Commit graph

137 commits

Author SHA1 Message Date
Luzanne Batoon
1ebf9cb663 Add restorecon flags for force and data data
Test: m
Bug: 210155681

Change-Id: I9d5b64c48d21e83fb8f03dac261efc530c5f8aa6
2024-05-16 21:35:54 +00:00
Nikita Ioffe
fe7b83faea Move ForkExecveAndWaitForCompletion to util.h
In the follow up patch this function will also be used in
first_stage_init.

Bug: 287593065
Test: m
Change-Id: Id805f8523596c26ed262d89aa652b27184b612c1
2024-03-13 14:44:46 +00:00
Yi-Yo Chiang
da5323e2d6 init: Use libfs_mgr kernel cmdline parser
Bug: 293695109
Test: CtsFsMgrTestCases
Change-Id: Ie2567d84cb80c392ad68aef0c438d8acc03a311e
2023-08-02 17:59:05 +08:00
Yi-Yo Chiang
79ad1e2e9b init: Unify kernel bootconfig parser with libfs_mgr
Right now there are two bootconfig parsers that gets linked into `init`.
One is from libinit itself and the other is from libfs_mgr.

The one in libinit removes all space characters between list elements,
so `key = "val1", "val2"` gets unquoted and squeezed into:
  `key=val1,val2`
The one in libfs_mgr doesn't remove spaces, it only unquotes:
  `key=val1, val2`

The libinit behavior is due to existing systems (such as sysprop)
expect the config value to be in the same format as kernel cmdline.
(aosp/1757971)
THe libfs_mgr behavior is due to the `androidboot.boot_device[s]`
format explicitly allows quoted comma appear in its list value, thus
relies on space, not comma, as the list value delimeter.

This commit merges the two parsers into libfs_mgr. Since all usages in
libfs_mgr besides `boot_device[s]` do not care about how list value are
delimited, and most usages in init expects the bootconfig value format
to be the same format as cmdline. We just special case the
`boot_device` scenario.

Also harden the test cases to cover all the different config value
format and expected result.

Note:
The format of kernel bootconfig is described here
https://docs.kernel.org/admin-guide/bootconfig.html

Bug: 293695109
Test: CtsFsMgrTestCases
Change-Id: I42b9bf626e8de38a60e8e09fac0693126b7efd91
2023-08-02 09:57:37 +00:00
Yi-Yo Chiang
b8c23259b1 init: Unify duplicated get_android_dt_dir with libfs_mgr
init and libfs_mgr both defines get_android_dt_dir() with subtle
differences. Merge the two implementations into libfs_mgr to reduce code
duplication (in terms of source code and code gen)

Note:
init's implementation checks the kernel cmdline first and then the
kernel bootconfig, while libfs_mgr's order is the opposite.
Realistically I don't think this order matter much though. If any, we
should prioritize bootconfig over kernel cmdline most of the time.

Bug: 293695109
Test: Presubmit
Merged-In: Ic8d2c965c62f9e873ccdaf77d67c7708f25a7b56
Change-Id: Ic8d2c965c62f9e873ccdaf77d67c7708f25a7b56
2023-08-01 10:15:05 +00:00
Nikita Ioffe
a66adf45aa init selinux.cpp: use a better way to detect if we run in Microdroid
We are now conditionally compiling init binaries & libinit for
Microdroid (adding -DMICRODROID=1 cflag), so instead of checking for the
presence of the /system/etc/selinux/microdroid_precompiled_sepolicy we
can check if the code is compiled for Microdroid.

In a follow-up changes we can split the sepolicy loading logic into 2
separate headers (one for Android and one for Microdroid) and include
the necessary one depending on the target we compile for.

Bug: 287206497
Test: atest MicrodroidTestApp
Change-Id: Id9c837d03a96ff9564688d33955ec85094eee487
2023-06-26 16:43:16 +01:00
Bart Van Assche
aee2ec8f1e init: Enable ANDROID_BASE_UNIQUE_FD_DISABLE_IMPLICIT_CONVERSION
From the unique_fd.h header file: "unique_fd's operator int is
dangerous, but we have way too much code that depends on it, so make
this opt-in at first."

From the Google C++ style guide: "Do not define implicit conversions."
See also go/cstyle#Implicit_Conversions.

