NOTE: in master, but should be submitted in AOSP.
Waiting to hear from security folks. Also might
need cleanup.
Not currently done. Seems errorprone.
Bug: 276813155
Test: boot, check logs
Change-Id: I7cbc39b282889dd582f06a8eedc38ae637c8edec
Set the user explicitly.
For boringssl self-test, changed to 'nobody' since
this test doesn't require permissions.
Bug: 276813155
Test: boot, check can 'nobody' can still write to kmesg.
Change-Id: I32f7134e83183bd054bffbb22d412d7a2dc0ad09
This test requires root to run. Skip if not root.
Bug: 270052268
Test: CtsInitTestCases init#StartConsole
Change-Id: I8b54acf97cda4bc2cfa15d0e34c678ec2b13f83e
libselinux log messages usually end with a new line character. Android
log system does not require the new line character and will include the
character as-is in the log buffer.
This trimming was already implemented when the message is typed as
SELINUX_AVC (see SelinuxAvcLog). Move the truncation one level up so it
is occurring for all types of logs.
Test: boot & adb logcat & inspect SELinux logs
Change-Id: I360359c1b178ef24d555dd41f8d4a18b293a175c
Bazel's intermediates/inputs are symlinks in its execution root, unlike Soong.
e.g.
$ file $(readlink -f out/bazel/output/execroot/__main__/packages/modules/adb/apex/adbd.rc)
/usr/local/google/home/jingwen/aosp/master-with-phones/packages/modules/adb/apex/adbd.rc:
ASCII text
Test: presubmits
Change-Id: I3977a37ee989e07bee56abb019a21055b8cef567
Don't continue with a specific run if a service
is already dead.
Bug: 272618190
Test: init_kill_services_test
Change-Id: I1b1c0b4e87fd7a5200bd6e6e6af2eb9686d7367d
No longer installed on device, so we need to include
it as a static lib. This library was actually specified
as a dependency on vts_ibase_test in two places, so this
is the second CL doing the same thing but in another
project.
Fixes: 270497432
Test: readelf -d $ANDROID_BUILD_TOP/out/target/product/vsoc_x86_64/data/nativetest/vts_ibase_test/vts_ibase_test
no longer shows libhidl-gen-utils
Change-Id: Icf427085e3978906e82231c8faacb7bdbcbf4569
After introducing ro.boot.serialconsole=0, the console will no longer be
spawned, but a step was missed to disable the service to prevent
respawns.
Bug: 266982931
Bug: 223797063
Bug: 267428635
Change-Id: I12b159eaa1999781aec31c05ce431b55e2ba4017
Let the CheckShutdown() method clear the do_shutdown_ member instead of
clearing that member separately from calling CheckShutdown().
Bug: 266255006
Change-Id: Ifc1cff2be92a45db7f91be2fdb812930d2fd1ad5
Signed-off-by: Bart Van Assche <bvanassche@google.com>
The DebugRebootLogging() function was introduced to help with
root-causing b/150863651. Remove this function since this logging
functionality is no longer needed. Also remove the functions and methods
that are only used by DebugRebootLogging().
Change-Id: Ia150604c6cd70f42b13d655ba43b95445a55b6e2
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Combine two if-statements. This change is fine because:
* The code between the two if-statements does not queue actions.
* If an action is queued from another thread then WakeMainInitThread()
is called after the action has been queued.
Bug: 266255006
Change-Id: Id4b9565ff4fdb3ee2a2bbca316c8c78e0f2d38dd
Signed-off-by: Bart Van Assche <bvanassche@google.com>
We could combine this with the existing log, but I
wouldn't want to make that appear later.
Ironically, adding this log to try to reduce logs.
Bug: 36785118
Test: :) adb logcat -d | grep "started service" | wc -l
131
Change-Id: I38f4e9740871aa256eef0c62e897038eb46871a5
Make the code that creates BuiltinArguments instances easier to read by
using initializer lists instead of constructor calls. Remove the
BuiltinArguments constructors.
