Commit graph

129 commits

Author SHA1 Message Date
Deyao Ren
238e909349 Remove and add service and action during apex load and unload
Bug: 232114573
Test: atest CtsInitTestCases ApexTestCases
Change-Id: I1f91ada1d44ac2380e2faf8fc25e0a521cc1a826
2022-08-30 17:31:00 +00:00
Deyao Ren
df40ed1be1 Add apex name to service
Passed apex file name to service. The file name will be parsed
to determine 1) whether the service is from an apex; 2) apex name

Bug: 236090201

Change-Id: I2c292c0c067f4bf44bb25b1f80e4f972b94f7258
2022-07-22 04:00:30 +00:00
Jiyong Park
11d7bc52df init: don't touch mmap_rnd_compat_bits on 64-bit only builds
mmap_rnd_compat_bits is for address space randomization of 32-bit
applications on 64-bit system. Configuring it is not only unnecessary
for 64-bit "only" builds, but also can cause a boot failure if the
kernel is built without CONFIG_COMPAT which is the case for Microdroid.

Use ro.product.abilist32 to determine whether 32-bit applications are
supported and if not, don't configure it, but mmap_rnd_bits.

Bug: 237950549
Test: run Microdroid with the kernel built with aosp/2153639

Change-Id: Ifca6fa02f14ad4c7d8f9b2ab8852494c12945c3a
2022-07-18 14:31:13 +09:00
Eric Biggers
48c05a6d03 init: remove unneeded special cases from FscryptInferAction
All the individual directories being treated specially by
FscryptInferAction() already have an explicit encryption action in the
corresponding mkdir commands.  The explicit action is the source of
truth, so the special cases in FscryptInferAction() are unnecessary.

Also, some of these cases were outdated.  For example, /data/app-staging
was changed from encryption=None to encryption=DeleteIfNecessary at some
point, but FscryptInferAction() was not updated.  This is causing the
warning "Inferred action different from explicit one" to be logged.

Additional "Inferred action different from explicit one" warnings are
logged due to subdirectories of /data/apex being explicitly encrypted.

Change FscryptInferAction() to only do what it needs to do: check
whether the directory is a top-level directory of /data or not.  Remove
the above-mentioned warning which is not useful.

Bug: 232554803
Change-Id: If6611d64107a19d242892c92dfea095577e193e5
2022-05-16 19:06:22 +00:00
Eric Biggers
6cb5a36f4c init: fix mkdir to reliably detect top-level /data directories
To determine the default encryption action, the mkdir command checks
whether the given path is a top-level directory of /data.  However, it
assumed a path without any duplicate slashes or trailing slash(es).

While everyone *should* be providing paths without unnecessary slashes,
it is not guaranteed, as paths with unnecessary slashes still work
correctly for all other parts of the mkdir command, including the
SELinux label lookup and the actual directory creation.  In particular,
the /data/fonts directory is being created using 'mkdir /data/fonts/'.

The effect is that the mkdir command thinks that /data/fonts/ is *not* a
top-level directory of /data, so it defaults to no encryption action.
Fortunately, the full command happens to use "encryption=Require", so we
dodged a bullet there, though the warning "Inferred action different
from explicit one" is still triggered.

There are a few approaches we could take here, including even just
fixing the /data/fonts/ command specifically, but I think the best
solution is to have mkdir clean its path at the very beginning.  This
retains the Linux path semantics that people expect, while avoiding
surprises in path processing afterwards.  This CL implements that.

Note, this CL intentionally changes the behavior of, and thus would
break, any existing cases where mkdir is used to create a top-level
/data directory using a path with unnecessary slashes and without using
an explicit encryption action.  There are no known cases where this
already occurs, however.  No cases exist in platform code, and vendor
init scripts shouldn't be creating top-level /data directories anyway.

