This reverts commit c7a6fe684c.
Repply the blkio controller migration because it was not responsible
for the test failures that led to the revert. See also the following bugs:
* https://b.corp.google.com/issues/260143932
(v2/android-virtual-infra/test_mapping/presubmit-avd test failure)
* https://b.corp.google.com/issues/264620181
(CtsInitTestCases.RebootTest#StopServicesSIGKILL failure)
The only change compared with the previous version is that the io
controller has been declared optional. This is necessary because some
devices have a kernel that does not support the io controller.
Bug: 213617178
Test: Cuttlefish and various phones
Change-Id: I490740e1c9ee4f7bb5bb7afba721a083f952c8f2
Signed-off-by: Bart Van Assche <bvanassche@google.com>
libbinder_rpc_unstable is in the list of system required libs, but the
library is already located in the system/{LIB}, and this creates link to
the self namespace. Remove libbinder_rpc_unstable from system required
libs as it doesn't make sense to have require and provide same library
in a single image.
Bug: 298333253
Test: Cuttlefish build and boot succeded
Change-Id: Idb40e1dbc1053d4882093c188a36b2cc8d86e918
ALL_ROOTDIR_SYMLINKS and add them to ALL_DEFAULT_INSTALLED_MODULES,
so they can be included in product SBOMs properly.
Bug: 272358980
Test: CIs and build/soong/tests/sbom_test.sh
Change-Id: I73dfb34156d681786c013912e59a0d0c0c48ecc7
If ro.zygote is zygote64, don't bother running 32-bit test.
Otherwise abilist{32,64} decides what tests to run.
Bug: 291874369
Test: make gsi_arm64-user; Check /system/etc/init/hw
Change-Id: Id10b2242606d6400acc29c3174f713581d6cce2e
To start an early_hal service from a bootstrap vendor apex, init now
reads .rc files from bootstrap apexes as well.
In this change, perform_apex_config command is re-purposed to support
bootstrap mode. Now we have some similarity between two apexd calls:
- for bootstrap apexes (in the bootstrap mount namespace):
exec_start apexd-bootstrap
perform_apex_config --bootstrap
- for normal apexes (in the default mount namespace):
restart apexd
...
wait_for_prop apexd.status activated
perform_apex_config
Note that some tasks in perform_apex_config are not needed in the
bootstrap. For example, we don't need to create apexdata directories
for bootstrap apexes.
Bug: 290148081
Test: VendorApexHostTestCases
Change-Id: I8f683a4dcd7cd9a2466a4b1b417d84c025c37761
This new directory is bind-mounted to /apex in the bootstrap mount
namespace so that apexd-bootstrap mounts bootstrap APEXes there via
/apex.
The directory is shared between two mount namespaces, hence visible
in the default mount namespace.
Bug: 290148078
Test: VendorApexHostTestCases
Change-Id: I841480e41be8def5a4c6a4aa874c4e21465a71d3
This new directory is bind-mounted to /apex in the bootstrap mount
namespace so that apexd-bootstrap mounts bootstrap APEXes there via
/apex.
The directory is detached from /apex in the default mount namespace but
still visible in case bootstrap APEXes are needed.
However, there are (mostly, virtual) devices which don't need two mount
namespaces. Those devices don't need to make /bootstrap-apex directory
at all.
Bug: 290148078
Test: atest VendorApexHostTestCases
Test: atest MicrodroidTests
Change-Id: I541cec71d9970b14971d46e01e4808b23590dbed
This folder is used to host bootanim data files.
Bug: 210757252
Test: /data/misc/bootanim is correctly created.
Change-Id: I9c9949316d073ad7ebac503f097c5fee6c0b2a22
VFIO nodes, both the container (`vfio`) node and group (numbered)
nodes, should be located in `/dev/vfio`. This change prevents
ueventd from flattening that structure.
Test: Bind a device to VFIO driver to create a VFIO group
Change-Id: I635e9febe6bb52718df263e735479f361eacad4c
lpdumpd runs as "system", not "root". Adjust the DAC permissions of
/metadata/ota so it can call SnapshotManager::Dump.
Bug: 291083311
Test: lpdump
Change-Id: I97fd7eb2055cf6d31fd42f1021e2f99edbdb838a
The "update_verifier_nonencrypted" service is being replaced with simply
"update_verifier", so update init.rc accordingly.
