- allows components relying on persisted props to wait for this property.
bug: 35178781
Test: reboots
Change-Id: I06cbf2a6b375654fcc277a2699fceeb23846a241
Current early mount has some hard-coded paths that are not easy to extend
when we switch verified boot to AVB (external/avb/libavb). This CL uses some
C++ containers to replace those fixed paths.
Bug: 33254008
Test: early mount /vendor with dm-verity on sailfish
Test: early mount /vendor without dm-verity on sailfish
Test: early mount /vendor with dm-verity on bullhead
Change-Id: I32a22fe486d7649e33bb23c9018ddc0428df6069
Treblization requires to locate partner-specific modules in its own
partition. So their own init.rc file could be located in /odm or
/vendor.
This CL is to support those locations for the init.rc.
Additionally thic CL modified import parser to support importing a
relative path.
Test: building succeeded and tested on sailfish with enabling early
mount.
Bug: 35269867
Change-Id: I1bce924a32c8a2b53fb5d981d35d758cf9ddd9a6
With init parsing fstab fragments from kernel separately, the fs_mgr
would completely miss the device tree entries. That leads to things like
'adb remount' to go through without warning for verity even if /system
is verified. This happens because 'verity_update_state' completely
misses the partitions passed to android through the device tree.
solution is to teach fs_mgr about device tree fstab entries and add 2
new public APIs.
1. fs_mgr_read_fstab_dt() - reads device tree and returns fstab
generated from it.
2. fs_mgr_read_fstab_default() - reads both device tree fstab and
/fstab.{ro.hardware} and returns the combined table.
This also reduces the hardcoded /fstab.{ro.hardware} occurence only to
fs_mgr and for eveyone who wants to read the "default" fstab must be
changed to call fs_mgr_read_fstab_default() instead. e.g. adb.
b/27805372
Test: Angler was used since it has 2 early mounted partitions instead of
one. 1 verified and 1 unverified.
- Boot angler successfully without early mount
- Boot angler successfully with /vendor early mount and test if 'adb
remount' warns us about verity
- Boot angler successfully with both /system and /vendor early mounted
and ensure 'adb remount' warns us about verity.
- check partitions.system.verified status after /system early mount ot
ensure it is set to VERITY_MODE_DEFAULT.
- 'adb disable-verity' with early mounted /system doesn't work due to
missing changes in adb
TODO:
change adb to use the new fs_mgr_read_fstab_default() API
Change-Id: I82038d87c7a44488e938acce2cc1082c08f6f73a
Signed-off-by: Sandeep Patil <sspatil@google.com>
The clang static analyzer is complaining that we are not checking the
setegid() return value, so let's add these checks. We should never
fail to return to AID_ROOT, so fail hard in this case.
Bug: 26962034
Test: Boot bullhead
Test: export WITH_STATIC_ANALYZER=1 and run 'mm' in the project directory
Change-Id: I62e95b045c5734305c71502871b6cf17f152edbc
* changes:
fs_mgr: add a generic fs_mgr_get_boot_config internal API
init: early_mount: create device node for verity metadata partition
init: early_mount: disallow partitions to be verified at boot
init: early_mount: add support to mount verity enabled partitions early
fs_mgr: make fs_mgr_setup_verity public API
fs_mgr: fix the fs_mgr_setup_verity param name
init: refactor to allow successive device_init calls
fs_mgr: add fs_mgr_do_mount_one() API
Most devices pass the veritymode through 'androidboot.veritymode' kernel
cmdline partition. However, for those who don't, the verity state is
read from a different block device whose path it passed to "verify="
fs_mgr option in fstab.
This change add support for such a case if the partition that needs to
be mounted early requires this additional block device to load the
verity state from.
Note that, there can only be 1 partition to get the verity state
regardless of the number of partitions we enable verity for.
Bug: 27805372
Test: Test angler by removing the metdata argument in fstab when it
boots fine. Tested by adding the argument when it fails to boot as
veritymode gets set to EIO during early mount due to lack of access to
properties as expected.
TODO: fs_mgr must pull the veritymode from kernel cmdline or device tree
by itself
Change-Id: I9e62b8c1bf2c0ae0365677df697a0cbe9e5810c1
Signed-off-by: Sandeep Patil <sspatil@google.com>
While technically possible, the verification at boot basically will
block init for as long as the entire partition is read while nothing
else is running. Disallow that as this is not going to be used anywhere.
Bug: 27805372
Test: boot angler with verifyatboot fs_mgr option for early mounted
vendor partition. That resulted in a panic() as expected.
