Increase size of the NETLINK_KOBJECT_UEVENT socket receive buffer to
16M. Also, use SO_RCVBUFFORCE to override any limits set by
/proc/sys/net/core/rmem_max.
We had a couple of instances where we lost critical uevent messages due
to receive buffer overflows.
Bug: 119933843
Change-Id: I6aab183aa0194e173f9175b47c6beb0835cf6675
Currently, /system/bin, /system/xbin, /product/bin, and /vendor/bin
are 0755, which allows any process to iterate through those
directories and list out the contents. For the vast majority of
processes, this is unnecessary. They only need to know whether a
particular binary exists or doesn't exist, but they don't need to
know the other binaries within those directories.
Allowing this is particularly problematic for SELinux. In particular,
some third party Android applications try to examine every file in
the bin directories, generating SELinux audit noise along the
way. This audit noise makes it harder to see real bugs, and falsely
implies an architectural dependency between the application and random
files in directories like /system/bin.
This change removes the ability to list the contents of the various bin
directories, preventing random probing by such apps. The ability to
execute files, or to probe a specific file by name, remains unchanged.
Addresses SELinux denials similar to the following:
avc: denied { getattr } for comm="Thread-11" path="/system/bin/atrace" dev="dm-0" ino=189 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:atrace_exec:s0 tclass=file permissive=0 app=uk.co.santander.santanderUK
avc: denied { getattr } for comm="Binder:26637_2" path="/system/bin/atrace" dev="dm-0" ino=168 scontext=u:r:untrusted_app_25:s0:c512,c768 tcontext=u:object_r:atrace_exec:s0 tclass=file permissive=0 app=com.tencent.mm
avc: denied { getattr } for comm="Thread-12" path="/system/bin/apexd" dev="dm-0" ino=451 scontext=u:r:untrusted_app_27:s0:c512,c768 tcontext=u:object_r:apexd_exec:s0 tclass=file permissive=1 app=com.grppl.android.shell.CMBlloydsTSB73
Shell access to these directories continues to be allowed, to allow for
host-side CTS tests.
Also adjust the indentation of some clang directives, to make the
presubmit hooks happy.
Test: Device boots and no apparent problems.
Change-Id: Ibe75682fac1983d39f3f479a5850ab5a96f6627d
set_sched_policy checks that operations related to the kernel config
CONFIG_CGROUP_SCHEDTUNE are working properly, but this config is not
required, so devices without it were failing the test.
This CL splits set_sched_policy into two tests so that the policy and
timerslack tests can be skipped individually when devices don't support
them.
Bug: 113185515, 112550681
Test: libcutils_test{32,64} now pass on aosp_x86_64 emulator
Change-Id: I31638b61e033f0c96b63428a8d27d27dbc36bce3
Attempting to reduce the number of different spellings we have for
"product services" partition in the codebase.
Bug: 112431447
Test: m
Change-Id: I1a87d7e040a8b1f91f973ac7d90d6360b5b54f71
Merged-In: I1a87d7e040a8b1f91f973ac7d90d6360b5b54f71
This CL is largely an adaptation of
Ie996def20e25dc1afe0c74af2096af844934b2dc
Bug: 80741439
Test: Successfully built product-services.img with one module in it, and
flashed on device. Also successfully built image with
/system/product-services and no dedicated /product-services partition.
Change-Id: I1046dfe19bf874da929c9131b76a1f85422fbb80
Callers already verify that they are calling ashmem API on a valid fd by
calling ashmem_valid first. Let's make the fstat syscall only if the
ioctl returns -ENOTTY. This means in the regular case, only 1 syscall is
needed (ioctl) vs the current 2 (fstat+ioctl).
Some data to show improvements in reduction of vfs_getattr calls in the
kernel by 10x when doing a camera.
Test: Boot and camera CTS
Bug: 111418894
Change-Id: I992620bbe44355e54ba19eeac81da586c5e5a6e0
Signed-off-by: Joel Fernandes <joelaf@google.com>
This change removes the CAP_SYSLOG file based capability from bootstat,
since the intention is that it should not be accessing the logs in the
long term. In order to avoid bitrot, the fallback code that depends on
CAP_SYSLOG has also been removed.
Bug: 62845925
Test: system/core/bootstat/boot_reason_test.sh
Change-Id: I899be44ef3ac1c4d81072f801d55c928ae09bb15
This change moves logd's capabilities from being file based to being set
by init through ambient capabilities.
Bug: 62845925
Test: sailfish:/ # grep Cap /proc/`pidof logd`/status
CapInh: 0000000000000000
CapPrm: 0000000440000000
CapEff: 0000000440000000
CapBnd: 0000000440000040
CapAmb: 0000000000000000
$ capsh --decode=0x440000040
0x440000040=cap_setgid,cap_audit_control,cap_syslog
Test: liblog-unit-tests, logd-unit-tests, logcat-unit-tests
Change-Id: I28c7c4ad37ad5eafd399aef78c303ce31298a9ef
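The capsh decoding shown in the test section above, done by hand as an added example (not code from logd or the commit): parse the Cap* fields of a /proc/<pid>/status dump, turn a mask into capability names, and check the subset rules that hold for a well-formed capability set (effective and ambient within permitted, ambient within inheritable). The name table follows the numbering in <linux/capability.h>; the status text is the commit's own output embedded as constructed input, and the function names are ours.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability names indexed by number, as in <linux/capability.h>. */
static const char *const cap_names[] = {
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
};

/* Write "cap_a,cap_b,..." for every set bit of mask into out (capsh style).
 * Unknown bits are printed as cap_<n>. Returns the number of bits set, or
 * -1 if out is too small. */
int decode_caps(uint64_t mask, char *out, size_t outlen)
{
    int n = 0;
    size_t used = 0;
    out[0] = '\0';
    for (unsigned bit = 0; bit < 64; bit++) {
        char name[32];
        int w;
        if (!(mask & ((uint64_t)1 << bit)))
            continue;
        if (bit < sizeof(cap_names) / sizeof(cap_names[0]))
            snprintf(name, sizeof name, "cap_%s", cap_names[bit]);
        else
            snprintf(name, sizeof name, "cap_%u", bit);
        w = snprintf(out + used, outlen - used, "%s%s", n ? "," : "", name);
        if (w < 0 || (size_t)w >= outlen - used)
            return -1;
        used += (size_t)w;
        n++;
    }
    return n;
}

/* Find "<key>:\t<hex>" at the start of a line in /proc/<pid>/status text.
 * Returns 1 and stores the value, or 0 if the key is absent. */
int status_cap_field(const char *status, const char *key, uint64_t *out)
{
    const char *p = status;
    size_t klen = strlen(key);
    while ((p = strstr(p, key)) != NULL) {
        if ((p == status || p[-1] == '\n') && p[klen] == ':') {
            *out = strtoull(p + klen + 1, NULL, 16);
            return 1;
        }
        p += klen;
    }
    return 0;
}

/* Invariants the kernel enforces: effective and ambient are subsets of
 * permitted, and ambient is also a subset of inheritable. A dump that
 * violates them was not produced by a live process. Returns 1 if all hold. */
int caps_consistent(uint64_t inh, uint64_t prm, uint64_t eff, uint64_t amb)
{
    return (eff & ~prm) == 0 && (amb & ~prm) == 0 && (amb & ~inh) == 0;
}

/* Constructed input: the logd status lines quoted in the commit message. */
static const char logd_status[] =
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000440000000\n"
    "CapEff:\t0000000440000000\n"
    "CapBnd:\t0000000440000040\n"
    "CapAmb:\t0000000000000000\n";

int main(void)
{
    static const char *const keys[] = { "CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb" };
    uint64_t v[5] = { 0 };
    char buf[256];
    for (int i = 0; i < 5; i++) {
        if (status_cap_field(logd_status, keys[i], &v[i])) {
            decode_caps(v[i], buf, sizeof buf);
            printf("%s: 0x%llx = %s\n", keys[i], (unsigned long long)v[i], buf);
        }
    }
    printf("consistent: %d\n", caps_consistent(v[0], v[1], v[2], v[4]));
    return 0;
}
```

Decoding the bounding set 0x440000040 reproduces the capsh line in the commit (cap_setgid, cap_audit_control, cap_syslog); decoding CapPrm shows that the running process holds only the last two, which is the kind of comparison a reviewer makes when a daemon moves from file capabilities to init-granted ambient capabilities.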
1. TEMP_FAILURE_RETRY() isn't necessary with getsockname() because
it's a synchronous syscall.
2. There's no need to allocate and free a temporary buffer for the
full pathname of the socket.
Test: Manually, as follows:
- added temporary ALOG output
- flashed and booted a device
- checked expected output from all system daemons
- removed log statements
Change-Id: I4550a2d67fdffe6aff3c1050f8eeeaca0f985fb3
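A check of the kind the commit is tidying, written as an added example rather than libcutils' own code: a daemon handed a socket fd by init should confirm through getsockname() that the fd really is the AF_UNIX socket bound at the path it expects, instead of trusting an environment variable or fd number. The example shows why no retry wrapper and no heap-allocated path buffer are needed, and the demo helper creates its own socket under /tmp so it runs anywhere. Function names and the temporary paths are assumptions of the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Return 1 if fd is an AF_UNIX socket bound to the filesystem path
 * `expected`, 0 if it is anything else (another family, unbound, an
 * abstract-namespace socket, or a different path), -1 on syscall error. */
int fd_is_named_unix_socket(int fd, const char *expected)
{
    struct sockaddr_un addr;
    socklen_t len = sizeof(addr);
    size_t pathlen;

    memset(&addr, 0, sizeof(addr));
    /* getsockname() only copies out what the kernel already holds for the
     * socket; it cannot block, so it never fails with EINTR and a
     * TEMP_FAILURE_RETRY() wrapper would be dead weight. */
    if (getsockname(fd, (struct sockaddr *)&addr, &len) < 0)
        return -1;
    if (addr.sun_family != AF_UNIX)
        return 0;
    /* For an unbound unix socket the kernel returns only the family. */
    pathlen = len > offsetof(struct sockaddr_un, sun_path)
                  ? len - offsetof(struct sockaddr_un, sun_path) : 0;
    if (pathlen == 0 || addr.sun_path[0] == '\0')
        return 0;
    /* addr was zeroed and sun_path is NUL terminated for pathname sockets,
     * so a bounded compare against the caller's path is enough; no copy of
     * the full pathname has to be allocated. */
    return strncmp(addr.sun_path, expected, sizeof(addr.sun_path)) == 0;
}

/* Exercise the check: a socket bound under a temp dir must match its own
 * path and nothing else; a socketpair end (unbound) must never match.
 * Returns 1 when every expectation held, 0 if the check misbehaved,
 * -1 on setup failure. */
int demo_named_socket_check(void)
{
    char dir[] = "/tmp/ctrlsock.XXXXXX";
    char path[sizeof(((struct sockaddr_un *)0)->sun_path)];
    struct sockaddr_un addr;
    int fd, sv[2], ok = -1;

    if (!mkdtemp(dir))
        return -1;
    snprintf(path, sizeof path, "%s/sock", dir);
    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);

    fd = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
    if (fd >= 0 && bind(fd, (struct sockaddr *)&addr, sizeof(addr)) == 0 &&
        socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == 0) {
        ok = fd_is_named_unix_socket(fd, path) == 1 &&
             fd_is_named_unix_socket(fd, "/dev/socket/other") == 0 &&
             fd_is_named_unix_socket(sv[0], path) == 0;
        close(sv[0]);
        close(sv[1]);
    }
    if (fd >= 0)
        close(fd);
    unlink(path);
    rmdir(dir);
    return ok;
}

int main(void)
{
    int r = demo_named_socket_check();
    printf("named socket check: %s\n", r == 1 ? "ok" : r == 0 ? "mismatch" : "setup failed");
    return r != 1;
}
```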
Libraries that are direct or indirect dependencies of modules installed
to the recovery partition (e.g. toybox) are marked as recovery_available:
true. This allows a recovery variant of the lib to be created when it is
depended on by other recovery or recovery_available modules.
Bug: 67916654
Bug: 64960723
Test: m -j
Change-Id: Ie59155c08890e96ce1893fa3687afcf763d7aea3
This commit excludes `qtaguid.cpp` from the VNDK-SP variant of
`libcutils.so` because the interface of `libnetd_client.so` may vary
between AOSP releases.
Besides, these functions don't work in vendor processes either because
VNDK-SP libraries are loaded in an isolated `vndk` linker namespace,
which cannot access `/system/lib[64]/libnetd_client.so` directly. This
change makes it easier to spot the issue at build time and saves several
bytes.
Test: Build aosp_walleye-userdebug and
/system/lib[64]/vndk-sp-$VER/libcutils.so no longer exports qtaguid_*
functions.
Bug: 79329469
Change-Id: Idf6b60f6e58371ea320193641669d1e4412d62b8
Merged-In: Idf6b60f6e58371ea320193641669d1e4412d62b8
(cherry picked from commit 25b742c627)
Normally, the whole configfs is mounted on /config and /config will be
world readable:
sailfish:/ $ ls -ld /config/*
drwxrwx--- 258 system package_info 0 2018-05-08 16:08 /config/sdcardfs
sailfish:/ $ ls -ld /config/
drwxr-xr-x 3 root root 0 1969-12-31 16:00 /config/
On ARC++, we only mount-bind config/sdcardfs, so it is important that
/config is set properly.
It is actually 0500, so system could not see /config/sdcardfs, even if
/config/sdcardfs is set properly.
Although root can, as the system uid we cannot reach /config/sdcardfs:
:/ $ ls -ld /config
dr-x------ 3 root root 31 2018-05-02 21:56 /config
:/ $ ls -ld /config/sdcardfs
ls: /config/sdcardfs: Permission denied
With this change, system (and systemservice) is able to reach
/config/sdcardfs:
:/ $ ls -ld /config
dr-xr-xr-x 3 root root 31 2018-05-02 21:56 /config
:/ $ ls -ld /config/sdcardfs
drwxrwx--- 109 system package_info 0 2018-05-08 15:29 /config/sdcardfs
Bug: 63876697
Test: After change, package service is able to create the bindings in
/config/sdcardfs.
Change-Id: I7e9b99d7af2ad001fbb1b95bee35d494e861be78
Signed-off-by: Gwendal Grignou <gwendal@google.com>
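Both the bin-directory commit above and this /config commit turn on the same directory-mode detail: the read bit on a directory governs listing its names, while the execute (search) bit governs whether a known path through it can be looked up at all. The following added example (not code from either commit) builds a scratch tree under /tmp and probes both cases: an x-only directory that permits stat-by-name but refuses opendir(), and a readable but non-searchable directory whose 0770 child is unreachable anyway, which is the /config situation as seen by a uid with no bits on /config. It uses 0111 and 0600 instead of the commits' 0751/0500 because the caller owns the scratch tree and owner bits are what apply; the names and paths are ours. root holds CAP_DAC_READ_SEARCH, so the denials do not apply to it, and the demo reports that.

```c
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Bits returned by demo_dir_bits(). */
enum {
    PROBE_BY_NAME_OK = 1,  /* stat() of a known path under the x-only dir worked */
    LISTING_DENIED   = 2,  /* opendir() of the x-only dir failed with EACCES */
    TRAVERSAL_DENIED = 4,  /* stat() through the dir without x failed with EACCES */
};

/* root bypasses directory DAC via CAP_DAC_READ_SEARCH. */
int running_as_root(void)
{
    return geteuid() == 0;
}

/* Build a scratch tree, set the modes, probe, then clean up:
 *   <tmp>/bin             0111: search only, like a bin dir that allows
 *                         exec and probe-by-name but not ls
 *   <tmp>/bin/atrace      a file whose name the caller knows
 *   <tmp>/config          0600: readable but not searchable
 *   <tmp>/config/sdcardfs a 0770 child that is unreachable regardless
 * Returns an OR of the bits above, or -1 if the tree could not be built. */
int demo_dir_bits(void)
{
    char root[] = "/tmp/dirbits.XXXXXX";
    char bin[64], binfile[64], cfg[64], cfgchild[64];
    struct stat st;
    DIR *d;
    int fd, bits = 0;

    if (!mkdtemp(root))
        return -1;
    snprintf(bin, sizeof bin, "%s/bin", root);
    snprintf(binfile, sizeof binfile, "%s/bin/atrace", root);
    snprintf(cfg, sizeof cfg, "%s/config", root);
    snprintf(cfgchild, sizeof cfgchild, "%s/config/sdcardfs", root);

    if (mkdir(bin, 0755) < 0 || mkdir(cfg, 0755) < 0 || mkdir(cfgchild, 0770) < 0 ||
        (fd = open(binfile, O_WRONLY | O_CREAT | O_EXCL, 0755)) < 0) {
        bits = -1;
    } else {
        close(fd);
        chmod(bin, 0111);
        chmod(cfg, 0600);

        /* x without r: the path can be resolved, the directory not enumerated */
        if (stat(binfile, &st) == 0)
            bits |= PROBE_BY_NAME_OK;
        d = opendir(bin);
        if (d)
            closedir(d);
        else if (errno == EACCES)
            bits |= LISTING_DENIED;
        /* r without x: names could be read, but nothing below is reachable */
        if (stat(cfgchild, &st) < 0 && errno == EACCES)
            bits |= TRAVERSAL_DENIED;
    }
    /* restore modes so cleanup can unlink and rmdir */
    chmod(bin, 0755);
    chmod(cfg, 0755);
    unlink(binfile);
    rmdir(cfgchild);
    rmdir(bin);
    rmdir(cfg);
    rmdir(root);
    return bits;
}

int main(void)
{
    int bits = demo_dir_bits();
    printf("probe_by_name=%d listing_denied=%d traversal_denied=%d (root=%d)\n",
           !!(bits & PROBE_BY_NAME_OK), !!(bits & LISTING_DENIED),
           !!(bits & TRAVERSAL_DENIED), running_as_root());
    return bits < 0;
}
```

As an unprivileged user all three bits come back set: that is exactly the property the bin-dir change wants (apps can exec or stat a binary they name, but cannot enumerate the directory) and the failure the /config change fixes (a child with a permissive mode is worthless if a parent lacks the search bit for the caller).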
This way you'll get a build time error if you make the usual mistake of
adding to the enum but not adding an entry to the array.
Also improve the unit tests, and fix get_sched_policy_name's incorrect
behavior on invalid inputs.
Bug: N/A
Test: ran tests
Change-Id: Iefcb1ec9ef66267837da7a576c8be3d0cfb16cd0
Introduce a standalone live-lock daemon (llkd), to catch kernel
or native user space deadlocks and take mitigating actions. Will
also configure [khungtaskd] to fortify the actions.
If a thread is in D or Z state with no forward progress for longer
than ro.llk.timeout_ms, or ro.llk.[D|Z].timeout_ms, kill the process
or parent process respectively. If another scan shows the same
process continues to exist, then have a confirmed live-lock condition
and need to panic. Panic the kernel in a manner to provide the
greatest bugreporting details as to the condition. Add an alarm self
watchdog, should llkd ever get locked up, that is double the expected
time to flow through the mainloop. Sampling is every
ro.llk_sample_ms.
Default will not monitor init, or [kthreadd] and all that [kthreadd]
spawns. This reduces the effectiveness of llkd by limiting its
coverage. If, in the future, there is value in covering kthreadd-spawned
threads, the requirement will be to code drivers so that they do not
remain in a persistent 'D' state, or that they have mechanisms to
recover the thread should it be killed externally. Then the
blacklists can be adjusted accordingly if these conditions are met.
An accompanying gTest set has been added, and will set up a persistent
D or Z process, with and without forward progress, but not in a
live-lock state because that would require a buggy kernel, or a module
or kernel modification to stimulate.
Android properties llkd responds to (*_ms parms are in milliseconds):
- ro.config.low_ram default false, if true do not sysrq t (dump
all threads).
- ro.llk.enable default false, allow live-lock daemon to be enabled.
- ro.khungtask.enable default false, allow [khungtaskd] to be enabled.
- ro.llk.mlockall default true, allow mlock'd live-lock daemon.
- ro.khungtask.timeout default 12 minutes.
- ro.llk.timeout_ms default 10 minutes, D or Z maximum timelimit,
double this value and it sets the alarm watchdog for llkd.
- ro.llk.D.timeout_ms default ro.llk.timeout_ms, D maximum timelimit.
- ro.llk.Z.timeout_ms default ro.llk.timeout_ms, Z maximum timelimit.
- ro.llk.check_ms default 2 minutes sampling interval
(ro.llk.timeout_ms / 5) for threads in D or Z state.
- ro.llk.blacklist.process default 0,1,2 (kernel, init and
[kthreadd]), and process names (/comm or /cmdline) init,[kthreadd],
lmkd,lmkd.llkd,llkd,[khungtaskd],watchdogd,[watchdogd],
[watchdogd/0] ...
- ro.llk.blacklist.parent default 0,2 (kernel and [kthreadd]) and
"[kthreadd]". A comma separated lists of process ids, /comm names
or /cmdline names.
- ro.llk.blacklist.uid default <empty>, comma separated list of
uid numbers or names from getpwuid/getpwnam.
Test: llkd_unit_test
Bug: 33808187
Bug: 72838192
Change-Id: I32e8aa78aef10834e093265d0f3ed5b4199807c6
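The core of what the daemon described above has to get right, as an added example and not llkd's own code: read a thread's state from /proc/<pid>/stat without being fooled by a comm field that contains spaces or ')' (only the text after the last ')' is trustworthy, which matters because an attacker-chosen process name is part of that line), match a pid or comm against a comma separated blacklist of the ro.llk.blacklist.* form, and track a candidate across samples so that only a thread stuck in D or Z for the whole timeout window is escalated. The stat lines are constructed input, the timeout state machine is a simplification of the commit's kill-then-confirm-then-panic sequence, and all names are ours.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* State field of a /proc/<pid>/stat line. comm is in parentheses and may
 * contain spaces or ')', so scan from the LAST ')' rather than tokenising
 * on whitespace. Returns '\0' on malformed input. */
char proc_stat_state(const char *line)
{
    const char *close = strrchr(line, ')');
    if (!close || close[1] != ' ' || close[2] == '\0')
        return '\0';
    return close[2];
}

/* Copy comm (without parentheses) out of a stat line. Returns 1 on success. */
int proc_stat_comm(const char *line, char *out, size_t outlen)
{
    const char *open = strchr(line, '(');
    const char *close = strrchr(line, ')');
    size_t n;
    if (!open || !close || close < open || outlen == 0)
        return 0;
    n = (size_t)(close - open - 1);
    if (n >= outlen)
        n = outlen - 1;
    memcpy(out, open + 1, n);
    out[n] = '\0';
    return 1;
}

/* Does a comma separated list (ro.llk.blacklist.process style) name either
 * this pid or this comm? Exact element match only, so "lmk" does not
 * match "lmkd". */
int in_blacklist(const char *list, long pid, const char *comm)
{
    char pidstr[24];
    const char *p = list;
    snprintf(pidstr, sizeof pidstr, "%ld", pid);
    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if ((len == strlen(pidstr) && memcmp(p, pidstr, len) == 0) ||
            (len == strlen(comm) && memcmp(p, comm, len) == 0))
            return 1;
        p = end ? end + 1 : p + len;
    }
    return 0;
}

/* One tracked candidate: pid, when it was first seen stuck, and in which state. */
struct llk_candidate {
    long pid;
    long first_seen_ms;
    char state;
};

/* Feed one sample. Any state other than D or Z is forward progress and
 * resets the candidate. Returns 0 = not a candidate, 1 = still within the
 * timeout window, 2 = stuck for at least timeout_ms (act: kill the process
 * for D, its parent for Z; re-scan and escalate if it is still there). */
int llk_update(struct llk_candidate *c, long pid, char state, long now_ms, long timeout_ms)
{
    if (state != 'D' && state != 'Z') {
        c->pid = 0;
        return 0;
    }
    if (c->pid != pid || c->state != state) {
        c->pid = pid;
        c->state = state;
        c->first_seen_ms = now_ms;
        return 1;
    }
    return (now_ms - c->first_seen_ms) >= timeout_ms ? 2 : 1;
}

int main(void)
{
    /* constructed lines; the second has a comm chosen to break naive parsers */
    const char *samples[] = {
        "4242 (sh) S 1 4242 4242 0 -1 4194560 100 0 0 0 1 0 0 0 20 0 1 0 77 0 0",
        "4243 (a) b) D 1 4243 4243 0 -1 4194560 100 0 0 0 1 0 0 0 20 0 1 0 77 0 0",
    };
    char comm[32];
    for (size_t i = 0; i < 2; i++) {
        proc_stat_comm(samples[i], comm, sizeof comm);
        printf("comm=\"%s\" state=%c\n", comm, proc_stat_state(samples[i]));
    }
    return 0;
}
```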
Set F() capability set and 'drop' lmkd from AID_ROOT to AID_LMKD uid
and from AID_ROOT to AID_LMKD and AID_SYSTEM gid.
/dev/memcg/memory.pressure defaults to root.root mode 0000, set it up
as root.system mode 0040 to allow lmkd read access.
Instrument failure to set SCHED_FIFO.
Annotate access points that require elevated capabilities.
Test: check /proc/`pidof lmkd`/status for capability set
Test: lmkd_unit_test
Bug: 77650566
Change-Id: I986081a0434cf6e842b63a55726380205b30a3ea