platform_system_core/shell_and_utilities
Nick Kralevich be5e446791 introduce auditctl and use it to configure SELinux throttling
In an effort to ensure that our development community does not
introduce new code without corresponding SELinux changes, Android
closely monitors the number of SELinux denials which occur during
boot. This monitoring occurs both in treehugger, as well as various
dashboards. If SELinux denials are dropped during early boot, this
could result in non-determinism for the various SELinux treehugger
tests.

Introduce /system/bin/auditctl. This tool, modeled after
https://linux.die.net/man/8/auditctl , allows for configuring the
throttling rate for the kernel auditing system.

Remove any throttling from early boot. This will hopefully reduce
treehugger flakiness by making denial generation more predictable
during early boot.

Reapply the throttling at boot complete, to avoid denial of service
attacks against the auditing subsystem.

Delete pre-existing unittests for logd / SELinux integration. It's
intended that all throttling decisions be made in the kernel, and
shouldn't be a concern of logd.

Bug: 118815957
Test: Perform an operation which generates lots of SELinux denials,
      and count how many occur before and after the time period.
Change-Id: I6c787dbdd4a28208dc854b543e1727ae92e5eeed
2019-04-09 13:19:08 -07:00
Android.bp introduce auditctl and use it to configure SELinux throttling 2019-04-09 13:19:08 -07:00
OWNERS Add OWNERS. 2017-12-07 13:30:03 -08:00
README.md Update shell documentation for the current state of master. 2018-12-05 13:08:32 -08:00

Android's shell and utilities

Since IceCreamSandwich, Android has used mksh as its shell. Before then it used ash (which actually remained unused in the tree up to and including KitKat).

Initially, Android had a very limited command line provided by its own "toolbox" binary. Since Marshmallow, almost everything is supplied by toybox instead.

We started moving a few of the more important tools to full BSD implementations in JellyBean, and continued this work in Lollipop. Lollipop was a major break with the past in many ways (LP64 support and the switch to ART both having lots of knock-on effects around the system), so although this was the beginning of the end of toolbox, (a) it didn't stand out given all the other systems-level changes and (b) in Marshmallow we changed direction and started the move to toybox.

Not everything is provided by toybox, though. For the bzip2 command-line tools we use the ones that are part of the bzip2 distribution. The awk added in Android P is Brian Kernighan's "one true" awk.

The lists below show what tools were provided and where they came from in each release starting with Gingerbread. This doesn't tell the full story, because the toolbox implementations did have bugs fixed and options added over the years. Gingerbread's rm, for example, supported -r/-R but not -f. But this gives you an idea of what was available in any given release, and how usable it was likely to be.

Also note that in any given release toybox probably contains more commands than there are symlinks for in /system/bin. You can get the full list for a release by running toybox directly.

Android 2.3 (Gingerbread)

BSD: cat dd newfs_msdos

toolbox: chmod chown cmp date df dmesg getevent getprop hd id ifconfig iftop insmod ioctl ionice kill ln log ls lsmod lsof mkdir mount mv nandread netstat notify printenv ps reboot renice rm rmdir rmmod route schedtop sendevent setconsole setprop sleep smd start stop sync top umount uptime vmstat watchprops wipe

Android 4.0 (IceCreamSandwich)

BSD: cat dd newfs_msdos

toolbox: chmod chown cmp date df dmesg getevent getprop hd id ifconfig iftop insmod ioctl ionice kill ln log ls lsmod lsof mkdir mount mv nandread netstat notify printenv ps reboot renice rm rmdir rmmod route schedtop sendevent setconsole setprop sleep smd start stop sync top touch umount uptime vmstat watchprops wipe

Android 4.1-4.3 (JellyBean)

BSD: cat cp dd du grep newfs_msdos

toolbox: chcon chmod chown clear cmp date df dmesg getenforce getevent getprop getsebool hd id ifconfig iftop insmod ioctl ionice kill ln load_policy log ls lsmod lsof md5 mkdir mount mv nandread netstat notify printenv ps reboot renice restorecon rm rmdir rmmod route runcon schedtop sendevent setconsole setenforce setprop setsebool sleep smd start stop sync top touch umount uptime vmstat watchprops wipe

Android 4.4 (KitKat)

BSD: cat cp dd du grep newfs_msdos

toolbox: chcon chmod chown clear cmp date df dmesg getenforce getevent getprop getsebool hd id ifconfig iftop insmod ioctl ionice kill ln load_policy log ls lsmod lsof md5 mkdir mkswap mount mv nandread netstat notify printenv ps readlink renice restorecon rm rmdir rmmod route runcon schedtop sendevent setconsole setenforce setprop setsebool sleep smd start stop swapoff swapon sync top touch umount uptime vmstat watchprops wipe

Android 5.0 (Lollipop)

BSD: cat chown cp dd du grep kill ln mv printenv rm rmdir sleep sync

toolbox: chcon chmod clear cmp date df dmesg getenforce getevent getprop getsebool hd id ifconfig iftop insmod ioctl ionice load_policy log ls lsmod lsof md5 mkdir mknod mkswap mount nandread netstat newfs_msdos nohup notify ps readlink renice restorecon rmmod route runcon schedtop sendevent setenforce setprop setsebool smd start stop swapoff swapon top touch umount uptime vmstat watchprops wipe

Android 6.0 (Marshmallow)

