Commit graph

2703 commits

Author SHA1 Message Date
Mark Salyzyn
b833d17de2 init: fixes to README.mk
Corrected a few technical, spelling and grammar errors.

Test: none
Bug: 129780532
Change-Id: Ia05f44c782d94a3bb4224fc6929ac325852e0c41
2019-04-08 10:06:49 -07:00
Nick Kralevich
9ca898fff8 Avoid leaking property values into logs on error
The purpose of having fine grain read/write control over the property
space is to help ensure the confidentiality of data stored in
properties. Leaking property values into the dmesg buffer on errors
exposes the value outside of the access control rules specified by
policy.

(arguably this is also true for the property name, not just the value.
However, property names are exposed in other places now, so the
incentive to fix this is lower. It would also take away a valuable
debugging tool.)

Test: compiles
Change-Id: I4a0634b8b5e4fd2edf718eaf7343940df627366d
2019-04-04 10:15:25 -07:00
Yifan Hong
25d42eeaa6 Merge changes from topic "libprocessgroup_rc"
* changes:
  CgroupSetupCgroups -> CgroupSetup
  Add libcgrouprc to ld.config.*.txt.
  libprocessgroup: use libcgrouprc to read cgroup.rc
  libprocessgroup_setup: use libcgrouprc_format
  libprocessgroup: Move CgroupSetupCgroups() to libprocessgroup_setup
  libprocessgroup: Add libcgrouprc
  libprocessgroup: Add libcgrouprc_format
2019-04-03 19:08:51 +00:00
Yifan Hong
9d7b89abea CgroupSetupCgroups -> CgroupSetup
Test: builds
Bug: 123664216
Change-Id: I47c46ca9ba5c1fbf3f9f7a1b185dc48b058b1e32
Merged-In: I47c46ca9ba5c1fbf3f9f7a1b185dc48b058b1e32
2019-04-02 22:31:57 -07:00
Yifan Hong
d8ce1fb1d1 libprocessgroup_setup: use libcgrouprc_format
Use CgroupController definition from libcgrouprc_format, not
libprocessgroup, because the wire format will be removed
from libprocessgroup later.

Bug: 123664216
Test: builds
Change-Id: If5e2301a1b65c3f6a51a1661cfeeed4e299f634e
Merged-In: If5e2301a1b65c3f6a51a1661cfeeed4e299f634e
2019-04-02 22:31:57 -07:00
Yifan Hong
6f9ce2e548 libprocessgroup: Move CgroupSetupCgroups() to libprocessgroup_setup
Only init uses SetupCgroups. This functionality is
moved from libprocessgroup to its own library, and only
init links to it.

Also, merge CgroupSetupCgroups() with CgroupMap::SetupCgroups()
because the former is just an alias of the latter, and
CgroupMap does not belong to libcgrouprc_setup.

Test: boots
Bug: 123664216
Change-Id: I941dc0c415e2b22ae663d43e30dc7a464687325e
Merged-In: I941dc0c415e2b22ae663d43e30dc7a464687325e
2019-04-02 22:31:57 -07:00
Mark Salyzyn
e419a79329 ueventd: populate /dev/block/mapper link
Since DM_NAME= is not sent (delete bug) or interpreted with ueventd
message, instead probe /sys/devices/virtual/block/dm-X/dm/name when
instantiating.  Cache the value for later delete.

By creating the /dev/block/mapper/<name> nodes, this will give
selabel_lookup_best_match an alias to hang its hat on so that the
associated /dev/block/dm-X nodes will be suitably labelled and
differentiated.

NB: For Android, the deletion of the nodes will only happen in the
    context of fastbootd, update_engine and gsid; otherwise the links
    and properties created can be considered set-once and persistent.

Test: manual inspect /dev/block/mapper/ links
Bug: 124072565
Change-Id: I6d9e467970dfdad7b67754ad61084964251eb05f
2019-04-02 19:28:47 +00:00
Treehugger Robot
0a887aa14c Merge "Disallow operator!() on unique_fd"
2019-03-29 03:52:46 +00:00
Treehugger Robot
a896e2aee5 Merge "init: mount_handler: system-as-root (legacy)"
2019-03-28 18:25:27 +00:00
Suren Baghdasaryan
81cfeb54fc Merge "libprocessgroup: restrict SetupCgroups to one-time usage and only by init"
2019-03-28 17:13:09 +00:00
David Anderson
5aa37dc3dc Merge "init: Support booting off GSIs installed to non-userdata block devices."
2019-03-28 09:46:44 +00:00
Bernie Innocenti
7cb72c96b4 Disallow operator!() on unique_fd
This catches a common mistake where client code checks for errors using
the common idiom that works for std::iostream and other file-like
classes:

  unique_fd fd = open(...);
  if (!fd) {
  }

Test: atest libbase_test
Test: m droid
Change-Id: I9629a7795537ecb3b57be9c741c06f80967e4cc2
2019-03-28 15:56:07 +09:00
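As an added illustration of the mistake this change catches (example code, not libbase's unique_fd): a minimal RAII holder, here called ScopedFd, keeps the implicit int conversion that lets `if (!fd)` compile, and deletes `operator!` so that check becomes a compile error instead of a wrong one. A raw fd is an int, so `!fd` is true only for fd 0 (stdin), never for the -1 that open() returns on failure.

```cpp
#include <fcntl.h>
#include <unistd.h>
#include <utility>

// Minimal RAII fd holder (hypothetical stand-in for unique_fd, not libbase code).
class ScopedFd {
 public:
  ScopedFd() = default;
  explicit ScopedFd(int fd) : fd_(fd) {}
  ScopedFd(ScopedFd&& other) noexcept : fd_(other.release()) {}
  ScopedFd& operator=(ScopedFd&& other) noexcept {
    reset(other.release());
    return *this;
  }
  ScopedFd(const ScopedFd&) = delete;
  ScopedFd& operator=(const ScopedFd&) = delete;
  ~ScopedFd() { reset(); }

  // Implicit conversion keeps read(fd, ...)-style call sites working, but it is
  // also what would let `!fd` compile and silently test fd_ == 0.
  operator int() const { return fd_; }

  // Deleted so `if (!fd)` fails at compile time. Overload resolution prefers this
  // exact-match member over `!int` via the conversion, so the diagnostic is
  // "use of deleted function" rather than a wrong run-time check.
  bool operator!() const = delete;

  bool ok() const { return fd_ >= 0; }
  int get() const { return fd_; }
  int release() {
    int fd = fd_;
    fd_ = -1;
    return fd;
  }
  void reset(int fd = -1) {
    if (fd_ >= 0) close(fd_);
    fd_ = fd;
  }

 private:
  int fd_ = -1;
};

// The idiom the commit message warns about no longer compiles:
//   ScopedFd fd(open(path, O_RDONLY));
//   if (!fd) return false;   // error: use of deleted function 'bool ScopedFd::operator!() const'
// The correct check is against ok() (or fd.get() < 0):
bool OpenReadOnly(const char* path, ScopedFd* out) {
  ScopedFd fd(open(path, O_RDONLY | O_CLOEXEC));
  if (!fd.ok()) return false;  // open() returned -1
  *out = std::move(fd);
  return true;
}
```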
Suren Baghdasaryan
5b53573671 libprocessgroup: restrict SetupCgroups to one-time usage and only by init
SetupCgroups is called by init process during early-init stage and is not
supposed to be called again by anyone else. Ensure that the caller is the
init process, make sure cgroup.rc file is written only one time, keep the
file descriptor to cgroup.rc file open by the init process to ensure all
its further mappings stay valid even if the file is deleted.

Bug: 124774415
Test: build, run, verify no errors or warning in the logcat

Change-Id: Ib8822cf0112db7744e28d442182d54dcf06f46f2
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
2019-03-28 01:25:22 +00:00
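The reason for keeping the cgroup.rc descriptor open, shown with a small added example (my code, not libprocessgroup's): data read through a kept fd, or an mmap made from it, stays valid after the path is unlinked, while a fresh open() by path fails. The write-once part is modelled with O_EXCL. The example uses a hypothetical file under /tmp and does not check for pid 1, since it is meant to run outside init.

```cpp
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>
#include <string>

// Hypothetical stand-in for writing cgroup.rc (example code, not libprocessgroup).
// O_EXCL makes a second writer fail instead of silently rewriting the file; the
// real caller would additionally require getpid() == 1. On success the open
// descriptor is handed back and must be kept alive by the caller.
bool WriteOnce(const std::string& path, const std::string& content, int* kept_fd) {
  int fd = open(path.c_str(), O_RDWR | O_CREAT | O_EXCL | O_CLOEXEC, 0644);
  if (fd < 0) return false;  // EEXIST: already written once
  if (write(fd, content.data(), content.size()) != static_cast<ssize_t>(content.size())) {
    close(fd);
    unlink(path.c_str());
    return false;
  }
  *kept_fd = fd;
  return true;
}

// Map the file through the kept fd, unlink the path, then read through the
// mapping. The inode stays alive while the descriptor and mapping exist, so a
// consumer that got the fd from init keeps a consistent view even after the
// file is deleted from the filesystem.
std::string ReadAfterUnlink(const std::string& path, int fd) {
  struct stat st;
  if (fstat(fd, &st) != 0 || st.st_size <= 0) return "";
  void* map = mmap(nullptr, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
  if (map == MAP_FAILED) return "";
  unlink(path.c_str());  // directory entry gone; open(path) now fails
  std::string contents(static_cast<const char*>(map), st.st_size);
  munmap(map, st.st_size);
  return contents;
}

// Path-based access after the unlink: this is what breaks without the kept fd.
bool PathStillOpens(const std::string& path) {
  int fd = open(path.c_str(), O_RDONLY | O_CLOEXEC);
  if (fd < 0) return false;
  close(fd);
  return true;
}
```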
Mark Salyzyn
793f4b503e init: mount_handler: system-as-root (legacy)
On marlin, dev.mnt.blk.root is empty.  Issue is shared for all
devices that are system-as-root.

/dev/root /proc/mounts entry exists before the associated block device
is instantiated by ueventd.  As a result, when the device shows up the
root mount is updated late when the next mount inotify trigger occurs,
a delay which we will accept.  But the property entries are added before
being removed in the loop, which causes the ultimate property entry for root
to report empty. Add /dev/block/dm-0, remove /dev/root, for property
dev.mnt.blk.root.

Fix is to change to Remove before Adding.  Remove /dev/root, then add
/dev/block/dm-0.

On system-as-root as well, cannot just use fstab.  Determine if a
dm-verity reference is wrapped around system and use that instead.

Add some additional filtration of loop and APEX mounts to reduce
property noise.

Fix issue with creating the std::string line holder from getline(3).

Test: manual on marlin
Bug: 124072565
Change-Id: Ief2e1a6f559cbcbc87273fc2db35c675bb972f43
2019-03-27 20:50:39 +00:00
Yifan Hong
f959fffc1c Merge changes from topic "lpdumpd"
* changes:
  libbase: realpath is wrapped with TEMP_FAILURE_RETRY
  liblp: Replace open with GetControlFileOrOpen
  init: expand prop in 'file'
  libcutils: android_get_control_file uses realpath.
2019-03-26 20:35:36 +00:00
Yifan Hong
567f1874fd init: expand prop in 'file'
Allow having properties in 'file' option of a service.

Test: boots (sanity)
Test: lpdumpd
Bug: 126233777
Change-Id: I55158b81e3829b393a9725fd8f09200690d0230f
2019-03-21 16:00:00 -07:00
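For reference, the expansion the 'file' option now gets is the same `${prop}` / `${prop:-default}` syntax used elsewhere in rc files. The following is an added example of such an expander (my code, not init's own expand_props()), with the property lookup injected so it runs without a property service. As in init, an empty or missing property with no default is an error, and an unterminated `${` is rejected.

```cpp
#include <functional>
#include <map>
#include <string>

// Hypothetical expander for ${prop} and ${prop:-default} (example, not init's code).
// The lookup returns false for an unknown property. Returns false and leaves
// *out untouched on an undefined property without a default, or on an
// unterminated "${".
using PropLookup = std::function<bool(const std::string&, std::string*)>;

bool ExpandProps(const std::string& in, const PropLookup& lookup, std::string* out) {
  std::string result;
  size_t pos = 0;
  while (pos < in.size()) {
    size_t start = in.find("${", pos);
    if (start == std::string::npos) {
      result.append(in, pos, std::string::npos);
      break;
    }
    result.append(in, pos, start - pos);
    size_t end = in.find('}', start + 2);
    if (end == std::string::npos) return false;  // unterminated reference
    std::string ref = in.substr(start + 2, end - start - 2);
    std::string def;
    bool has_default = false;
    size_t sep = ref.find(":-");
    if (sep != std::string::npos) {
      has_default = true;
      def = ref.substr(sep + 2);
      ref.resize(sep);
    }
    std::string value;
    if (lookup(ref, &value) && !value.empty()) {
      result += value;
    } else if (has_default) {
      result += def;  // unset or empty property falls back to the default
    } else {
      return false;   // unset, no default: the rc line is an error
    }
    pos = end + 1;
  }
  *out = result;
  return true;
}
```

A `file` option such as `file ${ro.boot.example}/socket r` (a constructed line) would pass through the same routine before the path is opened.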
Vic Yang
87215c2530 Fix parse_apex_configs doc in README.md
Test: None
Change-Id: I0871e640cfcab706a5396e3824a1f75239c29840
2019-03-21 11:59:29 -07:00
David Anderson
ee725f610f init: Support booting off GSIs installed to non-userdata block devices.
Bug: 126230649
Bug: 127953521
Test: GSI boots when installed to sdcard on hikey960
      GSI boots when installed to /data/gsi
Change-Id: Id59926ebe363939c8c5745bb1bf5bd13722dae7e
2019-03-20 18:22:00 -07:00
Jeff Vander Stoep
402e4a6615 init: make sepolicy dependency optional
Test: make system/core/init
Change-Id: Ie2e7ba57fe885baf017ef12334aea7f2f9f8f0c1
2019-03-19 17:01:09 -07:00
Jeffrey Vander Stoep
e21d07fbab Merge "selinux: use the policy version defined in sepolicy"
2019-03-19 21:44:59 +00:00
Mark Salyzyn
cdb825e461 Check if we need to Poll for devices after RegenerateUevents
If the required_devices_partition_names is cleared, no need to Poll.

Test: manual check boot time, and adb-remount-test.sh
Bug: 128834849
Change-Id: I044ee2752a7f32b084ff6e88b4b586accdfb78f0
2019-03-18 10:29:48 -07:00
Mark Salyzyn
a73ed22cb7 init: add MountHandler property handler
Set properties dev.mnt.blk.<mount_point>=<device_block_class> for mount
and umount operations by setting up an Epoll handler to catch
EPOLLERR or EPOLLPRI signals when /proc/mounts is changed.  Only
update properties associated with block devices.  For the mount
point of /, use the designation of /root instead.

Can use the properties in init rc expansion like:

on property dev.mnt.blk.root=*
    write /sys/block/${dev.mnt.blk.root}/queue/read_ahead_kb ${boot_read_ahead_kb:-2048}

on property dev.mnt.blk.data=*
    write /sys/block/${dev.mnt.blk.data}/queue/read_ahead_kb ${boot_read_ahead_kb:-2048}

on late-fs
    setprop boot_read_ahead_kb 128
    write /sys/block/${dev.mnt.blk.root}/queue/read_ahead_kb ${boot_read_ahead_kb}
    write /sys/block/${dev.mnt.blk.data}/queue/read_ahead_kb ${boot_read_ahead_kb}

Test: boot and inspect getprop results.
Bug: 124072565
Change-Id: I1b8aff44f922ba372cd926de2919c215c40ee874
2019-03-15 11:54:38 -07:00
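To make the mechanism concrete, here is an added model of the handler's bookkeeping (example code, not init's MountHandler): parse /proc/mounts, map each block-device mount to a dev.mnt.blk.* property, and apply a change set between two snapshots. It also reproduces the system-as-root ordering bug fixed by the "init: mount_handler: system-as-root (legacy)" change further up this page: the transition from the placeholder /dev/root entry to /dev/block/dm-0 on "/" only leaves dev.mnt.blk.root populated if removals are applied before additions. The property-key rule for nested mount points, the block-class stripping rule, and the filtering of loop and /apex mounts are this example's own simplifications.

```cpp
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <tuple>
#include <vector>
#ifdef __linux__
#include <fcntl.h>
#include <sys/epoll.h>
#include <unistd.h>
#endif

// Example model of the MountHandler bookkeeping (not init's own code).
struct MountEntry {
  std::string device;       // e.g. /dev/block/dm-0
  std::string mount_point;  // e.g. /data
  bool operator<(const MountEntry& o) const {
    return std::tie(device, mount_point) < std::tie(o.device, o.mount_point);
  }
};

// Parse the six-field /proc/mounts format; octal escapes such as \040 are left as-is.
std::vector<MountEntry> ParseMounts(const std::string& text) {
  std::vector<MountEntry> out;
  std::istringstream lines(text);
  std::string line;
  while (std::getline(lines, line)) {
    std::istringstream fields(line);
    MountEntry e;
    std::string fstype, opts;
    if (!(fields >> e.device >> e.mount_point >> fstype >> opts)) continue;  // malformed
    out.push_back(e);
  }
  return out;
}

// Property key: "/" becomes "root"; otherwise drop the leading slash and turn
// inner slashes into '.' (this example's rule for nested mount points).
std::string PropertyName(const std::string& mount_point) {
  if (mount_point == "/") return "dev.mnt.blk.root";
  std::string key = mount_point.substr(1);
  for (char& c : key) if (c == '/') c = '.';
  return "dev.mnt.blk." + key;
}

// Only block devices get properties; loop and APEX mounts are dropped to reduce
// noise. /dev/root is kept: it is the placeholder present on system-as-root
// devices before ueventd has created the real node.
bool IsTracked(const MountEntry& e) {
  if (e.mount_point.rfind("/apex", 0) == 0) return false;
  if (e.device.rfind("/dev/block/loop", 0) == 0) return false;
  return e.device == "/dev/root" || e.device.rfind("/dev/block/", 0) == 0;
}

// Block class: basename with the partition suffix stripped for sdXN and
// mmcblkNpM names; dm-N is used as is. /dev/root cannot be resolved yet and
// yields "", the empty value the commit message describes.
std::string BlockClass(const std::string& device) {
  if (device == "/dev/root") return "";
  std::string name = device.substr(device.rfind('/') + 1);
  if (name.rfind("dm-", 0) == 0) return name;
  size_t p = name.find('p');
  if (name.rfind("mmcblk", 0) == 0 && p != std::string::npos) return name.substr(0, p);
  while (!name.empty() && name.back() >= '0' && name.back() <= '9') name.pop_back();
  return name;
}

using Props = std::map<std::string, std::string>;

// Apply the difference between two snapshots: a removal clears the property, an
// addition sets it. /dev/root and /dev/block/dm-0 on "/" map to the same key,
// so with remove_first == false (the original ordering) the addition is
// immediately undone and dev.mnt.blk.root ends up empty.
Props ApplyMountChange(Props props, const std::vector<MountEntry>& before,
                       const std::vector<MountEntry>& after, bool remove_first) {
  std::set<MountEntry> old_set(before.begin(), before.end());
  std::set<MountEntry> new_set(after.begin(), after.end());
  auto add_new = [&] {
    for (const auto& e : new_set)
      if (!old_set.count(e) && IsTracked(e)) props[PropertyName(e.mount_point)] = BlockClass(e.device);
  };
  auto clear_stale = [&] {
    for (const auto& e : old_set)
      if (!new_set.count(e) && IsTracked(e)) props[PropertyName(e.mount_point)] = "";
  };
  if (remove_first) { clear_stale(); add_new(); } else { add_new(); clear_stale(); }
  return props;
}

#ifdef __linux__
// Registration as the commit describes it: /proc/mounts does not become readable
// on change, it raises EPOLLPRI/EPOLLERR, so those are the events to wait for
// before re-reading the table and diffing it with ApplyMountChange.
int WatchProcMounts(int* mounts_fd) {
  *mounts_fd = open("/proc/mounts", O_RDONLY | O_CLOEXEC);
  if (*mounts_fd < 0) return -1;
  int epfd = epoll_create1(EPOLL_CLOEXEC);
  struct epoll_event ev = {};
  ev.events = EPOLLPRI | EPOLLERR;
  ev.data.fd = *mounts_fd;
  if (epfd < 0 || epoll_ctl(epfd, EPOLL_CTL_ADD, *mounts_fd, &ev) != 0) {
    if (epfd >= 0) close(epfd);
    close(*mounts_fd);
    return -1;
  }
  return epfd;
}
#endif
```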
Treehugger Robot
4cd0914048 Merge changes from topic "apex_earlymount_no_bionic_bindmount"
* changes:
  /bionic path is gone
  Revert "Handle adb sync with Bionic under /bionic"
  Don't bind-mount bionic files
2019-03-15 09:02:18 +00:00
Bowgo Tsai
1dacd42ae1 Allow overriding ro.debuggable to 1 on USER builds
When init found "/force_debuggable" in the first-stage ramdisk, it will
do the following if the device is unlocked:
  1. load /system/etc/adb_debug.prop (with ro.debuggable=1)
  2. load userdebug_plat_sepolicy.cil instead of the original plat_sepolicy.cil from
    /system/etc/selinux/.

This makes it possible to run VTS on a USER build GSI, by using a special
ramdisk containing "/force_debuggable".

Bug: 126493225
Test: unlock a USER build device, check 'adb root' can work
Change-Id: I9b4317bac1ce92f2c0baa67c83d4b12deba62c92
2019-03-15 06:12:00 +08:00
Mark Salyzyn
37bbf800fa init: epoll: add events argument to RegisterHandler
Allow caller to specify events other than EPOLLIN default.

Test: boot
Bug: 124072565
Change-Id: Id4e582a6abc74c5fdb26fea7dcbd3ba2150dadd6
2019-03-13 16:51:31 -07:00
Jiyong Park
7b4801a921 Don't bind-mount bionic files
Bind-mounting of the bionic files on /bionic/* paths is no longer required
as there are direct symlinks from bionic files in the /system partition to
the corresponding bionic files in the runtime APEX, e.g.,

/system/lib/libc.so -> /apex/com.android.runtime/lib/bionic/libc.so

Bug: 125549215
Test: m; devices boots
Change-Id: I4a43101c3e3e2e14a81001d6d65a8a4b727df385
2019-03-14 07:35:54 +09:00
Elliott Hughes
076305e4fb init: use PLOG rather than strerror.
Test: builds
Change-Id: Ifdba8e7fa4cd5c852946bb0f398382f2d64674cd
2019-03-08 12:34:53 -08:00
Jiyong Park
e5dc674a95 Make /apex on ramdisk
Bug: 127576519
Bug: 127653919
Test: build hikey, check ramdisk has /apex directory
Change-Id: I4e844caa032c0717bd36d323675852ce3681fb01
2019-03-07 11:17:44 +09:00
Jiyong Park
8502ed308d Access apex sysprops via the generated API
Bug: 125549215
Test: m
Change-Id: Ie9b0aa5eec5931da3512d77613b034e5bd760f3e
2019-03-05 16:22:55 +09:00
Jiyong Park
dcbaf9f41b Activate system APEXes early
Summary: Boot sequence around apexd is changed to make it possible for
pre-apexd processes to use libraries from APEXes. They no longer need to
wait for the apexd to finish activating APEXes, which again can be
done only after /data/ is mounted. This improves overall boot
performance.

Detail: This change fixes the problem that processes that are started
before apexd (so called pre-apexd processes) can't access libraries
that are provided only by the APEXes but are not found in the system
partition (e.g. libdexfile_external.so, etc.). Main idea is to activate
system APEXes (/system/apex/*.apex) before /data is mounted and then
activate the updated APEXes (/data/apex/*.apex) after the /data mount.

Detailed boot sequence is as follows.

1) init prepares the bootstrap and default mount namespaces. A tmpfs is
mounted on /apex and the propagation type of the mountpoint is set to
private.

2) before any other process is started, apexd is started in bootstrap
mode. When executed in the mode, apexd only activates APEXes under
/system/apex. Note that APEXes activated in this phase are mounted in
the bootstrap mount namespace only.

3) other pre-apexd processes are started. They are in the bootstrap
mount namespace and thus are provided with the libraries from the system
APEXes.

4) /data is mounted. init switches into the default mount namespace and
starts apexd as a daemon as usual.

5) apexd scans both /data/apex and /system/apex, and activates the latest
APEXes from the directories. Note that APEXes activated in this phase
are mounted in the default namespaces only and thus are not visible to
the pre-apexd processes.

Bug: 125549215
Test: m; device boots
Change-Id: I21c60d0ebe188fa4f24d6e6861f85ca204843069
2019-03-05 09:47:49 +09:00
Jiyong Park
4ba548d845 mount /apex during first_stage init
/apex is not mounted via init.rc but directly by the first_stage init
before the mount namespaces are configured.

This allows us to change the propagation type for the /apex mount point to
private to isolate APEX activations across post- and pre-apexd
processes.

Bug: 125549215
Test: m; device boots to the UI

Change-Id: I10e056cd30d64cb702b6c237acd8dab326162884
2019-03-04 16:22:41 +09:00
Bowgo Tsai
f3e28e1682 libfs_avb: support key rotation for standalone partitions
The FstabEntry.avb_key is renamed to FstabEntry.avb_keys, to
allow specifying multiple avb keys, separated by ':'
(because ',' is already used by fstab parsing).

Bug: 124013032
Test: boot live GSI with multiple allowed AVB keys
Change-Id: Iacd3472a1d5a659dfecf09ea6074d622658f4d0b
2019-02-27 04:13:21 +00:00
Jeff Vander Stoep
724eda5503 selinux: use the policy version defined in sepolicy
In the current setup, init uses the highest policy version supported
by the kernel, instead of the policy version defined in policy. This
results in inconsistency between precompiled (version 30) and
on-device compiled policy (version 30 or 31). Make these consistent.

Bug: 124499219
Test: build and boot a device. Try both precompiled and on-device
compiled policy.

Change-Id: I0ce181916f43db17244c4d80f5cf5a91bbb58d3a
2019-02-25 10:47:29 -08:00
Treehugger Robot
084d3b9124 Merge "libfs_avb: support rollback protection for Live GSI"
2019-02-22 16:28:23 +00:00
David Anderson
1cdd96cb10 Merge "init: Set a property indicating that we're booting into a GSI."
2019-02-21 14:40:48 +00:00
Bowgo Tsai
918668a2cd libfs_avb: support rollback protection for Live GSI
This commit extracts the security patch level (SPL), e.g.,
com.android.build.system.security_patch = 2019-04-05 from AVB property
descriptors when attempting to mount a standalone image (e.g., live
GSI). Then compares the SPL between the old system.img and the new live
system.img for rollback protection.

Bug: 122705329
Test: boot an old Live GSI, checks rollback is detected
Change-Id: I7aae58c0b2062a3ff57ed932ad58e7b604453fed
2019-02-21 10:32:18 +08:00
Tom Cherry
86f38d56b8 Merge "init: Ignore "ro." restrictions when reading prop files"
2019-02-20 16:59:39 +00:00
Tom Cherry
be0489281f init: Ignore "ro." restrictions when reading prop files
"ro." properties do not make sense for prop files, especially with the
way that the system/product and vendor/odm partitions are meant to
override each other.  To fix this, we ignore the fact that "ro."
properties are "write once" when first loading in property files.

We then adjust the order of property file loading, such that we read
partitions from least to most specific, reading in order: system,
vendor, odm, product, product_services.

Bug: 122864654
Test: ro. properties can override when reading build props with
      appropriate permissions
Test: ro. properties do not override when lacking permissions to
      be set by a given partition
Change-Id: Ib9a5f77e95d9df647cdde7a5c937bb3425c066fa
2019-02-19 13:02:58 -08:00
Jinguang Dong
f42e08d878 load selinux property_contexts in /odm and /product
Commit I27dd391fc06a3c78e88a65c7931c84de1699f157 made property_service no longer
load selinux property_contexts via the function selinux_android_prop_context_handle,
so we should configure the /odm and /product property_contexts loading paths in
property_service.cpp rather than in libselinux.

Test: property_service can load property_contexts in /odm and /product
Change-Id: Ifa94b87180c4867ecbe8dea347ad02bb37958043
2019-02-15 17:56:45 +08:00
David Anderson
372278c86d init: Set a property indicating that we're booting into a GSI.
Bug: 123777418
Test: gsid.image_running is set after booting into GSI
Change-Id: I8ec79fa58b41b04676de0c8909fcd520c28c05ab
2019-02-14 13:23:28 -08:00
Bowgo Tsai
fffe43974d Skip enabling dm-verity for live GSI when needed
Currently the dm-verity for live GSI is always enabled, even if the
disable bit in the top-level /vbmeta is set. We should skip setting up
dm-verity on live system.img when adb disable-verity is ever set.

Bug: 124291583
Test: adb disable-verity, then boot live GSI
Test: fastboot flash --disable-verification vbmeta vbmeta.img,
      then boot live GSI

Change-Id: Id52d20d0b2e56dfa7de8f866dcc989b82a96c879
2019-02-13 22:12:09 +08:00
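The two live-GSI checks on this page, the SPL rollback comparison from "libfs_avb: support rollback protection for Live GSI" above and the verity-skip decision from this change, as one added example (my code, not libfs_avb or libavb). The vbmeta part reads the big-endian flags word of the top-level vbmeta header and honours both the hashtree-disabled bit (`adb disable-verity`) and the verification-disabled bit (`fastboot --disable-verification`); the field offset and bit values are this example's reading of libavb's AvbVBMetaImageHeader and should be checked against the header before reuse. The SPL part parses com.android.build.system.security_patch from a property-descriptor list and fails closed when the value is missing or malformed, which is this example's policy, not necessarily libfs_avb's.

```cpp
#include <cstdint>
#include <cstring>
#include <initializer_list>
#include <string>
#include <tuple>
#include <utility>
#include <vector>

// Added example of the two live-GSI checks (not libfs_avb or libavb code).

// Header layout as this example assumes it: 256-byte packed header, magic
// "AVB0" at offset 0, big-endian uint32 flags at offset 120, with bit 0 =
// AVB_VBMETA_IMAGE_FLAGS_HASHTREE_DISABLED and bit 1 =
// AVB_VBMETA_IMAGE_FLAGS_VERIFICATION_DISABLED.
constexpr size_t kVbmetaHeaderSize = 256;
constexpr size_t kVbmetaFlagsOffset = 120;
constexpr uint32_t kFlagHashtreeDisabled = 1u << 0;
constexpr uint32_t kFlagVerificationDisabled = 1u << 1;

bool ReadVbmetaFlags(const std::vector<uint8_t>& image, uint32_t* flags) {
  if (image.size() < kVbmetaHeaderSize || std::memcmp(image.data(), "AVB0", 4) != 0) return false;
  const uint8_t* p = image.data() + kVbmetaFlagsOffset;
  *flags = (uint32_t{p[0]} << 24) | (uint32_t{p[1]} << 16) | (uint32_t{p[2]} << 8) | p[3];
  return true;
}

// Skip dm-verity on the live system.img whenever the top-level vbmeta says
// either hashtree or verification is disabled.
bool ShouldEnableVerity(uint32_t top_level_flags) {
  return (top_level_flags & (kFlagHashtreeDisabled | kFlagVerificationDisabled)) == 0;
}

// Constructed header for testing: zeros except magic and flags (no real signature).
std::vector<uint8_t> MakeVbmeta(uint32_t flags) {
  std::vector<uint8_t> v(kVbmetaHeaderSize, 0);
  std::memcpy(v.data(), "AVB0", 4);
  for (int i = 0; i < 4; ++i) v[kVbmetaFlagsOffset + i] = static_cast<uint8_t>(flags >> (24 - 8 * i));
  return v;
}

// Security patch level as carried in an AVB property descriptor, e.g.
// com.android.build.system.security_patch = 2019-04-05.
struct Spl { int year = 0, month = 0, day = 0; };
using Props = std::vector<std::pair<std::string, std::string>>;

bool ParseSpl(const std::string& s, Spl* out) {
  if (s.size() != 10 || s[4] != '-' || s[7] != '-') return false;
  for (int i : {0, 1, 2, 3, 5, 6, 8, 9})
    if (s[i] < '0' || s[i] > '9') return false;
  out->year = std::stoi(s.substr(0, 4));
  out->month = std::stoi(s.substr(5, 2));
  out->day = std::stoi(s.substr(8, 2));
  return out->month >= 1 && out->month <= 12 && out->day >= 1 && out->day <= 31;
}

bool FindSpl(const Props& props, const std::string& partition, Spl* out) {
  const std::string key = "com.android.build." + partition + ".security_patch";
  for (const auto& kv : props)
    if (kv.first == key) return ParseSpl(kv.second, out);
  return false;
}

bool IsRollback(const Spl& installed, const Spl& candidate) {
  return std::tie(candidate.year, candidate.month, candidate.day) <
         std::tie(installed.year, installed.month, installed.day);
}

// Gate for mounting a live system.img over the installed one. A missing or
// malformed SPL on either side fails closed (this example's policy).
bool AllowLiveGsi(const Props& installed, const Props& candidate) {
  Spl old_spl, new_spl;
  if (!FindSpl(installed, "system", &old_spl) || !FindSpl(candidate, "system", &new_spl)) return false;
  return !IsRollback(old_spl, new_spl);
}
```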
Tom Cherry
5272f9b017 Merge "Refactor fs_mgr_update_verity_state()"
2019-02-12 17:22:09 +00:00
Steven Laver
944e6f1d17 Merge "Allow properties to be derived from partition-specific properties during init"
2019-02-12 16:44:57 +00:00
Tom Cherry
cf80b6d6e5 Refactor fs_mgr_update_verity_state()
fs_mgr_update_verity_state() has two callers with generally different
intentions.  One caller loops through all entries in the default fstab
to set partition.<mount_point>.verified properties.  The other caller
is only interested in whether or not a specific mount point has verity
enabled.

Given this, we refactor fs_mgr_update_verity_state() to
fs_mgr_get_verity_mount_point() which takes a single FstabEntry and
returns the mount point used for the dm-verity device or an empty
option if verity is not enabled on that mount point.

Test: adb-remount-test.sh test on blueline
Change-Id: Ic7dd8390509e95b2931b21e544c919a544138864
2019-02-11 12:50:22 -08:00
Tom Cherry
6576e13995 Remove logic to fake /system in overlayfs
It is better to guarantee that a /system or / entry will be present in
first stage mount than it is to maintain the code to fake an entry if
it's not present in the input fstab.

Test: adb-remount-test.sh on blueline
Change-Id: I8aa3e704903b8abf06b1c63be071913a9de58eb3
2019-02-08 16:25:24 -08:00
Steven Laver
57a740eca2 Allow properties to be derived from partition-specific properties during init
If not present, ro.product.[brand|device|manufacturer|model|name] and
ro.build.fingerprint will be resolved during init from
partition-specific properties.

Test: booted system image, verified properties
Test: booted recovery image, verified properties
Bug: 120123525
Change-Id: I7fe2793a7d9eb65645d92ceb408f1f050acf9a81
2019-02-07 16:15:55 -08:00
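Putting the two property-file changes on this page together, the following added example (my code, not init's property_service) loads build.prop-style files in the order the "init: Ignore "ro." restrictions when reading prop files" change above describes (system, vendor, odm, product, product_services), lets a later file override an earlier "ro." value only when a caller-supplied policy says that partition may set it, keeps "ro." write-once for runtime sets, and then derives missing ro.product.* values and ro.build.fingerprint from the partition-specific properties as this change describes. The partition precedence for derivation (product, product_services, odm, vendor, system), the fingerprint layout, and the toy policy used in the usage are this example's assumptions.

```cpp
#include <functional>
#include <initializer_list>
#include <map>
#include <sstream>
#include <string>
#include <utility>
#include <vector>

// Added example (not init's property_service code).
using KeyValues = std::vector<std::pair<std::string, std::string>>;
// (partition, property name) -> may a file from this partition set it?
// In init this is the SELinux property_contexts check; here it is injected.
using SetPolicy = std::function<bool(const std::string&, const std::string&)>;

static std::string Trim(const std::string& s) {
  size_t a = s.find_first_not_of(" \t\r");
  if (a == std::string::npos) return "";
  size_t b = s.find_last_not_of(" \t\r");
  return s.substr(a, b - a + 1);
}

// build.prop format: '#' comments and blank lines skipped, split on the first '='.
KeyValues ParsePropFile(const std::string& text) {
  KeyValues out;
  std::istringstream in(text);
  std::string line;
  while (std::getline(in, line)) {
    line = Trim(line);
    if (line.empty() || line[0] == '#') continue;
    size_t eq = line.find('=');
    if (eq == std::string::npos) continue;
    out.emplace_back(Trim(line.substr(0, eq)), Trim(line.substr(eq + 1)));
  }
  return out;
}

class PropertyStore {
 public:
  explicit PropertyStore(SetPolicy policy) : policy_(std::move(policy)) {}

  // Files are given least- to most-specific. While loading, an "ro." value may
  // replace an earlier one if the policy allows that partition to set the
  // property; the write-once rule applies only to runtime Set().
  void LoadBuildProps(const std::vector<std::pair<std::string, std::string>>& partition_files) {
    for (const auto& pf : partition_files)
      for (const auto& kv : ParsePropFile(pf.second))
        if (policy_(pf.first, kv.first)) props_[kv.first] = kv.second;
  }

  // Runtime set: "ro." properties cannot be changed once present.
  bool Set(const std::string& name, const std::string& value) {
    if (name.rfind("ro.", 0) == 0 && props_.count(name)) return false;
    props_[name] = value;
    return true;
  }

  std::string Get(const std::string& name) const {
    auto it = props_.find(name);
    return it == props_.end() ? "" : it->second;
  }

  // Fill ro.product.<attr> from the most specific ro.product.<partition>.<attr>
  // that exists, then ro.build.fingerprint from its usual components, but only
  // where the generic property is absent.
  void DeriveProductProps() {
    static const char* const kPartitionOrder[] = {"product", "product_services", "odm", "vendor", "system"};
    for (const char* attr : {"brand", "device", "manufacturer", "model", "name"}) {
      std::string target = std::string("ro.product.") + attr;
      if (props_.count(target)) continue;
      for (const char* part : kPartitionOrder) {
        auto it = props_.find(std::string("ro.product.") + part + "." + attr);
        if (it != props_.end()) { props_[target] = it->second; break; }
      }
    }
    if (!props_.count("ro.build.fingerprint")) {
      props_["ro.build.fingerprint"] =
          Get("ro.product.brand") + "/" + Get("ro.product.name") + "/" + Get("ro.product.device") + ":" +
          Get("ro.build.version.release") + "/" + Get("ro.build.id") + "/" +
          Get("ro.build.version.incremental") + ":" + Get("ro.build.type") + "/" + Get("ro.build.tags");
    }
  }

 private:
  SetPolicy policy_;
  std::map<std::string, std::string> props_;
};
```

In the usage, the toy policy trusts the system file for everything and lets every other partition set only its own ro.<partition>.* and ro.product.<partition>.* namespaces, which is enough to show both outcomes the commit's tests name: an override that succeeds with permission and one that is rejected without it.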
Tom Cherry
500b6c0e86 Merge "init: allow services to have no capabilities set"
2019-02-06 23:48:36 +00:00
Tom Cherry
1cd082d421 init: allow services to have no capabilities set
In particular, this allows services running as the root user to have
capabilities removed instead of always having full capabilities.

Test: boot device with a root service with an empty capabilities
      option in init showing no capabilities in /proc/<pid>/status
Change-Id: I569a5573ed4bc5fab0eb37ce9224ab708e980451
2019-02-06 11:25:18 -08:00
Treehugger Robot
54f7e57bac Merge "init: print property/value for wait_for_property"
2019-02-06 07:28:00 +00:00
Wei Wang
c9352bb383 init: print property/value for wait_for_property
Bug: 123772265
Bug: 123788098
Test: Build
Change-Id: Ice130d7efab1f227a2f9021136621ad08f84fd23
2019-02-06 01:03:53 +00:00