Change-Id: I9da5caa163cae8bce6dbfb630f0ed5605ea044a0
Signed-off-by: Sandeep Patil <sspatil@google.com>
support mounting partitions early regardless of their "verified" status.
uses the newly exported fs_mgr APIs to split verity setup and mount
operations.
b/27805372
Test:
Angler:
- Early mount /vendor without dm-verity
Sailfish:
- Early mount /vendor without dm-verity
- Early mount /vendor with dm-verity
TODO:
add support for metadata partition used in angler
to load dm-verity data
Change-Id: Ie2768d4d895c19d045293c573773ee7bb03fff99
Signed-off-by: Sandeep Patil <sspatil@google.com>
device_init opens the uevent socket and sehandle when called.
For early_mount however, depending on the fs_mgr flags we may call this
in order to run coldboot for device mapper, dm-verity devices etc.
So the change makes sure we don't try to re-open the uevent socket,
file context handle and selinux status on successive calls to
device_init from within the same process.
b/27805372
Test: Boot saifish successfully
Change-Id: Ifa0e665403211684183efb9be66e4e8d0d86a206
Signed-off-by: Sandeep Patil <sspatil@google.com>
Treble allows framework-only (system.img) OTA. To libavb statically
linked in init/fs_mgr cannot parse the AVB metadata of system.img, add
this property for the Treble OTA match process.
Bug: 35236019
Test: Normal boots, use 'adb shell getprop' to check the property is set.
Test: Recovery boots, press 'Mount system' and use 'adb shell getprop'
to check the property is set
Change-Id: I552be229c4efd45088d93252ac67176606f75d4d
* changes:
init: fstab: add support to read fstab entries from device tree
init: early_mount: add support to mount non-verity partitions early
init: remove the existing early_mount code
init: refactor: add support for doing early coldboot
ueventd: make selinux labeling optional for device creation
Use this for bootstat and init. This replaces the custom uptime parser in
bootstat.
This is a reland of aosp/332854 with a fix for Darwin.
Bug: 34352037
Test: chrono_utils_test
Change-Id: Ib2567d8df0e460ab59753ac1c053dd7f9f1008a7
for early mount, we need a way to tell init where to find vendor,
odm partitions (also system in case of non-A/B devices). Also, that
needs to be independent of kernel cmdline since the cmdline will likely
exceed its limit.
The change adds support for parse and create fstab entries that can be
directly sent to the fs_mgr for mounting partitions early in init first
stage.
Sample DT entry to mount vendor partition early on angler-
firmware {
android {
compatible = "android,firmware";
fstab {
compatible = "android,fstab";
vendor {
compatible = "android,vendor";
dev = "/dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor";
type = "ext4";
mnt_flags = "ro,barrier=1,inode_readahead_blks=8";
fsmgr_flags = "wait";
};
};
};
};
b/27805372
Test: Boot angler and sailfish with early "vendor" partition mount by
adding aforementioned DT node and enable CONFIG_PROC_DEVICETREE in kernel
Change-Id: I669013e3fdb157e88719436534f63989dec95d60
Signed-off-by: Sandeep Patil <sspatil@google.com>
This is done by parsing 'androidboot.fstab=<fstab>' kernel cmdline
option to get the fstab file that *only* specifies partitions to be
mounted early (i.e. in init's first stage).
Note that, the same fstab file may not be used as an argument to
mount_all later in the boot as that will cause fs_mgr to fail with
EBUSY.
TODO:
- Possibly add a new mount_mode so the same fstab can be used for
early_mount, 'mount_all --early/--late' etc.
- Add support for dm-verity enabled partitions to mount early.
- Add support for getting fstab arguments through DT instead of kernel
cmdline.
Bug: 27805372
Test:
Boot angler by passing a seperate fstab file using the kernel
cmdline option to mount vendor partition early, remove the vendor
partition entry from the main fstab file for the test.