Test: atest CtsInitTestCases
Test: Booted and verified that a trailing slash is no longer present in
      the log message "Verified that /data/fonts/ has the encryption
      policy ...".  Also verified that the message "Inferred action
      different ..." is no longer present just above it.
Bug: 232554803
Change-Id: Ie55c3ac1a2b1cf50632d54a1e565cb98c17b2a6a
2022-05-13 19:29:00 +00:00
Eric Biggers
ef9275223c Move creation of /data/user/0 and /data/media/obb to vold
To prevent bugs, directory creation and encryption should happen
together.  /data/user/0 (and its "alias" /data/data) is a per-user
encrypted directory; such directories can only be encrypted by vold.
Therefore, move its creation to vold as well.

Besides closing the uncomfortably-large gap between the creation and
encryption of /data/user/0, this allows removing init's write access to
/data/user and similar directories (SELinux type system_userdir_file) to
prevent any such issues from being reintroduced in the future.

To also allow removing init's write access to /data/media (SELinux type
media_userdir_file), which also contains per-user encrypted directories,
also move the creation and encryption of /data/media/obb to vold.

Bug: 156305599
BYPASS_INCLUSIVE_LANGUAGE_REASON=Linux API ("slave" mount flag)
Change-Id: I7245251eeb56b345b6c7711482c0aa5848648edb
2022-05-11 21:50:35 +00:00
Jiyong Park
3b3d87de79 Don't create vendor_init in microdroid
vendor_init is a subcontext of init which is responsible for handling
the vendor-defined services and vendor-defined actions. This is mainly
to enforce the Treble architecture in which the vendor components are
provided with a less-privileged context than the system components
because they are less-trusted.

However, in case of microdroid, both the system and the vendor
partitions are from the same entity. As VMs don't have direct access to
any of the underlying hardware, the vendor partition is targeting the
virtual platform, not the real hw platform. There really is no need for
the discrimination.

This CL disables the creation of the vendor_init subcontext when init
runs in microdroid.

Bug: 201363575
Test: atest MicrodroidHostTestCases
Change-Id: Ie5e47d84e9e245565239b4f2159e8182b457699d
2021-09-29 21:35:08 +09:00
Devin Moore
6d5445b9f4 init: remove extra space in list of bootconfig values
If a bootconfig argument has a list of values, it has a space between
them in /proc/bootconfig.

Example:
BOARD_BOOTCONFIG := parameter=value1,value2,value3

In /proc/bootconfig, it looks like:
parameter = "value1", "value2", "value3"

Before this CL, that example would end up with the value string of:
"value1, value2, value3"

To keep consistent behavior with kernel cmdline the value string should be:
"value1,value2,value3"

Test: Boot cuttlefish with test bootconfig params and verify ro.boot.*
Bug: 192257482
Change-Id: Iccdec451f53330162fa2c9ad2b7c2630f32b4168
2021-07-08 01:52:46 +00:00
Alistair Delva
3bb240bd4c Allow android_dt_dir to be set by bootconfig
The androidboot.android_dt_dir property is special, because it is loaded
to find out where to get the other DT properties from, and those DT
properties are supposed to override the cmdline/bootconfig ones. So, it
need special casing, and that special case lacked bootconfig support.

Bug: 173815685
Test: launch_cvd -extra_kernel_cmdline androidboot.android_dt_dir=/tmp
[..]
init: Using Android DT directory /tmp
[..]
Change-Id: Ie0958dd0a96394d65f6568653b754ea6f885212e
2021-03-09 19:14:17 +00:00
Kiyoung Kim
0cbee0de2a Check if service is executed before APEX is ready
Any service which is executed when Runtime apex is mounted, but
linkerconfig is not updated can fail to be executed due to missing
information in ld.config.txt. This change updates init to have a status
variable which contains if current mount namespace is default
and APEX is not ready from ld.config.txt, and use bootstrap namespace if
it is not ready.

Bug: 181348374
Test: cuttlefish boot succeeded
Change-Id: Ia574b1fad2110d4e68586680dacbe6137186546e
2021-03-05 16:42:20 +09:00
Devin Moore
a4ef15bebb Support bootconfig in first stage init and fs_mgr
Androidboot parameters are being moved from the kernel commandline to
bootconfig.
fs_mgr looks for these parameters in properties and falls back to
reading directly from /proc/cmdline. So both of these sources are
updated for bootconfig.
The androidboot parameters from /proc/bootconfig
are added as ro.boot properties, and fs_mgr will fall back to searching
/proc/bootconfig if it is too early.

