Commit graph

10 commits

Author SHA1 Message Date
Elliott Hughes
eedd38a82a Let the kernel hwrng thread manage hw_random mixing.
This has been something the kernel does automatically since 2014, so
there's no obvious reason to add extra work during boot to duplicate
that effort.

Bug: http://b/179086242
Test: treehugger
Change-Id: I44cce99a892e4f2a6a303c2126bd29f955f5fb23
2021-02-05 11:10:00 -08:00
Ryan Savitski
ea93f110d2 dev devices with permissive boot: disable perf_event_paranoid
Some functionality based on eBPF attached to tracepoints (gpu memory
accounting and time-in-state) rely on newer devices running with
"disabled" perf_event_paranoid controls as a result of the kernel having
LSM hooks in the perf_event_open syscall instead. This is tested
for, and set up by init via the sys.init.perf_lsm_hooks sysprop.

Development devices that boot into permissive mode still want the
eBPF-based functionality to work, but end up with a paranoid value that
disallows the syscall, as the LSM hook test expects to observe a SELinux
denial (which doesn't happen due to permissiveness).

As a pragmatic way of achieving the paranoid value override, we pretend
that the hook test has succeeded if we detect permissive SELinux during
second-stage init. It'd be nicer if we had a sysprop to reflect the
device's on-boot status of SELinux, but it's not worth adding for this
case.

BYPASS_INCLUSIVE_LANGUAGE_REASON=technical term

Bug: 170674916
Tested: booted crosshatch-userdebug with permissive kernel cmdline,
        confirmed that the log message from the new codepath was present
        in logcat, sysprop is 1, and paranoid is -1.
Change-Id: I9df5da2076cdbd777d35e50e8cd7a483ec85e20a
2020-10-29 17:41:36 +00:00
Elliott Hughes
f77f6f003c Remove various bits of dead code and unused workarounds.
Test: treehugger
Change-Id: I68fcd5da304d04ff4da3c3f3712fb79ce6b5791e
Merged-In: I68fcd5da304d04ff4da3c3f3712fb79ce6b5791e
2020-02-22 16:53:24 +00:00
Ryan Savitski
f0f7e70186 init: add builtin check for perf_event LSM hooks
Historically, the syscall was controlled by a system-wide
perf_event_paranoid sysctl, which is not flexible enough to allow only
specific processes to use the syscall. However, SELinux support for the
syscall has been upstreamed recently[1] (and is being backported to
Android R release common kernels).
[1] da97e18458

As the presence of these hooks is not guaranteed on all Android R
platforms (since we support upgrades while keeping an older kernel), we
need to test for the feature dynamically. The LSM hooks themselves have
no way of being detected directly, so we instead test for their effects,
so we perform several syscalls, and look for a specific success/failure
combination, corresponding to the platform's SELinux policy.

If hooks are detected, perf_event_paranoid is set to -1 (unrestricted),
as the SELinux policy is then sufficient to control access.

This is done within init for several reasons:
* CAP_SYS_ADMIN side-steps perf_event_paranoid, so the tests can be done
  if non-root users aren't allowed to use the syscall (the default).
* init is already the setter of the paranoid value (see init.rc), which
  is also a privileged operation.
* the test itself is simple (couple of syscalls), so having a dedicated
  test binary/domain felt excessive.

I decided to go through a new sysprop (set by a builtin test in
second-stage init), and keeping the actuation in init.rc. We can change
it to an immediate write to the paranoid value if a use-case comes up
that requires the decision to be made earlier in the init sequence.

Bug: 137092007
Change-Id: Ib13a31fee896f17a28910d993df57168a83a4b3d
2020-01-15 20:58:15 +00:00
Tom Cherry
7c1d87e490 init: fix clang-tidy performance issues
Test: boot, init unit tests
Change-Id: Iccf34d2fedfa543dd9f29e010cbb6d8fe9cf5983
2019-07-10 12:59:02 -07:00
Tom Cherry
bbcbc2ffb3 init: replace Result<Success> with Result<void>
Now that Result<T> is actually expected<T, ...>, and the expected
proposal states expected<void, ...> as the way to indicate an expected
object that returns either successfully with no object or an error,
let's move init's Result<Success> to the preferred Result<void>.

Bug: 132145659
Test: boot, init unit tests
Change-Id: Ib2f98396d8e6e274f95a496fcdfd8341f77585ee
2019-06-10 12:39:18 -07:00
Tom Cherry
cb0f9bbc85 init: run vendor commands in a separate SELinux context
One of the major aspects of treble is the compartmentalization of system
and vendor components, however init leaves a huge gap here, as vendor
init scripts run in the same context as system init scripts and thus can
access and modify the same properties, files, etc as the system can.

This change is meant to close that gap.  It forks a separate 'subcontext'
init that runs in a different SELinux context with permissions that match
what vendors should have access to.  Commands get sent over a socket to
this 'subcontext' init that then runs them in this SELinux context and
returns the result.

Note that not all commands run in the subcontext; some commands such as
those dealing with services only make sense in the context of the main
init process.

Bug: 62875318
Test: init unit tests, boot bullhead, boot sailfish

Change-Id: Idf4a4ebf98842d27b8627f901f961ab9eb412aee
2017-09-29 13:06:26 -07:00
Tom Cherry
d8db7ab80d init: replace panic() with LOG(FATAL)
Test: boot bullhead
Test: Introduce LOG(FATAL) at various points of init and ensure that
      it reboots to the bootloader successfully
Test: Introduce LOG(FATAL) during DoReboot() and ensure that it reboots
      instead of recursing infinitely
Test: Ensure that fatal signals reboot to bootloader

Change-Id: I409005b6fab379df2d635e3e33d2df48a1a97df3
2017-08-17 18:16:51 -07:00
Tom Cherry
557946e57c init: use Result<T> for builtin functions
We currently throw out the return values from builtin functions and
occasionally log errors with no supporting context.  This change uses
the newly introduced Result<T> class to communicate a successful result
or an error back to callers in order to print an error with clear
context when a builtin fails.

Example:

init: Command 'write /sys/class/leds/vibrator/trigger transient' action=init (/init.rc:245) took 0ms and failed: Unable to write to file '/sys/class/leds/vibrator/trigger': open() failed: No such file or directory

Test: boot bullhead
Merged-In: Idc18f331d2d646629c6093c1e0f2996cf9b42aec
Change-Id: Idc18f331d2d646629c6093c1e0f2996cf9b42aec
2017-08-14 14:07:39 -07:00
Tom Cherry
0c8d6d2730 init: split security functions out of init.cpp
This change splits out the selinux initialization and supporting
functionality into selinux.cpp and splits the security related
initialization of the rng, etc to security.cpp.  It also provides
additional documentation for SEPolicy loading as this has been
requested by some teams.

It additionally cleans up sehandle and sehandle_prop.  The former is
static within selinux.cpp and new wrapper functions are created around
selabel_lookup*() to better serve the users.  The latter is moved to
property_service.cpp as it is isolated to that file for its usage.

Test: boot bullhead
Merged-In: Idc95d493cebc681fbe686b5160502f36af149f60
Change-Id: Idc95d493cebc681fbe686b5160502f36af149f60
2017-08-14 09:40:01 -07:00