A previous change moved property_service into its own thread, since
there was otherwise a deadlock whenever a process called by init would
try to set a property. This new thread, however, would send a message
via a blocking socket to init for each property that it received,
since init may need to take action depending on which property it is.
Unfortunately, this means that the deadlock is still possible, the
only difference is the socket's buffer must be filled before init deadlocks.
There are possible partial solutions here: the socket's buffer may be
increased or property_service may only send messages for the
properties that init will take action on, however all of these
solutions still lead to eventual deadlock. The only complete solution
is to handle these messages asynchronously.
This change, therefore, adds the following:
1) A lock for instructing init to reboot
2) A lock for waiting on properties
3) A lock for queueing new properties
4) A lock for any actions with ServiceList or any Services, enforced
through thread annotations, particularly since this code was not
designed with the intention of being multi-threaded.
Bug: 146877356
Bug: 148236233
Test: boot
Test: kill hwservicemanager without deadlock
Merged-In: I84108e54217866205a48c45e8b59355012c32ea8
Change-Id: I84108e54217866205a48c45e8b59355012c32ea8
(cherry picked from commit 7205c62933)
Users of libinit_test_utils must include all libraries that it uses.
If it uses libinit, then there is a large number of libraries that
must be included. To avoid this, make libinit_test_utils only use
init_common_sources and the small number of required libraries that go
along with those sources. Additionally, expose these sources as a
default for users of libinit_test_utils.
Bug: 148236233
Test: build
Merged-In: I224fa7e0590d073e4cd40412b5dcb6f72a64b6bf
Change-Id: I224fa7e0590d073e4cd40412b5dcb6f72a64b6bf
(cherry picked from commit a2f9136b2c)
When bind-mounting flattened APEX, use the apex name found in
apex_manifest.pb as the mount point, instead of the directory name which
might be different from apex name in case when the apex is overridden.
This allowed us to remove the special casing for the ART apex since we
/system/apex/com.android.art.release will be mounted to
/apex/com.android.art instead of /apex/com.android.art.release.
Bug: N/A
Test: m
Test: OVERRIDE_TARGET_FLATTEN_APEX=true m, device is bootable
Change-Id: Ibdde7002b9078db390e6672b0eb82c474925451d
sys.init.userspace_reboot.in_progress will be used to notify all
the processes (including vendor ones) that userspace reboot is
happening, hence it should be treated as stable public api.
All other sys.init.userspace_reboot.* props will be internal to /system
partition and don't require any stability guarantees.
Test: builds
Test: adb reboot userspace
Bug: 135984674
Change-Id: Ifb64a6bfae2de76bac67edea68df44e33c9cfe2d
We have all of the 'type' information for properties available during
build time, so let's check this when setting properties in init.
Test: setprop apexd.status bad results in:
host_init_verifier: Command 'setprop apexd.status bad'
(out/soong/.intermediates/system/core/rootdir/init.rc/android_x86_core/init.rc:927)
failed: Property type check failed, value doesn't match expected type
'enum starting ready'
host_init_verifier: Failed to parse init script
'out/soong/.intermediates/system/core/rootdir/init.rc/android_x86_core/init.rc'
with 1 errors
Test: CF builds without that error
Change-Id: Iaad07747c09f4a10b2b816c455d6e8a485357ab9
There is no reason for these scripts to continue to exist in /, when
they are better suited for /system/etc. There are problems keeping
them at / as well, particularly that they cannot be updated with
overlayfs.
Bug: 131087886
Bug: 140313207
Test: build/boot
Merged-In: I043d9a02ba588ca37ceba2c4e28ed631792b2586
Change-Id: I043d9a02ba588ca37ceba2c4e28ed631792b2586
init should be able to register native services with lmkd so that they
can be killed when needed. Only processes with oom_score_adjust not
equal to the default -1000 will be registered with lmkd because with the
score that low the process is unkillable anyway.
Inform lmkd when a registered process is killed so that the record can be
removed.
Change init.rc to start lmkd during init phase so that it is there to
register other services.
Replace hardcoded oom_score_adj values with appropriate definitions.
Bug: 129011369
Test: boot and verify native service registration
Change-Id: Ie5ed62203395120d86dc1c8250fae01aa0b3c511
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Also put libfscrypt into fs_mgr via whole_static_libs
since it's now a dependency.