Hence this CL that disables unique_fd::operator int().

Change-Id: I28d94755d5408f63e5819da8d1cbc285057f867f
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2022-12-05 09:40:06 -08:00
Adam Langley
ecc14a5958 init: Add option to listen on sockets before starting service.
Review note: Original change was a p-o-c by agl in
https://r.android.com/2094350 which I think is actually
production quality.  I'm just taking it over so that he doesn't
get spammed by any review comments as that's not a good use
of his time.

Needed for the hardware entropy daemon (see bug).

Original commit message:
If one needs to create a service that synchronously starts listening on
a socket then there are currently no good options.

The traditional UNIX solution is to have the service create the socket
and then daemonise. In this situation, init could start the service with
`exec_start` and yet not block forever because the service forks and
exits. However, when the initial child process exits, init kills the
daemon process:

> init: Killed 1 additional processes from a oneshot process group for
> service 'foo'. This is new behavior, previously child processes
> would not be killed in this case.

Next, there is a `socket` option for services and (although the
documentation didn't nail this down), the socket is created
synchronously by `start`. However, init doesn't call `listen` on the
socket so, until the service starts listening on the socket itself,
clients will get ECONNREFUSED.

This this change adds a `+listen` option, similar to `+passcred` which
allows a socket service to reliably handle connections.

Bug: 243933553
Test: Started prng_seeder from init using the new listen flag
Change-Id: I91b3b2b1fd38cc3d96e19e92b76c8e95788191d5
2022-09-12 15:16:35 +01:00
Deyao Ren
238e909349 Remove and add service and action during apex load and unload
Bug: 232114573
Test: atest CtsInitTestCases ApexTestCases
Change-Id: I1f91ada1d44ac2380e2faf8fc25e0a521cc1a826
2022-08-30 17:31:00 +00:00
Deyao Ren
df40ed1be1 Add apex name to service
Passed apex file name to service. The file name will be parsed
to determine 1) whether the service is from an apex; 2) apex name

Bug: 236090201

Change-Id: I2c292c0c067f4bf44bb25b1f80e4f972b94f7258
2022-07-22 04:00:30 +00:00
Jiyong Park
11d7bc52df init: don't touch mmap_rnd_compat_bits on 64-bit only builds
mmap_rnd_compat_bits is for address space randomization of 32-bit
applications on 64-bit system. Configuring it is not only unnecessary
for 64-bit "only" builds, but also can cause a boot failure if the
kernel is built without CONFIG_COMPAT which is the case for Microdroid.

Use ro.product.abilist32 to determine whether 32-bit applications are
supported and if not, don't configure it, but mmap_rnd_bits.

Bug: 237950549
Test: run Microdroid with the kernel built with aosp/2153639

Change-Id: Ifca6fa02f14ad4c7d8f9b2ab8852494c12945c3a
2022-07-18 14:31:13 +09:00
Eric Biggers
48c05a6d03 init: remove unneeded special cases from FscryptInferAction
All the individual directories being treated specially by
FscryptInferAction() already have an explicit encryption action in the
corresponding mkdir commands.  The explicit action is the source of
truth, so the special cases in FscryptInferAction() are unnecessary.

Also, some of these cases were outdated.  For example, /data/app-staging
was changed from encryption=None to encryption=DeleteIfNecessary at some
point, but FscryptInferAction() was not updated.  This is causing the
warning "Inferred action different from explicit one" to be logged.

Additional "Inferred action different from explicit one" warnings are
logged due to subdirectories of /data/apex being explicitly encrypted.

Change FscryptInferAction() to only do what it needs to do: check
whether the directory is a top-level directory of /data or not.  Remove
the above-mentioned warning which is not useful.

Bug: 232554803
Change-Id: If6611d64107a19d242892c92dfea095577e193e5
2022-05-16 19:06:22 +00:00
Eric Biggers
6cb5a36f4c init: fix mkdir to reliably detect top-level /data directories
To determine the default encryption action, the mkdir command checks
whether the given path is a top-level directory of /data.  However, it
assumed a path without any duplicate slashes or trailing slash(es).

While everyone *should* be providing paths without unnecessary slashes,
it is not guaranteed, as paths with unnecessary slashes still work
correctly for all other parts of the mkdir command, including the
SELinux label lookup and the actual directory creation.  In particular,
the /data/fonts directory is being created using 'mkdir /data/fonts/'.