Test: boot cuttlefish with androidboot.fstab_suffix and
androidboot.hardware in bootconfig and not in cmdline.
Test: atest CtsFsMgrTestCases
Bug: 173815685

Change-Id: Iea36a0da94c26e1aa37d97c576725e0ad77cd3ad
2021-02-23 07:42:06 -08:00
Tom Cherry
959ea63b30 init: remove DumpShutdownDebugInformation()
This hasn't helped investigating the issue, and the issue itself isn't
a problem anymore, so we remove these logs.

Bug: 155203339
Test: reboot
Change-Id: I20e51d8fcad5572906a8d556bec8a8dee4522834
2020-12-10 07:34:29 -08:00
Alistair Delva
de28a8651f Respect ro.boot.fstab_suffix in swapon_all
While mount_all and umount_all were updated to use ro.boot.fstab_suffix,
I neglected to update swapon_all. Trivially copied from umount_all.

Bug: 142424832
Change-Id: Icd706fe7a1fe16c687cd2811b0a3158d7d2e224e
Merged-In: Icd706fe7a1fe16c687cd2811b0a3158d7d2e224e
2020-06-08 23:41:40 +00:00
Alistair Delva
a2cc1ebb72 Add ro.boot.fstab_suffix and modify mount_all to use it
Currently the ReadDefaultFstab function, which calls GetFstabPath,
makes some assumptions about what the fstab will be called and where
it is located. This is being used by vold to set up userdata encryption
and for gsid, and is even used in the default boot control HAL, so it
has become quite baked.

The original way for a board to specify things to mount was to use the
"mount_all /path/to/fstab" command in init.rc. However, due to the
above functionality, the path after mount_all is no longer very useful,
as it cannot differ from the inferred path, or userdata encryption and
other features will be broken.

On Cuttlefish, we have an interest in being able to test alternative
userdata configurations (ext4 vs f2fs, encryption on/off, etc.) and
currently the only way to achieve this is to either a) modify the
ro.hardware or ro.hardware.platform properties, which breaks a bunch
of things like default HAL filenames, or regenerate our odm.img or
vendor.img filesystems. We can't simply install another fstab and
point to it with "mount_all".

This change allows the fstab path to be omitted from "mount_all", and
adds another property which overrides the existing checks for
fstab.${ro.hardware} and fstab.${ro.hardware.platform}. Specifying
${ro.boot.fstab_suffix} will cause fstab.${ro.boot.fstab_suffix}
to be checked first.

Bug: 142424832
Test: booted cuttlefish with 'mount_all ${ro.hardware} --late'
Test: booted cuttlefish with 'mount_all --late'
Test: booted cuttlefish with 'mount_all --late' and fstab_suffix=f2fs
Test: partially booted cuttlefish with 'mount_all ${ro.hardware}'
Test: partially booted cuttlefish with 'mount_all'
Change-Id: I3e10f66aecfcd48bdb9ebf1d304b7aae745cbd3c
2020-05-21 16:38:40 -07:00
Tom Cherry
1c84135144 init: add even more debugging information for reboot
There are devices stuck waiting for vendor_init to finish a command,
without giving much more information.  Instead of setting aside the
last run command, it's more valuable to store and dump the last 30
logs seen.

Bug: 155203339
Test: these logs appear during hung reboots
Test: normal reboots have no difference.
Change-Id: I99cae248eb81eaf34ef66b910fa653a9fa135f68
2020-04-29 09:01:53 -07:00
Tom Cherry
a2f9136b2c Refactor libinit_test_utils to not use libinit and expose its libraries
Users of libinit_test_utils must include all libraries that it uses.
If it uses libinit, then there is a large number of libraries that
must be included.  To avoid this, make libinit_test_utils only use
init_common_sources and the small number of required libraries that go
along with those sources.  Additionally, expose these sources as a
default for users of libinit_test_utils.

Test: build
Change-Id: I224fa7e0590d073e4cd40412b5dcb6f72a64b6bf
2020-02-20 11:31:35 -08:00
Bernie Innocenti
cecebbbacc Convert system/core to Result::ok()
No functionality changes, this is a mechanical cleanup.