Change-Id: I6cf215a81d298cf7e524e22fb75db820e0225c9a
Signed-off-by: Bart Van Assche <bvanassche@google.com>
For many years, services declaring "console" would only be started if the
console device specified by androidboot.console= was present under /dev.
However, they would also be started if the /dev/console node existed.
This fallback causes problems with newer GKI kernel images which now
hard-code "console=ttynull" via CONFIG_CMDLINE, which essentially means
/dev/console always exists, even though this console points nowhere.
It also causes problems on devices where the androidboot.console was not
the same as the kernel dmesg console ("console="), such as cuttlefish,
because those platforms could not simultaneously enable kernel logging
but disable the interactive serial console feature. The framework just
assumed both would be muxed on the same serial port. Cuttlefish had a
workaround, to use "androidboot.console=invalid" to avoid the fallback,
but this doesn't work on devices which still want to mux the kernel logs
and interactive serial console.
This change resolves the issue in a better way, by introducing a new
boolean property called "androidboot.serialconsole". Setting this to "0"
will disable the console services, regardless of whether the
/dev/console or /dev/${ro.boot.console} devices exist. Older kernels
and bootloaders don't need to set this and can rely on the old behavior
in init, but bootloaders booting newer kernels must set it to avoid the
"performance is impacted" message due to console services being started.
Bug: 266982931
Bug: 223797063
Bug: 267428635
Test: "launch_cvd" with "androidboot.console=invalid" removed;
See the "performance is impacted" message.
Test: "launch_cvd" with "androidboot.serialconsole=0";
The "performance is impacted" message is gone.
Change-Id: Iaad4d27ffe4df74ed49606d3cabe83483c350df4
There can be more than one fstab entry of system partition.
For example, the filesystem of one entry is ext4 and another is erofs.
system /system ext4 ro wait,slotselect,avb=vbmeta_system,logical,first_stage_mount,avb_keys=/avb/q-gsi.avbpubkey:/avb/r-gsi.avbpubkey:/avb/s-gsi.avbpubkey
system /system erofs ro wait,slotselect,avb=vbmeta_system,logical,first_stage_mount,avb_keys=/avb/q-gsi.avbpubkey:/avb/r-gsi.avbpubkey:/avb/s-gsi.avbpubkey
If both filesystems of system and system_ext paritions are erofs,
only the ext4 fstab entry will be returned by GetEntryForMountPoint,
and system_ext cann't be mounted.
So we need to return both of the fstab entries and try all of them.
Signed-off-by: Lianjun Huang <huanglianjun@xiaomi.com>
Change-Id: I407553d48b1749cd0554f057a6bfd38daa96fdcb
Signed-off-by: Lianjun Huang <huanglianjun@xiaomi.corp-partner.google.com>
Let the compiler verify that lock_ is held when any of the data members
are accessed.
Bug: 266255006
Change-Id: I71b341815d84ab530627d934ad4d4681b652b9d8
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Let the compiler verify that shutdown_command_lock_ is held when
shutdown_command_ is accessed.
Bug: 266255006
Change-Id: Ibd05137ab65e20f247f35bbb2bb1865e05f51f41
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Wait until strace has attached to the service instead of assuming that
it has attached after one second.
Change-Id: Ifb71fa2419563e1334d8500ea867ec92121395e0
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Remove the ConvertToArgv() function. Do not cast the std::string::find()
result. Make the strace path absolute.
Change-Id: If329e91275c834ba375863e40901f6be07a5f347
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Without root, Service::Start() fails due to lack of permissions.
Bug: 267559075
Test: run cts -m CtsInitTestCases -t init#GentleKill
atest init#GentleKill
Will skip under cts, pass under atest
Change-Id: I69e8be7000718bdba1c2acd9675b5645c0891afc
PropertyInit loads the build.prop files and set the system properties.
Set the SELinux log callback before that to show the avc denials for debugging.