The effect is that the mkdir command thinks that /data/fonts/ is *not* a
top-level directory of /data, so it defaults to no encryption action.
Fortunately, the full command happens to use "encryption=Require", so we
dodged a bullet there, though the warning "Inferred action different
from explicit one" is still triggered.

There are a few approaches we could take here, including even just
fixing the /data/fonts/ command specifically, but I think the best
solution is to have mkdir clean its path at the very beginning.  This
retains the Linux path semantics that people expect, while avoiding
surprises in path processing afterwards.  This CL implements that.

Note, this CL intentionally changes the behavior of, and thus would
break, any existing cases where mkdir is used to create a top-level
/data directory using a path with unnecessary slashes and without using
an explicit encryption action.  There are no known cases where this
already occurs, however.  No cases exist in platform code, and vendor
init scripts shouldn't be creating top-level /data directories anyway.

Test: atest CtsInitTestCases
Test: Booted and verified that a trailing slash is no longer present in
      the log message "Verified that /data/fonts/ has the encryption
      policy ...".  Also verified that the message "Inferred action
      different ..." is no longer present just above it.
Bug: 232554803
Change-Id: Ie55c3ac1a2b1cf50632d54a1e565cb98c17b2a6a
2022-05-13 19:29:00 +00:00
Eric Biggers
ef9275223c Move creation of /data/user/0 and /data/media/obb to vold
To prevent bugs, directory creation and encryption should happen
together.  /data/user/0 (and its "alias" /data/data) is a per-user
encrypted directory; such directories can only be encrypted by vold.
Therefore, move its creation to vold as well.

Besides closing the uncomfortably-large gap between the creation and
encryption of /data/user/0, this allows removing init's write access to
/data/user and similar directories (SELinux type system_userdir_file) to
prevent any such issues from being reintroduced in the future.

To also allow removing init's write access to /data/media (SELinux type
media_userdir_file), which also contains per-user encrypted directories,
also move the creation and encryption of /data/media/obb to vold.

Bug: 156305599
BYPASS_INCLUSIVE_LANGUAGE_REASON=Linux API ("slave" mount flag)
Change-Id: I7245251eeb56b345b6c7711482c0aa5848648edb
2022-05-11 21:50:35 +00:00
Jiyong Park
3b3d87de79 Don't create vendor_init in microdroid
vendor_init is a subcontext of init which is responsible for handling
the vendor-defined services and vendor-defined actions. This is mainly
to enforce the Treble architecture in which the vendor components are
provided with a less-privileged context than the system components
because they are less-trusted.

However, in case of microdroid, both the system and the vendor
partitions are from the same entity. As VMs don't have direct access to
any of the underlying hardware, the vendor partition is targeting the
virtual platform, not the real hw platform. There really is no need for
the discrimination.

This CL disables the creation of the vendor_init subcontext when init
runs in microdroid.

Bug: 201363575
Test: atest MicrodroidHostTestCases
Change-Id: Ie5e47d84e9e245565239b4f2159e8182b457699d
2021-09-29 21:35:08 +09:00
Devin Moore
6d5445b9f4 init: remove extra space in list of bootconfig values
If a bootconfig argument has a list of values, it has a space between
them in /proc/bootconfig.

Example:
BOARD_BOOTCONFIG := parameter=value1,value2,value3

In /proc/bootconfig, it looks like:
parameter = "value1", "value2", "value3"

Before this CL, that example would end up with the value string of:
"value1, value2, value3"

To keep consistent behavior with kernel cmdline the value string should be:
"value1,value2,value3"

Test: Boot cuttlefish with test bootconfig params and verify ro.boot.*
Bug: 192257482
Change-Id: Iccdec451f53330162fa2c9ad2b7c2630f32b4168
2021-07-08 01:52:46 +00:00
Alistair Delva
3bb240bd4c Allow android_dt_dir to be set by bootconfig
The androidboot.android_dt_dir property is special, because it is loaded
to find out where to get the other DT properties from, and those DT
properties are supposed to override the cmdline/bootconfig ones. So, it
need special casing, and that special case lacked bootconfig support.