Boot sailfish by passing a seperate fstab entry via device tree
to mount vendor partition early. Remove vendor partition entry from
the main fstab file for the test
Change-Id: I18785b893c54c8cee960ab44d5e8f83e5d624aa8
Signed-off-by: Sandeep Patil <sspatil@google.com>
keeps parts of the code that are still needed for the fs_mgr
+ dt based implementation
b/27805372
Test: boot angler, sailfish without regressions
Change-Id: I1b08f8b7b4f2e67118d328443a5011c0f5ead919
Signed-off-by: Sandeep Patil <sspatil@google.com>
We don't want to spend time creating devices that are unncessesary
during early (init first-stage) mount. So, refactor the devices code
tha allows us to call into coldboot and has the
- ability to only create devices that are specified by the caller
- ability to stop coldboot cycle when all devices that the caller is
interested in
- ability to run coldboot for a specific syspath
- ability to run ueventd code unmodified
Test: Tested boot on angler, sailfish
Change-Id: Id8f3492380696760414eadc20d624d300c904f8e
Signed-off-by: Sandeep Patil <sspatil@google.com>
I find myself using something like this every time I add functionality
to init. I cannot possibly be the only one doing this. On the other
hand, if this hasn't been added for so long, maybe there's a reason
for that.
The advantage of using a test service versus modifying an existing
service is that the test service doesn't *require* any permissions or
privileges, so you can add and/or remove whatever you need to test
without breaking the service.
I found it useful to have the service check its own /proc/<pid>/status
from command-line arguments, so that's what the service does.
This CL also adds a .clang-format file for init.
Bug: None
Test: Service runs and exits successfully.
Change-Id: I3e7841a7283158e10c0bf55e0103c03902afb1f0
This is to setup a way for us to run coldboot during init first stage
and also at ueventd startup. We do not have all of the file context
during the first stage, so the "early" coldboot needs to proceed without
labelling the device nodes. However, the follow up in ueventd must label
these nodes. This change allows us to do both.
b/27805372
Test: Boot angler successfully and compare do before/after comparison of
the output of 'ls -AclpqRZ /dev' to ensure there are no differences.
Change-Id: I5e88bd7da8a1d2cc41e3abba30dda463ecbde32e
Signed-off-by: Sandeep Patil <sspatil@google.com>
While keeping the old /ueventd.$ro.hardware.rc configuration for devices
without early mount or vendor,odm split
b/34967636
Test: Boot angler and sailfish without regressions
Change-Id: I8d671911fd23fb1c0b5624ae209bad86137c88b7
Signed-off-by: Sandeep Patil <sspatil@google.com>
Add wait time log for exec service execution time
Fix memory leak when exec service failed to start
Test: on marlin
Bug: 34518530
Change-Id: I01736bd9b1429414f3dc91dd5d02d88a681f0985
This reverts commit db929bf9b7.
Seccomp is now inserted at the zygote level, not in init
Bug: 34710876
Test: Boots, seccomp policy in zygote & zygote64 but not init
Change-Id: I9075a79793171a4eaccf6228e9ff3398c791f8bd
Add syscalls required by sanitizers.
Bug: 34606909
Test: Make sure Android boots when built with SANITIZE_TARGET='address'
Change-Id: Ifa223fb663a4ff43c8b8df9b7bf9452e41079e2e
There are many use cases from vendors to exec service in background and then
use a shell scriprt to wait for the command done.
This CL is to add a wait_for_prop command to suppor those use cases.
Bug: 34746108
Test: on marlin
Change-Id: Ia81290b0928f9d375710d2daa546714f0cd65b72
Bug: 34813887
Bug: 34809883
Bug: 34767389
Bug: 34719286
Test: Device boots, the app in b/34719286 runs when it didn't before
Change-Id: Iad198e3ca620e7a07464b0d182f969bb807bd948
* Nanosecond precision ended up being harder to grok.
* This change modifies the Timer class to have duration_ms instead of
duration_ns.
Bug: 34466121
Test: adb logcat | grep bootstat
Change-Id: Ibd1c27dc3cb29d838a956e342281b2fb98d752a6
Bug: 33746484
Test: Successfully boot with original service and property contexts.
Test: Successfully boot with split serivce and property contexts.
Test: 'getprop -Z'
Change-Id: Ib9c087115040c1609aa64a3ed66d4e67e937e33d
Signed-off-by: Sandeep Patil <sspatil@google.com>
Used by 32-bit debuggers
Bug: 34716063
Test: Make sure a Chrome crash produces a valid stack trace in logcat
Change-Id: Ie42f035da7f19ace403eb2111524f02c0bbfd0d5
When handling a property control message to start a service, the
connection socket was being left open. The child socket FD would then be
inherited by the service from init as "/null".
Bug: 34698883
Test: adb shell start webview_zygote32; adb shell ls -l /proc/<pid>/fd,
no "/null" FD open.
Change-Id: I25f34e1bfc1414e6143acf23414b05f5a241cace
external/avb/libavb provides the new Android Verified Boot (AVB) flow.