Bug: 208476087
Test: presubmit
Change-Id: I58f3fb25167ff7d3679c72e5e9c012f02fa5b516
The three actions for "zygote-start" are identical except for their
property triggers. This seems to have been left over from when Android
supported both File Based Encryption (FBE) and Full Disk Encryption
(FDE), causing there to be four possible encryption states:
- ro.crypto.state=unsupported (No encryption configured)
- ro.crypto.state=encrypted && ro.crypto.type=file (FBE enabled)
- ro.crypto.state=unencrypted (FDE supported but disabled)
- ro.crypto.state=encrypted && ro.crypto.type=block (FDE enabled)
It seems that the reason the zygote-start action was duplicated three
times was to exclude the "FDE enabled" case, which could only be done by
explicitly listing the other three cases.
However, now that FDE is no longer supported, only the first two cases
are possible. Therefore, zygote-start can just be the whole trigger.
Bug: 208476087
Test: presubmit
Change-Id: Icd6e4b0d2fb3f9f20595c0af4e2e35350564da8d
Remove the code that "locked" the .fs-verity keyring at a certain point
in the boot. It probably was thought that this achieved some useful
security property, which is a bit questionable. Regardless, Android no
longer uses fsverity builtin signatures. The only code that is still
being kept around is enough to access existing files on old kernels, and
for this "locking" the keyring is definitely not essential.
Bug: 290064770
Test: presubmit and booting Cuttlefish
Change-Id: Ide5729aeac5772658b2a3f0abe835988b8842b02
Based on experiments, we fount out 128 (128 x global readahead window
size = 16mb) is the optimal multiple to boost up read speeds for the
sequentially accessed files with POSIX_FADV_SEQUENTIAL.
Bug: 195311558
Test: check the /sys/fs/f2fs/<userdata partition>/seq_file_ra_mul value
Change-Id: I7563ad6e47b9ab76ae7fe36978d0e5970a7490e8
Signed-off-by: Daeho Jeong <daehojeong@google.com>
Due to the work done for b/156305599 ("Ensure no process except vold can
create directories like /data/system_ce/0"), the SELinux policy now
enforces that vold is the only process that can write to directories
that contain per-user encrypted subdirectories. This is essential to
prevent bugs where directories that are supposed to be encrypted get
created too early so are not actually encrypted as intended.
However, this only works when SELinux is in enforcing mode. When
SELinux is in permissive mode, only DAC is enforced, and the file modes
allow other processes to write to many of these directories. That
allows system_server to break things once again.
Therefore, remove the write bit from the file modes so that write access
is always denied to processes that don't have CAP_DAC_OVERRIDE. This is
not as strong a restriction as the SELinux policy, which still applies
independently, but it does keep out system_server by itself.
Also remove the sticky bit from /data/misc_ce and /data/misc_de, since
there is no reason for it. (It probably was originally copied from
/data/misc, which might need it. But misc_{ce,de} don't need it.)
Bug: 285239971
Test: Booted Cuttlefish
Change-Id: I1213a4d18c5f851acf213d786400d79d73777ed0
It's necessary to have the right dalvik.vm.* flags in place when they
are validated by odrefresh.
Test: See the other CL in the topic.
Bug: 281850017
Ignore-AOSP-First: Will cherry-pick to AOSP later
Change-Id: Ib64790dde97faaa6b62ead2c1c8dd53c97f97f9c
Merging as a separate CL due to a log showing up
related to this on hwasan (is a prebuilt pulling
this in?)
Bug: 276813155
Test: boot cf
Change-Id: I19f7fc51c937d0eb1ee17781fc5d201a0972c4b0
Bionic requires random numbers to init the shadow call stack. Those
numbers are obtained via the syscall getrandom (non-blocking) and will
fallback to /dev/urandom if the former fails.
When loading pKVM modules, we are so early in the boot process that the
only source of entropy for the linux RNG are the architecture random
number generators... which might be available on some platforms. Without
any source of entropy, the only way of generating a random number is to
try to generate some, which is what the bionic fallback expects via
urandom.
As a consequence, add the urandom node to the initramfs.
Bug: 274876849
Merged-In: I111e2db53fabd63d070b8e9ab9c52faebf484ab3
Change-Id: I34a0e3f7c72de7344512366d4a96183b445edc2e
Bionic requires random numbers to init the shadow call stack. Those
numbers are obtained via the syscall getrandom (non-blocking) and will
fallback to /dev/urandom if the former fails.
When loading pKVM modules, we are so early in the boot process that the
only source of entropy for the linux RNG are the architecture random
number generators... which might be available on some platforms. Without
any source of entropy, the only way of generating a random number is to
try to generate some, which is what the bionic fallback expects via
urandom.
