Commit graph

1678 commits

Author SHA1 Message Date
Jeffrey Huang
5c1d43f732 Merge "Create new directory for statsd restricted configs" 2023-02-15 00:26:17 +00:00
Jeffrey Huang
01a73d74d8 Create new directory for statsd restricted configs
Bug: 264407489
Test: m -j
Change-Id: I10e7d6a4a6d011eb9a7453191ab90771b82aa9b3
2023-02-14 11:25:45 -08:00
Hongwei Wang
231e80db35 Grant wmtrace access to platform_app:systemui
Grant read/write access to anyone for /data/misc/wmtrace folder on
debuggable builds, it's further protected by the selinux policy.

This is to allow systemui process to write proto logs to the same folder
on device as WindowManager, both can contribute to the transitions like
PiP, Split-Screen and etc.

Bug: 251513116
Test: adb shell dumpsys activity service SystemUIService \
      WMShell protolog [start | stop]
Change-Id: Ice57efa17c61d132b02c0a11a762c24d772bd90a
2023-01-30 12:03:54 -08:00
Eric Biggers
5265b8d425 Clean up references to FDE in documentation and comments
Bug: 208476087
Change-Id: I328026d68c9dd7a5042ef4b5369f34af93760b37
2023-01-18 02:17:43 +00:00
Gabriel Jacobo
12f9ff8951 init: Make console a shutdown critical service
A critical shutdown service is one that stays on right until the system
is rebooted. In order to be able to capture kernel messages right until
reboot this is required, otherwise after the console service is
terminated some messages can be lost.

Test: Reboot and verify messages show up on serial further down the reboot process
Change-Id: Iea58b5a76afe45b3346803021e3be81742b02ea0
2023-01-12 16:46:38 -08:00
Carlos Galo
177f5b1822 Merge "Set memlock rlimit to 64KB" 2023-01-09 19:05:59 +00:00
David Brazdil
468c62a037 Merge "Change permissions of /data/misc/virtualizationservice" 2023-01-06 16:13:32 +00:00
Jooyung Han
c7a6fe684c Revert "Migrate the blkio controller to the v2 cgroup hierarchy"
Revert submission 2218645-blkio-cgroup-v2

Reason for revert: 260143932, 264620181

Reverted changes: /q/submissionid:2218645-blkio-cgroup-v2

Change-Id: I8bf1592cd5f7234f28094fe80341c37d42fa609b
2023-01-06 06:20:54 +00:00
Bart Van Assche
5400ae2440 Migrate the blkio controller to the v2 cgroup hierarchy
There are multiple use cases in Android for which background writes need
to be controlled via the cgroup mechanism. The cgroup mechanism can only
control background writes if both the blkio and memcg controllers are
mounted in the v2 cgroup hierarchy. Hence this patch that migrates the
blkio controller from the v1 to the v2 cgroup hierarchy.

This patch increases the TOTAL_BOOT_TIME for devices with a 4.19 kernel
(redfin) from 18.9 s to 20 s. This patch does not affect the boot time
for devices with a 5.10 or 5.15 kernel.

This patch increases the time spent in CgroupMap::ActivateControllers()
by 25 microseconds in Cuttlefish on an x86-64 CPU.
CgroupMap::ActivateControllers() is called by Service::Start().

Bug: 213617178
Test: Cuttlefish and various phones
Change-Id: I490740e1c9ee4f7bb5bb7afba721a083f952c8f2
Signed-off-by: Bart Van Assche <bvanassche@google.com>
2023-01-05 13:07:00 -08:00
David Brazdil
bc491e2544 Change permissions of /data/misc/virtualizationservice
The folder is used for temporary files of virtualizationservice, with
a subfolder for each running VM. This wil continue to be the case but
each subfolder will be populated by a different instance of virtmgr,
running under the UID of the client (as opposed to system UID of
virtualizationservice).