Test: m
Test: cd system/core && atest
Change-Id: Ifdaa3ce1947ed578f656d5a446978726eb416c36
2020-02-06 17:04:27 +00:00
Tom Cherry
c88d8f93cf init: Replace property_set() with android::base::SetProperty()
Init is no longer a special case and talks to property service just
like every other client, therefore move it away from property_set()
and to android::base::SetProperty().

In doing so, this change moves the initial property set up from the
kernel command line and property files directly into PropertyInit().
This makes the responsibilities between init and property services
more clear.

Test: boot, unit test cases
Change-Id: I36b8c83e845d887f1b203355c2391ec123c3d05f
2019-12-04 15:43:21 -08:00
Tom Cherry
18278d2e9c init: make triggering shutdown from vendor_init better
Previously, we assumed that TriggerShutdown() should never be called
from vendor_init and used property service as a back up in case it
ever did.  We have since then found out that vendor_init may indeed
call TriggerShutdown() and we want to make it just as strict as it is
in init, wherein it will immediately start the shutdown sequence
without executing any further commands.

Test: init unit tests, trigger shuttdown from init and vendor_init
Change-Id: I1f44dae801a28269eb8127879a8b7d6adff6f353
2019-11-13 12:41:34 -08:00
Paul Crowley
68258e8444 Make encryption action an argument to mkdir
FscryptSetDirectoryPolicy no longer tries to infer the action from the
filename. Well mostly; it still assumes top-level directories in /data
should be encrypted unless the mkdir arguments say otherwise, but
it warns.

Bug: 26641735
Test: boot, check log messages
Change-Id: Id6d2cea7fb856f17323897d85cf6190c981b443c
2019-11-05 16:26:43 -08:00
Elliott Hughes
636ebc9b3b init: actually report which signal is causing the reboot.
It wasn't clear to me why init was rebooting until I saw that it was
SIGABRT, which then made me read through earlier log spam to work out
what was actually unhappy (the SELinux compiler, in my case).

Test: worked out why init was rebooting my device
Change-Id: I605d8956213c4c23711073fd4b0ff99562b7f351
2019-10-07 18:16:23 -07:00
Tom Cherry
4772f1da47 init: check the arguments of builtins during the build
Host init verifier already checks that the names and number of
arguments for builtins are correct, but it can check more.  This
change ensures that property expansions are well formed, and that
arguments that can be parsed on the host are correct.  For example it
checks that UIDs and GIDs exist, that numerical values can be parsed,
and that rlimit strings are correct.

Test: build

Change-Id: Ied8882498a88a9f8324db6b8d1020aeeccc8177b
2019-08-01 10:54:47 -07:00
Tom Cherry
c5cf85db23 init: don't log in expand_props directly
It's better to pass the error message to the caller to determine how
best to print the error.

Test: build
Change-Id: Id8857c459df2f26c031650166609608d20e4d051
2019-08-01 10:34:58 -07:00
Tom Cherry
2e4c85f157 init: clean up file / socket descriptor creation
clang-tidy hinted that some of this code wasn't right.  Looking
deeper, there is really not much related to file and socket
descriptors, except that they're published in similar ways to the
environment.  All of the abstraction into a 'Descriptor' class takes
us further away from specifying what we really mean.

This removes that abstraction, adds stricter checks and better errors
for parsing init scripts, reports sockets and files that are unable to
be acquired before exec, and updates the README.md for the passcred
option.

Test: build, logd (uses files and sockets) works
Change-Id: I59e611e95c85bdbefa779ef69b32b9dd4ee203e2
2019-07-15 12:17:30 -07:00
Tom Cherry
247ffbf314 Fix a few clang-tidy issues and add NOLINT for others
android-base:
* Add NOLINT for expanding namespace std for std::string* ostream
  overload

libdm:
* Fix missing parentesis around macro parameters

init:
* Fix missing CLOEXEC usage and add NOLINT for the intended
  usages.
* Fix missing parentesis around macro parameters
* Fix erase() / remove_if() idiom
* Correctly specific unsigned char when intended
* 'namespace flags' should be signed, since 'flags' it signed for
  clone()
* Add clear to property restore vector<string> to empty after move
* Explicit comparison against 0 for strcmp

Test: build
Change-Id: I8c31dafda2c43ebc5aa50124cbbd6e23ed2c4101
2019-07-09 16:17:36 +00:00
Tom Cherry
172c83f972 init: remove last init.cpp global
By moving it into builtins.cpp..., but that's less bad than it is
now, especially since this is defunct in code targeting Q+.  Remove
the guards that init.h isn't being included by other files too as it's
not useful anymore.