It has different verity metadata format than previous formats in
fs_mgr_verity.cpp fs_mgr should support using libavb to read the metadata
(a.k.a. HASHTREE descriptor in AVB) to enable dm-verity in kernel.
Two important files in this commit:
- fs_mgr_avb_ops.c: an implementation of struct AvbOps* for libavb to do
platform dependent I/O operations, e.g., read_from_partition.
- fs_mgr_avb.cpp: it reads the metadata (a.k.a. vbmeta images in AVB) from
all partitions, verifies its integrity against the values of
androidboot.vbmeta.{hash_alg, size, digest} passed from bootloader in
kernel command line. Then enable dm-verity for partitions having the
corresponding HASHTREE descriptor and with an 'avb' fstab flag.
Bug: 31264231
Test: Enable dm-verity on /system partition
Test: Enable dm-verity with FEC on /system partition
Change-Id: I4652806984fe5a30c61be0839135b5ca78323d38
tkill and tgkill are syscalls that do not have glibc wrappers, but
they are required in order to send a signal to a specific thread.
Non-android software may call them directly with syscall(). Bionic
provides a wrapper for tgkill, so seccomp allows it, but not for
tkill. Add tkill to the whitelist.
This can be reproduced with:
sleep 1000 & sleep 1 ; strace -p $!
then hit ctrl-C, and the shell will print "Bad system call" because
the strace process died with SIGSYS
Bug: 34586922
Test: repro case is fixed
Change-Id: Ib6962a967f2cc757f2906de7905e75e1b6d6f39f
restart_syscall is used by the kernel whenever a syscall with a
timeout is interrupted. Whitelist it in seccomp to prevent
processes being killed with SIGSYS when being ptraced.
Bug: 34586922
Test: hwui_unit_tests
Change-Id: Ic47dcad33f3082eb5673c3c67fe17200d4daaf74
New protocol assumes that there is no limit on name or value
and effectively removed limit on property name length.
It also send back a uint32_t with error code (or 0 on success)
Bug: http://b/33926793
Test: mm, boot, run bionic-unit-tests --gtest_filter=prop*
Change-Id: Iac6290398ddc495e03f8fbbc3a79e923eff5df6f
Also ensure that it uses the highest supported value, and
abort if the value is not above a minimum threshold.
Test: Tested against the curent kernel (maximum value of 2,
set to 0 by the kernel initially) and against a
modified kernel (maximum value of 4, set to 4 by the
kernel initially)
Bug: 30368199
Change-Id: I608db577258b68b390ffe96f452e1f7c0bc9ad8a
The following files will be loaded additionally.
- /odm/default.prop and /vendor/default.prop for default props.
- /odm/build.prop for build props.
The props files must follow the following priority order.
- /default.prop > /odm/default.prop > /vendor/default.prop
- /system/build.prop > /odm/build.prop > /vendor/buid.prop
Test: tested default/build prop files with enabling early mount, but
didn't test files of odm partition because odm partition doesn't
exist now.
Bug: 34116668
Change-Id: I946d076dae38f2288865dd986fb16d801d4abcc0
SoC vendors and ODMs need a way to run different init scripts under
different boot modes. This patch adds a new ro.boot.init_rc kernel
cmdline argument to support this.
Bug: 26639863
Test: Tested on bullhead with androidboot.init_rc given a
non-existent .rc file which leads to expected boot failures.
Boot succeeds if androidboot.init_rc is not specified.
Change-Id: I2bca1cc3de6720feced041fe87266fb8afcce8b0
This now combines all the "libsparse" libraries into the same soong
target. A minor side-effect of this change is that the libsparse
static library depends on the libz shared library instead of the libz
static library. This minor change has no effect since targets using
the static libsparse library need to explicitly include either the
static libz or the shared one.
Bug: 34220783
Change-Id: I8f41586cf4c3336791cfa57ab4f5ae59a76d7ffa
SoC vendors and ODMs need a way to run different init scripts under
different boot modes. This patch adds a new ro.boot.init_rc kernel
cmdline argument to support this.
This patch also changes late-init trigger. Now late-init is only
triggered in "normal" boot (where boot mode is not specified). This is
to make AOSP init.rc re-usable in other boot modes as the operations
in late-init are less common.
Bug: 26639863
Test: Tested on bullhead with
androidboot.init_rc = {non-existent .rc file}
and/or
androidboot.init_rc = {none empty string}
both of which lead to expected boot failures.