To this end, change the permission mask of the root folder from 0770 to
0775. This gives non-system UIDs the permission to search the root
folder. This is necessary for the clients to be able to search their
own subfolder. It does not give them permission to read other
subfolders as those will be owned by different client UIDs.

Bug: 245727626
Test: atest -p packages/modules/Virtualization:avf-presubmit
Change-Id: Ie6e3be601ccb3b385f70bcf5b31bf8fff3aff8bc
2023-01-05 18:10:20 +00:00
Carlos Galo
1447120f78 Set memlock rlimit to 64KB
Defaulting Android to limit memlock to 64KB. This will help preventing
pages from being swapped until the app is killed it's memory will stay
resident. CTS test is enforced only in U+ devies.

Bug: 201797650
Test: Added new test to verify we are memlock at or under 64KB
Change-Id: I5a9e9da12f6df5a056ee47d0593c13e9c779e054
2023-01-05 16:29:59 +00:00
Nikita Ioffe
b728ecda2c boringssl self tests: explicitly specify empty capabilities
If a service doesn't specify any capabilities in it's definition in the
.rc file, then it will inherit all the capabilities from the init.
Although whether a process can use capabilities is actually controlled
by selinux (so inheriting all the init capabilities is not actually a
security vulnerability), it's better for defense-in-depth and just
bookkeeping to explicitly specify that boringssl_self_test doesn't need
any capabilities

The list of capabilities was obtained via:
```
$ adb pull /sys/fs/selinux/policy /tmp/selinux.policy
$ sesearch --allow -s boringssl_self_test -c capability,capability2 /tmp/selinux.policy
```

Bug: 249796710
Test: device boots
Test: presubmit
Change-Id: I866222e2325e59d7e39d00db59df7b83efc657d9
2023-01-03 16:36:30 +00:00
Jooyung Han
56bee1f7d0 Skip system/bin/bootstrap/linkerconfig
Early processes can't rely on APEXes anyway. We don't need to run
linkerconfig.

This helps to reduce the storage usage (no
/system/bin/bootstrap/linkerconfig) and the boottime (not running
linkerconfig).

If we need more complicated linker config even for early processes, then
we could generate it at build-time and use it like recovery version.

Bug: 262330207
Bug: 260982509
Test: MicrodroidAppTest
Test: device boots
Change-Id: Iceca5ffdb1655fd94e90b0091f439bd22130185e
2022-12-13 18:04:52 +09:00
Sanjana Sunil
aeee1c6231 Merge "Create misc_ce and misc_de mirror storage" 2022-12-08 18:09:11 +00:00
Daeho Jeong
2accf5bd79 set iostat_period_ms to 1 sec
Current period of this is 3 sec and it is used when Perfetto profiling is running on Android. Without Perfetto profiling, it doesn't affect the system at all. However, 3 sec doesn't provide enough granularity to understand F2FS I/O behaviors. To make F2FS I/O profiling ftrace effective, set the ftrace period to 1 sec.

Test: check f2fs iostat_period_ms sysfs node value
Change-Id: I2d418795613dfbd1aea6c4f13c9a39af3deb1c4d
Signed-off-by: Daeho Jeong <daehojeong@google.com>
2022-12-01 22:27:09 +00:00
Sanjana Sunil
5c7ff8841a Create misc_ce and misc_de mirror storage
Create a mirror directory for misc_ce and misc_de storage by bind
mounting the respective directories. This is done for the defaul null
volume only, and other volumes are handled at a later staged.

When an SDK sandbox process is spawned and data isolation needs to
occur, the sdksandbox directories present in the misc directories will
be used to bind mount from, after tmpfs is mounted on the original.

Bug: 214241165
Test: atest SdkSandboxStorageHostTest

Change-Id: Icb1dc7d7fbd53a5c3853acf2f9d4d75b278d7295
Merged-In: Icb1dc7d7fbd53a5c3853acf2f9d4d75b278d7295
2022-11-14 14:57:35 +00:00
Jooyung Han
d9d3a5cb2b Merge "Revert "add apex-ready event after post-fs-data"" 2022-11-14 06:51:14 +00:00
Jooyung Han
8fbd79e689 Revert "add apex-ready event after post-fs-data"
This reverts commit 1eb3394e9c.

