Introduce a standalone live-lock daemon (llkd), to catch kernel
or native user space deadlocks and take mitigating actions. Will
also configure [khungtaskd] to fortify the actions.
If a thread is in D or Z state with no forward progress for longer
than ro.llk.timeout_ms, or ro.llk.[D|Z].timeout_ms, kill the process
or parent process respectively. If another scan shows the same
process continues to exist, then have a confirmed live-lock condition
and need to panic. Panic the kernel in a manner to provide the
greatest bugreporting details as to the condition. Add a alarm self
watchdog should llkd ever get locked up that is double the expected
time to flow through the mainloop. Sampling is every
ro.llk_sample_ms.
Default will not monitor init, or [kthreadd] and all that [kthreadd]
spawns. This reduces the effectiveness of llkd by limiting its
coverage. If in the future, if value in covering kthreadd spawned
threads, the requirement will be to code drivers so that they do not
remain in a persistent 'D' state, or that they have mechanisms to
recover the thread should it be killed externally. Then the
blacklists can be adjusted accordingly if these conditions are met.
An accompanying gTest set have been added, and will setup a persistent
D or Z process, with and without forward progress, but not in a
live-lock state because that would require a buggy kernel, or a module
or kernel modification to stimulate.
Android Properties llkd respond to (*_ms parms are in milliseconds):
- ro.config.low_ram default false, if true do not sysrq t (dump
all threads).
- ro.llk.enable default false, allow live-lock daemon to be enabled.
- ro.khungtask.enable default false, allow [khungtaskd] to be enabled.
- ro.llk.mlockall default true, allow mlock'd live-lock daemon.
- ro.khungtask.timeout default 12 minutes.
- ro.llk.timeout_ms default 10 minutes, D or Z maximum timelimit,
double this value and it sets the alarm watchdog for llkd.
- ro.llk.D.timeout_ms default ro.llk.timeout_ms, D maximum timelimit.
- ro.llk.Z.timeout_ms default ro.llk.timeout_ms, Z maximum timelimit.
- ro.llk.check_ms default 2 minutes sampling interval
(ro.llk.timeout_ms / 5) for threads in D or Z state.
- ro.llk.blacklist.process default 0,1,2 (kernel, init and
[kthreadd]), and process names (/comm or /cmdline) init,[kthreadd],
lmkd,lmkd.llkd,llkd,[khungtaskd],watchdogd,[watchdogd],
[watchdogd/0] ...
- ro.llk.blacklist.parent default 0,2 (kernel and [kthreadd]) and
"[kthreadd]". A comma separated lists of process ids, /comm names
or /cmdline names.
- ro.llk.blacklist.uid default <empty>, comma separated list of
uid numbers or names from getpwuid/getpwnam.
Test: llkd_unit_test
Bug: 33808187
Bug: 72838192
Change-Id: I32e8aa78aef10834e093265d0f3ed5b4199807c6
Set F() capability set and 'drop' lmkd from AID_ROOT to AID_LMKD uid
and from AID_ROOT to AID_LMKD and AID_SYSTEM gid.
/dev/memcg/memory.pressure defaults to root.root mode 0000, set it up
as root.system mode 0040 to allow lmkd read access.
Instrument failure to set SCHED_FIFO.
Annotate access points that require elevated capabilities.
Test: check /proc/`pidof lmkd`/status for capability set
Test: lmkd_unit_test
Bug: 77650566
Change-Id: I986081a0434cf6e842b63a55726380205b30a3ea
Multiple LTP tests require a "daemon" or "bin" user. These user ids
have been defined since UNIX incept, and even up to the '80s remained
in many of the tools as hard coded values. Add these two ids with
a cautionary note.
Test: compile
Bug: 31152327
Bug: 31226046
Bug: 32385889
Change-Id: Ida2fb6d817b8ada0624870439fcf848667b31fb3
Filesystems allow the setting of the "resgid" parameter to designate
a GID that is allowed to use the "reserved" disk space (in addition
to UID 0). We'll be granting this GID to critical system processes,
so that the system is usable enough for the user to free up disk
space used by abusive apps.