Boot succeeds if androidboot.init_rc is not specified.
Change-Id: Ie5f08c3914f2f825ad3c401fde6741459668c523
Test: Ran script to test performance - https://b.corp.google.com/issues/32313202#comment3
Saw no significant regression with this change on or off
Removed chroot from SYSCALLS.TXT - chroot blocked
Boot time appears reasonable
Device boots with no SECCOMP blockings
Measured per syscall time of 100ns
Empirically counted <100,000 syscalls a second under heavy load
Bug: 32313202
Change-Id: Icfcfbcb72b2de1b38f1ad6a82e8ece3bd1c9e7ec
Bug: 33746484
Test: Successfully boot with original service and property contexts.
Test: Successfully boot with split serivce and property contexts.
Test: 'getprop -Z'
Change-Id: I62689b229a67e319c65bf034da804f660f82bd35
Signed-off-by: Sandeep Patil <sspatil@google.com>
The property service uses an SELinux userspace check to determine if a
process is allowed to set a property. If the security check fails, a
userspace SELinux denial is generated. Currently, these denials are only
sent to dmesg.
Instead of sending these denials to dmesg, send it to the kernel audit
system. This will cause these userspace denials to be treated similarly
to kernel generated denials (eg, logd will pick them up and process
them). This will ensure that denials generated by the property service
will show up in logcat / dmesg / event log.
After this patch, running "setprop asdf asdf" from the unprivileged adb
shell user will result in the following audit message:
type=1107 audit(39582851.013:48): pid=1 uid=0 auid=4294967295
ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for
property=asdf pid=5537 uid=2000 gid=2000 scontext=u:r:shell:s0
tcontext=u:object_r:default_prop:s0 tclass=property_service'
Test: manual
Bug: 27878170
Change-Id: I0b8994888653501f2f315eaa63d9e2ba32d851ef
Commit 9596d2b95d changes how
availability of console is checked by only checking access bits for
the console device. However, in cases where there is no console it
defaults to /dev/console. This device is always enumerated by tty
driver (i.e. file and access bits may be correct), but it doesn't
always map to an underlying console driver. Because the lookup for the
underlying console driver happens during the open system call, checking
only the access bits is not sufficient and need to make sure open
system call is successful, we can safely close the FD afterwards to
avoid FD leaks.
Test: boot device and check console svc doesn't continuously restart
Bug: 33691649
Change-Id: Ia51a8a2f56c345b70db55e95f61a057a98b52895
The mismatch of return values makes reasoning about the correctness of
CLs like https://android-review.googlesource.com/317923 quite hard.
Bug: 33941660
Test: Init builds, HiKey boots.
Change-Id: Ia4b8a9af420682997b154a594892740181980921
This reduces the overhead when bootcharting is on (obviously), but also
removes the "do we need to do anything for bootcharting?" check in cases
where we're not bootcharting.
Bug: http://b/23478578
Bug: http://b/33450491
Test: rebooted with bootcharting on/off
Change-Id: Id8746b5023b17d7615679eba0bcd02aee048ef1a
Compile policy from disparate sources at beginning of init and use to load
rather than relying on prebuilt policy.
Bug: 31363362
Test: Policy builds on-device and boots.
Change-Id: I681ec3f7da351d0b24d1f1e81e8a6b00c9c9d20c
Partners have expressed interest in using the 'capabilities' keyword
in init, so make the code more resilient:
-Check that ambient capabilities are supported by the kernel.
-Check that the last valid cap at runtime is not higher than what's in
kernel headers.
-Check that the user is not requesting a capability present in kernel
headers but not supported by the kernel at runtime.
-Don't attempt to drop bounding set capabilities not supported at
runtime.
This CL also fixes a small bug where < should have been used instead of
<=, and uses 'static' instead of anonymous namespaces.
Bug: 32438163
Test: Use a test service that uses capabilities.
Test: Apply in internal tree and test with angler and rild.
Change-Id: Ia271cc7eb389d1d526d61f897261e4bac4d19e5d
This is a cherry-pick of internal commit:
f611291688 which was a revert of a
revert, specifically a revert of commit:
c8f026fc9c.
The above revert was meant only for AOSP, since the kernel prebuilts
were not yet available there. The revert was reverted internally so
that internal builds, which have the appropriate kernel prebuilts,
operated properly.
The very first commit was originally done in nougat-dev and cherry-picked
to AOSP, so it was not picked up again when nougat landed in master. Add
it now.
Bug: 27681085
Test: Builds and boots.