As a consequence, add the urandom node to the initramfs.
Bug: 274876849
Change-Id: I164b08f026a238dad9f27a345bdef96717f2aa74
Set the user explicitly.
For boringssl self-test, changed to 'nobody' since
this test doesn't require permissions.
Bug: 276813155
Test: boot, check can 'nobody' can still write to kmesg.
Change-Id: I32f7134e83183bd054bffbb22d412d7a2dc0ad09
There are multiple use cases in Android for which background writes need
to be controlled via the cgroup mechanism. The cgroup mechanism can only
control background writes if both the blkio and memcg controllers are
mounted in the v2 cgroup hierarchy. Hence this patch that migrates the
blkio controller from the v1 to the v2 cgroup hierarchy.
The blkio controller has been marked as optional since not all Android
kernels enable this controller (CONFIG_BLK_CGROUP).
This patch increases the TOTAL_BOOT_TIME for devices with a 4.19 kernel
(redfin) from 18.9 s to 20 s. This patch does not affect the boot time
for devices with a 5.10 or 5.15 kernel.
This patch increases the time spent in CgroupMap::ActivateControllers()
by 25 microseconds in Cuttlefish on an x86-64 CPU.
CgroupMap::ActivateControllers() is called by Service::Start().
Bug: 213617178
Test: Cuttlefish and various phones
Change-Id: I3c07c1be84c3feb277b7d7003652d5d3b57c6541
Signed-off-by: Bart Van Assche <bvanassche@google.com>
Bug: 260366497
Bug: 264600011
Test: The correct label is assigned to dir after taking reboot
Test: Both system_server and dumpstate can access it
Change-Id: Icecbb59ddf936088aa3873bf1b143a08f035fefe
Added SPDX-license-identifier-Apache-2.0 to:
rootdir/Android.mk
Bug: 68860345
Bug: 151177513
Bug: 151953481
Test: m all
Change-Id: I19aaea76a932cc928bbc178c01a33fdc98b0cf16
Grant read/write access to anyone for /data/misc/wmtrace folder on
debuggable builds, it's further protected by the selinux policy.
This is to allow systemui process to write proto logs to the same folder
on device as WindowManager, both can contribute to the transitions like
PiP, Split-Screen and etc.
Bug: 251513116
Test: adb shell dumpsys activity service SystemUIService \
WMShell protolog [start | stop]
Change-Id: Ice57efa17c61d132b02c0a11a762c24d772bd90a
This file contains a description of dev nodes added to the CPIO archive
for the Android ramdisks. /dev/null is a security requirement for
bionic, /dev/console is needed so the kernel can set-up stdout stderr
and stdin before running /init.
Bug: 254835242
Change-Id: I111e2db53fabd63d070b8e9ab9c52faebf484ab3
A critical shutdown service is one that stays on right until the system
is rebooted. In order to be able to capture kernel messages right until
reboot this is required, otherwise after the console service is
terminated some messages can be lost.
Test: Reboot and verify messages show up on serial further down the reboot process
Change-Id: Iea58b5a76afe45b3346803021e3be81742b02ea0
There are multiple use cases in Android for which background writes need
to be controlled via the cgroup mechanism. The cgroup mechanism can only
control background writes if both the blkio and memcg controllers are
mounted in the v2 cgroup hierarchy. Hence this patch that migrates the
blkio controller from the v1 to the v2 cgroup hierarchy.
This patch increases the TOTAL_BOOT_TIME for devices with a 4.19 kernel
(redfin) from 18.9 s to 20 s. This patch does not affect the boot time
for devices with a 5.10 or 5.15 kernel.
This patch increases the time spent in CgroupMap::ActivateControllers()
by 25 microseconds in Cuttlefish on an x86-64 CPU.
CgroupMap::ActivateControllers() is called by Service::Start().
Bug: 213617178
Test: Cuttlefish and various phones
Change-Id: I490740e1c9ee4f7bb5bb7afba721a083f952c8f2
Signed-off-by: Bart Van Assche <bvanassche@google.com>
The folder is used for temporary files of virtualizationservice, with
a subfolder for each running VM. This wil continue to be the case but
each subfolder will be populated by a different instance of virtmgr,
running under the UID of the client (as opposed to system UID of
virtualizationservice).
To this end, change the permission mask of the root folder from 0770 to
0775. This gives non-system UIDs the permission to search the root
folder. This is necessary for the clients to be able to search their
own subfolder. It does not give them permission to read other
subfolders as those will be owned by different client UIDs.