Reason for revert: b/244406239, we've migrated to a sysprop(apex.all.ready) instead of an event.

Change-Id: Iae54df241257e3a3dcad4e54fdbf9dd14e9814de
2022-11-09 07:55:58 +00:00
chenyc5
7e357eb731 Make bpf_attach_tracepoint() available as soon as possible
The "sys.init.perf_lsm_hooks" is set on TestPerEventSelinux and it
is before early-init, but it need trigger by queue_property_triggers
and it is after late-init (zygote start on late-init).
The property is ready on load_bpf_programs, make sure
bpf_attach_tracepoint() is available on zygote start.

Bug: 257102190
Test: cat /sys/fs/bpf/map_time_in_state_uid_time_in_state_map
Change-Id: I5aa102df54b82e1584882800e93efd06ccf61c16
2022-11-03 10:21:45 +08:00
Eric Biggers
745111fbec Merge "Remove unneeded 'slave' flag for /data_mirror/data_ce/null" 2022-10-27 19:17:09 +00:00
Eric Biggers
28a1969ebf Remove unneeded 'slave' flag for /data_mirror/data_ce/null
Remove the 'slave' mount flag that was added by commit ef9275223c
(https://r.android.com/2095463) because it doesn't actually do anything
in this context.  MS_SLAVE can only be used to change the propagation
type of an existing mount, and the kernel ignores it if MS_BIND is also
specified, due to the way the various high-level operations that the
mount() system call can do are prioritized.

The reason that the /data/user/0 mount gets propagated into /data_mirror
anyway is because the /data mount has the "shared" propagation type.  In
the above-mentioned commit I had assumed the default Linux mount
semantics, but actually Android applies the "shared" propagation type to
everything (see SetupMountNamespaces() in init/mount_namespace.cpp).

Test: Booted Cuttlefish and verified (via /proc/self/mountinfo) that
      /data/data is still bind-mounted to both /data/user/0 and
      /data_mirror/data_ce/null/0.
Bug: 156305599
BYPASS_INCLUSIVE_LANGUAGE_REASON=commit message mentioning removed code
Change-Id: Idc45d8dcb3a21d4e8e2e72f4d4dda7286f898127
2022-10-26 18:33:11 +00:00
Nathan Huckleberry
8f6fcd19af Fix flaky AVB test from late verity_update_state
CtsNativeVerifiedBootTestCases is currently flaky due to race conditions
between verity_update_state and the test running.

Moving the call to verity_update_state before zygote-start should fix
the test.

Bug: 253033920
Test: Boot Android and check that partitions.system.verified.hash_alg
    has a non-empty value
Signed-off-by: Nathan Huckleberry <nhuck@google.com>
Change-Id: I9d252b0b6d74ed784ec2ffe091de2db53c5f45ba
2022-10-25 21:12:43 +00:00
zhanglongxia
40e1666fb9 init.rc: create /data/misc/threadnetwork folder
This folder is used to store Thread network settings data files.

Bug: b/248145048
Test: /data/misc/threadnetwork is created.
Change-Id: I58eb3d814723c5f7acfbecef7f852d8e5336c975
2022-09-22 15:25:39 +08:00
Jooyung Han
9561496303 Prepare /data/property before load_persist_props
Without the directory (this happens on the very first boot),
load_persist_props can't create an initial version of
/data/property/persistent_properties (probably empty). This leads to
persisting all in-memory "persist.*" properties later when a persistent
property is set. This is regression from Android S because persistent
props from, for example, build.prop will be persisted even when there's
no process to explicitly setprop.