Change-Id: If1cb6308e61aaaabca5b5bd30df78aab49e7b0d5
When init starts a service with a console, it tests for the presence of
a readable/writable console device. The test results in a leaked file
descriptor.
Use access() instead of open() to avoid leaking file descriptors.
Bug introduced in 70daa67062.
Test: compiles and device boots
Change-Id: I4efcfa0bb2cdb09f0455bc04a3a91e784bda7962
Most notably, there's no longer any need to guess an end time.
Bug: http://b/23478578
Bug: http://b/33450491
Test: rebooted with bootcharting on/off
Change-Id: Icb7d6859581da5526d77dfc5aa4d57c9bfbfd7e2
bionic was the only listener, and it was doing nothing useful when the
property changed, so we've removed that listener.
Bug: http://b/33308258
Test: DNS still works
Change-Id: I15292e8e58e6b87cdad8f73e449ccaf334dff68b
Mixing open or create, along with attribute(MAC) and permissions(DAC)
is a security and confusion issue.
Fix an issue where fcntl F_SETFD was called to clear O_NONBLOCK, when
it should have been F_SETFL. Did not present a problem because the
current user of this feature does writes and control messages only.
Test: gTest logd-unit-tests and check dmesg for logd content.
Bug: 32450474
Bug: 33242020
Change-Id: I23cb9a9be5ddb7e8e9c58c79838bc07536e766e6
This issue reproduces in the following senario.
1. ("", "") is added to queue;
2. property_triggers_enabled is set to 1;
3. user defined property is triggered, like sys.usb.config=adb;
4. ("sys.usb.config", "adb") is added to queue;
5. main loop interpret ("", "") and queue all current triggers to execution,
so ("sys.usb.config", "adb") is queued for execution for the first time.
6. main loop interpret ("sys.usb.config", "adb"), it is queued for
execution for a second time.
The second time makes ASIT fail.
Bug: http://b/28218187
Change-Id: I230e175e0dca8989f1e5bd812398da90082d0ec1
Signed-off-by: caozhiyuan <cao.zhiyuan@zte.com.cn>
Bug: 31800756
Instead of strictly timing out after 1s waiting for COLDBOOT_DONE,
we wait for a considerably longer period of time, which would also
allow slower non-production heavily instrumented debug builds to
boot up.
Upon successful wait, we measure the time taken and record the
value into a system property: ro.cold_boot.duration.
If timeout is still reached, we log an error message and abandon
boot process, rebooting into recovery mode instead.
Change-Id: Ic1df80546d8721b0e8c998ff294d5c5102de4e98
files.[h|cpp] is bound to be abused with junk, replace with
android_get_control_file.[h|cpp]. Plus some sundry cleanup.
Test: gTest libcutils-tests, logd-unit-tests, liblog-unit-tests,
logcat-unit-tests and init_tests
Bug: 32450474
Change-Id: Ibd4a7aa4624ea19a43d1f98a3c71ac37805d36b5
ExecuteCommand may change command_ vector which leads undefined behavior
This bug is found when adding logs in ExecuteCommand printing our Command class fields
Bug: 32838381
Test: on emulator
Change-Id: I96468bd2192ca80013871a3a6ac4132149363fff
Use to solve the problem of tracefs conditionally being mounted
under debugfs and needing restorecon'd without boot performance
penalty.
Also move skip-ce to a flag for consistency.
Test: Check that trace_mount has correct attributes after boot
Bug: 32849675
Change-Id: Ib6731f502b6afc393ea5ada96fa95b339f14da49
On FBE devices, the filenames inside credential-encrypted directories
are mangled until the key is installed. This means the initial
restorecon at boot needs to skip these directories until the keys
are installed.
This CL changes the implementation of the "restorecon_recursive"
built-in command to use the new SKIPCE flag to avoid labeling files
in CE directories. vold will request a restorecon when the keys
are actually installed.
(cherrypicked from commit 1635afe83d)
Bug: 30126557
Test: Cherry-picked from master
Change-Id: I320584574a4d712c493b5bbd8a79b56c0c04aa58
With this change, init sets a property "init.start" to show the
CLOCK_BOOTTIME time at which init itself started, and for each service
an "init.svc.<name>.start" property to show the CLOCK_BOOTTIME time at
which that service was most recently started.
These times can be used by tools like bootstat to track boot time.
As part of this change, move init over to std::chrono. Also, rather than
make the command-line argument handling more complex, I've switched to
using an environment variable for communication between first- and
second-stage init, and added another environment variable to pass the
start time of the first stage through to the second stage.