Test: $ make init_system
Push this module and ensure system property set denials are shown during boot
Bug: 185920634
Bug: 211547922
Change-Id: If9f34d469d3da2ebdfe64bb611de85a3ca37e000
Since we cannot create a gpt table on zoned LU, we cannot make a generic symlink
from it. Instead, let's make it by uevent, "/dev/block/by-name/zoned_device".
Note that, we support only one zoned device in the system.
Bug: 265180564
Change-Id: Ie62b0fd68b77e3e43cf0f5c5cad9503150174271
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
During selinux transition, daemon will notify `init` process
by writing to file "/metadata/ota/daemon-alive-indicator".
Init will wait until daemon notifies it. Furthermore, daemon
will only write to that file once all threads are spin up
and attached to dm-user misc devices.
Once snapshot-merge is completed, this file will be removed.
Additionally, during boot, init will also ensure that
there are no stale files and will try to remove just
before selinux transition.
Bug: 262407519
Test: OTA on Pixel - Verify new file exits and init waits until daemon
is fully up.
Change-Id: Iabef58ad282d80a7afa493e9df9468ae41a13e44
Signed-off-by: Akilesh Kailash <akailash@google.com>
ParseApexConfigs() uses Parser::ParseConfigFile() to parse .rc files in
the target apex. ParseConfigFile() returning bool (with logging on
error) doesn't propagate the error message back to the callers
(including apexd or PackageManager).
We'd better to migrate other Parse*() methods of Parser class to return
Result<T>. But this change focuses on plumbing error progagation for
APEX configs.
Bug: 238820991
Test: atest CtsInitTestCases
Change-Id: Ifad97635dbb53a70053ec73a7a5b7e742466daf6
Tests that a service marked as gentle_kill terminiated with SIGTERM
Bug: 249043036
Test: atest CtsInitTestCases:init#GentleKill
Change-Id: I169b52cfd74f07b4d2439761ea315117323b3fcb
If a service specifies gentle_kill, attempt to stop it will send SIGTERM
instead of SIGKILL. After 200ms, it will issue a SIGKILL.
Bug: 249043036
Test: atest CtsInitTestCases:init#GentleKill
Added in next patch
Change-Id: Ieb0e4e24d31780aca1cf291f9d21d49cee181cf2
Persistent properties are flushed with fsync which can cause the
non-persistent property write path to block.
Bug: 250125146
Test: manual test with ro.property_service.async_persist_write = true
Change-Id: Id123bfc7de948b76c51b4d98d00c8cb4a0850bf1
Defaulting Android to limit memlock to 64KB. This will help preventing
pages from being swapped until the app is killed it's memory will stay
resident. CTS test is enforced only in U+ devies.
Bug: 201797650
Test: Added new test to verify we are memlock at or under 64KB
Change-Id: I5a9e9da12f6df5a056ee47d0593c13e9c779e054
From
https://android-build.googleplex.com/builds/tests/view?testResultId=TR66328435937757440&invocationId=I00700010119503421:
system/core/init/init_test.cpp:219: Failure
Failed
Value of: service->Start()
Actual: createProcessGroup(0, 15611) failed for service 'console'
Expected: is ok
The above error message does not contain enough information to
root-cause the test failure. Hence this CL that makes an error message
more informative.
Bug: 262090304
Change-Id: I09929b2f2aabf1eec4d90ec93234a9e968888da4
Signed-off-by: Bart Van Assche <bvanassche@google.com>
If a service that runs under root doesn't have the capabilities field in
it's definition, then it will inherit all the capabilities that init
has.
This change adds a linter to detect such services and ask developers to
explicitly specify capabilities that their service needs. If service
doesn't require any capabilities then empty capabilities fields should
be added in the service definition.
The actual access control list on what capabilities a process can use is
controlled by the SELinux, so inheriting all the init capabilities is
not a security issue here. However, asking services to explicitly
specify the capabilities they need is a good defense-in-depth mechanism.
