ueventd may be asked to handle firmware during the time critical
coldboot process. If we double fork to avoid needing to reap the
firmware handler, then we may add significant delay to this process,
as the first child may not get scheduled quickly enough for waitpid()
to complete without delay.
Bug: 63081260
Test: boot bullhead and sailfish, check that firmwares are loaded,
no zombie ueventd processes remain, and no new errors are shown
Change-Id: I2bac3b1fbc3a58557a00326e491c104656db27ae
- "shutdown critical" prevents killing the service during
shutdown. And the service will be started if not running.
- Without it, services will be killed by SIGTERM / SIGKILL during shutdown.
- Even services with "shutdown critical" will be killed if shutdown
times out.
- Removes ueventd and vold from hard coded list. Each service's rc will
be updated to add "shutdown critical". watchdogd is still kept in the list.
bug: 37626581
Test: reboot and check last kmsg
Change-Id: Ie8cc699d1efbc59b9a2561bdd40fec64aed5a4bb
We have been seeing panics and errors during shutdown sequence in
some vendor's platform, and it is required to disable error handling
during shutdown.
This CL separates the shutdown request to execute another "shutdown"
trigger at the beginning of shutdown stage. And vendor can use this
trigger to add custom commands needed for shutting down gracefully.
Bug: 38203024
Bug: 62084631
Test: device reboot/shutdown
Change-Id: I3fac4ed59f06667d86e477ee55ed391cf113717f
It's not a error case if we do not find a device that we're attempting
to regenerate uevents for during first stage mount, but it is likely
to increase boot time, so we log a message to attribute this delay.
Bug: 63327193
Test: Boot bullhead, sailfish
Change-Id: I97c2e5aefd218bbdd87717ff3c375381f725de08
When Android is running in a container, some of the securebits might be
locked, which makes prctl(PR_SET_SECUREBITS) fail.
This change gets the previous state of the process' securebits and adds
the desired bits.
Bug: 62388055
Test: aosp_bullhead-eng boots
Test: If init has non-zero securebits, it can also boot
Change-Id: Ie03bf2538f9dca40955bc58314d269246f5731bd
When init gets SIGCHLD, it uses waitpid() to get the pid of an exited
process. It then calls kill(-pid, ...) to ensure that all processes
in the process group started by that process are killed as well.
There is a bug here however as waitpid() reaps the pid when it
returns, meaning that the call to kill(-pid, ...) may fail with ESRCH
as there are no remaining references to that pid. Or worse, if the
pid is reused, the wrong processes may get the signal.
This fixes the bug by using waitid() with WNOWAIT to get the pid of an
exited process, which does not reap the pid. It then uses waitpid()
with the returned pid to do the reap only after the above kill(-pid,
...) and other operations have completed.
Bug: 38164998
Test: kill surfaceflinger and see that processes exit and are reaped
appropriately
Test: `adb reboot` and observe that the extraneous kill() failed
messages do not appear
Change-Id: Ic0213e1c97e0141e6c13129dc2abbfed86de138b
This change homogenizes the use of std::unique_ptr for storing
capabilities in system/core/.
Bug: None
Test: m
Change-Id: I0a95f87a27b0261e9d321841d5140fc000473293
This change makes it possible for Android running in a container to
terminate cleanly instead of calling abort() when requested to shut
down.
Bug: 62388055
Test: `adb reboot` on bullhead causes no kernel panics
Test: `adb reboot` on a system without CAP_SYS_BOOT makes init terminate
nicely
Change-Id: I36b2298610f5b4a2bf8b05103d04804883df2c88
This change makes it possible for Android running in a container to
terminate cleanly instead of calling abort() when requested to shut
down.
Bug: 62388055
Test: setprop sys.powerctl reboot makes init terminate nicely
Change-Id: I31c7b475d89d7cbd665e135d9b8951dfd4bca80d
While refactoring ueventd, I was looking for code the character device
symlinks (/dev/usb/*) that ueventd creates, such that I could test it
on a real device. I found none in our tree, and history showing Xoom,
which was last supported years ago, was the last user. If this code
is in fact obsolete, let's remove it.