Bug: 242264580
Test: launch cuttlefish and verify that there's no props from build.prop
Change-Id: I5819a97750e4d5d1ee5a7c308bf944c7aeab2f90
2022-08-18 10:03:02 +09:00
Christopher Ferris
86cc51ae60 Merge "Revert "Add support for only starting 64 bit zygote."" 2022-07-15 00:24:10 +00:00
Christopher Ferris
3fa3f861d4 Revert "Add support for only starting 64 bit zygote."
This reverts commit da94c7f650.

Reason for revert: It appears this change slows down boot on normal devices.

Technically, this change is not necessary, but it prevents starting the secondary and having it throw an error in the only run 64 bit zygote config. But it's easier to throw the error than slow down boot up.

Bug: 238971179

Test: Verified that on a 64 with 32 config, the secondary zygote
Test: starts but exits.
Change-Id: I7ab0496a402db83e70168d52e5d5911b82a3b06a
2022-07-14 22:13:29 +00:00
Elliott Hughes
1012626192 Merge "Add support for only starting 64 bit zygote." 2022-07-13 19:57:47 +00:00
Pete Bentley
c017e2ce0a Move boringssl self tests from early-init to init.
In previous releases, these self tests had a secondary purpose
of writing a flag file to save future processes from running
some slow self checks.  This is no longer true in T.

However running the tests from early-init has caused issues
on some devices as the kernel's entropy pool is not yet
initialised, causing the process to block for a second or more.

Bug: 231946889
Test: m && flashall
Change-Id: I2116f2029ca6a21e4359407dfff4dc79edd39084
2022-07-07 15:34:46 +01:00
Almaz Mingaleev
2f38c39169 Do not create /data/misc/zoneinfo.
APK time zone update mechanism used to store tzdata file there.
The feature is removed, no need to create that folder.

Bug: 148144561
Test: atest CtsBionicTestCases
Test: atest BionicTzdbConsistencyTest

Change-Id: I249f1d1b6c1a3f1a283d1ca43fcc93b10cbd910a
2022-06-23 17:21:39 +01:00
Almaz Mingaleev
7f79ee42ee Merge "Remove TZUvA feature." 2022-06-23 07:47:26 +00:00
zexin.hou
46314853fe charge the permissions for the proc/bootconfig
The current/proc/bootconfig node is the root user group,but some Android modules of our company do not have permission to access the root user group node. We want to add the same permissions to /proc/cmdline for the proc/bootconfig node in init.rc

Change-Id: I98f63a09cf7306be65c40674b1b28f1153c705fb
2022-06-13 12:42:47 +00:00
Almaz Mingaleev
9d3da34bb4 Remove TZUvA feature.
The feature was superseded by tzdata mainline module(s).

Bug: 148144561
Test: see system/timezone

Change-Id: If87e9a71a725f665bfc977d95e52c04668447081
Merged-In: If87e9a71a725f665bfc977d95e52c04668447081
2022-06-13 11:45:38 +00:00
Eric Biggers
dce8ba253e init.rc: restorecon /data/media before chattr
The SELinux type of /data/media has changed from media_rw_data_file to
media_userdir_file, but the recursive restorecon of /data happens too
late when taking an upgrade.  Add a restorecon of /data/media to just
above the chattr command which needs the new label to be allowed.  This
doesn't "really" matter, since the chattr command is only needed just
after the directory was created anyway, but this fixes a SELinux denial.

Bug: 156305599
Bug: 232824121
Change-Id: I897be19ceb4686511469bdf7efda2483f298eee4
2022-05-17 02:40:22 +00:00
Treehugger Robot
e4200bac8d Merge "Change the encryption rule of /data/bootanim to DeleteIfNecessary" 2022-05-13 21:27:36 +00:00
Eric Biggers
72c781df26 Annotate and consolidate use of encryption=None
Although metadata encryption makes the device encryption policy
redundant, for now it is still being used, and the rule is still that
every top-level directory in /data is encrypted by the device policy
unless there is a specific reason why the directory can't be encrypted.
There are various cases where encryption=None is legimately needed and
is used, but they aren't explained in the code, and the option is prone
to be copy-and-pasted (as was done in https://r.android.com/1932960).