Bug: 143307095
Test: we can use the inline policy on it
Change-Id: I82d7d5330abef76ce82accea25d2663748e87a8b
This patch translates UpdateState states into a MergeStatus from
IBootControl 1.1, and asks the HAL to store it. Unfortunately this patch
has to work around a few issues.
The first issue is that Soong doesn't allow including only the headers
from a HAL. The second issue is that entraining the headers requires
linking to libraries that would otherwise not be needed in init.
To address this, we now have three ways of linking to libsnapshot:
1. libsnapshot - Has access to gsid and HALs.
2. libsnapshot_nobinder - Has access to HALs, but not binder (for
recovery).
3. libsnapshot_init - Does not use binder or HALs.
The HAL code is #ifdef'd behind LIBSNAPSHOT_USE_HAL and we make use of
forward declarations and dependency injection to minimize its spread.
Bug: 139154945
Test: libsnapshot_test gtest
Change-Id: I21ffd8a79a43d0589f2f71f346ac1b019584a183
Since it's available in C++, it's easier to build host_init_verifier
with this than create a new way to export the json file.
Bug: 141567104
Test: manually change hidl interface in a manifest
host_init_verifier: system/core/rootdir/init.rc: 69:
host_init_verifier: Interface is not in the known set of hidl_interfaces: 'android.hardwar.edne@1.0::IFoo'. Please ensure the interface is spelled correctly and built by a hidl_interface target.
Change-Id: Ic73dcb51855cb751734bc497d8e69f379966c511
When I previously tried this in https://r.android.com/1108553 , it broke on
some targets but I think that may have been fixed. I'm trying it again now
to see if this now passes treehugger and sticks.
Note: There is still an indirect dependency via libfs_mgr.
Bug: 137267623
Test: Treehugger
Change-Id: I2d8b909e451bb64a1eb0719a145dfd74da1dcbad
Userspace may want to load a different firmware than the one that the
kernel requests in some cases, therefore this change adds the ability
to ueventd to run an external handler that will determine the name of
the file that should actually be loaded.
Bug: 138352500
Test: unit tests
Change-Id: Ic5da37268fd78109f83ae52d1b903bf7322a5ee5
It's been a long standing issue that init cannot respond to property
set messages when it is running a builtin command. This is
particularly problematic when the commands involve IPC to vold or
other daemons, as it prevents them from being able to set properties.
This change has init run property service in a thread, which
eliminates the above issue.
This change may also serve as a starting block to running property
service in an entirely different process to better isolate init from
handling property requests.
Reland: during reboot, init stops processing property_changed messages
from property service, since it will not act on these anyway. This
had an unexpected effect of causing future property_set calls to block
indefinitely, since the buffer between init and property_service was
filling up and the send() call from property_service would then
block. This change has init tell property_service to stop sending it
property_changed messages once reboot begins.
Test: CF boots, walleye boots, properties are set appropriately
Change-Id: I26902708e8be788caa6dbcf4b6d2968d90962785
Added in af1a9bfb8f, but it's never been
used in practice because of the performance impact, and it's incompatible
with our ability to add new system calls via a bionic module update
because it defaults to disabling all unknown syscalls, and init will
still be using the non-updated bootstrap libc from when it first shipped.
Test: treehugger
Change-Id: I8e396675fcfaf0218a92f464d15e613f43319305
Instead of init.cpp knowning about the boringssl self
test, use init.rc to exec dedicated self test executables.
Advantages:
- The self test is run not only both the copy of libcrypto
in /system but also /apex/com.android.conscrypt.
- The self test is run not only for the primary (e.g. 64bit)
ABI but also for a secondarry (e.g. 32bit) ABI.
- The dependency on libcrypto is kept to the self test binary.
- The self test binary abstracts the exact native API for
running the self test (this will change soon because the
self test will be run when the library is loaded).
Bug: 137267623
Test: Check that logcat shows both binaries being started as root,
and finishing with exit code 0.
Change-Id: I1e716749ee2133993f0f7b2836483391fd1a62f0
It's been a long standing issue that init cannot respond to property
set messages when it is running a builtin command. This is
particularly problematic when the commands involve IPC to vold or
other daemons, as it prevents them from being able to set properties.
This change has init run property service in a thread, which
eliminates the above issue.
This change may also serve as a starting block to running property
service in an entirely different process to better isolate init from
handling property requests.
