restart
Bug: 33691649
Change-Id: Ia51a8a2f56c345b70db55e95f61a057a98b52895
2017-01-03 13:11:29 -08:00
Treehugger Robot
891df1c410 Merge "logd: Add support for ro.logd.auditd.[main|events]" 2017-01-03 21:03:55 +00:00
Nick Kralevich
2e58867771 LogAudit.cpp: replace newlines with spaces in audit messages
Some kernels have a bug which causes a newline to show up in audit
messages. The embedded newlines cause one message to look like two due
to prefix controls.

Replace any newlines with spaces. Duplicate spaces are further
consolidated in code immediately after this newly added code.

Test: create an audit message with a newline, and watch it be cleaned up.
Bug: 27878170
Change-Id: Id90c29ab9e10d3be96f51403b0293622d782422a
2017-01-03 12:39:28 -08:00
David Pursell
fd979edb57 Merge "fastboot: update getvar documentation." 2017-01-03 17:45:05 +00:00
Mark Salyzyn
ce80da3018 logd: Add support for ro.logd.auditd.[main|events]
log selinux audit messages boolean (true or false, default true)
selection for logging destinations:

ro.logd.auditd - turn on logd.auditd to pick up violations.
ro.logd.auditd.dmesg - to the kernel log.
ro.logd.auditd.main - to the "main" log buffer.
ro.logd.auditd.events - to the "events" log buffer.

We used to also read logd.auditd.dmesg and persist.logd.auditd.dmesg
which do not get refreshed when /data mounts internally.  This is a
confusing state as these properties will be read after a logd crash
and restart, adjusting the behavior of the logger.  Same can be said
for logd.auditd as well.  Drop reading these other parameters.

Test: manual set r/o parameters, stop/start logd to confirm behavior
Bug: 33969000
Bug: 27878170
Change-Id: I1a6bb4a903074c9aa7b227cf583a0094d49cbefd
2017-01-03 09:44:42 -08:00
Elliott Hughes
10a7b9bb8b Merge "libziparchive: use _FILE_OFFSET_BITS=64" 2016-12-30 20:21:17 +00:00
Elliott Hughes
b175ee271b Merge "Make libziparchive C++-only." 2016-12-30 19:40:56 +00:00
Treehugger Robot
7d24dea9cb Merge "logd: gtest: logd.timeout socket does not clean up properly" 2016-12-29 22:36:57 +00:00
Mark Salyzyn
1736c4866c logd: gtest: logd.timeout socket does not clean up properly
Until the socket ages out, it sticks around and gets reused in
subsequent tests affecting the outcome of those tests.  We opt
to run logd.timeout in a forked and isolated process to keep
these conditions from interfering.

Adjusted benchmark execute to only run the tests we are
interested in to improve the time it takes to run.

Commented some areas of code to make them easier to maintain.

Test: gTest logd-unit-tests success
Bug: 33962045
Change-Id: Ic1b98bc4a2d7e8927f1a87628e3bcc368c9cf8ce
2016-12-29 12:59:22 -08:00
Elliott Hughes
a970c8f1fc Make libziparchive C++-only.
If we're going to build libziparchive with _FILE_OFFSET_BITS=64, which
seems like a reasonable idea, we don't want off_t/off64_t mixups in the
ABI, and C++ name mangling helps protect against that where C wouldn't.

Bug: N/A
Test: builds
Change-Id: I5f068b41fb4cd9e1e055e5250054318b35bcbc08
2016-12-29 10:38:37 -08:00
Treehugger Robot
3553ae73fb Merge "init: Make 'write_file' return bool to match 'read_file'." 2016-12-29 17:24:18 +00:00
Jorge Lucangeli Obes
77f0e9fda8 init: Make 'write_file' return bool to match 'read_file'.
The mismatch of return values makes reasoning about the correctness of
CLs like https://android-review.googlesource.com/317923 quite hard.