Test: build
Change-Id: Ic564fcff9e8716ec924098b07a8c9d94ca25f960
2019-06-26 14:46:58 -07:00
Tom Cherry
bbcbc2ffb3 init: replace Result<Success> with Result<void>
Now that Result<T> is actually expected<T, ...>, and the expected
proposal states expected<void, ...> as the way to indicate an expected
object that returns either successfully with no object or an error,
let's move init's Result<Success> to the preferred Result<void>.

Bug: 132145659
Test: boot, init unit tests
Change-Id: Ib2f98396d8e6e274f95a496fcdfd8341f77585ee
2019-06-10 12:39:18 -07:00
Vic Yang
92c236e41b init: Refactor selinux.h/cpp
This change factors out functions that handle selabels from
selinux.h/cpp into selabel.h/cpp.  This allows util.cpp to be used by
the upcoming native zygote without a bunch of define flags that are
required for selinux.cpp.

Bug: 133443795
Test: Build and boot cuttlefish.
Change-Id: Ie238a96c6407c6698a605dd8803c1727abfaae7b
2019-05-29 15:09:39 -07:00
Tom Cherry
75e13baf32 init: make fatal reboot target configurable
Currently, if init encounters a fatal issues it reboots to fastboot
but this may be not desirable in all cases, especially the case of
critical services crashing.  Therefore this change adds the ability
for vendors to customize the reboot target via the
androidboot.init_fatal_reboot_target= kernel command line.

This applies to all LOG(FATAL) messages as well as fatal signals in
userdebug/eng builds, except for signals before logging is enabled in
first stage init.

Bug: 121006328
Test: device reboots to configurable target with LOG(FATAL)
Test: device reboots to configurable target after a segfault in the
      various stages of init
Test: device reboots to fastboot without a configured target
Change-Id: I16ea9e32e2fee08dece3d33b697d7a08191d607b
2019-05-29 09:14:17 -07:00
Tom Cherry
59656fb377 init: dump stack when aborting
Dump init stacks when aborting either due to LOG(FATAL) or in
userdebug/eng builds due to signals, including signals from
sanitizers.

Doesn't work for static first stage init yet, b/133450393 tracks
that.

Also, ensure that LOG(FATAL) in child processes calls abort() in all
stages of init, not just 2nd stage init.

Bug: 131747478
Test: abort init in various ways and see stacks
Test: hang or crash in backtrace handler and see child reboot
Change-Id: Ib53b5d3e7e814244203f875de016ada9900dfce8
2019-05-29 08:58:29 -07:00
Jiyong Park
6866041ff0 Proper mount namespace configuration for bionic
This CL fixes the design problem of the previous mechanism for providing
the bootstrap bionic and the runtime bionic to the same path.

Previously, bootstrap bionic was self-bind-mounted; i.e.
/system/bin/libc.so is bind-mounted to itself. And the runtime bionic
was bind-mounted on top of the bootstrap bionic. This has not only caused
problems like `adb sync` not working(b/122737045), but also is quite
difficult to understand due to the double-and-self mounting.

This is the new design:

Most importantly, these four are all distinct:
1) bootstrap bionic (/system/lib/bootstrap/libc.so)
2) runtime bionic (/apex/com.android.runtime/lib/bionic/libc.so)
3) mount point for 1) and 2) (/bionic/lib/libc.so)
4) symlink for 3) (/system/lib/libc.so -> /bionic/lib/libc.so)

Inside the mount namespace of the pre-apexd processes, 1) is
bind-mounted to 3). Likewise, inside the mount namespace of the
post-apexd processes, 2) is bind-mounted to 3). In other words, there is
no self-mount, and no double-mount.