Bug: 245727626
Test: atest -p packages/modules/Virtualization:avf-presubmit
Change-Id: Ie6e3be601ccb3b385f70bcf5b31bf8fff3aff8bc
Defaulting Android to limit memlock to 64KB. This will help preventing
pages from being swapped until the app is killed it's memory will stay
resident. CTS test is enforced only in U+ devies.
Bug: 201797650
Test: Added new test to verify we are memlock at or under 64KB
Change-Id: I5a9e9da12f6df5a056ee47d0593c13e9c779e054
If a service doesn't specify any capabilities in it's definition in the
.rc file, then it will inherit all the capabilities from the init.
Although whether a process can use capabilities is actually controlled
by selinux (so inheriting all the init capabilities is not actually a
security vulnerability), it's better for defense-in-depth and just
bookkeeping to explicitly specify that boringssl_self_test doesn't need
any capabilities
The list of capabilities was obtained via:
```
$ adb pull /sys/fs/selinux/policy /tmp/selinux.policy
$ sesearch --allow -s boringssl_self_test -c capability,capability2 /tmp/selinux.policy
```
Bug: 249796710
Test: device boots
Test: presubmit
Change-Id: I866222e2325e59d7e39d00db59df7b83efc657d9
We will continue to restrict access to /dev/kvm and /dev/vhost-vsock with SELinux.
Bug: 245727626
Test: atest -p packages/modules/Virtualization:avf-presubmit
Change-Id: Id4f3e19c18a51bc51e6363d6ffde31c1032cf967
If the framework is restarting (and cannot yet aquire
wakelocks to block suspend). Take a kernel wakelock
to allow the system to make sufficient progress before
autosuspend can be triggered.
The wakelock is later disable when the framework has
and invokeds enableAutosuspend() on the suspend service.
Bug: 255898234
Test: adb shell "echo mem > /sys/power/state && killall system_server"
Change-Id: Id8cff6564ef05d8c22a8264c51dd313263cb6a9d
Early processes can't rely on APEXes anyway. We don't need to run
linkerconfig.
This helps to reduce the storage usage (no
/system/bin/bootstrap/linkerconfig) and the boottime (not running
linkerconfig).
If we need more complicated linker config even for early processes, then
we could generate it at build-time and use it like recovery version.
Bug: 262330207
Bug: 260982509
Test: MicrodroidAppTest
Test: device boots
Change-Id: Iceca5ffdb1655fd94e90b0091f439bd22130185e
Current period of this is 3 sec and it is used when Perfetto profiling is running on Android. Without Perfetto profiling, it doesn't affect the system at all. However, 3 sec doesn't provide enough granularity to understand F2FS I/O behaviors. To make F2FS I/O profiling ftrace effective, set the ftrace period to 1 sec.
Test: check f2fs iostat_period_ms sysfs node value
Change-Id: I2d418795613dfbd1aea6c4f13c9a39af3deb1c4d
Signed-off-by: Daeho Jeong <daehojeong@google.com>
Remove LLNDK libraries from system required libs as those libraries will
be appended to the configuration from the build.
Bug: 251782700
Test: Cuttlefish build and boot succeeded
Change-Id: I81d508a5e15a9dd1919935f07569271609738710
Create a mirror directory for misc_ce and misc_de storage by bind
mounting the respective directories. This is done for the defaul null
volume only, and other volumes are handled at a later staged.
When an SDK sandbox process is spawned and data isolation needs to
occur, the sdksandbox directories present in the misc directories will
be used to bind mount from, after tmpfs is mounted on the original.
Bug: 214241165
Test: atest SdkSandboxStorageHostTest
Change-Id: Icb1dc7d7fbd53a5c3853acf2f9d4d75b278d7295
Merged-In: Icb1dc7d7fbd53a5c3853acf2f9d4d75b278d7295
Revert submission 2291455-localhost_v6
Reason for revert: b/258627476
Reverted Changes:
Icd11fab47:[Test] Update test to comply with etc/hosts change...
Ibcee52a14:Add ::1 to localhost in etc/hosts
Bug: 258627476
Change-Id: I42c8b0aebdbd8b73a90606c0a999f25d8d071cd1
This reverts commit 1eb3394e9c.
Reason for revert: b/244406239, we've migrated to a sysprop(apex.all.ready) instead of an event.