Bug: 173815685
Test: launch_cvd -extra_kernel_cmdline androidboot.android_dt_dir=/tmp
[..]
init: Using Android DT directory /tmp
[..]
Change-Id: Ie0958dd0a96394d65f6568653b754ea6f885212e
2021-03-09 19:14:17 +00:00
Kiyoung Kim
0cbee0de2a Check if service is executed before APEX is ready
Any service which is executed when Runtime apex is mounted, but
linkerconfig is not updated can fail to be executed due to missing
information in ld.config.txt. This change updates init to have a status
variable which contains if current mount namespace is default
and APEX is not ready from ld.config.txt, and use bootstrap namespace if
it is not ready.

Bug: 181348374
Test: cuttlefish boot succeeded
Change-Id: Ia574b1fad2110d4e68586680dacbe6137186546e
2021-03-05 16:42:20 +09:00
Devin Moore
a4ef15bebb Support bootconfig in first stage init and fs_mgr
Androidboot parameters are being moved from the kernel commandline to
bootconfig.
fs_mgr looks for these parameters in properties and falls back to
reading directly from /proc/cmdline. So both of these sources are
updated for bootconfig.
The androidboot parameters from /proc/bootconfig
are added as ro.boot properties, and fs_mgr will fall back to searching
/proc/bootconfig if it is too early.

Test: boot cuttlefish with androidboot.fstab_suffix and
androidboot.hardware in bootconfig and not in cmdline.
Test: atest CtsFsMgrTestCases
Bug: 173815685

Change-Id: Iea36a0da94c26e1aa37d97c576725e0ad77cd3ad
2021-02-23 07:42:06 -08:00
Tom Cherry
959ea63b30 init: remove DumpShutdownDebugInformation()
This hasn't helped investigating the issue, and the issue itself isn't
a problem anymore, so we remove these logs.

Bug: 155203339
Test: reboot
Change-Id: I20e51d8fcad5572906a8d556bec8a8dee4522834
2020-12-10 07:34:29 -08:00
Alistair Delva
de28a8651f Respect ro.boot.fstab_suffix in swapon_all
While mount_all and umount_all were updated to use ro.boot.fstab_suffix,
I neglected to update swapon_all. Trivially copied from umount_all.

Bug: 142424832
Change-Id: Icd706fe7a1fe16c687cd2811b0a3158d7d2e224e
Merged-In: Icd706fe7a1fe16c687cd2811b0a3158d7d2e224e
2020-06-08 23:41:40 +00:00
Alistair Delva
a2cc1ebb72 Add ro.boot.fstab_suffix and modify mount_all to use it
Currently the ReadDefaultFstab function, which calls GetFstabPath,
makes some assumptions about what the fstab will be called and where
it is located. This is being used by vold to set up userdata encryption
and for gsid, and is even used in the default boot control HAL, so it
has become quite baked.

The original way for a board to specify things to mount was to use the
"mount_all /path/to/fstab" command in init.rc. However, due to the
above functionality, the path after mount_all is no longer very useful,
as it cannot differ from the inferred path, or userdata encryption and
other features will be broken.

On Cuttlefish, we have an interest in being able to test alternative
userdata configurations (ext4 vs f2fs, encryption on/off, etc.) and
currently the only way to achieve this is to either a) modify the
ro.hardware or ro.hardware.platform properties, which breaks a bunch
of things like default HAL filenames, or regenerate our odm.img or
vendor.img filesystems. We can't simply install another fstab and
point to it with "mount_all".

This change allows the fstab path to be omitted from "mount_all", and
adds another property which overrides the existing checks for
fstab.${ro.hardware} and fstab.${ro.hardware.platform}. Specifying
${ro.boot.fstab_suffix} will cause fstab.${ro.boot.fstab_suffix}
to be checked first.

Bug: 142424832
Test: booted cuttlefish with 'mount_all ${ro.hardware} --late'
Test: booted cuttlefish with 'mount_all --late'
Test: booted cuttlefish with 'mount_all --late' and fstab_suffix=f2fs
Test: partially booted cuttlefish with 'mount_all ${ro.hardware}'
Test: partially booted cuttlefish with 'mount_all'
Change-Id: I3e10f66aecfcd48bdb9ebf1d304b7aae745cbd3c
2020-05-21 16:38:40 -07:00
Tom Cherry
1c84135144 init: add even more debugging information for reboot
There are devices stuck waiting for vendor_init to finish a command,
without giving much more information.  Instead of setting aside the
last run command, it's more valuable to store and dump the last 30
logs seen.