BSD: dd du grep

toolbox: df getevent iftop ioctl ionice log ls lsof mount nandread newfs_msdos ps prlimit renice sendevent start stop top uptime watchprops

toybox: acpi basename blockdev bzcat cal cat chcon chgrp chmod chown chroot cksum clear comm cmp cp cpio cut date dirname dmesg dos2unix echo env expand expr fallocate false find free getenforce getprop groups head hostname hwclock id ifconfig inotifyd insmod kill load_policy ln logname losetup lsmod lsusb md5sum mkdir mknod mkswap mktemp modinfo more mountpoint mv netstat nice nl nohup od paste patch pgrep pidof pkill pmap printenv printf pwd readlink realpath restorecon rm rmdir rmmod route runcon sed seq setenforce setprop setsid sha1sum sleep sort split stat strings swapoff swapon sync sysctl tac tail tar taskset tee time timeout touch tr true truncate umount uname uniq unix2dos usleep vmstat wc which whoami xargs yes

Android 7.0 (Nougat)

BSD: dd grep

toolbox: getevent iftop ioctl log nandread newfs_msdos ps prlimit sendevent start stop top

toybox: acpi base64 basename blockdev bzcat cal cat chcon chgrp chmod chown chroot cksum clear comm cmp cp cpio cut date df dirname dmesg dos2unix du echo env expand expr fallocate false find flock free getenforce getprop groups head hostname hwclock id ifconfig inotifyd insmod ionice iorenice kill killall load_policy ln logname losetup ls lsmod lsof lsusb md5sum mkdir mknod mkswap mktemp modinfo more mount mountpoint mv netstat nice nl nohup od paste patch pgrep pidof pkill pmap printenv printf pwd readlink realpath renice restorecon rm rmdir rmmod route runcon sed seq setenforce setprop setsid sha1sum sleep sort split stat strings swapoff swapon sync sysctl tac tail tar taskset tee time timeout touch tr true truncate tty ulimit umount uname uniq unix2dos uptime usleep vmstat wc which whoami xargs xxd yes

Android 8.0 (Oreo)

BSD: dd grep

bzip2: bzcat bzip2 bunzip2

toolbox: getevent newfs_msdos

toybox: acpi base64 basename blockdev cal cat chcon chgrp chmod chown chroot chrt cksum clear cmp comm cp cpio cut date df diff dirname dmesg dos2unix du echo env expand expr fallocate false file find flock free getenforce getprop groups gunzip gzip head hostname hwclock id ifconfig inotifyd insmod ionice iorenice kill killall ln load_policy log logname losetup ls lsmod lsof lspci lsusb md5sum microcom mkdir mkfifo mknod mkswap mktemp modinfo modprobe more mount mountpoint mv netstat nice nl nohup od paste patch pgrep pidof pkill pmap printenv printf ps pwd readlink realpath renice restorecon rm rmdir rmmod runcon sed sendevent seq setenforce setprop setsid sha1sum sha224sum sha256sum sha384sum sha512sum sleep sort split start stat stop strings swapoff swapon sync sysctl tac tail tar taskset tee time timeout top touch tr true truncate tty ulimit umount uname uniq unix2dos uptime usleep uudecode uuencode vmstat wc which whoami xargs xxd yes zcat

Android 9.0 (Pie)

BSD: dd grep

bzip2: bzcat bzip2 bunzip2

one-true-awk: awk

toolbox: getevent getprop newfs_msdos

toybox: acpi base64 basename blockdev cal cat chcon chgrp chmod chown chroot chrt cksum clear cmp comm cp cpio cut date df diff dirname dmesg dos2unix du echo env expand expr fallocate false file find flock fmt free getenforce groups gunzip gzip head hostname hwclock id ifconfig inotifyd insmod ionice iorenice kill killall ln load_policy log logname losetup ls lsmod lsof lspci lsusb md5sum microcom mkdir mkfifo mknod mkswap mktemp modinfo modprobe more mount mountpoint mv netstat nice nl nohup od paste patch pgrep pidof pkill pmap printenv printf ps pwd readlink realpath renice restorecon rm rmdir rmmod runcon sed sendevent seq setenforce setprop setsid sha1sum sha224sum sha256sum sha384sum sha512sum sleep sort split start stat stop strings stty swapoff swapon sync sysctl tac tail tar taskset tee time timeout top touch tr true truncate tty ulimit umount uname uniq unix2dos uptime usleep uudecode uuencode vmstat wc which whoami xargs xxd yes zcat

Android Q

BSD: grep fsck_msdos newfs_msdos

bzip2: bzcat bzip2 bunzip2

one-true-awk: awk

toolbox: getevent getprop

toybox: acpi base64 basename bc blkid blockdev cal cat chattr chcon chgrp chmod chown chroot chrt cksum clear cmp comm cp cpio cut date dd df diff dirname dmesg dos2unix du echo egrep env expand expr fallocate false fgrep file find flock fmt free freeramdisk fsfreeze getconf getenforce getfattr grep groups gunzip gzip head help hostname hwclock i2cdetect i2cdump i2cget i2cset iconv id ifconfig inotifyd insmod install ionice iorenice iotop kill killall ln load_policy log logname losetup ls lsattr lsmod lsof lspci lsusb makedevs md5sum microcom mkdir mkfifo mknod mkswap mktemp modinfo modprobe more mount mountpoint mv nbd-client nc netcat netstat nice nl nohup nproc nsenter od partprobe paste patch pgrep pidof ping ping6 pivot_root pkill pmap printenv printf prlimit ps pwd pwdx readlink realpath renice restorecon rev rfkill rm rmdir rmmod runcon sed sendevent seq setenforce setfattr setprop setsid sha1sum sha224sum sha256sum sha384sum sha512sum sleep sort split start stat stop strings stty swapoff swapon sync sysctl tac tail tar taskset tee time timeout top touch tr traceroute traceroute6 true truncate tty tunctl ulimit umount uname uniq unix2dos unlink unshare uptime usleep uudecode uuencode uuidgen vconfig vmstat watch wc which whoami xargs xxd yes zcat