Change-Id: Iae54df241257e3a3dcad4e54fdbf9dd14e9814de
The "sys.init.perf_lsm_hooks" is set on TestPerEventSelinux and it
is before early-init, but it need trigger by queue_property_triggers
and it is after late-init (zygote start on late-init).
The property is ready on load_bpf_programs, make sure
bpf_attach_tracepoint() is available on zygote start.
Bug: 257102190
Test: cat /sys/fs/bpf/map_time_in_state_uid_time_in_state_map
Change-Id: I5aa102df54b82e1584882800e93efd06ccf61c16
Remove the 'slave' mount flag that was added by commit ef9275223c
(https://r.android.com/2095463) because it doesn't actually do anything
in this context. MS_SLAVE can only be used to change the propagation
type of an existing mount, and the kernel ignores it if MS_BIND is also
specified, due to the way the various high-level operations that the
mount() system call can do are prioritized.
The reason that the /data/user/0 mount gets propagated into /data_mirror
anyway is because the /data mount has the "shared" propagation type. In
the above-mentioned commit I had assumed the default Linux mount
semantics, but actually Android applies the "shared" propagation type to
everything (see SetupMountNamespaces() in init/mount_namespace.cpp).
Test: Booted Cuttlefish and verified (via /proc/self/mountinfo) that
/data/data is still bind-mounted to both /data/user/0 and
/data_mirror/data_ce/null/0.
Bug: 156305599
BYPASS_INCLUSIVE_LANGUAGE_REASON=commit message mentioning removed code
Change-Id: Idc45d8dcb3a21d4e8e2e72f4d4dda7286f898127
CtsNativeVerifiedBootTestCases is currently flaky due to race conditions
between verity_update_state and the test running.
Moving the call to verity_update_state before zygote-start should fix
the test.
Bug: 253033920
Test: Boot Android and check that partitions.system.verified.hash_alg
has a non-empty value
Signed-off-by: Nathan Huckleberry <nhuck@google.com>
Change-Id: I9d252b0b6d74ed784ec2ffe091de2db53c5f45ba
The library provides an interface to interface with the
ConnectivityNative service, and implement port blocking APIs.
Bug: 179733303
Test: atest connectivity_native_test
Change-Id: I86018bfeb60d031faee818e5df469f02ebe32707
I noticed that the zygote64 and zygote64_32 files
had gotten slightly out of sync as a result of change
I3aad4b4b1d2f54db9e7ba86db8a655d8552bad0a. Merge the zygote64_32 changes
into zygote64, and to prevent this from happening again, replace the
64-bit zygote declaration in zygote64_32 with an import from zygote64.
Change-Id: I7fcceeb22b722c2164b9acf0b517a32ce34731fd
Also adjust permissions on /dev/hw_random to allow prng_seeder group
read access.
Manual testing protocol:
* Verify prng_seeder daemon is running and has the
correct label and uid/gid.
* Verify prng_seeder socket present and has correct
label and permissions
* Verify no SELinux denials
* strace a libcrypto process and verify it reads seeding
data from prng_seeder (e.g. strace bssl rand -hex 1024)
* strace seeder daemon to observe incoming connections
(e.g. strace -f -p `pgrep prng_seeder`)
* Kill daemon, observe that init restarts it
* strace again and observe clients now seed from new instance
Bug: 243933553
Test: Manual - see above
Change-Id: I4d526844b232fc2a1fa5ffd701ca5bc5c09e7e96
This folder is used to store Thread network settings data files.
Bug: b/248145048
Test: /data/misc/threadnetwork is created.
Change-Id: I58eb3d814723c5f7acfbecef7f852d8e5336c975
Without the directory (this happens on the very first boot),
load_persist_props can't create an initial version of
/data/property/persistent_properties (probably empty). This leads to
persisting all in-memory "persist.*" properties later when a persistent
property is set. This is regression from Android S because persistent
props from, for example, build.prop will be persisted even when there's
no process to explicitly setprop.
Bug: 242264580
Test: launch cuttlefish and verify that there's no props from build.prop
Change-Id: I5819a97750e4d5d1ee5a7c308bf944c7aeab2f90
This reverts commit da94c7f650.
Reason for revert: It appears this change slows down boot on normal devices.
Technically, this change is not necessary, but it prevents starting the secondary and having it throw an error in the only run 64 bit zygote config. But it's easier to throw the error than slow down boot up.
Bug: 238971179
Test: Verified that on a 64 with 32 config, the secondary zygote
Test: starts but exits.
Change-Id: I7ab0496a402db83e70168d52e5d5911b82a3b06a