Test: CF boots, walleye boots, properties are set appropriately
Change-Id: I13b8bf240c9fcb1d2d5890a8be2f0ef74efd4adf
Note that /metadata must now be mounted before CreateLogicalPartitions()
is called. This is because SnapshotManager overrides the default
partitioning scheme, and the only way to tell if a SnapshotManager is
needed is via the metadata partition.
Bug: 139204329
Test: manual test
Change-Id: I812df6c4c0d4d8753b1516f63dc70c5bc3e1c09c
It's been a long standing issue that init cannot respond to property
set messages when it is running a builtin command. This is
particularly problematic when the commands involve IPC to vold or
other daemons, as it prevents them from being able to set properties.
This change has init run property service in a thread, which
eliminates the above issue.
This change may also serve as a starting block to running property
service in an entirely different process to better isolate init from
handling property requests.
Test: CF boots, walleye boots, properties are set appropriately
Change-Id: Id9534a5916abb2f7d2a49cda54e33c1b69c50c2f
host_init_verifier statically links libprocessgroup, which has shared
dependency on libjsoncpp. Right now it also has shared dependency on
libjsoncpp, resulting in ODR violation:
ERROR: AddressSanitizer: odr-violation (0x7fce895f3220):
[1] size=8 'Json::kNullRef' external/jsoncpp/src/lib_json/json_value.cpp:37:22
[2] size=8 'Json::kNullRef' external/jsoncpp/src/lib_json/json_value.cpp:37:22
These globals were registered at these points:
[1]:
#0 0x56276926ef0d (/usr/local/google/buildbot/src/android/master/out/host/linux-x86/bin/host_init_verifier+0xd1f0d)
#1 0x7fce894ac1d9 (/lib64/ld-linux-x86-64.so.2+0x101d9)
[2]:
#0 0x56276926ef0d (/usr/local/google/buildbot/src/android/master/out/host/linux-x86/bin/host_init_verifier+0xd1f0d)
#1 0x7fce894ac1d9 (/lib64/ld-linux-x86-64.so.2+0x101d9)
Move host_init_verifier to libjsoncpp_headers to fix the ODR violation.
Bug: 139546461
Bug: 131328001
Test: Run ASAN host_init_verifier
Change-Id: I54a51138d61fff37f092ffaa0758817600a0af9d
Includes refactoring out interface inheritance hierarchy logic to a new
interface_utils file.
Bug: 137397100
Test: 'm' with an init_rc that misspells an interface in an
interface_start, interface_restart, or interface_stop line.
Change-Id: I9f650289d64ae2b13435a81e1693c7ab5e6e9ecf
* changes:
Adds new property for service name -> PID.
Adds a library to parse service info from init_rc files for use in tests.
Adds a visibility rule for init defaults.
Host init verifier already checks that the names and number of
arguments for builtins are correct, but it can check more. This
change ensures that property expansions are well formed, and that
arguments that can be parsed on the host are correct. For example it
checks that UIDs and GIDs exist, that numerical values can be parsed,
and that rlimit strings are correct.
Test: build
Change-Id: Ied8882498a88a9f8324db6b8d1020aeeccc8177b
This makes `pathmod init` and `gomod init` work, and it also reserves
the 'init' for potential future usage.
Change-Id: I6990bf421211b93d58d978d84d46474ff243e808
Bugs: me
Test: pathmod init; gomod init
clang-tidy hinted that some of this code wasn't right. Looking
deeper, there is really not much related to file and socket
descriptors, except that they're published in similar ways to the
environment. All of the abstraction into a 'Descriptor' class takes
us further away from specifying what we really mean.
This removes that abstraction, adds stricter checks and better errors
for parsing init scripts, reports sockets and files that are unable to
be acquired before exec, and updates the README.md for the passcred
option.
Test: build, logd (uses files and sockets) works
Change-Id: I59e611e95c85bdbefa779ef69b32b9dd4ee203e2
Bug: 118016875
Test: Added 'interface' lines to an init_rc file and observed errors
when misspelled or missing entire inheritance hierarchy.
Change-Id: I681420f15539742d8415808b2a0dcbf0bf6faaf1
- unused
- using binder requires twoway calls (since getting a service from
servicemanager requires two calls)
Bug: 135768100
Test: N/A
Change-Id: Idc41f487bad2d8343e99ded98812f3a84e2b8e37