Another change is that mount points are under /bionic and the legacy
paths become symlinks to the mount points. This is to make sure that
there is no bind mounts under /system, which is breaking some apps.

Finally, code for creating mount namespaces, mounting bionic, etc are
refactored to mount_namespace.cpp

Bug: 120266448
Bug: 123275379
Test: m, device boots, adb sync/push/pull works,
especially with following paths:
/bionic/lib64/libc.so
/bionic/bin/linker64
/system/lib64/bootstrap/libc.so
/system/bin/bootstrap/linker64
Change-Id: Icdfbdcc1efca540ac854d4df79e07ee61fca559f
2019-01-30 19:18:22 +09:00
Tom Cherry
d6c2feb9fa init: delete code that sets ro.recovery_id
It looks like this code is dead currently.  From history, this was
meant to be used as a way to check that the recovery image is what was
expected during runtime, but that effort never completed, and we have
full verification of the recovery image when booting into recovery
anyway.

The code is functionally dead as is too, since /recovery doesn't
actually exist in any fstab, since recovery is either mounted as a
ramdisk during recovery or not mounted during normal boot.

Test: boot
Change-Id: I48cd324ef0d5a163db2df2648f6042174b83f10e
2019-01-29 21:17:53 +00:00
Tom Cherry
48e83e629f init: move InitKernelLogging() to first stage init
The kernel opens /dev/console and uses that fd for stdin/stdout/stderr
if there is a serial console enabled and no initramfs, otherwise it
does not provide any fds for stdin/stdout/stderr.  InitKernelLogging()
is used to close these existing fds if they exist and replace them
with /dev/null.

Currently, InitKernelLogging() is only called in second stage init,
which means that processes exec'ed from first stage init will inherit
the kernel provided fds if any are provided.

In the case that they are provided, the exec of second stage init
causes an SELinux denial as it does not have access to /dev/console.
In the case that they are not provided, exec of any further process is
potentially dangerous as the first fd's opened by that process will
take the stdin/stdout/stderr fileno's, which can cause issues if
printf(), etc is then used by that process.

Lastly, simply moving InitKernelLogging() to first stage init is not
enough, since first stage init still runs in kernel context and future
child processes will not have permissions to access kernel context
resources.  Therefore, it must be done for a second time in second
stage init.

Bug: 117281017
Test: no audits when booting marlin.
Change-Id: If27edab5c32b27765e24c32fbed506ef625889de
2018-10-05 10:36:38 -07:00
Tom Cherry
40acb379cd Move watchdogd out of init
We're moving past a world where static executables are needed,
including watchdogd, so treat this like any other executable and place
it in /system/bin.

Bug: 73660730
Test: watchdogd still runs
Change-Id: I1f7508fd55dce6e9ee72a6ab7a085011a76c0053
2018-08-02 12:25:58 -07:00
Tom Cherry
f02506938e init: removed unused includes
Test: build
Change-Id: Ie3020491f67f6930acebe6397be6997b59477b96
2018-07-20 22:48:51 +00:00
Elliott Hughes
dc80312628 libbase: add host properties support.
Move init and libprocessgroup away from their existing hacks.

Bug: N/A
Test: ran tests
Change-Id: Ifabdd38e0cc4ab2582f1ea59d32159d386f48eb6
2018-05-24 18:04:31 -07:00
Tom Cherry
de6bd50d42 init: add host side parser for init
Create a host side parser for init such that init rc files can be
verified for syntax correctness before being used on the device.

Bug: 36970783
Test: run the parser on init files on host

Change-Id: I7e8772e278ebaff727057308596ebacf28b6fdda
2018-02-28 10:45:45 -08:00
Joel Galenson
4b591f1851 Run restorecon after init creates a symlink or writes to a file.
Init currently sets the SELinux context on a mkdir but not on
other operations.  This patch modifies it to do so when creating
symlinks, writing to a file, or copying a file.

Test: Built, flashed, and booted.  Added fake init entries and
verified that they received the proper SELinux context.