So far this linter only checks the services on /system partition.
All currently offending services are added to the exempt list. I will
work on fixing some of them in the follow-up changes.
Bug: 249796710
Test: m dist
Change-Id: I2db06af165ae320a9c5086756067dceef20cd28d
It runs a service with root privilege which can't be done on user
builds. Until the issue is resolved, skip the test on user builds.
Bug: 262090304
Test: N/A
Change-Id: I690ffbd7fdaef688a0c862e0c653e9b21e281ece
Current documentation is misleading: if a service runs as root and
doesn't specify any capabilities, then it will start with all the
capabilities (note that whether it can use them is controlled by
selinux).
Test: n/a
Bug: 249796710
Change-Id: I0d6a884127c6a6c5b651c1222fcf48322065daae
The availability of /dev/console varies across different devices and
even across different build variants (ex: userdebug/user). Instead of
relying on the device-specific condition, use the /dev/null as the
console device for the test.
Bug: 262090304
Test: atest CtsInitTestCases on raven-user
Change-Id: I3b12d66e94609328dfdd6f640d1adb88a773fa38
process_cgroup_empty_ is used to indicate that a service is already
killed or not. If cgroup support lacks, services cannot be killed
because process_cgroup_empty_ is always true.
This change fixes it by not assigning process_cgroup_empty_ as true.
Instead, make KillProcessGroup send signals even when cgroup is
disabled. Also DoKillProcessGroupOnce() is updated so it returns a number of killed processes, excluding already dead processes. This behavior agrees with its name (DoKillProcessOnce), and it prevents regression upon missing cgroups, because kill(-pgid) will always
"succeed" so KillProcessGroup will loop even when all processes are
already dead.
Bug: 257264124
Test: boot microdroid, see services are terminated
Change-Id: I19abf19ff1b70c666cd6f12d0a12956765174aaa
DM_DEV_CREATE no longer creates sysfs nodes. Note this in ueventd and
add some helper APIs to libdm, so devices can be created with a
placeholder table.
This also fixes a bug in dmctl where the detailed info on suspended
devices was wrong.
Bug: 259328366
Test: dmctl with "uevents" tool
Change-Id: I822f8010e48d32841aa0ee508822f76d03a3dd85
Service objects have external state (the child process) and hence must
not be duplicated. Disable the copy constructor and the assignment
operator to prevent that these objects get duplicated accidentally.
Bug: 213617178
Change-Id: Ia5391154b94eca7f12be69eabcdf3f173fc06452
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Make it easier to diagnose service failures.
Bug: 213617178
Change-Id: I27135cb32b6a98b2fe24ab2324dffbf5b591fdd5
Signed-off-by: Bart Van Assche <bvanassche@google.com>
From the Google C++ style guide: "Objects with static storage duration
are forbidden unless they are trivially destructible." Hence this CL.
Bug: 213617178
Change-Id: I4c9a51618ee1eb14ed439295a5fc0101b940a63d
Signed-off-by: Bart Van Assche <bvanassche@google.com>
From the unique_fd.h header file: "unique_fd's operator int is
dangerous, but we have way too much code that depends on it, so make
this opt-in at first."
From the Google C++ style guide: "Do not define implicit conversions."
See also go/cstyle#Implicit_Conversions.
Hence this CL that disables unique_fd::operator int().
Change-Id: I28d94755d5408f63e5819da8d1cbc285057f867f
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Sort the compiler flags alphabetically before adding a new macro
definition.
Change-Id: If919333302817406a890c9622396ec96920adf29
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Simplify PollIn() by converting a single-element array into a scalar. No
functionality is changed.
Change-Id: I3ef36b9c0daafeed3a92f90c7a7c4fe0654dd586
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Skip the test if /dev/console does not exist. Fix the console service
security label. Fix the getsid() test.
