Add init.b2g.rc for b2g.

2022-08-30 19:09:12 +08:00 · 2022-08-30 19:09:12 +08:00 · 74d0d58e14
parent 25d994b1ce
commit 74d0d58e14
5 changed files with 10 additions and 77 deletions
--- a/init/service.cpp
+++ b/init/service.cpp
@ -88,6 +88,9 @@ static Result<std::string> ComputeContextFromExecutable(const std::string& servi
        free(new_con);
    }
    if (rc == 0 && computed_context == mycon.get()) {
+        #if ALLOW_PERMISSIVE_SELINUX
+	    // Allow permissive don't return error
+        #else
        return Error() << "File " << service_path << "(labeled \"" << filecon.get()
                       << "\") has incorrect label or no domain transition from " << mycon.get()
                       << " to another SELinux domain defined. Have you configured your "
@ -95,6 +98,7 @@ static Result<std::string> ComputeContextFromExecutable(const std::string& servi
                          "device-policy#label_new_services_and_address_denials. Note: this "
                          "error shows up even in permissive mode in order to make auditing "
                          "denials possible.";
+        #endif
    }
    if (rc < 0) {
        return Error() << "Could not get process context";
--- a/libcutils/fs_config.cpp
+++ b/libcutils/fs_config.cpp
@ -68,6 +68,7 @@ static const struct fs_path_config android_dirs[] = {
    { 00771, AID_SHELL,        AID_SHELL,        0, "data/local/tmp" },
    { 00771, AID_SHELL,        AID_SHELL,        0, "data/local" },
    { 00770, AID_DHCP,         AID_DHCP,         0, "data/misc/dhcp" },
+    { 00770, AID_DHCP,         AID_DHCP,         0, "data/misc/dhcp-6.8.2" },
    { 00771, AID_SHARED_RELRO, AID_SHARED_RELRO, 0, "data/misc/shared_relro" },
    { 01771, AID_SYSTEM,       AID_MISC,         0, "data/misc" },
    { 00775, AID_MEDIA_RW,     AID_MEDIA_RW,     0, "data/media/Music" },
@ -140,6 +141,9 @@ static const char* conf[][2] = {
 // See https://source.android.com/devices/tech/config/filesystem#using-file-system-capabilities
 static const struct fs_path_config android_files[] = {
        // clang-format off
+    { 00775, AID_ROOT,      AID_ROOT,      0, "system/b2g/b2g" },
+    { 00775, AID_ROOT,      AID_ROOT,      0, "system/b2g/updater" },
+    { 00775, AID_ROOT,      AID_ROOT,      0, "system/b2g/plugin-container" },
    { 00644, AID_SYSTEM,    AID_SYSTEM,    0, "data/app/*" },
    { 00644, AID_SYSTEM,    AID_SYSTEM,    0, "data/app-ephemeral/*" },
    { 00644, AID_SYSTEM,    AID_SYSTEM,    0, "data/app-private/*" },
@ -169,6 +173,7 @@ static const struct fs_path_config android_files[] = {
    { 00755, AID_ROOT,      AID_SHELL,     0, "system/bin/crash_dump32" },
    { 00755, AID_ROOT,      AID_SHELL,     0, "system/bin/crash_dump64" },
    { 00755, AID_ROOT,      AID_SHELL,     0, "system/bin/debuggerd" },
+    { 00550, AID_DHCP,      AID_SHELL,     0, "system/etc/dhcpcd-6.8.2/dhcpcd-run-hooks" },
    { 00550, AID_LOGD,      AID_LOGD,      0, "system/bin/logd" },
    { 00700, AID_ROOT,      AID_ROOT,      0, "system/bin/secilc" },
    { 00750, AID_ROOT,      AID_ROOT,      0, "system/bin/uncrypt" },
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@ -4,12 +4,12 @@
 # This is a common source of Android security bugs.
 #

+import /init.b2g.rc
 import /init.environ.rc
 import /system/etc/init/hw/init.usb.rc
 import /init.${ro.hardware}.rc
 import /vendor/etc/init/hw/init.${ro.hardware}.rc
 import /system/etc/init/hw/init.usb.configfs.rc
-import /system/etc/init/hw/init.${ro.zygote}.rc