Change-Id: I836b570fef81d74f3b6c8e7ce0274e94ca7b12d3
2017-11-29 15:29:49 -08:00
Wei Wang
4cea121872 init: add log to time spent in waiting for file
Bug: 64925999
Test: boot and take log
Change-Id: I7d37906708b5a4a195fb1ba1113641656d419e62
2017-08-22 14:09:11 -07:00
Tom Cherry
d8db7ab80d init: replace panic() with LOG(FATAL)
Test: boot bullhead
Test: Introduce LOG(FATAL) at various points of init and ensure that
      it reboots to the bootloader successfully
Test: Introduce LOG(FATAL) during DoReboot() and ensure that it reboots
      instead of recursing infinitely
Test: Ensure that fatal signals reboot to bootloader

Change-Id: I409005b6fab379df2d635e3e33d2df48a1a97df3
2017-08-17 18:16:51 -07:00
Tom Cherry
11a3aeeae3 init: introduce Result<T> for return values and error handling
init tries to propagate error information up to build context before
logging errors.  This is a good thing, however too often init has the
overly verbose paradigm for error handling, below:

bool CalculateResult(const T& input, U* output, std::string* err)

bool CalculateAndUseResult(const T& input, std::string* err) {
  U output;
  std::string calculate_result_err;
  if (!CalculateResult(input, &output, &calculate_result_err)) {
    *err = "CalculateResult " + input + " failed: " +
      calculate_result_err;
      return false;
  }
  UseResult(output);
  return true;
}

Even more common are functions that return only true/false but also
require passing a std::string* err in order to see the error message.

This change introduces a Result<T> that is use to either hold a
successful return value of type T or to hold an error message as a
std::string.  If the functional only returns success or a failure with
an error message, Result<Success> may be used.  The classes Error and
ErrnoError are used to indicate a failed Result<T>.

A successful Result<T> is constructed implicitly from any type that
can be implicitly converted to T or from the constructor arguments for
T.  This allows you to return a type T directly from a function that
returns Result<T>.

Error and ErrnoError are used to construct a Result<T> has
failed. Each of these classes take an ostream as an input and are
implicitly cast to a Result<T> containing that failure.  ErrnoError()
additionally appends ": " + strerror(errno) to the end of  the failure
string to aid in interacting with C APIs.

The end result is that the above code snippet is turned into the much
clearer example below:

Result<U> CalculateResult(const T& input);

Result<Success> CalculateAndUseResult(const T& input) {
  auto output = CalculateResult(input);
  if (!output) {
    return Error() << "CalculateResult " << input << " failed: "
                   << output.error();
  }
  UseResult(*output);
  return Success();
}

This change also makes this conversion for some of the util.cpp
functions that used the old paradigm.

Test: boot bullhead, init unit tests
Merged-In: I1e7d3a8820a79362245041251057fbeed2f7979b
Change-Id: I1e7d3a8820a79362245041251057fbeed2f7979b
2017-08-14 14:07:30 -07:00
Tom Cherry
0c8d6d2730 init: split security functions out of init.cpp
This change splits out the selinux initialization and supporting
functionality into selinux.cpp and splits the security related
initialization of the rng, etc to security.cpp.  It also provides
additional documentation for SEPolicy loading as this has been
requested by some teams.

It additionally cleans up sehandle and sehandle_prop.  The former is
static within selinux.cpp and new wrapper functions are created around
selabel_lookup*() to better serve the users.  The latter is moved to
property_service.cpp as it is isolated to that file for its usage.

Test: boot bullhead
Merged-In: Idc95d493cebc681fbe686b5160502f36af149f60
Change-Id: Idc95d493cebc681fbe686b5160502f36af149f60
2017-08-14 09:40:01 -07:00
Yu Ning
c01022a62e Allow the use of a custom Android DT directory
On platforms that use ACPI instead of Device Tree (DT), such as
Ranchu x86/x86_64, /proc/device-tree/firmware/android/ does not
exist. As a result, Android O is unable to mount /system, etc.
at the first stage of init:

 init: First stage mount skipped (missing/incompatible fstab in
 device tree)

Those platforms may create another directory that mimics the layout
of the standard DT directory in procfs, and store early mount
configuration there. E.g., Ranchu x86/x86_64 creates one in sysfs
using information encoded in the ACPI tables:

 https://android-review.googlesource.com/442472
 https://android-review.googlesource.com/443432
 https://android-review.googlesource.com/442393
 https://android-review.googlesource.com/442395

Therefore, instead of hardcoding the Android DT path, load it from
the kernel command line using a new Android-specific property key
("androidboot.android_dt_dir"). If no such property exists, fall
back to the standard procfs path (so no change is needed for DT-
aware platforms).