Bug: 260104465
Test: atest 'CtsInitTestCases:init#StartConsole' on a P2023 development board
Change-Id: If2533a3f205f922a9b04a748cb558a09c5925986
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Revert commit 14f9c15e05 ("init: Add more diagnostics for signalfd
hangs") because:
* That commit was intented to help with root-causing b/223076262.
* The root cause of b/223076262 has been fixed (not blocking SIGCHLD
in all threads in the init process).
Test: Treehugger
Change-Id: I586663ec0588e74a9d58512f7f31155398cf4f52
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Multiple tests in CtsInitTestCases, e.g. RebootTest#StopServicesSIGKILL,
can trigger the following race condition:
* A service is started. This involves calling fork() and also to call
RunService() in the child process. RunService() calls setpgid().
* Service::Stop() is called and calls KillProcessGroup().
KillProcessGroup() calls kill(-pgid, SIGKILL) before the child process
has called setpgid(). pgid is the process ID of the child process. The
kill() call fails because setpgid() has not yet been called.
Fix this race condition by adding a setpgid() call in the parent process
and by waiting from the parent until the child has called setsid() if a
console is attached.
Bug: 213617178
Change-Id: Ieb9e6908df725447e3695ed66bb8bd30e4e38aa9
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Prepare for adding more code in the parent process that depends on
whether or not a console is required.
Bug: 213617178
Change-Id: I066ede32fcd4ce09d06be23158f3c1970064a697
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Make the code easier to read by introducing symbolic names for the
constants used by Service::Start() for communication between the parent
and child processes.
Bug: 213617178
Change-Id: I3e735e149682fa9df2ed57f75eb5a67d7c68bd92
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Change setpgid(0, getpid()) into setpgid(0, 0). This patch removes one
system call but does not change the behavior of the code. From the
setpgid() man page: "If pgid is zero, then the PGID of the process
specified by pid is made the same as its process ID."
Bug: 213617178
Change-Id: I7031d9eb3711f526751da495c07a8927f9386d97
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Revert commit 9c61dad67e in preparation of
introducing a second interprocess communication channel.
Bug: 213617178
Change-Id: I2959a3902a1b994cca2ac99855be1fc60d63bcbb
Signed-off-by: Bart Van Assche <bvanassche@google.com>
It is nontrivial to derive from the implementation of class Service
which members are not modified. Hence this CL that documents this by
declaring these members 'const'.
Change-Id: I27b907a1c7044376d5c5393a29050c66cbdab7bf
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Treehugger starts Cuttlefish with the console disabled. Add a test that
enables the console. The purpose of this test is to trigger the code paths
in Service::Start() that are unique to processes associated with a
console.
Bug: 213617178
Change-Id: I834632ce6ec5c237c9c2c3f5b1aa7bc98c3ef260
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Multiple tests in CtsInitTestCases, e.g. RebootTest#StopServicesSIGKILL,
can trigger the following race condition:
* A service is started. This involves calling fork() and also to call
RunService() in the child process. RunService() calls setpgid().
* Service::Stop() is called and calls KillProcessGroup().
KillProcessGroup() calls kill(-pgid, SIGKILL) before the child process
has called setpgid(). pgid is the process ID of the child process. The
kill() call fails because setpgid() has not yet been called.
Fix this race condition by adding a setpgid() call in the parent process
and by waiting from the parent until the child has called setsid() if a
console is attached.
Bug: 213617178
Test: Cuttlefish + atest 'CtsInitTestCases'
Change-Id: I6931cd579e607c247b4f79a5b375455ca3d52e29
Signed-off-by: Bart Van Assche <bvanassche@google.com>
In microdroid, APEXes are passed as block devices from host, and then
mounted directly, without using /data. Unmounting APEXes on reboot is
for clean unmount of /data, so it's not needed in microdroid.
This skips unmounting in microdroid to remove unnecessary SELinux
denials.
Bug: 256793087
Test: run microdroid and reboot, see no denials happen
Change-Id: Iaf737876f5ab5de5e8f76ed8bb0963cc25d73a80
Prepare for using the interprocess communication channel in two
directions.
