This adds three more diagnostics to stuck exec services:
1. /proc/pid/fds is dumped
2. /proc/pid/status is dumped
3. HandleSignalFd is called to see if a SIGCHLD got stuck somewhere
Bug: 223076262
Test: while (1) in linkerconfig
Ignore-AOSP-First: diagnostics
Change-Id: Ida601d86e18be9d49b143fb88b418cbc171ecac6
writepid usage to add a task to a cgroup was deprecated in favor of the
task_profile command. The reason is that writepid hardcodes cgroup path
and makes it hard to change it in the future, whereas task profiles
configure cgroup paths in one centralized place and are easy to change.
Log a warning when writepid is used with cgroups and try converting it
into a task_profiles command for well-known cgroups. If conversion is
not possible the writepid operation will still be attempted to avoid
breaking existing use cases and an error will be logged.
Bug: 191283136
Test: build and boot
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: Ie58393468ef7d92ab0ffb41e6f339e36d21f7478
During process startup, system creates a process group and places the
new process in it. If process group creation fails for some reason, the
new child process will stay in its parent's group. This poses danger
when the child is being frozen because the whole group is affected and
its parent is being frozen as well.
Fix this by treating group creation failure as a fatal error which would
prevent the app from starting.
Bug: 227395690
Test: fake group creation failure and confirm service failure to start
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I83261bef803751759c7fd709bf1ccd33ccad3a0b
It could be the case that /dev/console is created at the first stage
boot. ueventd doesn't have a permission to relabel from tmpfs to
console_device, so we should try restorecon /dev/console, together with
/dev.
Bug: 193118220
Test: atest MicrodroidHostTestCases
Change-Id: Ic538bc9214d3996fe7b37fa2224c1f0c6eb373d1
Includes extracting the APEX-specific SDK version naming scheme filter
logic so it can be reused when host_apex_verifier looks at rc files
inside the APEX.
Bug: 222121216
Test: Use in host_apex_verifier
Change-Id: I0396a455f30d2de71525ccd3fa69c75576054048
Certain binaries, such as snapuserd, are only available under
/system/bin. To make them accessible by first stage init, we copy
/system/bin/snapuserd to /first_stage_ramdisk/system/bin/snapuserd.
Test: th
Bug: 219841787
Change-Id: I913425a82905c745a05ac32d488f08506dc264ff
First, we load independent modules in parallel, then we singly load
modules which have soft-dependencies, then remove them from the dependency
list of other modules. Repeat these steps until all modules are loaded.
Bug: 180676019
Test: boot successfully, and save more than 400 ms on Pixel 6 Pro.
Signed-off-by: chungkai <chungkai@google.com>
Change-Id: Ib844cfee72d4049bd951528692c818b4fa6c8e8f
* changes:
Init: add dev.mnt.blk.bootdevice to access device sysfs
init: mount_handler: detect main block device more reliably
init.rc: use /sys/class/block instead of /sys/devices/virtual/block
This adds two new diagnostics. First, signalfd reads are now non-blocking. If the read takes more than 10 seconds, we log an error.
Second, init now wakes up from epoll() every 10 seconds. If it waits on an "exec" command for more than 10 seconds, it logs an error.
This change will be reverted as soon as we get feedback.
Bug: 223076262
Test: device boots
Change-Id: I7ee98d159599217a641b3de2564a92c2435f57ef
This patch adds a new property, 'dev.mnt.root.<mount_point>', which provides,
for example of /data,
1. dm-N
   dev.mnt.dev.data = dm-N
   dev.mnt.blk.data = sdaN or mmcblk0pN
   dev.mnt.rootdisk.data = sda or mmcblk0
2. sdaN or mmcblk0pN
   dev.mnt.dev.data = sdaN or mmcblk0pN
   dev.mnt.blk.data = sdaN or mmcblk0pN
   dev.mnt.rootdisk.data = sda or mmcblk0
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: I0a58a62d416f966f26b5de04112c2f9a7eceb22c
Current code is not portable beyond SCSI devices (e.g., UFS).
For example, eMMC and NVMe devices fail due to their extra postfix.
Change its logic to rewind each character until "queue" directory appears.
Test: Confirm md0p1, sda20, nvme0n1p3, mmcblk0p3 are all handled well.
Change-Id: I585ccf2d4a72f6ef8ecb203acdd72a1e32d3e749
Signed-off-by: Juhyung Park <qkrwngud825@gmail.com>
This reverts commit 471643a909.
Reason for revert: Given https://r.android.com/1960063, it is safe to revert this diagnostics patch
Change-Id: Ib3600c1982ee10a0204ac0fdbc3e160c2833ed07
These aren't actually duplicate interfaces because we
are overriding the service so interfaces in the original
definition will never be used.
Test: Verify 'm dist' works without complaining about
duplicate interfaces.
Change-Id: Iab5e1d8bb4cb7d5b2608028c3cee73af94c47424
This kernel command-line parameter may be used to alter the loading of
firmware.
Bug: 222166126
Test: n/a
Change-Id: I6dc1ae92694cf08b11ab6c3c41aa3d62c992a72a
The Service::Start() method is so long that its length negatively
affects readability of the code. Hence this patch that splits
Service::Start().
Test: Booted Android in Cuttlefish.
Change-Id: I5a6f587ecc5e6470137de6cceda7e685bce28ced
Signed-off-by: Bart Van Assche <bvanassche@google.com>
The Service::Start() method is so long that its length negatively
affects readability of the code. Hence this patch that splits
Service::Start().
Test: Booted Android in Cuttlefish.
Change-Id: I972f4e60844bb0d133b1cca1fd4e06bb89fc5f37
Signed-off-by: Bart Van Assche <bvanassche@google.com>
The Service::Start() method is so long that its length negatively
affects readability of the code. Hence this patch that splits
Service::Start().
Test: Booted Android in Cuttlefish.
Change-Id: Ib8e1e87fbd335520cbe3aac2a88d250fcf3b4ff0
Signed-off-by: Bart Van Assche <bvanassche@google.com>
In Android S and later, androidboot.* kernel cmdline parameters are
moved to bootconfig instead of the kernel cmdline. This includes the
androidboot.force_normal_boot.
Bug: 219951268
Test: N/A
Change-Id: Id0328ad09a34d654de9936e37a576a8a9f44de6c
The SetTaskProfiles() call modifies cgroup attributes. Modifying cgroup
attributes can only succeed after the cgroups and cgroup attributes have
been created. Hence this patch that makes the child process wait until
the parent has finished creating cgroups and activating cgroup
controllers.
Bug: 213617178
Test: Without this patch the migration to the v2 hierarchy does not work reliably. With this patch applied, the migration to the v2 hierarchy works reliably.
Change-Id: I80a7c0a35453d8fd89ed798d077086aa8ba9ea17
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Non-GRF devices must read only the `ro.product.first_api_level` but
not the vendor build version because `ro.product.first_api_level` is
always less than or equal to `ro.vendor.build.version.sdk` for
non-GRF devices.
Bug: 218610653
Test: getprop ro.vendor.api_level
Change-Id: Ib98c33ae052daa949208c43bd441f98cf442da49
[reland aosp/1910032]
Updatable sepolicy is shipped within a zip within an APEX. Because
it needs to be available before Apexes are mounted, apexd copies
the zip from the APEX and stores it in /metadata/sepolicy. If there is
no updatable sepolicy in /metadata/sepolicy, then updatable policy is
loaded from /system/etc/selinux/apex. Init performs the following
steps on boot:
1. Validates the zip by checking its signature against a public key
that is stored in /system/etc/selinux.
2. Extracts files from zip and stores them in /dev/selinux.
3. Checks if the apex_sepolicy.sha256 matches the sha256 of
precompiled_sepolicy. If so, the precompiled sepolicy is used.
Otherwise, an on-device compile of the policy is used. This is the
same flow as on-device compilation of policy for Treble.
4. Cleans up files in /dev/selinux which are no longer needed.
5. Restorecons the remaining files in /dev/selinux.
6. Sets selinux into enforcing mode and continues normal booting.
Bug: 199914227
Test: adb root
adb shell cp /apex/com.android.sepolicy.apex/etc/SEPolicy-33.zip \
/metadata/sepolicy/SEPolicy.zip
adb shell cp /apex/com.android.sepolicy.apex/etc/SEPolicy-33.zip.sig \
/metadata/sepolicy/SEPolicy.apk.sig
adb shell cp /apex/com.android.sepolicy.apex/etc/SEPolicy-33.zip.fsv_sig \
/metadata/sepolicy/SEPolicy.zip.fsv_sig
adb reboot
ls -laZ /dev/selinux/
Verify that files exist and that the labels are expected.
Change-Id: I2dbe43e329e91f46abedc7e44f7d24b220e19173
This reverts commit 97ff3ab852.
Reason for revert: b/216491364 boot time regression
Bug: 216491364
Change-Id: I6c9af0887affa130cc61edf70506e79453dbd228
Updatable sepolicy is shipped within a zip within an APEX. Because
it needs to be available before Apexes are mounted, apexd copies
the zip from the APEX and stores it in /metadata/sepolicy. If there is
no updatable sepolicy in /metadata/sepolicy, then updatable policy is
loaded from /system/etc/selinux/apex. Init performs the following
steps on boot:
1. Validates the zip by checking its signature against a public key
that is stored in /system/etc/selinux.
2. Extracts files from zip and stores them in /dev/selinux.
3. Checks if the apex_sepolicy.sha256 matches the sha256 of
precompiled_sepolicy. If so, the precompiled sepolicy is used.
Otherwise, an on-device compile of the policy is used. This is the
same flow as on-device compilation of policy for Treble.
4. Cleans up files in /dev/selinux which are no longer needed.
5. Restorecons the remaining files in /dev/selinux.
6. Sets selinux into enforcing mode and continues normal booting.
Bug: 199914227
Test: adb root
adb shell cp /apex/com.android.sepolicy.apex/etc/SEPolicy-33.zip \
/metadata/sepolicy/SEPolicy.zip
adb shell cp /apex/com.android.sepolicy.apex/etc/SEPolicy-33.zip.sig \
/metadata/sepolicy/SEPolicy.apk.sig
adb shell cp /apex/com.android.sepolicy.apex/etc/SEPolicy-33.zip.fsv_sig \
/metadata/sepolicy/SEPolicy.zip.fsv_sig
adb reboot
ls -laZ /dev/selinux/
Verify that files exist and that the labels are expected.
Change-Id: I614e8d84892693ecc663b17eebd204096367693d
This is a race between init process and bionic libc initialization of
snapuserd.
init->fork() ----------------> SecondStageMain() -> PropertyInit()
        |
        |
        v
     execveat ---> __libc_init_common() -> __system_properties_init()
    (snapuserd)
When init process calls PropertyInit(), /dev/__properties__ directory
is created. When bionic libc of snapuserd daemon invokes __system_properties_init
_after_ init process PropertyInit() function is invoked, libc will
try to initialize the property by reading
/system/etc/selinux/plat_property_contexts. Since any reads on /system
has to be served by snapuserd, this specific read from libc cannot be
serviced leading to deadlock.
Reproduce the race by inducing a sleep of 1500ms just before execveat()
so that init process calls PropertyInit() before bionic libc
initialization. This leads to deadlock
immediately and with additional kernel instrumentation with debug
logs confirms the failure:
======================================================
init: Relaunched snapuserd with pid: 428
ext4_file_open: SNAPUSERD: path /system/etc/selinux/plat_property_contexts - Pid: 428 comm 8
ext4_file_read_iter: SNAPUSERD for path: /system/etc/selinux/plat_property_contexts pid: 428 comm 8
[ 25.418043][ T428] ext4_file_read_iter+0x3dc/0x3e0
[ 25.423000][ T428] vfs_read+0x2e0/0x354
[ 25.426986][ T428] ksys_read+0x7c/0xec
[ 25.430894][ T428] __arm64_sys_read+0x20/0x30
[ 25.435419][ T428] el0_svc_common.llvm.17612735770287389485+0xd0/0x1e0
[ 25.442095][ T428] do_el0_svc+0x28/0xa0
[ 25.446100][ T428] el0_svc+0x14/0x24
[ 25.449825][ T428] el0_sync_handler+0x88/0xec
[ 25.454343][ T428] el0_sync+0x1c0/0x200
=====================================================
Fix:
Before starting init second stage, we will wait
for snapuserd daemon to be up and running. We do a simple probe by
reading system partition. This read will eventually be serviced by
daemon confirming that daemon is up and running. Furthermore,
we are still in the kernel domain and sepolicy has not been enforced yet.
Thus, access to these device mapper block devices is ok even though
we may see audit logs.
Note that daemon will re-initialize the __system_property_init()
as part of WaitForSocket() call. This is subtle but important; since
bionic libc initialization had failed silently, it is important
that this re-initialization is done.
Bug: 207298357
Test: Induce the failure by explicitly delaying the call of execveat().
With fix, no issues observed.
Tested incremental OTA on pixel ~15 times.
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: I86c2de977de052bfe9dcdc002dcbd9026601d0f3
This patch attempts to diagnose snapuserd hangs by performing reads
immediately after entering second-stage init. This is done by spawning
two threads: one to perform the reads, and another to wait for the read
thread to finish. If any aspect of the read fails, or the read thread
does not complete in 10 seconds, then a list of snapuserd's open file
descriptors is logged.
Bug: 207298357
Test: apply working OTA, check logcat for success
apply broken OTA, check logcat for fd map
Change-Id: I549e07b7d576fcdaca9b2d6ff33e0924c3812c07
This change provides a specialization of android::base::OkOrFail for
status_t. As a result, a statement whose type is status_t can be used
with OR_RETURN.
The specialization also provides conversion operators to Result<T,
StatusT> where StatusT is a wrapper type for status_t. This allows
OR_RETURN macro to be used in newer functions that return Result<T,
StatusT>.
Example usage:
    #include <utils/ErrorsMacros.h>
    status_t legacy_inner();
    status_t legacy_outer() {
        OR_RETURN(legacy_inner());
        return OK;
    }
    Result<T, StatusT> new_outer() {
        OR_RETURN(legacy_inner()); // the same macro
        return T{...};
    }
Bug: 209929099
Test: atest libutils_test
Change-Id: I0def0e84ce3f0c4ff6d508c202bd51902dfc9618
They are changed to template classes. s/Error/Error<>/g to reflect that.
In addition, the direct uses of ResultError for error reporting are
replaced with Error and Errorf.
Bug: 209929099
Test: m
Change-Id: I815526a8e6fa30e63fa3efcf5700b146bf70a507
If surfaceflinger crashes before zygote starts, it will restart zygote
too early. Adding this argument will allow it to only restart zygote if
it's already running.
Bug: 197224273
Test: manual test
Change-Id: I0ac8dbeaf0a002f8cfcfcc0f63d4b90d08393c5c
* changes:
snapuserd: Add unit test for test merge code path
libsnapshot: Add vts_userspace_snapshot_test
libsnapshot: Integrate userspace snapshots APIs
dm-user block device will be the snapshot device; thus, no
more explicit call to MapSnapshot(). Additionally, block device
name for dm-user will be the snapshot name so that mount works
seamlessly.
APIs to query the snapshot status and merge progress have been
integrated. Since daemon requires base device for merge, we pass
additional parameter during initialization.
Add a new virtual a/b property flag to enable/disable
user-snapshots feature. Propagate this flag to init layer
for first stage mount during boot process.
Some minor cleanup and renaming of variables.
Bug: 193863443
Test: 1: Full OTA on CF and pixel and verify the merge completion.
Tested merge-resume path by rebooting device during merge.
2: Incremental OTA on CF and pixel
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: I5088f40a55807946cd044b3987678ead3696d996
class_restart accidentally restarts disabled services. Changing this
behavior is risky as it could break compatibility. Instead, add an
"--only-enabled" argument to class_restart to opt-in to the new
functionality. This syntax is backward compatible, as previously only a
1-argument form was accepted.
Bug: 190065372
Bug: 198105685
Test: add a class_restart action and a disabled service, make sure
service is not restarted.
Change-Id: Idb08779de7ac7a21e23f8b8a3276bd5a66a43299
Remove the class_start_post_data and class_reset_post_data commands,
since they aren't used anymore. They were only used on devices that
used FDE (Full Disk Encryption), via actions in rootdir/init.rc. These
actions have been removed, since support for FDE has been removed.
There is no use case for these commands in vendor init scripts either.
Keep the mark_post_data command, since DoUserspaceReboot() uses the
post-data service flag even on non-FDE devices.
Bug: 191796797
Change-Id: Ibcd97543daa724feb610546b5fc2a0dd7f1e62e7
"nonplat" was renamed to "vendor" in Android Pie, but was retained
here for Treble compatibility.
We're now outside of the compatibility window for these devices so
it can safely be removed.
While I'm here, improve accuracy of some comments and
in-code-documentation.
Test: build boot cuttlefish device. adb remount, modify
/system/etc/selinux/plat_sepolicy_and_mapping.sha256 to force
on-device policy compilation. reboot. Verify that device boots
without new selinux denials.
Change-Id: Ibe5c5fa1ea206c1b4d5ad8183433c332a8aaadbf
Should check ro.build.id instead of the ro.boot.build.id. The former
is a component of the build fingerprint.
Bug: 204507710
Test: run CtsInitTestCases
Change-Id: Iee13b30b195685c2461255f946685a288f352e06
This is required since Android 12, because
CtsNativeVerifiedBootTestCases will read property
"partition.${partition}.verified.hash_alg" to
check that sha1 is not used.
Also see https://r.android.com/1546980 for more details.
Bug: 175236047
Bug: 203720638
Test: build and boot a device
Change-Id: I300265f4af9c2781d40537f391bda9eaf62c27ba
ro.vendor.api_level must be the minimum of ro.product.first_api_level
and ro.board.(first_)api_level.
Bug: 202919753
Test: getprop ro.vendor.api_level
Change-Id: Ie70dd64b21c01ed8cd5e43b01095e1e0d8ff4444
Support an "init.#rc" versioning scheme for apex init files.
chooses highest # <= current system sdk.
".rc" (aka the old init.rc) is treated as sdk 0
Document these semantics in README.md
Bug: 198186200
Test: booting, lots of logcat output
Change-Id: I2d0405be73dae9bafa6f22535b29ed6b053ddbc4
This property will hold the major.minor part of the kernel version (e.g. "5.4"), allowing init scripts to act depending on that version, enabling and disabling certain features.
Bug: 194156700
Change-Id: Icec640b8a7150b344d9aa3bc0bdbcdae050c7c45
Test: manual on a Pixel device
Signed-off-by: Alexander Potapenko <glider@google.com>
vendor_init is a subcontext of init which is responsible for handling
the vendor-defined services and vendor-defined actions. This is mainly
to enforce the Treble architecture in which the vendor components are
provided with a less-privileged context than the system components
because they are less-trusted.
However, in case of microdroid, both the system and the vendor
partitions are from the same entity. As VMs don't have direct access to
any of the underlying hardware, the vendor partition is targeting the
virtual platform, not the real hw platform. There really is no need for
the discrimination.
This CL disables the creation of the vendor_init subcontext when init
runs in microdroid.
Bug: 201363575
Test: atest MicrodroidHostTestCases
Change-Id: Ie5e47d84e9e245565239b4f2159e8182b457699d
This test requires running test services, which causes test to crash
(and still incorrectly be reported as passing) when running on
non-rooted device.
Ignore-AOSP-First: reboot_test is not in AOSP yet
Bug: 190958734
Test: atest CtsInitTestCases
Merged-In: I3c5c9917d0a787d66272ccf4aefc57e6573841bc
Change-Id: I3c5c9917d0a787d66272ccf4aefc57e6573841bc
This test spawns several services backed by /system/bin/yes executable,
and then stops them either with SIGTERM or SIGKILL.
Ideally we want to unit test more of reboot logic, but that requires a
bigger refactoring.
Test: atest CtsInitTestCases
Bug: 170315126
Bug: 174335499
Merged-In: Ife48b1636c6ca2d0aac73f4eb6f4737343a88e7a
Change-Id: Ife48b1636c6ca2d0aac73f4eb6f4737343a88e7a
ro.vendor.api_level will have the api_level that the vendor images
are required to implement based on the various api level properties.
ro.board.api_level and ro.board.first_api_level explicitly state
the api level of the vendor images for grf.
If these properties are not provided, it reads the device's launching
api level.
The rest of the properties may show the implemented api level of the
vendor images.
Bug: 200258600
Test: getprop ro.vendor.api_level
Change-Id: Id4131b53d6db00d5bbef3b048384d33c1736d681
This change only *adds* /system_ext/etc/selinux to the debug policy
search path, and does not change any preconditions to load the debug
policy. The device still needs to be bootloader-unlocked and have the
debug ramdisk flashed to be able to use the debug policy. The only thing
changed is that now the debug policy can be loaded from /system_ext or
/debug_ramdisk when system partition is compliance testing GSI.
The debug policy in the boot ramdisk may be outdated if the system
partition is flashed with an image built from a different revision.
This happens frequently when running the compliance testing VTS, where
the device is flashed with (A) GSI and (B) device vendor image & debug
boot image, and (A) and (B) are built from different git revisions.
To address this, we install a copy of the debug policy under
/system_ext, so that the version desync between (A) & (B) wouldn't be a
problem anymore because (A) no longer relies on the debug policy file
from (B).
Bug: 188067818
Test: Flash RQ2A.201207.001 bramble-user with debug ramdisk & flash
gsi_arm64-user from master, device can boot and `adb root` works
Change-Id: Ibe17eb1ecb0e813309c9596d1f152b7455686b26
Revert "Add a copy of debug policy to GSI system image"
Revert "Add PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT"
Revert "Add system_ext_userdebug_plat_sepolicy.cil for GSI"
Revert submission 1824717-gsi_debug_policy
Reason for revert: Breaks the build (see b/200933187).
Reverted Changes:
I37ef02628:Add a copy of debug policy to GSI system image
I9c3dad8bb:Add PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT
I43adc6ada:Add system_ext_userdebug_plat_sepolicy.cil for GSI...
I4d6235c73:Add /system_ext/etc/selinux/ to the debug policy s...
Change-Id: I2eb3b00abb981c25514b75b2e7b4b7b203653390
This change only *adds* /system_ext/etc/selinux to the debug policy
search path, and does not change any preconditions to load the debug
policy. The device still needs to be bootloader-unlocked and have the
debug ramdisk flashed to be able to use the debug policy. The only thing
changed is that now the debug policy can be loaded from /system_ext or
/debug_ramdisk when system partition is compliance testing GSI.
The debug policy in the boot ramdisk may be outdated if the system
partition is flashed with an image built from a different revision.
This happens frequently when running the compliance testing VTS, where
the device is flashed with (A) GSI and (B) device vendor image & debug
boot image, and (A) and (B) are built from different git revisions.
To address this, we install a copy of the debug policy under
/system_ext, so that the version desync between (A) & (B) wouldn't be a
problem anymore because (A) no longer relies on the debug policy file
from (B).
Bug: 188067818
Test: Flash RQ2A.201207.001 bramble-user with debug ramdisk & flash
gsi_arm64-user from master, device can boot and `adb root` works
Change-Id: I4d6235c73472e4d97619b2230292e6a0bc4b3e05
It's requested by the partner engineering team to uniquely
identify a partition.
Bug: 197973981
Test: boot the device and check props
Change-Id: I0f7aa34dd0087f0698fe90b9df6c0eae06fc4f5d
Add a simple SIGCHLD handler to reap zombie processes given to init.
Bug: 197662257
Change-Id: I6e7930cfd7c311c454b361b9a541369ece2eb744
Signed-off-by: Elliot Berman <quic_eberman@quicinc.com>
Microdroid shares init with its host, defined under system/core/init.
This change adds MicrodroidHostTestCases to TEST_MAPPING to ensure that
Microdroid tests can verify patches to init.
Test: presubmit
Change-Id: I55f7e3ffbaf3401d145afac5f7c53d83f69e6ba7
I've actually left the two other scripts on python2, since they're not
used in the build, and I don't actually know whether anyone's still
using them manually. Leaving them on python2 should be a sign to future
maintainers (assuming they're far enough in the future) that maybe
no-one's using them and they can just be deleted instead.
Test: treehugger
Change-Id: I4d7dfdbf9f2a34ddd15cd4be077eeef2248cc596
Android uses an out-of-tree /proc/sys/vm/extra_free_kbytes kernel knob
to increase low watermark. A similar /proc/sys/vm/watermark_scale_factor
knob supported in upstream kernel can be used for the same purpose.
The script implements conversion from desired extra_free_kbytes value
to watermark_scale_factor value and sets watermark_scale_factor according
to the value for extra_free_kbytes provided as a parameter.
Note that watermark_scale_factor affects high watermark differently
from extra_free_kbytes. While extra_free_kbytes increases low and high
watermarks by the same amount, watermark_scale_factor affects high
watermark 2x times. Therefore it is expected that replacing the usage
of extra_free_kbytes with watermark_scale_factor will keep the same low
watermark but high watermark will be higher than before.
Usage:
extra_free_kbytes.sh <extra_free_kbytes value>
Bug: 109664768
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: Id8949be731da77be884cdeec3a765ea291dbc2f0
A lot of things had moved out of system/core/ without their TEST_MAPPING
entries having gone with them, reducing the amount of presubmit coverage
for those things.
In order to reduce the likelihood of that happening again, I've pushed
all that remained in the system/core/ TEST_MAPPING down into the
individual subdirectories.
Test: treehugger
Change-Id: Ib75d65f9200fa64ae1552471da6fbe5b7023cf94
Don't start shutdown critical service or turn off
backlight, when ro.init.shutdown_animation=true
Bug: 196511757
Test: config ro.init.shutdown_animation=true and build
shutdownanimation.zip to /system/media/
Signed-off-by: zengshuchuan <zengshuchuan@allwinnertech.com>
Change-Id: I5932b7281af630e80247048a70fe1b24f536d1d9
Also the check that linker configuration should not be updated if APEX
is in updatable state, is removed as now with refactoring of code and its
movement to apex project, that is also needed.
Resolves: https://b.corp.google.com/issues/192838499
Test: Run the AVD Device and check that it boots and run atest
ApexTestCases
Change-Id: I80a94fa0a4145d30546bb34a6d478a20a2881368
Allow mapping of raw block devices (those without a partition table)
to partition names for first stage mount and ueventd. For example, a
block device `vdb` that contains only an ext4 metadata partition could
be mapped to `metadata` such that /dev/block/by-name/metadata is
created.
The mapping is provided by the `androidboot.partition_map` bootconfig
or kernel command line parameter.
Bug: 159943320
Test: boot with raw vdb,metadata;vdc,userdata partitions
Change-Id: Ib6a939d6fb88b85c46c81d613425a127627a734b
The reason for two mount namespaces (bootstrap/default) is that we have
two sets of different APEXes to activate. But in microdroid, we don't
need two separate mount namespaces because there's only one set of
non-updatable APEXes in built-in directories and payloads (passed from
host Android).
Bug: 185991357
Test: MicrodroidHostTestCases
Change-Id: I4469f3b1d90f9543ecb980a450eaaf1c20b94c58
Currently there is no socket for daemon instances launched during the
selinux phase of init. We don't create any sockets due to the complexity
of the required sepolicy.
This workaround will allow us to create the socket with very minimal
sepolicy changes. init will launch a one-off instance of snapuserd in
"proxy" mode, and then the following steps will occur:
1. The proxy daemon will be given two sockets, the "normal" socket that
snapuserd clients would connect to, and a "proxy" socket.
2. The proxy daemon will listen on the proxy socket.
3. The first-stage daemon will wake up and connect to the proxy daemon
as a client.
4. The proxy will send the normal socket via SCM_RIGHTS, then exit.
5. The first-stage daemon can now listen and accept on the normal
socket.
Ordering of these events is achieved through a snapuserd.proxy_ready
property.
Some special-casing was needed in init to make this work. The snapuserd
socket owned by snapuserd_proxy is placed into a "persist" mode so it
doesn't get deleted when snapuserd_proxy exits. There's also a special
case method to create a Service object around a previously existing pid.
Finally, first-stage init is technically on a different updateable
partition than snapuserd. Thus, we add a way to query snapuserd to see
if it supports socket handoff. If it does, we communicate this
information through an environment variable to second-stage init.
Bug: 193833730
Test: manual test
Change-Id: I1950b31028980f0138bc03578cd455eb60ea4a58
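
The SCM_RIGHTS handoff from steps 1-5 above, as an added example that is not part of the commit or of AOSP. It assumes Linux, runs the proxy, daemon and client roles in one process, and uses a socketpair() as a stand-in for the connected proxy socket; the function names and the /tmp path are hypothetical.

```cpp
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <initializer_list>
#include <string>

// Send one descriptor over a connected AF_UNIX socket as SCM_RIGHTS ancillary data.
bool SendFd(int channel, int fd) {
    char payload = 'F';  // ancillary data must travel with at least one data byte
    iovec iov = {&payload, 1};
    alignas(cmsghdr) char control[CMSG_SPACE(sizeof(int))] = {};
    msghdr msg = {};
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = control;
    msg.msg_controllen = sizeof(control);
    cmsghdr* cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cmsg), &fd, sizeof(int));
    return sendmsg(channel, &msg, 0) == 1;
}

// Receive exactly one descriptor; returns -1 for anything else (no control
// data, truncated control data, wrong type or wrong length).
int RecvFd(int channel) {
    char payload = 0;
    iovec iov = {&payload, 1};
    alignas(cmsghdr) char control[CMSG_SPACE(sizeof(int))] = {};
    msghdr msg = {};
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = control;
    msg.msg_controllen = sizeof(control);
    if (recvmsg(channel, &msg, MSG_CMSG_CLOEXEC) != 1) return -1;
    if (msg.msg_flags & (MSG_CTRUNC | MSG_TRUNC)) return -1;
    cmsghdr* cmsg = CMSG_FIRSTHDR(&msg);
    if (cmsg == nullptr || cmsg->cmsg_level != SOL_SOCKET ||
        cmsg->cmsg_type != SCM_RIGHTS || cmsg->cmsg_len != CMSG_LEN(sizeof(int))) {
        return -1;
    }
    int fd = -1;
    memcpy(&fd, CMSG_DATA(cmsg), sizeof(int));
    return fd;
}

// The receiver should not trust the descriptor blindly: check that it really
// is a listening AF_UNIX stream socket before calling accept() on it.
bool IsListeningUnixStream(int fd) {
    int v = 0;
    socklen_t len = sizeof(v);
    if (getsockopt(fd, SOL_SOCKET, SO_ACCEPTCONN, &v, &len) != 0 || v != 1) return false;
    len = sizeof(v);
    if (getsockopt(fd, SOL_SOCKET, SO_DOMAIN, &v, &len) != 0 || v != AF_UNIX) return false;
    len = sizeof(v);
    return getsockopt(fd, SOL_SOCKET, SO_TYPE, &v, &len) == 0 && v == SOCK_STREAM;
}

bool HandoffDemo() {
    char dir[] = "/tmp/handoffXXXXXX";  // constructed location for the demo socket
    if (mkdtemp(dir) == nullptr) return false;
    const std::string path = std::string(dir) + "/normal.sock";
    sockaddr_un addr = {};
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path.c_str(), sizeof(addr.sun_path) - 1);
    const sockaddr* sa = reinterpret_cast<const sockaddr*>(&addr);

    // Proxy role: owns the "normal" listening socket, sends it, then goes away.
    // The socket file is left in place, like the "persist" mode in the message.
    int chan[2] = {-1, -1};
    int normal = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
    bool ok = normal >= 0 && bind(normal, sa, sizeof(addr)) == 0 && listen(normal, 4) == 0 &&
              socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, chan) == 0 &&
              SendFd(chan[0], normal);
    if (normal >= 0) close(normal);
    if (chan[0] >= 0) close(chan[0]);

    // Daemon role: receive the descriptor and validate it before using it.
    int received = ok ? RecvFd(chan[1]) : -1;
    ok = ok && received >= 0 && IsListeningUnixStream(received);

    // Client role: connect by path; the daemon accepts on the received descriptor.
    int client = socket(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0);
    ok = ok && client >= 0 && connect(client, sa, sizeof(addr)) == 0;
    int conn = ok ? accept(received, nullptr, nullptr) : -1;
    char byte = 0;
    ok = ok && conn >= 0 && write(client, "k", 1) == 1 && read(conn, &byte, 1) == 1 &&
         byte == 'k';

    for (int fd : {chan[1], received, client, conn}) {
        if (fd >= 0) close(fd);
    }
    unlink(path.c_str());
    rmdir(dir);
    return ok;
}

int main() {
    printf("handoff %s\n", HandoffDemo() ? "succeeded" : "failed");
    return 0;
}
```
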
Move all the code relevant to snapuserd to a separate
directory. Add OWNERS file.
No other code changes apart from moving files around
and fixing a couple of header path locations
in a few places.
Bug: 194642092
Test: Compile, Full OTA
Signed-off-by: Akilesh Kailash <akailash@google.com>
Change-Id: Ib1d852bfeda4eca5c996d6cd7b057f141cb5ddad
So that init_second_stage (core) depends on core variant tools and rc
files, and init_second_stage.recovery depends on recovery variant tools
and recovery specific rc files.
Bug: 191369319
Test: Presubmit
Test: Check the ninja graph, init_second_stage.recovery no longer depends
on core variation modules
Test: Check out/soong/Android-${PRODUCT}.mk
Change-Id: I03f0cf6af10617fe2e7de677e9dde1aecb2afc74
This reverts commit 1c51525f66 because it
accidentally made reboot_on_failure be a no-op for all services. This
is because Reap() itself calls KillProcessGroup() on devices with a
vendor level >= R, which in turn sets SVC_STOPPING. I had overlooked
this somehow, probably because I didn't consider that a service can
consist of multiple processes.
It turns out that real FDE devices don't actually need the above commit
because FDE devices aren't allowed to have updatable apexes enabled, and
without updatable apexes enabled, apexd exits automatically and
therefore doesn't have to be stopped. This can be verified by using the
aosp_cf_x86_phone_noapex build target, rather than aosp_cf_x86_phone
which I had used for testing before. So just revert it for now.
Bug: 194370048
Change-Id: I90eddf2a87397449b241e5acaaa8d4a4241d73a9
This reverts commit 4818f74888.
The previous commit might introduce a build break on legacy
devices with a smaller /boot partition size, because it
outputs the first-stage init and the second-stage init binaries
in the following locations, respectively (when
BOARD_USES_RECOVERY_AS_BOOT is true).
* $OUT/recovery/root/first_stage_ramdisk/init
* $OUT/recovery/root/system/bin/init
The first one is not needed because there is already a symlink
under $OUT/recovery/root: init -> /system/bin/init.
Bug: 193565271
Test: `lunch aosp_flame-userdebug`, `make bootimage_debug` then
checks the output under $OUT/debug_ramdisk/.
Test: Performs the same check for `lunch aosp_bramble-userdebug`.
Change-Id: I6277a6c4c0980bd976cc35db6ca99eafc6bf3f5a
This has kept adb_debug.prop from being installed for
legacy devices with BOARD_USES_RECOVERY_AS_BOOT set to
true.
Bug: 192432810
Bug: 193291885
Test: `lunch aosp_flame-userdebug` and checks `get_build_var
BOARD_USES_RECOVERY_AS_BOOT` is true.
Test: `make bootimage_debug` then checks
$OUT/debug_ramdisk/adb_debug.prop exists
Test: build/soong/build_test.bash --dist --incremental
Change-Id: I28e2c082512791407167b610843f18731ed6d673
If a bootconfig argument has a list of values, it has a space between
them in /proc/bootconfig.
Example:
BOARD_BOOTCONFIG := parameter=value1,value2,value3
In /proc/bootconfig, it looks like:
parameter = "value1", "value2", "value3"
Before this CL, that example would end up with the value string of:
"value1, value2, value3"
To keep consistent behavior with kernel cmdline the value string should be:
"value1,value2,value3"
Test: Boot cuttlefish with test bootconfig params and verify ro.boot.*
Bug: 192257482
Change-Id: Iccdec451f53330162fa2c9ad2b7c2630f32b4168
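
A small parser for the /proc/bootconfig list format described above, added here as an illustration and not taken from init. LegacyValue() reproduces the "value1, value2, value3" string the message describes, NormalizeValue() produces the cmdline-compatible form and, going slightly beyond the message, keeps commas and spaces that sit inside a quoted value; the function names and the sample text are constructed, and only double-quoted values are assumed.

```cpp
#include <cstdio>
#include <map>
#include <sstream>
#include <string>

// Constructed sample of /proc/bootconfig content.
const char kConstructedBootconfig[] =
    "androidboot.hardware = \"cutf_vm\"\n"
    "androidboot.test.list = \"value1\", \"value2\", \"value3\"\n"
    "kernel.note = \"a, b\"\n";

static std::string Trim(const std::string& s) {
    const char* ws = " \t\r";
    const auto begin = s.find_first_not_of(ws);
    if (begin == std::string::npos) return "";
    const auto end = s.find_last_not_of(ws);
    return s.substr(begin, end - begin + 1);
}

// Behaviour described as "before this CL": only the quotes are dropped, so the
// separator between list items stays ", ".
std::string LegacyValue(const std::string& raw) {
    std::string out;
    for (char c : Trim(raw)) {
        if (c != '"') out += c;
    }
    return out;
}

// Behaviour described as the fix: whitespace outside quotes is dropped so list
// items are joined with a bare comma, as on the kernel cmdline. Characters
// inside quotes are copied unchanged.
std::string NormalizeValue(const std::string& raw) {
    std::string out;
    bool in_quotes = false;
    for (char c : raw) {
        if (c == '"') {
            in_quotes = !in_quotes;
            continue;
        }
        if (!in_quotes && (c == ' ' || c == '\t' || c == '\r')) continue;
        out += c;
    }
    return out;
}

// Parse "key = value" lines into a map of normalized values.
std::map<std::string, std::string> ParseBootconfig(const std::string& text) {
    std::map<std::string, std::string> out;
    std::istringstream in(text);
    std::string line;
    while (std::getline(in, line)) {
        const auto eq = line.find('=');
        if (eq == std::string::npos) continue;
        const std::string key = Trim(line.substr(0, eq));
        if (key.empty()) continue;
        out[key] = NormalizeValue(line.substr(eq + 1));
    }
    return out;
}

// Map androidboot.* keys to the ro.boot.* properties the Test line checks.
std::map<std::string, std::string> ToBootProps(const std::map<std::string, std::string>& cfg) {
    const std::string prefix = "androidboot.";
    std::map<std::string, std::string> props;
    for (const auto& kv : cfg) {
        if (kv.first.compare(0, prefix.size(), prefix) == 0) {
            props["ro.boot." + kv.first.substr(prefix.size())] = kv.second;
        }
    }
    return props;
}

int main() {
    for (const auto& kv : ToBootProps(ParseBootconfig(kConstructedBootconfig))) {
        printf("%s=%s\n", kv.first.c_str(), kv.second.c_str());
    }
    return 0;
}
```
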
The chown() call will fix the uid for pre-existing nodes, but not the
gid. This fix ensures the correct gid is set if needed.
Bug: 187738549
Test: manual test modifying ueventd.rc
Change-Id: I0fadd745a7c57a089fed9afc2572ace597a05396
[Description]
In the Quiescent Reboot process,
the android init process will pass the reboot target name "quiescent"
to the kernel through reboot syscall.
Kernel will write the boot-quiescent flag
to the misc partition to notify the bootloader.
When rebooting, bootloader will add
androidboot.quiescent=1 to bootargs to notify android.
In the new version of GKI,
the filp_open function is not allowed
so that it is impossible to write the quiescent flag
in the Kernel to the misc partition.
https://android-review.googlesource.com/c/kernel/common/+/1705108
/1..29/android/abi_gki_aarch64_mtk#b641
Bug: 192634025
Test:
adb reboot quiescent
adb shell setprop sys.powerctl reboot,quiescent
Change-Id: I5ac982a1f16df39fa6bf567729a18ca8225f21f2
This has kept adb_debug.prop from being installed.
Ignore-AOSP-First: fixes sc-release test breakage
Bug: 192432810
Test: build ramdisk-debug.img and see contents
Change-Id: I254579d2c6427213f40e9ae8e50d046e19390ba5
This test requires running test services, which causes test to crash
(and still incorrectly be reported as passing) when running on
non-rooted device.
Ignore-AOSP-First: reboot_test is not in AOSP yet
Bug: 190958734
Test: atest CtsInitTestCases
Change-Id: I3c5c9917d0a787d66272ccf4aefc57e6573841bc
This reverts commit 0a799bdfd6.
Now that the kernel bootconfig feature has been updated to handle
mixed subkeys and values, androidboot.hardware parameter is supported.
Test: build and boot Cuttlefish with "androidboot.hardware=cutf_vm"
Bug: 191502832
Merged-In: I0e436a27730d20689bc6974562c3e88d744385db
Change-Id: I0e436a27730d20689bc6974562c3e88d744385db
The sysfs node of sd blk_device is /sys/fs/f2fs/sd-<num>, we shouldn't
skip partition number at this time.
Bug: 189257443
Test: access sd-<num> sysfs correctly
Signed-off-by: Guo Weichao <guoweichao@oppo.com>
Signed-off-by: Huang Jianan <huangjianan@oppo.com>
Change-Id: Ibcd7bb265f8fca9cd26f8770403f1bafad433acb
Androidboot parameters have moved from /proc/cmdline to /proc/bootconfig
so we need to check both places in reboot_utils.
"ro.boot.*" properties can not be used because this is initialized
before the properties are set.
Test: boot Cuttlefish with init_fatal_panic and
init_fatal_reboot_target in bootconfig and in cmdline
Bug: 191494101
Merged-In: I6c230496ec1c3632470d20ff4a31f28db96ea71b
Change-Id: I6c230496ec1c3632470d20ff4a31f28db96ea71b
adb_debug.prop is migrated too. And ramdisk_available is added to all
dependencies.
Bug: 187196593
Test: boot
Change-Id: I59cd149e0021211b8fd59c44b93bbf18dc8637bf
Merged-In: I59cd149e0021211b8fd59c44b93bbf18dc8637bf
This reverts commit 0a799bdfd6.
Now that the kernel bootconfig feature has been updated to handle
mixed subkeys and values, androidboot.hardware parameter is supported.
Test: build and boot Cuttlefish with "androidboot.hardware=cutf_vm"
Bug: 191502832
Change-Id: I0e436a27730d20689bc6974562c3e88d744385db
Androidboot parameters have moved from /proc/cmdline to /proc/bootconfig
so we need to check both places in reboot_utils.
"ro.boot.*" properties can not be used because this is initialized
before the properties are set.
Test: boot Cuttlefish with init_fatal_panic and
init_fatal_reboot_target in bootconfig and in cmdline
Bug: 191494101
Change-Id: I6c230496ec1c3632470d20ff4a31f28db96ea71b
adb_debug.prop is migrated too. And ramdisk_available is added to all
dependencies.
Bug: 187196593
Test: boot
Change-Id: I59cd149e0021211b8fd59c44b93bbf18dc8637bf
Ban weird paths such as /../system or //vendor in first stage mount.
Add utility function fs_mgr_create_canonical_mount_point() that:
* mkdir(mount_point) to ensure mount_point's existence
* Test that realpath(mount_point) =?= mount_point
Bug: 188898525
Test: Presubmit
Test: Boot CF
Change-Id: Iaf2ec52701277f26cc81f3e15a47b6083a788334
Merged-In: Iaf2ec52701277f26cc81f3e15a47b6083a788334
(cherry picked from commit 3431d52675)
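Added example, not part of the commit or of AOSP's code: the two steps listed above (mkdir, then compare realpath() with the input) written as a stand-alone helper. `CreateCanonicalMountPoint`, `MakeScratchRoot` and the scratch paths are hypothetical names and constructed inputs.

```cpp
#include <cerrno>
#include <climits>
#include <cstdlib>
#include <iostream>
#include <string>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

// Hypothetical stand-in for the helper named in the commit message: create
// the directory, then accept it only if realpath() returns the same string.
bool CreateCanonicalMountPoint(const std::string& mount_point) {
    if (mkdir(mount_point.c_str(), 0755) != 0 && errno != EEXIST) return false;
    char resolved[PATH_MAX];
    if (realpath(mount_point.c_str(), resolved) == nullptr) return false;
    return mount_point == resolved;
}

// Make a scratch directory and return its canonical path ("" on failure),
// so the checks below are not confused by a symlinked /tmp.
std::string MakeScratchRoot() {
    char tmpl[] = "/tmp/canonical_mp_XXXXXX";
    if (mkdtemp(tmpl) == nullptr) return "";
    char resolved[PATH_MAX];
    return realpath(tmpl, resolved) ? std::string(resolved) : std::string();
}

int main() {
    const std::string root = MakeScratchRoot();
    if (root.empty()) return 1;
    if (symlink((root + "/vendor").c_str(), (root + "/link").c_str()) != 0) return 1;
    // Constructed inputs: one canonical path, then the shapes the commit bans.
    const std::string samples[] = {
        root + "/vendor",            // canonical: accepted
        root + "/vendor/../system",  // ".." component: rejected
        root + "//vendor",           // doubled slash: rejected
        root + "/link",              // symlink to /vendor: rejected
    };
    for (const auto& path : samples)
        std::cout << (CreateCanonicalMountPoint(path) ? "ok     " : "reject ") << path << "\n";
}
```

Because mkdir() runs before the comparison, a rejected input such as `<root>/vendor/../system` can still leave a directory behind.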
PD#SWPL-45884
BUG:187441275
Problem:
ueventd: coldboot took too much time
Solution:
1. The parallel restorecon dirs can be configured in ueventd.rc
2. Add 'parallel_restorecon_dir' keywords
parallel_restorecon_dir <directory>
Verify:
redi
Change-Id: Id5b13f18d36afb894891697f21ac63e78b3fe130
Signed-off-by: yuehu mi <yuehu.mi@amlogic.com>
Ban weird paths such as /../system or //vendor in first stage mount.
Add utility function fs_mgr_create_canonical_mount_point() that:
* mkdir(mount_point) to ensure mount_point's existence
* Test that realpath(mount_point) =?= mount_point
Bug: 188898525
Test: Presubmit
Test: Boot CF
Change-Id: Iaf2ec52701277f26cc81f3e15a47b6083a788334
Rename fs_mgr_overlayfs_mount_fstab_entry() to
fs_mgr_mount_overlayfs_fstab_entry() and move it out of
fs_mgr_overlayfs.cpp to make it available for user builds.
Add checks to ensure overlayfs mount point doesn't contain symbolic
link or /../.
Check the mount point with an allowlist if user build. The mount point
should either be /vendor, /product ... or their submounts, or strict
submounts of /mnt/vendor and /mnt/product.
Bug: 188862155
Test: Boot test with overlayfs mount entries on user build
Change-Id: I3b60dfa4b63cf2ae0754f53d1d08365aa7be1ee0
Merged-In: I3b60dfa4b63cf2ae0754f53d1d08365aa7be1ee0
(cherry picked from commit 23816e84ca)
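Added example, not part of the commit or of AOSP's code: the string-level half of the allowlist described above, showing the path-boundary check that keeps a sibling such as /vendor_extra from matching /vendor. The function names are hypothetical, only the two roots the message spells out are listed, and the symlink check is left out because it needs the real filesystem.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Roots named in the commit message; its list is elided ("..."), so only the
// two it spells out appear here.
const char* const kRoots[] = {"/vendor", "/product"};
const char* const kStrictRoots[] = {"/mnt/vendor", "/mnt/product"};

// True if path is root itself or a descendant. Requiring '/' right after the
// prefix keeps "/vendor_extra" from matching "/vendor".
static bool IsAtOrUnder(const std::string& path, const std::string& root) {
    if (path == root) return true;
    return path.size() > root.size() + 1 &&
           path.compare(0, root.size(), root) == 0 && path[root.size()] == '/';
}

// True if any '/'-separated component of path is "..".
static bool HasDotDot(const std::string& path) {
    size_t start = 0;
    while (start <= path.size()) {
        size_t end = path.find('/', start);
        if (end == std::string::npos) end = path.size();
        if (path.compare(start, end - start, "..") == 0) return true;
        start = end + 1;
    }
    return false;
}

// Hypothetical string-level check; the symlink test needs the real filesystem.
bool IsAllowedOverlayMountPoint(const std::string& mount_point) {
    if (mount_point.empty() || mount_point[0] != '/') return false;
    if (HasDotDot(mount_point)) return false;
    for (const char* root : kRoots)
        if (IsAtOrUnder(mount_point, root)) return true;
    for (const char* root : kStrictRoots)  // the root itself is not allowed
        if (mount_point != root && IsAtOrUnder(mount_point, root)) return true;
    return false;
}

int main() {
    // Constructed inputs.
    const char* samples[] = {"/vendor", "/vendor/overlay", "/vendor_extra",
                             "/mnt/vendor", "/mnt/vendor/persist", "/vendor/../system"};
    for (const char* s : samples)
        std::cout << (IsAllowedOverlayMountPoint(s) ? "allow " : "deny  ") << s << "\n";
}
```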
* Add logs.
* Append "override_creds=off" overlayfs mount flag only if
fs_mgr_overlayfs_valid() returns kOverrideCredsRequired.
Pre-4.6 kernels or kernels without the override_creds patch don't
need or don't recognize the override_creds mount flag.
(Background: I832c8ca3fce0269bdef4ce988541adb7ba9662ed)
* mkdir(mount_point) before mount() to ensure the mount point exists.
This could happen if the mount point is in a tmpfs, such as /mnt.
Bug: 188862155
Test: Boot to normal with overlayfs mount entries in first stage fstab
Change-Id: I1a05696346610d7fd61de6d25c379520fd58ca9b
Merged-In: I1a05696346610d7fd61de6d25c379520fd58ca9b
(cherry picked from commit dcf1c1f462)
GetDmVerityDevices() should filter out overlayfs fstab entries in the
first place, so InitRequiredDevices() doesn't need to filter out overlayfs
pseudo device names.
Bug: 188862155
Test: Boot to normal with overlayfs mount entries in first stage fstab
Change-Id: I0ac8b7ac0f21daa0c191580d9349adf217854864
Merged-In: I0ac8b7ac0f21daa0c191580d9349adf217854864
(cherry picked from commit 87290f8e9b)
Rename fs_mgr_overlayfs_mount_fstab_entry() to
fs_mgr_mount_overlayfs_fstab_entry() and move it out of
fs_mgr_overlayfs.cpp to make it available for user builds.
Add checks to ensure overlayfs mount point doesn't contain symbolic
link or /../.
Check the mount point with an allowlist if user build. The mount point
should either be /vendor, /product ... or their submounts, or strict
submounts of /mnt/vendor and /mnt/product.
Bug: 188862155
Test: Boot test with overlayfs mount entries on user build
Change-Id: I3b60dfa4b63cf2ae0754f53d1d08365aa7be1ee0
* Add logs.
* Append "override_creds=off" overlayfs mount flag only if
fs_mgr_overlayfs_valid() returns kOverrideCredsRequired.
Pre-4.6 kernels or kernels without the override_creds patch don't
need or don't recognize the override_creds mount flag.
(Background: I832c8ca3fce0269bdef4ce988541adb7ba9662ed)
* mkdir(mount_point) before mount() to ensure the mount point exists.
This could happen if the mount point is in a tmpfs, such as /mnt.
Bug: 186342252
Test: Boot to normal with overlayfs mount entries in first stage fstab
Change-Id: I1a05696346610d7fd61de6d25c379520fd58ca9b
GetDmVerityDevices() should filter out overlayfs fstab entries in the
first place, so InitRequiredDevices() doesn't need to filter out overlayfs
pseudo device names.
Bug: 186342252
Test: Boot to normal with overlayfs mount entries in first stage fstab
Change-Id: I0ac8b7ac0f21daa0c191580d9349adf217854864
It's possible that CONFIG_ZRAM_WRITEBACK is y,
but userspace doesn't set the /sys/block/zram0/backing_dev,
so its value is 'none'.
It's the same with "CONFIG_ZRAM_WRITEBACK is not set".
Change-Id: I2df89ceee68e4685deef5113bada21be96779e9b
Signed-off-by: shisiyuan <shisiyuan@xiaomi.com>
The external firmware handler always has root group privileges because
it is forked/executed without setgid() by ueventd which has root
privileges. This patch calls setgid() with group ID specified in
ueventd.rc before execv().
Test: atest CtsInitTestCases
Signed-off-by: Suchang Woo <suchang.woo@samsung.com>
Change-Id: Id1430e783b0e409d55ac80fe213e81ba099729e2
Add a test to check the build fingerprint when the dynamic build
id is in use.
Bug: 186786987
Test: th
Change-Id: I44d6be0c18552f319bcb8d19cca5659ce580d26c
Background in http://go/compatible-build-fingerprint. To uniquely
identify the mixed build, we plan to append the unique vbmeta digest
to ro.build.id.
If BOARD_USE_VBMETA_DIGTEST_IN_FINGERPRINT is true, the build system
will not set ro.build.id. Instead, init will set it at runtime, by
appending the digest to the legacy build id.
Bug: 186786987
Test: build and boot a device with new build id
Change-Id: Idea57df599bfd6eede760671e2555541f7dc3f21
emulator migrated to bootconfig, we don't use
the kernel command line to pass userspace properties.
Bug: 182291166
Test: boot
Signed-off-by: Roman Kiryanov <rkir@google.com>
Change-Id: Iff2f627aec64b7ba2240444639acedc76a1aa806
This reverts commit 6cb4311f4d.
Reason for revert: no need to keep the compatibility now
Bug: 186485355
Change-Id: Iffdf3abebc17f32e36f3b3fe2b4f9c2592da9653
Test: TreeHugger
Add a new service flag SVC_STOPPING which tracks whether a service is
being manually stopped by init, and make the "reboot_on_failure" service
setting not apply when SVC_STOPPING is set.
This is needed for devices that use FDE, because otherwise the device
reboots during the following init script fragment:
    on property:vold.decrypt=trigger_shutdown_framework
        class_reset late_start
        class_reset main
        class_reset_post_data core
        class_reset_post_data hal
... because that stops all services, including apexd which has been
marked with reboot_on_failure since
https://android-review.googlesource.com/c/platform/system/apex/+/1325212.
So init was killing apexd, then rebooting the device because apexd
"failed" due to having been killed. Making reboot_on_failure not apply
when init stops a service itself fixes the problem.
This is one of a set of changes that is needed to get FDE working again
so that devices that launched with FDE can be upgraded to Android 12.
Bug: 186165644
Test: Tested FDE on Cuttlefish
Change-Id: I599f7ba107e6c126e8f31d0ae659f0ae672a25e4
If precompiled vendor policy has system_ext hash, system_ext also has to
have its hash, to use precompiled sepolicy.
Bug: 186727553
Test: remove system_ext's hash and see sepolicy compiled in runtime
Change-Id: I4af3418d614156b5e9cd0b0116c2814ba994ee81
The existing code has a lot of references to the
`ro.boot.qemu` and `ro.boot.qemu.something` properties
which is not supported by the bootconfig if we place
everything under `androidboot.qemu`.
Bug: 182291166
Test: getprop | grep qemu
Signed-off-by: Roman Kiryanov <rkir@google.com>
Change-Id: Icb9d29c8dc39e1fa52a6f2ce43b4f42182b7995d
Currently the gki_4_19_pixel5 presubmit test uses an old
vendor_boot-debug.img from a release branch. Adding fallback
paths to load debug resources from /first_stage_ramdisk dir to
pass the presubmit.
This CL should be reverted later once the vendor_boot-debug.img
gets updated to store the debug resources on the root dir.
Bug: 186082603
Test: boot a device with boot-debug.img
Test: boot a device with vendor_boot-debug.img
Change-Id: I9fcd77fc5a60a15cff254e432e05f1c9122ad80d
Currently the debug resources might be under /first_stage_ramdisk/*
of the ramdisk, if there is androidboot.force_normal_boot=1 in the
kernel cmdline to request init chroot into /first_stage_ramdisk dir.
To make a generic boot-debug.img work on devices with and without
this chroot, move the debug resources to the root of the ramdisk,
and copy them for later use before the chroot.
Bug: 186082603
Test: boot a device with boot-debug.img
Test: boot a device with vendor_boot-debug.img
Change-Id: I052a92b2d26c7fdf749991fc55015ff68743efc2
PropertyInit loads the build.prop files and sets the system properties.
Set the SELinux log callback before that to show the avc denials for debugging.
Test: $ make init_system
Push this module and ensure system property set denials are shown during boot
Bug: 185920634
Change-Id: Ifc228985a990f6938ad2a93790eb3607b2d12b5a
init starts services in "bootstrap" mount namespace until the "default"
mount namespace is ready even when init's current mount namespace is
"default".
apexd and linkerconfig are those processes to set up the mount
namespaces: apexd activates apexes and linkerconfig generates linker
configs.
Previously apexd was allowed to be started in the "current" namespace by
checking its "service name" (it should be "apexd"). But there can be a
certain environment where apexd is started in a different way. For example,
in microdroid, apexd is started using "exec -- /system/bin/apexd --vm"
because it wants to run in a different execution mode.
So, instead of checking the service name, its executable's path is
checked to allow apexd to be started in the current mount
namespace.
Bug: 179342589
Test: MicrodroidTestCase (microdroid boots)
Test: cuttlefish boots
Change-Id: I7c2490e15d481c28ddf382d2d3fdf58a78e467ec
Only the exact same devpath uevent can launch external handler specified
in ueventd.rc. So, you should specify all possible devpaths, even
firmware with different filenames on the same device. Pattern matching
can be used to simplify this.
Test: atest CtsInitTestCases
Signed-off-by: Suchang Woo <suchang.woo@samsung.com>
Change-Id: If3b7a2cabb8055bf4b768d928f0fc0012da3c177
'/sys/block/zram0/backing_dev' will exist even if zram is not swapped on
in some devices. And there is no reason to ensure that zram is swapped on
if '/sys/block/zram0/backing_dev' exists. So, if we want to kill
backing_dev during userspace reboot, we should check if zram is swapped
on first.
TEST: as follows
- adb root
- adb shell swapoff /dev/block/zram0
- adb shell echo 1 > /sys/block/zram0/reset
- adb shell setprop test.userspace.reboot.flag 1
- adb reboot userspace
- (wait reboot ending) adb shell getprop test.userspace.reboot.flag (1 will be shown if successful)
Signed-off-by: luwei9 <luwei9@xiaomi.com>
Change-Id: Icca569cf8d64bc024b867dae2ab789fc9e76445a
emulator passes `android.checkjni` in the kernel
command which we want to use in
frameworks/base/core/jni/AndroidRuntime.cpp
Bug: 182291166
Test: getprop ro.boot.dalvik.vm.checkjni
Signed-off-by: Roman Kiryanov <rkir@google.com>
Change-Id: If9473aa9492fa09d8de7cc8fb08614380e4e15f3
emulator passes `android.bootanim=0` in the kernel
command line to disable boot animation.
Bug: 182336906
Test: boot emulator with -np-boot-anim
Signed-off-by: Roman Kiryanov <rkir@google.com>
Change-Id: Id89a6c92dd4724cac414ffbf8ee731b2bfcc7195
args[2](user name to run as) is used instead of args[1](devpath).
Test: atest CtsInitTestCases
Signed-off-by: Suchang Woo <suchang.woo@samsung.com>
Change-Id: Id271755993d55e332bad54d0414e2232071e5e8e
restrictions
Use the property ro.product.enforce_debugfs_restrictions to enable
debugfs restrictions instead of checking the launch API level. Vendors
can enable build-time as well as run-time debugfs restrictions by
setting the build flag PRODUCT_SET_DEBUGFS_RESTRICTIONS true which in
turn sets ro.product.enforce_debugfs_restrictions true as well as enables
sepolicy neverallow restrictions that prevent debugfs access. The
intention of the build flag is to prevent debugfs dependencies from
creeping in during development on userdebug/eng builds.
Test: build and boot
Bug: 184381659
Change-Id: If555037f973e6e4f35eb7312637f58e8360c3013
Minor refactoring and renaming, goal is to make the follow-up patch
easier to read.
Bug: 184132970
Test: Presubmit
Change-Id: I66416161b30ac310934d901cbaf11bc926e2cbf7