Test: builds, boots
Bug: 62024591
Change-Id: I2d166f3b730f0a3e7279fb40f12db7413c1dadad
Just the minimial changes to get this to actually build, because otherwise
we always bog down trying to rewrite everything (when the real answer
is usually "stop using libcutils, it's awful").
This doesn't move a handful of files: two are basically just BSD libc
source, a couple have outstanding code reviews, and one can be deleted
(but I'll do that in a separate change).
I'm also skipping the presubmit hooks because otherwise clang-format
wants to reformat everything. I'll follow up with that...
Bug: N/A
Test: builds
Change-Id: I06403f465b67c8e493bad466dd76b1151eed5993
This change adds user namespace-awareness to uevent_kernel_* in
libcutils. Instead of assuming that root is always uid 0, it detects
whether the uid 0 is mapped in the current user namespace and returns
the appropriately mapped uid (or the kernel's "overflowuid" in case it
is not mapped).
In older kernels, or those where user namespaces are not enabled, this
still uses uid 0 for root.
Bug: 62378620
Test: bullhead networking still works
Test: Android in Chrome OS can now receive netlink-related messages
Change-Id: I7ea3454e8f38b9c70c65294d6b2a99e5a88f9d70
The non AID_ things in android_filesystem_config.h are moved
to fs_config.h. For libcutils.vendor and libcutils_headers.vendor,
fs_config.h is not exported.
An empty system/core/include/private/fs_config.h is placed to
appease the dependency from certain modules (logd, etc.)
that includes system/core/include/private/android_filesystem_config.h
directly.
Test: m -j
Test: BOARD_VNDK_VERSION=current m -j
Bug: 63135587
Change-Id: I95dfb874a426941022b100c0ca26a0576b0f4aa3
Merged-In: I95dfb874a426941022b100c0ca26a0576b0f4aa3
The EVS HAL and related software stack will use this id when running
daemons that monitor car state, capture and display video, and interact
with users.
Test: visual inspection
Change-Id: I53404c624933b7f55f1292c041c6c712522ab13b
This CL is in support of another CL c/2048848, topic
'Refactor hid command in /frameworks/base/cmds' in
internal master. Adding the permissions for
shell here to access uhid_node as part of the
new 'uhid' group.
Bug: 34052337
Test: Tested on angler, bluetooth mouse works OK.
Change-Id: If9e100aa1262d689fb8adc5c0ce93f157c96399e
The fallback android_filesystem_capability.h doesn't play nicely with
other kernel headers, since it #undef's __user. If we're building with
bionic (either for device or host), we use the same kernel headers, so
just use those.
Bug: 38056396
Test: build with Host_bionic:true
Change-Id: Idc61b6d96d86891164abe71604924638d67aefe2
We can't reuse the GID range for internal cache files, otherwise
we don't have a way to tease apart the difference when deciding if
it's safe to move apps.
Test: builds, boots
Bug: 37193650
Change-Id: I22c4e575cd557636e74c5c73035adb1d4dcbb7f7
private/fs_config.h is required in order to build an independent
test that requires internal binary knowledge of the
etc/fs_config_(files|dirs) files.
Test: compile
Bug: 36071012
Change-Id: I268bcfdbb6d45b7bf6040cbf307a4e34812f5fef
This reverts commit 82f8bb785e.
Sadly, we'd have to extend CAP_SYS_RESOURCE to a bunch of execution
domains to make this work, which isn't feasible.
Bug: 36450358
Change-Id: Iffe88e45d538c044382eb0d0ac24ff11a10d73c3
Filesystems like ext4 allow the setting of the "resgid" parameter
to designate a GID that is allowed to use the "reserved" disk space
(in addition to UID 0). We'll be granting this GID to critical
system processes, so that the system is usable enough for the user
to free up disk space used by apps.
Test: builds
Bug: 36450358
Change-Id: I224bd1e597130edb411a1528872faff1ada02a89
Bug: 33241851
Test: No changes needed for modules not using VNDK.
For VNDK, enable BOARD_VNDK_VERSION in BoardConfig.mk
and add libcutils to modules that need these headers.
Change-Id: I6102778aab35ed26a5ddde11230502dcd4edc852