Bug: 213617178
Change-Id: Ic78a3d8a2ec1f808fa5b4c4b198051655ee1b0ec
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Multiple tests in CtsInitTestCases, e.g. RebootTest#StopServicesSIGKILL,
can trigger the following race condition:
* A service is started. This involves calling fork() and also to call
RunService() in the child process. RunService() calls setpgid().
* Service::Stop() is called and calls KillProcessGroup().
KillProcessGroup() calls kill(-pgid, SIGKILL) before the child process
has called setpgid(). pgid is the process ID of the child process. The
kill() call fails because setpgid() has not yet been called.
Fix this race condition by adding a setpgid() call in the parent process
and by waiting from the parent until the child has called setsid() if a
console is attached.
Bug: 213617178
Test: Cuttlefish + atest 'CtsInitTestCases'
Change-Id: I4c55790c2dcde8716b860aecd57708d51a081086
Signed-off-by: Bart Van Assche <bvanassche@google.com>
It is essential for correct operation of ReapAnyOutstandingChildren()
that ReapOneProcess() does not modify 'pid'. Make it easier to verify
for humans that ReapOneProcess() does not modify the 'pid' local
variable. Document the value of siginfo.si_signo with DCHECK_EQ()
statements.
Bug: 213617178
Change-Id: I14baaa7adbe5416b7f777f32fb76896f2ae27b4e
Signed-off-by: Bart Van Assche <bvanassche@google.com>
The newly logged information includes the pending signals bitmask (SigPnd).
That information allows to determine whether kill() did not deliver a
signal or whether SIGCHLD has not been processed in time. This patch is
expected to help with root-causing b/254878413.
Bug: 254878413
Change-Id: Id33d1fb724163f8e5d4b3edfeb6c4be5321c0d95
Signed-off-by: Bart Van Assche <bvanassche@google.com>
There are two bugs in HandleSignalFd():
* If the one_off argument is true and if no data is read from the
signalfd, 'siginfo' is left uninitialized and used in the switch
statement in HandleSignalFd().
* The PLOG() statement in the switch statement should be a LOG()
statement since it does not report a failed system call.
This CL has been tested by changing kDiagnosticTimeout locally from 10s
into 100ms.
Change-Id: I0e488dd95bc13e1befaef770c0748d1d47f6e431
Signed-off-by: Bart Van Assche <bvanassche@google.com>
This change prevents that a later CL will trigger the following warning:
parameter 'test_context' is passed by value and only copied once; consider
moving it to avoid unnecessary copies
Change-Id: If5837ee6438efdf194781de041779c1089897789
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Allow us to check if check_at_most_once is set for any partitions.
This property should be false for any device with a reasonable amount of
RAM and a modern CPU. Enabling check_at_most_once violates AVB best
practices, it should only be allowed on performance limited devices.
Bug: 253033920
Test: Ensure that avbHashtreeNotUsingSha1 CTS test still passes
and that partition.system.verified.check_at_most_once is set.
Change-Id: I8174adf81111cc0df547ea01f81b0dfaca32631f
Signed-off-by: Nathan Huckleberry <nhuck@google.com>
Prepare for introducing a second interprocess communication channel by
introducing the class InterprocessFifo. Stop using std::unique_ptr<> for
holding the pipe file descriptors. Handle EOF consistently.
Bug: 213617178
Change-Id: Ic0cf18d3d8ea61b8ee17e64de8a9df2736e26728
Signed-off-by: Bart Van Assche <bvanassche@google.com>
The documentation added by commit c9c0bbac53 ("init: Add task_profiles
init command") mentions that the task_profiles keyword sets process
attributes. Make the implementation of that keyword match the
documentation.
Change-Id: Ia080132f16bfc2488f8c25176d6aed37a2c42780
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Bring the host_init_stubs.h header file in sync with the
<android/api-level.h> header file.