Note that init/ and fs_mgr/ each have their own copy of the Android
DT path, because they do not share any global state. A future CL
should remove the duplication by refactoring.

With this CL as well as the above ones, the said warning is gone,
but early mount fails. That is a separate bug, though, and will be
addressed by another CL.

Test: Boot patched sdk_phone_x86-userdebug system image with patched
      Goldfish 3.18 x86 kernel in patched Android Emulator, verify
      the "init: First stage mount skipped" warning no longer shows
      in dmesg.

Change-Id: Ib6df577319503ec1ca778de2b5458cc72ce07415
Signed-off-by: Yu Ning <yu.ning@intel.com>
2017-07-28 11:10:48 +08:00
Tom Cherry
ede0d53850 Move Timer from init to libbase
Test: boot bullhead
Test: new libbase unit tests

Change-Id: Ic398a1daa1fe92c10ea7bc1e6ac3f781cee9a5b5
2017-07-10 09:28:24 -07:00
Wei Wang
eeab491efd init: Support custom shutdown actions
We have been seeing panics and errors during shutdown sequence in
some vendor's platform, and it is required to disable error handling
during shutdown.

This CL separates the shutdown request to execute another "shutdown"
trigger at the beginning of shutdown stage. And vendor can use this
trigger to add custom commands needed for shutting down gracefully.

Bug: 38203024
Bug: 62084631
Test: device reboot/shutdown
Change-Id: I3fac4ed59f06667d86e477ee55ed391cf113717f
2017-07-05 14:49:57 -07:00
Tom Cherry
81f5d3ebef init: create android::init:: namespace
With some small fixups along the way

Test: Boot bullhead
Test: init unit tests
Change-Id: I7beaa473cfa9397f845f810557d1631b4a462d6a
2017-06-23 13:21:20 -07:00
Tom Cherry
482f36cf74 init: remove restorecon() from util.cpp
restorecon() has become nothing more than a small wrapper around
selinux_android_restore().  This itself isn't super problematic, but
it is an obstacle for compiling util.cpp on the host as that function
is not available on the host.

Bug: 36970783
Test: Boot bullhead
Merged-In: I7e209ece6898f9a0d5eb9e5d5d8155c2f1ba9faf
Change-Id: I7e209ece6898f9a0d5eb9e5d5d8155c2f1ba9faf
2017-05-09 02:25:32 +00:00
Mark Salyzyn
b066fccc5c init: add "+passcred" for socket to set SO_PASSCRED
In the init scripts for socket, the type can have a suffix of
"+passcred" to request that the socket be bound to report SO_PASSCRED
credentials as part of socket transactions.

Test: gTest logd-unit-tests --gtest_filter=logd.statistics right after boot
      (fails without logd.rc change)
Bug: 37985222
Change-Id: Ie5b50e99fb92fa9bec9a32463a0e6df26a968bfd
2017-05-08 14:04:13 -07:00
Tom Cherry
2cbbe9f7a3 init: do not log directly from read_file() and write_file()
Their callers may be able to add more context, so use an error string
to record the error.

Bug: 38038887
Test: boot bullhead
Test: Init unit tests
Change-Id: I46690d1c66e00a4b15cadc6fd0d6b50e990388c3
2017-05-05 14:37:12 -07:00
Tom Cherry
517e1f17cf init: Check DecodeUid() result and use error string
Check the result of DecodeUid() and return failure when uids/gids are
unable to be decoded.

Also, use an error string instead of logging directly such that more
context can be added when decoding fails.

Bug: 38038887
Test: Boot bullhead
Test: Init unit tests
Change-Id: I84c11aa5a8041bf5d2f754ee9af748344b789b37
2017-05-05 14:37:01 -07:00