Bug: http://b/32780225
Test: manual
Change-Id: Ia65a623e1866ea688b9a5433d6507926ce301dfe
- This error led into not handling highest priority,
which made zygote's priority boost no-op
bug: 32718256
Test: check init log during bootup
Change-Id: I959eb94912a9c1d95bfdb98ee675fdd12cf85699
Solve one more issue where privilege is required to open a file and
we do not want to grant such to the service. This is the service side
of the picture, android_get_control_file() in libcutils is the client.
The file's descriptor is placed into the environment as
"ANDROID_FILE_<path>". For socket and files where non-alpha and
non-numeric characters in the <name/path> are replaced with _. There
was an accompanying change in android_get_control_socket() to match
in commit 'libcutils: add android_get_control_socket() test'
Add a gTest unit test for this that tests create_file and
android_get_control_file().
Test: gTest init_tests --gtest_filter=util.create_file
Bug: 32450474
Change-Id: I96eb970c707db6d51a9885873329ba1cb1f23140
Ambient capabilities are inherited in a straightforward way across
execve(2):
"
If you are nonroot but you have a capability, you can add it to pA.
If you do so, your children get that capability in pA, pP, and pE.
For example, you can set pA = CAP_NET_BIND_SERVICE, and your
children can automatically bind low-numbered ports.
"
This will allow us to get rid of the special meaning for AID_NET_ADMIN
and AID_NET_RAW, and if desired, to reduce the use of file capabilities
(which grant capabilities to any process that can execute the file). An
additional benefit of the latter is that a single .rc file can specify
all properties for a service, without having to rely on a separate file
for file capabilities.
Ambient capabilities are supported starting with kernel 4.3 and have
been backported to all Android common kernels back to 3.10.
I chose to not use Minijail here (though I'm still using libcap) for
two reasons:
1-The Minijail code is designed to work in situations where the process
is holding any set of capabilities, so it's more complex. The situation
when forking from init allows for simpler code.
2-The way Minijail is structured right now, we would not be able to
make the required SELinux calls between UID/GID dropping and other priv
dropping code. In the future, it will make sense to add some sort of
"hook" to Minijail so that it can be used in situations where we want
to do other operations between some of the privilege-dropping
operations carried out by Minijail.
Bug: 32438163
Test: Use sample service.
Change-Id: I3226cc95769d1beacbae619cb6c6e6a5425890fb
bootcharts currently only show root's processes, which isn't very
useful. To investigate and track boot duration issues, we need a way for
init to see all the pids. Add init to GID 3009 (aka AID_READPROC)
Ensure that init's children don't inherit this GID by always clearing
supplementary group IDs on fork.
Bug: 32506197
Test: Device boots and /proc/1/status says init is in gid 3009
Test: zygote starts and the Group: line in /proc/ZYGOTEPID/status is empty
Change-Id: Iba90717aaa591f1d6030a379a272aee003600c0a
Not-Tested: bootchart actually works. Speculative fix.
Services implementing HIDL HALs must be named the same as the HIDL
package, e.g. android.hardware.nfc@1.0. Allow init to accept names
containing '.' and '@'.
Also combined logic for legal property names and legal service names.
Bug: 31458381
Bug: 32109611
Test: Tested creating service nfc@1.0-service which creates property
'init.svc.nfc@1.0-service' with and without this change. This service
successfully started only with this change.
Change-Id: Ie7a4310742bc03498d774d37b3b5fafa7c6068cc
Signed-off-by: Iliyan Malchev <malchev@google.com>
For each service ${service} described in a .rc file, init creates the
property init.svc.${service}. This implies that service-name lengths
are bound by the maximum size of a property. This patch accounts for
the "init.svc." prefix and the maximum property-name length when
validating a service name.
Test: pass
Change-Id: I32dffa37363b41a8211f7644600b81973d30a3b2
Signed-off-by: Iliyan Malchev <malchev@google.com>
These events are _somewhat_ normal, in that not all devices have all
partitions, but not logging anything makes it unnecessarily hard for
folks to debug simple failures.
Bug: http://b/31186390
Test: booted, checked dmesg
Change-Id: I403377c585ea35cfe73b0bed9443b75e3a84dc8d
This will make it possible to start some key services before mounting
data partition
Bug: 30118894
Change-Id: Ia9f8cc035de6cc0df9a61605864915efa0266d7f
(cherry picked from commit abfbec342f)
This will make it possible to start some key services before mounting
data partition
(cherry picked from commit abfbec342f)
Bug: 30118894
Change-Id: Ia9f8cc035de6cc0df9a61605864915efa0266d7f
Create /dev/random and /dev/urandom in the first stage, so that when we
reexec, arc4random is available for libc initialization.