Change-Id: I0d344b5f89f909e5315a0075773efd0b725a72a4
Signed-off-by: Bart Van Assche <bvanassche@google.com>
We are planning to remove cgroups from the Micrdroid kernel, since the
entire VM belongs exclusively to a single owner, and is in the control
of the cgroups on the host side.
This patch expoxes CgroupAvailable API from libprocessgroup, and changes
init to query the CgroupAvailable API before doing any
cgroups/task_profiles related work.
Bug: 239367015
Test: run MicrodroidDemoApp
Test: atest --test-mapping packages/modules/Virtualization:avf-presubmit
Change-Id: I82787141cd2a7f9309a4e9b24acbd92ca21c145b
Change the type of 'handler' from std::shared_ptr<Handler> into Handler.
This change is safe since a previous CL moved the handler calls from the
Epoll::Wait() caller into Epoll::Wait() itself.
Bug: 213617178
Change-Id: Ife79e6863536b96ee4bb3cd778f6b0b164a95fed
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Invoke the callback functions from inside Epoll::Wait() instead of
returning a vector with pointers to callback functions. Remove handlers
after handler invocation finished to prevent that self-removal triggers
a use-after-free.
The CL that made Epoll::Wait() return a vector is available at
https://android-review.googlesource.com/c/platform/system/core/+/1112042.
Bug: 213617178
Change-Id: I52c6ade5746a911510746f83802684f2d9cfb429
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Make it easier to verify for humans that all data structure members are
initialized. No functionality is changed.
Bug: 213617178
Change-Id: I1ce2af566dba51f2032f2e7518576a67e666d12e
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Change the type of epoll_timeout from
std::optional<std::chrono:milliseconds> into std::chrono::milliseconds.
No functionality is changed.
Bug: 213617178
Change-Id: Ieb150e0aeabdb79c8da4649875ea3ed59297343b
Signed-off-by: Bart Van Assche <bvanassche@google.com>
If UnregisterHandler() is called from inside a handler for an event that
has not yet been processed then that will result in a use-after-free.
Fix this by passing file descriptors to epoll_ctl() instead of pointers
to map elements.
Bug: 213617178
Change-Id: Ie62e3a299af964271ec24cd8fc2e794042b77ee6
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Prepare for optimizing Epoll::Wait() by moving the
ReapAnyOutstandingChildren() call into Epoll::Wait(). No functionality
is changed.
Bug: 213617178
Change-Id: I280ea0069ed29cf323e4177ec500b30b900f7c8d
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Add a move constructor in the CatchDtor class. Check the .emplace()
result. Simplify the destructor. Initialize handler_invoked. Explain the
purpose of this test.
Bug: 213617178
Change-Id: I4d6f97dbb2705a2f2dd78e449ae8de74e90b102f
Signed-off-by: Bart Van Assche <bvanassche@google.com>
The new sequence of operation would be:
1: Load sepolicy - Daemon will continue to be alive and serve any I/O request
2: After sepolicy loading is complete - Switch the device-mapper tables.
3: Kill the block device daemon launched in the first-stage init.
4: Re-launch the daemon with the correct selinux labels set.
5: Enforce the sepolicy
Bug: 240321741
Test: Full OTA on pixel
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: Idd392f0f0aae7d93e546c0ec0762e6c07b6263e4
Thermal shutdown could be due to tskin temperature or
battery temperature. Pass reason while rebooting the
system to reflect properly in boot.reason
Bug: 238464124
Test: Build and boot on device. Check reboot reason
for thermal shutdown and battery thermal shutdown with
thermal warmreset enabled.
Change-Id: I192562fed48ae7da7843e383362cd22a76ce479f
This variable is always false or empty now, so clean up remaining
references of the variable.
Bug: 241346584
Test: Presubmit
Change-Id: Id5c37a1391239206477fd802d364a2678692f513
Added SPDX-license-identifier-Apache-2.0 to:
init/fuzzer/Android.bp
Bug: 68860345
Bug: 151177513
Bug: 151953481
Test: m all
Change-Id: I2db55c80799d0a8fc5935d9b07a2ddb17eb7235e
This is to resolve idiosyncracies with test packaging.