Fix this by explicitly commenting every case where encryption=None is
used, and consolidating the creation of all the user parent directories
into one place.  (I left /data/bootanim as-is since it will be changed
to encrypted; see b/232299581.)

Change-Id: I6db5f4be7774e3d250c370638e8e7e33e226f3e7
2022-05-13 17:48:51 +00:00
Josh Yang
a1039f9a4b Change the encryption rule of /data/bootanim to DeleteIfNecessary
Directories should always be encrypted unless there is a specific reason
they can't be.  /data/bootanim is unencrypted without a specific reason,
so fix it to be encrypted.  It is too late to use encryption=Require.
However, the contents of this directory doesn't need to be preserved on
updates, so we can use encryption=DeleteIfNecessary instead of
encryption=Attempt.

Bug: 232299581
Test: build success
Change-Id: I17bcb901ad533cada4e0aa061196fc94d7b213ec
2022-05-13 17:02:48 +00:00
Jooyung Han
ec76b5cb4e Merge changes from topics "action-in-apex-config", "apex-ready-event", "subcontext-for-vendor-apex"
* changes:
  Use subcontext for APEX configs from /{vendor, odm}
  add apex-ready event after post-fs-data
  APEX configs support 'on' as well
2022-05-13 01:47:40 +00:00
Eric Biggers
93a8fc215e Merge "Move creation of /data/user/0 and /data/media/obb to vold" 2022-05-12 18:41:21 +00:00
Pete Bentley
ba830eb81b Remove setenvs when running boringssl_self_test.
No longer needed as the code to generate flag files based on
this environment variable is removed in Android 13.

Bug: 231946889
Test: Build and boot,
Change-Id: I8ce57619aa4d1e6457f3f864bf5e403f727c040c
2022-05-12 13:50:37 +01:00
Jooyung Han
1eb3394e9c add apex-ready event after post-fs-data
Since apexd.status=ready is system-only property, we need a similar or
equivalent event or property which non-system APEXes can use to define
'on' trigger actions.

Note that services can be started without its own trigger actions by
setting 'class'. For example, 'hal'-class services are started 'on boot'
automatically.

Bug: 202731768
Test: atest CtsInitTestCases
Test: atest CtsBluetoothTestCases (cuttlefish's bt apex defines
   'on' actions in the APEX config)
Change-Id: I6eb62ba8d6e350add2ebafe7da06fcaa57d825ff
2022-05-12 13:37:19 +09:00
Eric Biggers
ef9275223c Move creation of /data/user/0 and /data/media/obb to vold
To prevent bugs, directory creation and encryption should happen
together.  /data/user/0 (and its "alias" /data/data) is a per-user
encrypted directory; such directories can only be encrypted by vold.
Therefore, move its creation to vold as well.

Besides closing the uncomfortably-large gap between the creation and
encryption of /data/user/0, this allows removing init's write access to
/data/user and similar directories (SELinux type system_userdir_file) to
prevent any such issues from being reintroduced in the future.

To also allow removing init's write access to /data/media (SELinux type
media_userdir_file), which also contains per-user encrypted directories,
also move the creation and encryption of /data/media/obb to vold.

Bug: 156305599
BYPASS_INCLUSIVE_LANGUAGE_REASON=Linux API ("slave" mount flag)
Change-Id: I7245251eeb56b345b6c7711482c0aa5848648edb
2022-05-11 21:50:35 +00:00
Richard Chang
6f554d1a2a Remove redundant settings in init.rc for cpu scaling_max_freq
The uevent.rc will setup owner/group/permissions in all the conditions
including device boot, cpu hotplugs, and cpu online/offline.
Since ueventd always regenerates uevents at boot, we could remove the
redundant settings in init.rc.