Bug: 155203339
Test: these logs appear during hung reboots
Test: normal reboots have no difference.
Change-Id: I99cae248eb81eaf34ef66b910fa653a9fa135f68
2020-04-29 09:01:53 -07:00
Tom Cherry
a2f9136b2c Refactor libinit_test_utils to not use libinit and expose its libraries
Users of libinit_test_utils must include all libraries that it uses.
If it uses libinit, then there is a large number of libraries that
must be included.  To avoid this, make libinit_test_utils only use
init_common_sources and the small number of required libraries that go
along with those sources.  Additionally, expose these sources as a
default for users of libinit_test_utils.

Test: build
Change-Id: I224fa7e0590d073e4cd40412b5dcb6f72a64b6bf
2020-02-20 11:31:35 -08:00
Bernie Innocenti
cecebbbacc Convert system/core to Result::ok()
No functionality changes, this is a mechanical cleanup.

Test: m
Test: cd system/core && atest
Change-Id: Ifdaa3ce1947ed578f656d5a446978726eb416c36
2020-02-06 17:04:27 +00:00
Tom Cherry
c88d8f93cf init: Replace property_set() with android::base::SetProperty()
Init is no longer a special case and talks to property service just
like every other client, therefore move it away from property_set()
and to android::base::SetProperty().

In doing so, this change moves the initial property set up from the
kernel command line and property files directly into PropertyInit().
This makes the responsibilities between init and property services
more clear.

Test: boot, unit test cases
Change-Id: I36b8c83e845d887f1b203355c2391ec123c3d05f
2019-12-04 15:43:21 -08:00
Tom Cherry
18278d2e9c init: make triggering shutdown from vendor_init better
Previously, we assumed that TriggerShutdown() should never be called
from vendor_init and used property service as a back up in case it
ever did.  We have since then found out that vendor_init may indeed
call TriggerShutdown() and we want to make it just as strict as it is
in init, wherein it will immediately start the shutdown sequence
without executing any further commands.

Test: init unit tests, trigger shuttdown from init and vendor_init
Change-Id: I1f44dae801a28269eb8127879a8b7d6adff6f353
2019-11-13 12:41:34 -08:00
Paul Crowley
68258e8444 Make encryption action an argument to mkdir
FscryptSetDirectoryPolicy no longer tries to infer the action from the
filename. Well mostly; it still assumes top-level directories in /data
should be encrypted unless the mkdir arguments say otherwise, but
it warns.

Bug: 26641735
Test: boot, check log messages
Change-Id: Id6d2cea7fb856f17323897d85cf6190c981b443c
2019-11-05 16:26:43 -08:00
Elliott Hughes
636ebc9b3b init: actually report which signal is causing the reboot.
It wasn't clear to me why init was rebooting until I saw that it was
SIGABRT, which then made me read through earlier log spam to work out
what was actually unhappy (the SELinux compiler, in my case).

Test: worked out why init was rebooting my device
Change-Id: I605d8956213c4c23711073fd4b0ff99562b7f351
2019-10-07 18:16:23 -07:00
Tom Cherry
4772f1da47 init: check the arguments of builtins during the build
Host init verifier already checks that the names and number of
arguments for builtins are correct, but it can check more.  This
change ensures that property expansions are well formed, and that
arguments that can be parsed on the host are correct.  For example it
checks that UIDs and GIDs exist, that numerical values can be parsed,
and that rlimit strings are correct.

Test: build

Change-Id: Ied8882498a88a9f8324db6b8d1020aeeccc8177b
2019-08-01 10:54:47 -07:00
Tom Cherry
c5cf85db23 init: don't log in expand_props directly
It's better to pass the error message to the caller to determine how
best to print the error.

Test: build
Change-Id: Id8857c459df2f26c031650166609608d20e4d051
2019-08-01 10:34:58 -07:00
Tom Cherry
2e4c85f157 init: clean up file / socket descriptor creation
clang-tidy hinted that some of this code wasn't right.  Looking
deeper, there is really not much related to file and socket
descriptors, except that they're published in similar ways to the
environment.  All of the abstraction into a 'Descriptor' class takes
us further away from specifying what we really mean.