Bug: 244284630
Test: ldd -d -r CtsInitTestCases
Change-Id: Iec2c14c3ca5cd359b79d9e1f12e689c0eeffb122
Review note: Original change was a p-o-c by agl in
https://r.android.com/2094350 which I think is actually
production quality. I'm just taking it over so that he doesn't
get spammed by any review comments as that's not a good use
of his time.
Needed for the hardware entropy daemon (see bug).
Original commit message:
If one needs to create a service that synchronously starts listening on
a socket then there are currently no good options.
The traditional UNIX solution is to have the service create the socket
and then daemonise. In this situation, init could start the service with
`exec_start` and yet not block forever because the service forks and
exits. However, when the initial child process exits, init kills the
daemon process:
> init: Killed 1 additional processes from a oneshot process group for
> service 'foo'. This is new behavior, previously child processes
> would not be killed in this case.
Next, there is a `socket` option for services and (although the
documentation didn't nail this down), the socket is created
synchronously by `start`. However, init doesn't call `listen` on the
socket so, until the service starts listening on the socket itself,
clients will get ECONNREFUSED.
This this change adds a `+listen` option, similar to `+passcred` which
allows a socket service to reliably handle connections.
Bug: 243933553
Test: Started prng_seeder from init using the new listen flag
Change-Id: I91b3b2b1fd38cc3d96e19e92b76c8e95788191d5
Services created during new tests weren't properly cleaned up after tests. It caused slowdown of subsequent tests as described in b/244486404.
This change kills/terminates services after test with apex services.
To provide some context, original change is at https://android-review.googlesource.com/q/topic:vapex_stop_service. The issue was discovered by android test monitor and filed as a P0 bug.
Bug: 244486404
Change-Id: Ie64e0eb1686e94ef543a457ea49d1d7aeab38c97
extra_free_kbytes.sh accepts a parameter representing the number of KB
to add to low and high watermarks. It adds this margin to the current
watermark levels, however this is not how /proc/sys/vm/extra_free_kbytes
knob that it replaces used to work. The old knob would add the margin
relative to the original and not the current level of the watermarks.
Change extra_free_kbytes.sh to add the specified margin to the original
watermark levels to act as correct replacement of the old knob.
Bug: 242837506
Fixes: 642048d969 ("init: Add extra_free_kbytes.sh script to adjust watermark_scale_factor")
Test: repeatedly run 'setprop sys.sysctl.extra_free_kbytes 30375'
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I8af603ba00bd4fb8182b80b3c0969fa96cdd7311
Added SPDX-license-identifier-Apache-2.0 to:
init/test_upgrade_mte/Android.bp
Bug: 68860345
Bug: 151177513
Bug: 151953481
Test: m all
Change-Id: I77b956ed672a2f171b78ab1e7bfddc09bd0dc158
The /dev/selinux folder is normally created by first-stage-init
https://cs.android.com/android/platform/superproject/+/master:system/core/init/first_stage_init.cpp;l=299-300;drc=07c86bace1e7a7cc4dd975f10b077d21c3743749
However, in some cases the first-stage-init comes from a GKI prebuilt
boot.img and doess not create the required folder (see for example
b/217677967), resulting in bugs like b/244793900.
I modified the selinux.cpp code to create the /dev/selinux folder if it
does not exist already, as a safety measure.
To verify these changes for b/244793900, follow gpaste/4922166775644160
Bug: 243923977
Test: atest SeamendcHostTest, manual verification
Change-Id: I8fe798643b1aeab2b4caac837055348febf70b94
Tests using Service::Start() should run under root. Otherwise tests fail
to start services from the test binary due to lack of permission.
Bug: 244748231
Test: CtsInitTestCases
Change-Id: Ia4eb8457cfad7d44da6b171e44f64238e08af9f7