Bug: http://b/29622562
Change-Id: I5b2071539a17eec609faac91dc28b08eba5ff89b
Right now these two partitions are mounted in the fs stage of the init
process. As a result, many vendor/ODM files needed earlier in the boot
process (e.g., init.<hardware>.rc, fstab.<hardware>.rc,
uevent.<hardware>.rc, SELinux policy files etc) can only live on the root
partition.
To prevent vendors/ODMs from polluting the root partition, this patch makes
it possible to mount the vendor and ODM partitions in the first stage of the
init process. The fstab info of both partitions to be mounted early is
composed from new kernel cmdline arguments android.early.prefix and
android.early.fstab.
For example, with:
android.early.prefix=/sys/devices/1010000.msdc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0/
android.early.fstab=mmcblk0p10+/odm+ext4+ro+verify\nmmcblk0p09+/vendor+ext4+ro+verify
the final fstab string will be:
/sys/devices/1010000.msdc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0/mmcblk0p10 /odm ext4 ro verify
/sys/devices/1010000.msdc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0/mmcblk0p09 /vendor ext4 ro verify
The android.early.prefix is optional. When it is missing, the final fstab
string will be directly converted from android.early.fstab.
This patch also makes sure that the early mounted partitions are dm-verity
enabled so that they are trust worthy to store system files.
BUG=27805372
Change-Id: I3cf32482a5ec65445ba3aedab2164c7ba8f12694
killProcessGroup actually works on cgroups. Kill the POSIX process
group ourselves.
Bug: http://b/29751426
Change-Id: I1a2808488510f4262811b6407bcd0948ad23bc60
* Use const reference type for parameters to avoid unnecessary copy.
* Suppress warning of not using faster overloaded string find function.
Bug: 30407689
Bug: 30411878
Change-Id: I6cfdbbd50cf5e8f3db6e5263076d3a17a9a791ee
Test: build with WITH_TIDY=1
Merged-In: Ie79dbe21899867bc62031f8618bb1322b8071525
Often a bugreport is accidentally triggered by the combo keys, but there
is nothing in the bugreport to confirm that action because init's
klog level is KLOG_NOTICE_LEVEL.
This change change keychord's INFO messages to NOTICE, and also logs the
case where a service was not launched because ADB was disabled.
BUG: 30440213
BUG: 30345559
Change-Id: I6ccadef1621cb41dcd15e7c1660366f0e147dc7a
Remove the /dev/__kmsg__ workarounds (which can then be removed
from sepolicy), and fix confusion in the translation between
android-base logging and kernel logging priorities (in particular,
where 'notice' comes in the hierarchy).
Bug: http://b/30317429
Change-Id: I6eaf9919904b6b55bc402c20bf1a4ae269014bc7
Test: adb shell dmesg | grep init
On FBE devices, the filenames inside credential-encrypted directories
are mangled until the key is installed. This means the initial
restorecon at boot needs to skip these directories until the keys
are installed.
This CL changes the implementation of the "restorecon_recursive"
built-in command to use the new SKIPCE flag to avoid labeling files
in CE directories. vold will request a restorecon when the keys
are actually installed.
Bug: 30126557
Change-Id: I320584574a4d712c493b5bbd8a79b56c0c04aa58
Right now we set sys.usb.controller property in init.$platform.usb.rc
to enable ConfigFS gadgets.
Let system detect and set UDC driver name from /sys/class/udc instead.
Change-Id: I99ad49d24dc53b543c5573e209bf00d6c2d91dd4
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Arguments of commands are expanded based on properties if they contain
${property.name}, however this is not currently done for arguments of
services.
This patch makes it that arguments of services are expanded each time
that the service starts at the point immediately before execve().
Bug: 28788401
Change-Id: Iba581a8377e25a6478d4d2ec2e8b29e181d8640c
This CL extracts code from Service::Start into four helper functions,
bringing Service::Start down to 134 lines vs 212 lines originally. This
makes the method a lot easier to follow. There is no change in behaviour.
Also, make error messages consistent (start with lowercase) and
format Service::Start to fit in 100 cols.
Bug: 30035168
Change-Id: If979976fba4d339a336d030f802ca9f169fd012c