Bug: 33941660
Test: Init builds, HiKey boots.
Change-Id: Ia4b8a9af420682997b154a594892740181980921
2016-12-28 14:16:54 -05:00
Treehugger Robot
f37948d659 Merge changes I6145bae8,Ia9452b3e
* changes:
  logcat: unit test produces log stutter
  liblog: test failures due to permission issues
2016-12-27 20:45:31 +00:00
Mark Salyzyn
a46326a51c logcat: unit test produces log stutter
logd now counts multiple identical messages, causing messages to be
held back.  Stop doing that in the tests.  When that filter appeared,
the logcat-unit-tests went from 23 seconds to a couple of minutes of
runtime breakign the automated testing.

Test: gTest logcat-unit-tests total time less than 1 minute.
Bug: 33845198
Bug: 33535908
Change-Id: I6145bae89b6d5e5024ef4f8fe66440c9ae53f7c6
2016-12-27 19:13:00 +00:00
Mark Salyzyn
af3503cff4 liblog: test failures due to permission issues
Test: gTest liblog-unit-tests passes
Change-Id: Ia9452b3ee9e6068723e8bef48c4d88d3769951a8
2016-12-27 10:01:42 -08:00
Colin Cross
491c3871a0 Merge "Remove obsolete mentions of LLVM_HOST_BUILD_MK" 2016-12-23 05:41:20 +00:00
Treehugger Robot
69eb60be5d Merge changes Idafeb835,Ie1a9bf85
* changes:
  libcutils: Use strnlen for default property values
  Use clang-format to fix up properties.c
2016-12-22 18:52:19 +00:00
Myles Watson
e67abec514 libcutils: Use strnlen for default property values
Add unit tests to test the corner cases.

Test: unit tests pass before and after the change.
Change-Id: Idafeb8354cd6c7db2a68cd398dafe153453a3940
2016-12-22 09:21:06 -08:00
Myles Watson
22c0962ab9 Use clang-format to fix up properties.c
BasedOnStyle: Google
IndentWidth: 4
ColumnLimit: 100

Test: unit tests pass
Change-Id: Ie1a9bf85c001ef1a2dcdafdc5bf696b9267116f7
2016-12-22 09:20:57 -08:00
Treehugger Robot
1d5965e40f Merge "Ask the user before wiping if crypto policy fails." 2016-12-22 15:52:44 +00:00
David Pursell
c56d63e59d fastboot: update getvar documentation.
The protocol doc states that calling `fastboot getvar` for an unknown
variable should return an empty OKAY message, but in reality modern
devices return a FAIL response in this case (tested with marlin and
shamu).

Additionally, some A/B logic in fastboot expects a FAIL response for
unknown variables in order to function properly.

This CL changes the documentation to match reality.

Bug: http://b/33756193
Test: none
Change-Id: I41f7c80585be73e60ca0ac216787596c4d60a1d5
2016-12-21 15:59:50 -08:00
Jaekyun Seok
86e80b9be0 Use shared lib of libutils, libz and libbase.
libutils, libz and libbase are being used as shared lib by many other
modules.
So using their shared lib will reduce total image size.

Size diffs on angler build image are as follows.

libziparchive.so  : 103844 -> 41680 (-62164)
libnativeloader.so:  50824 -> 25104 (-25720)
total             : (-87884)

Test: building succeeded, and the image was tested on angler.
Bug: 33056637
Change-Id: I015afe5b8f4d87d495b706e2e78d60f44a910e87
2016-12-22 07:03:26 +09:00
Treehugger Robot
3d6d5b101a Merge "liblog: add IF_ALOG_RATELIMIT" 2016-12-21 21:55:32 +00:00
Treehugger Robot
3fa88d8689 Merge "logd: LogBufferElementKey use uint32_t for uid" 2016-12-21 21:40:11 +00:00
Paul Crowley
0b8b2303ac Ask the user before wiping if crypto policy fails.
If crypto policy fails, instruct recovery to prompt the user before
wiping all data.

Test: adb shell rmdir /data/ota && adb shell mkdir -p /data/ota/forcefail && adb reboot
Bug: 28693324
Change-Id: I4d09b35a20c513a76c9ba56fe826114449a9ad68
2016-12-21 13:39:23 -08:00
Mark Salyzyn
fc148f7f33 liblog: add IF_ALOG_RATELIMIT
IF_ALOG_RATELIMIT()
    ALOGE("Only one message globally using IF_ALOG_RATELIMIT()"
          " in the process may appear ever ten seconds,"
          " (%s)", strerror(errno));

static time_t last; /* initial state zero */
IF_ALOG_RATELIMIT_LOCAL(60, &last)
    ALOGE("Only one message locally may appear every minute,"
          " (%s)", strerror(errno));

These new calls are guaranteed not to affect the value of a
non-zero errno to simplify logging of errors.  However, the
ALOGE calls in the above examples may update the errno value
upon their return.