This removes that abstraction, adds stricter checks and better errors
for parsing init scripts, reports sockets and files that are unable to
be acquired before exec, and updates the README.md for the passcred
option.

Test: build, logd (uses files and sockets) works
Change-Id: I59e611e95c85bdbefa779ef69b32b9dd4ee203e2
2019-07-15 12:17:30 -07:00
Tom Cherry
247ffbf314 Fix a few clang-tidy issues and add NOLINT for others
android-base:
* Add NOLINT for expanding namespace std for std::string* ostream
  overload

libdm:
* Fix missing parentesis around macro parameters

init:
* Fix missing CLOEXEC usage and add NOLINT for the intended
  usages.
* Fix missing parentesis around macro parameters
* Fix erase() / remove_if() idiom
* Correctly specific unsigned char when intended
* 'namespace flags' should be signed, since 'flags' it signed for
  clone()
* Add clear to property restore vector<string> to empty after move
* Explicit comparison against 0 for strcmp

Test: build
Change-Id: I8c31dafda2c43ebc5aa50124cbbd6e23ed2c4101
2019-07-09 16:17:36 +00:00
Tom Cherry
172c83f972 init: remove last init.cpp global
By moving it into builtins.cpp..., but that's less bad than it is
now, especially since this is defunct in code targeting Q+.  Remove
the guards that init.h isn't being included by other files too as it's
not useful anymore.

Test: build
Change-Id: Ic564fcff9e8716ec924098b07a8c9d94ca25f960
2019-06-26 14:46:58 -07:00
Tom Cherry
bbcbc2ffb3 init: replace Result<Success> with Result<void>
Now that Result<T> is actually expected<T, ...>, and the expected
proposal states expected<void, ...> as the way to indicate an expected
object that returns either successfully with no object or an error,
let's move init's Result<Success> to the preferred Result<void>.

Bug: 132145659
Test: boot, init unit tests
Change-Id: Ib2f98396d8e6e274f95a496fcdfd8341f77585ee
2019-06-10 12:39:18 -07:00
Vic Yang
92c236e41b init: Refactor selinux.h/cpp
This change factors out functions that handle selabels from
selinux.h/cpp into selabel.h/cpp.  This allows util.cpp to be used by
the upcoming native zygote without a bunch of define flags that are
required for selinux.cpp.

Bug: 133443795
Test: Build and boot cuttlefish.
Change-Id: Ie238a96c6407c6698a605dd8803c1727abfaae7b
2019-05-29 15:09:39 -07:00
Tom Cherry
75e13baf32 init: make fatal reboot target configurable
Currently, if init encounters a fatal issues it reboots to fastboot
but this may be not desirable in all cases, especially the case of
critical services crashing.  Therefore this change adds the ability
for vendors to customize the reboot target via the
androidboot.init_fatal_reboot_target= kernel command line.

This applies to all LOG(FATAL) messages as well as fatal signals in
userdebug/eng builds, except for signals before logging is enabled in
first stage init.

Bug: 121006328
Test: device reboots to configurable target with LOG(FATAL)
Test: device reboots to configurable target after a segfault in the
      various stages of init
Test: device reboots to fastboot without a configured target
Change-Id: I16ea9e32e2fee08dece3d33b697d7a08191d607b
2019-05-29 09:14:17 -07:00
Tom Cherry
59656fb377 init: dump stack when aborting
Dump init stacks when aborting either due to LOG(FATAL) or in
userdebug/eng builds due to signals, including signals from
sanitizers.

Doesn't work for static first stage init yet, b/133450393 tracks
that.

Also, ensure that LOG(FATAL) in child processes calls abort() in all
stages of init, not just 2nd stage init.

Bug: 131747478
Test: abort init in various ways and see stacks
Test: hang or crash in backtrace handler and see child reboot
Change-Id: Ib53b5d3e7e814244203f875de016ada9900dfce8
2019-05-29 08:58:29 -07:00
Jiyong Park
6866041ff0 Proper mount namespace configuration for bionic
This CL fixes the design problem of the previous mechanism for providing
the bootstrap bionic and the runtime bionic to the same path.