Bug: 230291215
Test: Build and check scaling_max_freq on Cuttlefish and B3 device
Change-Id: I4fcc440f2a950967667f88da574faa501b3e227c
2022-05-11 08:55:27 +00:00
Richard Chang
cbd75b85a2 Align file permissions for cpufreq scaling_max_freq node
The ueventd.rc sets permissions to 0664 but init.rc sets cpu0 to
0660. Since lots of processes already had read access for cpufreq nodes
(refer to system/sepolicy/public/domain.te), align all cpus to 0644
permissions.

Bug: 230291215
Test: Build
Change-Id: I3c72d69590998f8da894fb02097212f834edd48c
2022-05-09 09:12:58 +00:00
Jaegeuk Kim
45aafa58d4 Merge "Support /dev/fscklogs/log in f2fs back" 2022-05-04 07:35:09 +00:00
Treehugger Robot
04afe0c3dc Merge "Delete stale Virtualization image files" 2022-05-03 09:28:57 +00:00
Jaegeuk Kim
3aca50cb9e Support /dev/fscklogs/log in f2fs back
We need to fix the below error happening in early stage.

[   24.835617][    T1] init: [libfs_mgr]Running /system/bin/fsck.f2fs -a -c 10000 --debug-cache /dev/block/sda1
[   24.843693][    T1] logwrapper: Cannot log to file /dev/fscklogs/log

Bug: 230637147
Bug: 230879192
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Change-Id: I19bc5f7154577e29414f855de6ce72172b281975
2022-05-02 15:06:43 -07:00
Daeho Jeong
431e35ef7c init.rc: increase readahead window multiplier for POSIX_FADV_SEQUENTIAL files
Set readahead window multiplier for POSIX_FADV_SEQUENTIAL files as 16 to
enhance file read performance like a language package loading.

Bug: 192011293
Test: adb shell cat /dev/sys/fs/by-name/userdata/seq_file_ra_mul
Signed-off-by: Daeho Jeong <daehojeong@google.com>
Change-Id: I7f7e4339651be2d6aa99b07bcb12ab62136a940e
2022-04-29 11:52:03 -07:00
Alan Stokes
df84dd93e5 Delete stale Virtualization image files
Delete all files and directories under
/data/misc/virtualizationservice at boot. Originally they were owned
by the virtualizationservice user; we now run as system, and don't
have permission to remove them after boot.

Bug: 230056726
Test: Create fake stale dir+file, see them deleted
Change-Id: I5ff7d055aeeb25ba7693e50876d6b8a830c4bf51
(cherry picked from commit 34ee0c931c)
2022-04-29 10:56:19 +00:00
Jiyong Park
97cc69ee5d Remove stale files in /data/misc/virtualizationservice
[1] changed the UID of the virtualizationservice daemon and
/data/misc/virtualizationservice directory to `system`. However, this
can cause a permission denial issue when the directory has stale files
when the device was running a build before [1] and an OTA to [1] (or
above) is attempted. The daemon tries to delete the stale files - which
must have been still labeled as old UID and thus the daemon has no
privileged to delete them.

Fixing this issue by ensuring that the directory is always empty by
init.

[1] https://android-review.googlesource.com/c/platform/packages/modules/Virtualization/+/2059527

Bug: 230056726
Test: watch TH
Change-Id: I61c0297503347932b14b83859bec9ff82628336f
2022-04-25 09:47:03 +09:00
Jiyong Park
93c66bbd89 Virtualizationservice is owned by the system UID
Previously, virtualizationservice had its own UID
`virtualizationservice`. As a result, crosvm, which is spawed by
virtualizationservice`, also run as the UID. However, that prevented us
from applying task profiles to the crosvm process because joining a
process to a cgroup requires system UID.

To fix that, virtualizationservice now runs as system UID. As a result,
this directory that virtualizationservice accesses has to change its
owner and group to system.

Bug: 223790172
Bug: 216788146
Test: watch TH

Change-Id: I2bdf49e99f1841bf77ff046b0c2455064b174e0a
2022-04-15 00:05:38 +09:00