Test: gTest liblog-unit-tests --gtest_filter=liblog.__android_log_ratelimit
Bug: 33535908
Change-Id: Id8cc192fc7d14504ffd418933cf88ae945c089f2
2016-12-21 21:36:14 +00:00
Mark Salyzyn
684bdb576d logd: LogBufferElementKey use uint32_t for uid
Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-test
Change-Id: Icae34b1fa0b3df0a45ad175ec81aaf232f322f38
2016-12-21 12:16:46 -08:00
Christian Poetzsch
3081c5ebfb libziparchive: use _FILE_OFFSET_BITS=64
On 32 bit system those calls may fail if one tries to unpack files which
are bigger than 2GB.

Use large file system support to fix this problem.

Test: unpack a file bigger than 2GB on 32 bit Android systems

Change-Id: Ibd9bd5fc4a2f8dc7df98bd595f4fd1638a4f0d4a
Signed-off-by: Christian Poetzsch <christian.potzsch@imgtec.com>
2016-12-21 12:05:10 +00:00
Treehugger Robot
8a1c4b8530 Merge "Add system/core/Android.bp" 2016-12-20 20:25:09 +00:00
Dan Willemsen
d66e7bb7cf Add system/core/Android.bp
Test: Soong's build.ninja is identical before/after (except GlobRules)
Change-Id: I97c1e4cedad1dfc8622abb6cfed6257971199a96
2016-12-20 10:58:18 -08:00
Treehugger Robot
2ead17196c Merge "logd: trailing spaces in log statistics (part deux)" 2016-12-20 18:16:15 +00:00
Treehugger Robot
1fa079b255 Merge "Revert "logd: trailing spaces in log statistics"" 2016-12-20 18:16:00 +00:00
Treehugger Robot
3080ce2fe4 Merge "modify a minor error in mount_with_alternatives Test: when called with end_idx = null" 2016-12-20 02:08:36 +00:00
Treehugger Robot
27425fd80d Merge "logd: sum liblog tag messages" 2016-12-19 23:43:48 +00:00
Treehugger Robot
9fa0215e15 Merge "logd: correct duplicate message state machine" 2016-12-19 23:43:23 +00:00
Treehugger Robot
d04fa942e5 Merge "logd: add android::sizesTotal() function" 2016-12-19 23:19:11 +00:00
Mark Salyzyn
b545e1c9e3 logd: trailing spaces in log statistics (part deux)
Test: manual
Bug: 30118730
Change-Id: Iafda6f95e1b1377649e01868c81c0056c116e01b
2016-12-19 15:06:42 -08:00
Mark Salyzyn
d966e22680 Revert "logd: trailing spaces in log statistics"
Caused +/- field data to land under the Pruned column

This reverts commit 0adcc3e3e8.

Test: manual
Bug: 30118730
Change-Id: Ic75ce3a90baded19f3efc0cc77474fe5d9a8accd
2016-12-19 15:06:37 -08:00
Mark Salyzyn
1dfb4de436 logd: sum liblog tag messages
As an extension to the duplicate multiple message filtering, special
case liblog tagged event messages to be summed.  This solves the
inefficient and confusing duplicate message report from the DOS attack
detection such as:

liblog: 2
liblog: 2
liblog: 2
liblog: 2
liblog: 3

which would result in:

liblog: 2
chatty: ... expire 2 lines
liblog: 2
liblog: 3

And instead sums them and turns them all into:

liblog: 11

liblog messages should never be subject to chatty conversion.

Test: liblog-benchmarks manually check for coalesced liblog messages
      and make sure they do not turn into chatty messages.
      Instrumented code to capture sum intermediates to be sure.
Bug: 33535908
Change-Id: I3bf03c4bfa36071b578bcd6f62234b409a91184b
2016-12-19 14:03:38 -08:00