Previously, bootstrap bionic was self-bind-mounted; i.e.
/system/bin/libc.so is bind-mounted to itself. And the runtime bionic
was bind-mounted on top of the bootstrap bionic. This has not only caused
problems like `adb sync` not working(b/122737045), but also is quite
difficult to understand due to the double-and-self mounting.

This is the new design:

Most importantly, these four are all distinct:
1) bootstrap bionic (/system/lib/bootstrap/libc.so)
2) runtime bionic (/apex/com.android.runtime/lib/bionic/libc.so)
3) mount point for 1) and 2) (/bionic/lib/libc.so)
4) symlink for 3) (/system/lib/libc.so -> /bionic/lib/libc.so)

Inside the mount namespace of the pre-apexd processes, 1) is
bind-mounted to 3). Likewise, inside the mount namespace of the
post-apexd processes, 2) is bind-mounted to 3). In other words, there is
no self-mount, and no double-mount.

Another change is that mount points are under /bionic and the legacy
paths become symlinks to the mount points. This is to make sure that
there is no bind mounts under /system, which is breaking some apps.

Finally, code for creating mount namespaces, mounting bionic, etc are
refactored to mount_namespace.cpp

Bug: 120266448
Bug: 123275379
Test: m, device boots, adb sync/push/pull works,
especially with following paths:
/bionic/lib64/libc.so
/bionic/bin/linker64
/system/lib64/bootstrap/libc.so
/system/bin/bootstrap/linker64
Change-Id: Icdfbdcc1efca540ac854d4df79e07ee61fca559f
2019-01-30 19:18:22 +09:00
Tom Cherry
d6c2feb9fa init: delete code that sets ro.recovery_id
It looks like this code is dead currently.  From history, this was
meant to be used as a way to check that the recovery image is what was
expected during runtime, but that effort never completed, and we have
full verification of the recovery image when booting into recovery
anyway.

The code is functionally dead as is too, since /recovery doesn't
actually exist in any fstab, since recovery is either mounted as a
ramdisk during recovery or not mounted during normal boot.

Test: boot
Change-Id: I48cd324ef0d5a163db2df2648f6042174b83f10e
2019-01-29 21:17:53 +00:00
Tom Cherry
48e83e629f init: move InitKernelLogging() to first stage init
The kernel opens /dev/console and uses that fd for stdin/stdout/stderr
if there is a serial console enabled and no initramfs, otherwise it
does not provide any fds for stdin/stdout/stderr.  InitKernelLogging()
is used to close these existing fds if they exist and replace them
with /dev/null.

Currently, InitKernelLogging() is only called in second stage init,
which means that processes exec'ed from first stage init will inherit
the kernel provided fds if any are provided.

In the case that they are provided, the exec of second stage init
causes an SELinux denial as it does not have access to /dev/console.
In the case that they are not provided, exec of any further process is
potentially dangerous as the first fd's opened by that process will
take the stdin/stdout/stderr fileno's, which can cause issues if
printf(), etc is then used by that process.

Lastly, simply moving InitKernelLogging() to first stage init is not
enough, since first stage init still runs in kernel context and future
child processes will not have permissions to access kernel context
resources.  Therefore, it must be done for a second time in second
stage init.

Bug: 117281017
Test: no audits when booting marlin.
Change-Id: If27edab5c32b27765e24c32fbed506ef625889de
2018-10-05 10:36:38 -07:00
Tom Cherry
40acb379cd Move watchdogd out of init
We're moving past a world where static executables are needed,
including watchdogd, so treat this like any other executable and place
it in /system/bin.

Bug: 73660730
Test: watchdogd still runs
Change-Id: I1f7508fd55dce6e9ee72a6ab7a085011a76c0053
2018-08-02 12:25:58 -07:00
Tom Cherry
f02506938e init: removed unused includes
Test: build
Change-Id: Ie3020491f67f6930acebe6397be6997b59477b96
2018-07-20 22:48:51 +00:00
Elliott Hughes
dc80312628 libbase: add host properties support.
Move init and libprocessgroup away from their existing hacks.

Bug: N/A
Test: ran tests
Change-Id: Ifabdd38e0cc4ab2582f1ea59d32159d386f48eb6
2018-05-24 18:04:31 -07:00
Tom Cherry
de6bd50d42 init: add host side parser for init
Create a host side parser for init such that init rc files can be
verified for syntax correctness before being used on the device.