Test: boot bullhead
Test: init unit tests
Change-Id: I601f7165eb06d36b31b6dcf69ee9e0a449d81a96
The generic system.img released from project Treble can't contain any verity
metadata (e.g., vboot 1.0, AVB, or any other implementation) because it's
*generic*. To make any device can boot with it, `avbctl disable-verification`
is introduced to set a new flag AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED
in the top-level vbmeta to disable the entire AVB verification process. This
should be done prior to flash the generic system.img. See the following link
for details:
https://android-review.googlesource.com/#/c/418399/
This CL checks whether AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED is
set in the top-level vbmeta. When set, skip verifying the vbmeta structs
against androidboot.vbmeta.{hash_alg, size, digest} because it will be
absent in kernel cmdline. Also, only top-level vbmeta struct is read then
returned by libavb in this case.
Note that another flag AVB_VBMETA_IMAGE_FLAGS_HASHTREE_DISABLED, usually
set by `adb disable-verity`, is used to signal fs_mgr to skip setting up
dm-verity, but libavb still verifies all vbmeta structs. fs_mgr will
also verify all vbmeta structs against androidboot.vbmeta.{hash_alg,
size, digest} from kernel cmdline as well.
Also rename SetUpAvb() to SetUpAvbHashtree() to better fit its usage.
This function will return kDisabled when any of the above two flags is set.
Finally, regardless of which flag is set or not set, we still only allow two
return values from avb_slot_verify():
- AVB_SLOT_VERIFY_RESULT_OK: it's still possible to get this value
when any of these flags are set in build time. e.g.,
BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS=--flags 2
- AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION: in most cases we should
get this value, because the flags are likely set at run time.
Bug: 62523303
Test: boot device with 'avbctl disable-verification'.
Test: boot device with 'avbctl enable-verification'.
Test: boot device with 'adb disable-verity'.
Test: boot device with 'adb enable-verity'.
Test: build image with BOARD_AVB_MAKE_VBMETA_IMAGE_ARGS=--flags 2, then boot device.
repeat the above steps to boot device again.
Change-Id: Ie8436f3e0e82c78490208f3b85eac5238a9fdfdb
1) property_set() takes const std::string& for both of its arguments,
so stop using .c_str() with its parameters
2) Simplify a few places where StringPrintf() is used to concatenate strings
3) Use std::to_string() instead of StringPrintf() where it's better suited
Test: Boot bullhead
Test: init unit tests
Change-Id: I68ebda0e469f6230c8f9ad3c8d5f9444e0c4fdfd
In case of non-secure builds (eng variant) fs_mgr_setup_verity() skips
verity checks regardless of fstab options. This is slightly different
than 'adb disable-verity' where it would first read the verity metadata
to check if verity is disabled.
So, this change adds a new return value of FS_MGR_SETUP_VERITY_SKIPPED
instead of piggy backing on the FS_MGR_SETUP_VERITY_DISABLED.
Bug: 62864413
Test: Boot sailfish
Change-Id: I42bf2bdce0ecb18b4c3b568e2bc96bf1590dfb35
Signed-off-by: Sandeep Patil <sspatil@google.com>
First stage mount in init currently attempts to regenerate uevents for
specific devices to create the corresponding dev nodes. However, this
is racy as first stage mount happens early in the boot process and
it's possible that some of these devices have not yet been created by
the kernel.
To fix this issue, init will poll on the uevent socket for up to 10
seconds waiting for the kernel to create the required device. It will
return false and panic if this 10 second timeout passes.
Note that the same uevent socket is used in the uevent regeneration
and the polling code, so there is no race if the device is created
after the uevent regeneration and before polling starts; the first
poll will pick up the device.
Bug: 62681642
Bug: 62682821
Test: Boot bullhead
Test: Boot sailfish
Test: Boot hikey + hotplug/unplug sdcard
Change-Id: I4a6ff043eb7115b729ca4954ebc6c9e000132993