 # Cgroups are mounted right before early-init using list from /etc/cgroups.json
 on early-init
@ -496,9 +496,6 @@ on late-init
    # Should be before netd, but after apex, properties and logging is available.
    trigger load_bpf_programs

-    # Now we can start zygote for devices with file based encryption
-    trigger zygote-start
-
    # Remove a file to wake up anything waiting for firmware.
    trigger firmware_mounts_complete

@ -961,35 +958,6 @@ on post-fs-data
    # Enable FUSE by default
    setprop persist.sys.fuse true

-# It is recommended to put unnecessary data/ initialization from post-fs-data
-# to start-zygote in device's init.rc to unblock zygote start.
-on zygote-start && property:ro.crypto.state=unencrypted
-    wait_for_prop odsign.verification.done 1
-    # A/B update verifier that marks a successful boot.
-    exec_start update_verifier_nonencrypted
-    start statsd
-    start netd
-    start zygote
-    start zygote_secondary
-
-on zygote-start && property:ro.crypto.state=unsupported
-    wait_for_prop odsign.verification.done 1
-    # A/B update verifier that marks a successful boot.
-    exec_start update_verifier_nonencrypted
-    start statsd
-    start netd
-    start zygote
-    start zygote_secondary
-
-on zygote-start && property:ro.crypto.state=encrypted && property:ro.crypto.type=file
-    wait_for_prop odsign.verification.done 1
-    # A/B update verifier that marks a successful boot.
-    exec_start update_verifier_nonencrypted
-    start statsd
-    start netd
-    start zygote
-    start zygote_secondary
-
 on boot && property:ro.config.low_ram=true
    # Tweak background writeout
    write /proc/sys/vm/dirty_expire_centisecs 200
@ -1118,7 +1086,6 @@ on property:vold.decrypt=trigger_load_persist_props

 on property:vold.decrypt=trigger_post_fs_data
    trigger post-fs-data
-    trigger zygote-start

 on property:vold.decrypt=trigger_restart_min_framework
    # A/B update verifier that marks a successful boot.
@ -1263,7 +1230,6 @@ on userspace-reboot-fs-remount
 on userspace-reboot-resume
  trigger userspace-reboot-fs-remount
  trigger post-fs-data
-  trigger zygote-start
  trigger early-boot
  trigger boot

--- a/rootdir/init.zygote64.rc
+++ b/rootdir/init.zygote64.rc
@ -1,16 +0,0 @@
-service zygote /system/bin/app_process64 -Xzygote /system/bin --zygote --start-system-server
-    class main
-    priority -20
-    user root
-    group root readproc reserved_disk
-    socket zygote stream 660 root system
-    socket usap_pool_primary stream 660 root system
-    onrestart exec_background - system system -- /system/bin/vdc volume abort_fuse
-    onrestart write /sys/power/state on
-    onrestart restart audioserver
-    onrestart restart cameraserver
-    onrestart restart media
-    onrestart restart netd
-    onrestart restart wificond
-    writepid /dev/cpuset/foreground/tasks
-    critical window=${zygote.critical_window.minute:-off} target=zygote-fatal
--- a/rootdir/init.zygote64_32.rc
+++ b/rootdir/init.zygote64_32.rc
@ -1,26 +0,0 @@
-service zygote /system/bin/app_process64 -Xzygote /system/bin --zygote --start-system-server --socket-name=zygote
-    class main
-    priority -20
-    user root
-    group root readproc reserved_disk
-    socket zygote stream 660 root system
-    socket usap_pool_primary stream 660 root system
-    onrestart exec_background - system system -- /system/bin/vdc volume abort_fuse
-    onrestart write /sys/power/state on
-    onrestart restart audioserver
-    onrestart restart cameraserver
-    onrestart restart media
-    onrestart restart netd
-    onrestart restart wificond
-    task_profiles ProcessCapacityHigh MaxPerformance
-    critical window=${zygote.critical_window.minute:-off} target=zygote-fatal
-
-service zygote_secondary /system/bin/app_process32 -Xzygote /system/bin --zygote --socket-name=zygote_secondary --enable-lazy-preload
-    class main
-    priority -20
-    user root
-    group root readproc reserved_disk
-    socket zygote_secondary stream 660 root system
-    socket usap_pool_secondary stream 660 root system
-    onrestart restart zygote
-    task_profiles ProcessCapacityHigh MaxPerformance