Bug: 36970783
Test: run the parser on init files on host

Change-Id: I7e8772e278ebaff727057308596ebacf28b6fdda
2018-02-28 10:45:45 -08:00
Joel Galenson
4b591f1851 Run restorecon after init creates a symlink or writes to a file.
Init currently sets the SELinux context on a mkdir but not on
other operations.  This patch modifies it to do so when creating
symlinks, writing to a file, or copying a file.

Test: Built, flashed, and booted.  Added fake init entries and
verified that they received the proper SELinux context.

Change-Id: I836b570fef81d74f3b6c8e7ce0274e94ca7b12d3
2017-11-29 15:29:49 -08:00
Wei Wang
4cea121872 init: add log to time spent in waiting for file
Bug: 64925999
Test: boot and take log
Change-Id: I7d37906708b5a4a195fb1ba1113641656d419e62
2017-08-22 14:09:11 -07:00
Tom Cherry
d8db7ab80d init: replace panic() with LOG(FATAL)
Test: boot bullhead
Test: Introduce LOG(FATAL) at various points of init and ensure that
      it reboots to the bootloader successfully
Test: Introduce LOG(FATAL) during DoReboot() and ensure that it reboots
      instead of recursing infinitely
Test: Ensure that fatal signals reboot to bootloader

Change-Id: I409005b6fab379df2d635e3e33d2df48a1a97df3
2017-08-17 18:16:51 -07:00
Tom Cherry
11a3aeeae3 init: introduce Result<T> for return values and error handling
init tries to propagate error information up to build context before
logging errors.  This is a good thing, however too often init has the
overly verbose paradigm for error handling, below:

bool CalculateResult(const T& input, U* output, std::string* err)

bool CalculateAndUseResult(const T& input, std::string* err) {
  U output;
  std::string calculate_result_err;
  if (!CalculateResult(input, &output, &calculate_result_err)) {
    *err = "CalculateResult " + input + " failed: " +
      calculate_result_err;
      return false;
  }
  UseResult(output);
  return true;
}

Even more common are functions that return only true/false but also
require passing a std::string* err in order to see the error message.

This change introduces a Result<T> that is use to either hold a
successful return value of type T or to hold an error message as a
std::string.  If the functional only returns success or a failure with
an error message, Result<Success> may be used.  The classes Error and
ErrnoError are used to indicate a failed Result<T>.

A successful Result<T> is constructed implicitly from any type that
can be implicitly converted to T or from the constructor arguments for
T.  This allows you to return a type T directly from a function that
returns Result<T>.

Error and ErrnoError are used to construct a Result<T> has
failed. Each of these classes take an ostream as an input and are
implicitly cast to a Result<T> containing that failure.  ErrnoError()
additionally appends ": " + strerror(errno) to the end of  the failure
string to aid in interacting with C APIs.

The end result is that the above code snippet is turned into the much
clearer example below:

Result<U> CalculateResult(const T& input);

Result<Success> CalculateAndUseResult(const T& input) {
  auto output = CalculateResult(input);
  if (!output) {
    return Error() << "CalculateResult " << input << " failed: "
                   << output.error();
  }
  UseResult(*output);
  return Success();
}

This change also makes this conversion for some of the util.cpp
functions that used the old paradigm.

Test: boot bullhead, init unit tests
Merged-In: I1e7d3a8820a79362245041251057fbeed2f7979b
Change-Id: I1e7d3a8820a79362245041251057fbeed2f7979b
2017-08-14 14:07:30 -07:00
Tom Cherry
0c8d6d2730 init: split security functions out of init.cpp
This change splits out the selinux initialization and supporting
functionality into selinux.cpp and splits the security related
initialization of the rng, etc to security.cpp.  It also provides
additional documentation for SEPolicy loading as this has been
requested by some teams.

It additionally cleans up sehandle and sehandle_prop.  The former is
static within selinux.cpp and new wrapper functions are created around
selabel_lookup*() to better serve the users.  The latter is moved to
property_service.cpp as it is isolated to that file for its usage.

Test: boot bullhead
Merged-In: Idc95d493cebc681fbe686b5160502f36af149f60
Change-Id: Idc95d493cebc681fbe686b5160502f36af149f60
2017-08-14 09:40:01 -07:00