Add an optional argument to the socket option for specifying
a SELinux security context for the socket. Normally the socket
security context is automatically computed from the service security
context or set using the seclabel option, but this facility allows
dealing with two scenarios that cannot be addressed using the existing
mechanisms:
1) Use of logwrapper to wrap a service.
In this case, init cannot determine the service security context
as it does not directly execute it and we do not want logwrapper
to run in the same domain as the service.
2) Situations where a service has multiple sockets and we want to
label them distinctly.
Change-Id: I7ae9088c326a2140e56a8044bfb21a91505aea11
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
These properties are typically set at device provisioning time
or in the factory. They contain unit-specific data that isn't
touched by software updates or factory data reset. Only
read-only properties can be read by this mechanism.
Change-Id: Ifff9184f039072c3c0ce99f825c3075afb524514
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
The Linux RNG may have little entropy during boot. As more and more
devices have a Hardware RNG, we mix in 512 bytes from Hardware RNG
(if present) into Linux RNG early during boot (after
wait_for_coldboot_done and before property_service_init actions in
init).
To avoid having to trust the output of Hardware RNG, we do not mix it
into the Linux RNG's primary pool or increase the Linux RNG's entropy
estimates.
Bug: 10362513
Change-Id: I80617f21710400747f5e7533e518d90ea74e2f11
This change adds a "verify" fs_mgr flag specifying that
the device in question should be verified.
Devices marked with this flag are expected to have a
footer immediately after their data containing all
the information needed to set up a verity instance.
Change-Id: I10101f2c3240228ee0932e3767fe35e673d2e720
Restarting ueventd upon policy reloads has reportedly created
stability problems for some users and could cause events to be lost.
Stop restarting ueventd and instead handle policy reloads within ueventd.
Also stops restarting installd upon policy reloads.
Change-Id: Ic7f310d69a7c420e48fbc974000cf4a5b9ab4a3b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
We have several partitions with underscores in their names
which would not be properly linked in:
/dev/block/platform/msm_sdcc.1/by-name/
With this change more characters (_-.) are allowed in
partition name links. Also, any other character is
replaced with '_' so the resulting link names have the
same length as the partition name.
Change-Id: I746566c03db98b10326c755692362d2c10e528ae
Create a new "androidboot.selinux" option, to control how userspace
handles SELinux. This kernel command line can have three options:
* disabled
* permissive
* enforcing
"disabled" completely disables userspace support for SELinux. No
policy is ever loaded, nor is the SELinux filesystem /sys/fs/selinux
ever mounted.
"permissive" loads the SELinux policy, but puts SELinux into
permissive mode. SELinux policy violations are logged, but not rejected.
"enforcing", the default, loads the SELinux policy, and places
SELinux into enforcing mode. Policy violations are rejected.
This change addresses post review comments for change
b710ed21de .
Change-Id: I912583db8e6a0e9c63380de32ad8ffc47a8a440f
When init starts up, immediately put SELinux into enforcing mode.
This is currently a no-op. We currently have everything in the
unconfined domain, so this should not break anything.
(if it does, I'll roll it back immediately)
If the kernel doesn't have SELinux support compiled in, then
don't try loading a policy and continue without SELinux protections.
Change-Id: Id0279cf82c545ea0f7090137b7566a5bc3ddd641
* commit 'b1a9f8cf4b15a861ab998a4c5f0c69068f22c62a':
init: move initial property area allocation into bionic
property_service: make /dev/__properties__ readable
bionic's __system_property_add() now expands the property area as needed
by mapping in more pages. Rather than duplicate the mapping code, move
it inside bionic and have bionic's __system_property_area_init() set up
the first page.
Signed-off-by: Greg Hackmann <ghackmann@google.com>
(cherry picked from commit f14eef0c3c)
Change-Id: Ieb94caab1527c71f2155efe3795490b0ea215a29
Currently, system properties are passed via the environment
variable ANDROID_PROPERTY_WORKSPACE and a file descriptor passed
from parent to child. This is insecure for setuid executables,
as the environment variable can be changed by the caller.
Make the /dev/__properties__ file accessible, so an app can
get properties directly from the file, rather than relying on
environment variables.
Preserve the environment variable for compatibility with pre-existing
apps.
Bug: 8045561
(cherry picked from commit 7ece0a862c)
Change-Id: I762da21ef4075f288745efed0ec7d16c2b71303c
bionic's __system_property_add() now expands the property area as needed
by mapping in more pages. Rather than duplicate the mapping code, move
it inside bionic and have bionic's __system_property_area_init() set up
the first page.
Change-Id: If9917d5f775c1a82eb89be55b84635395145ca49
Signed-off-by: Greg Hackmann <ghackmann@google.com>
The previous patch "init: verify size of property buffers passed
to property_get" incorrectly modified one of the callers,
resulting in ro.serialno, ro.bootmode, ro.baseband, and
ro.bootloader always being set to their default values.
Bug: 9469860
(cherry picked from commit 67e3663fc9)
Change-Id: Ia7b337e1fab6e334729f47ee1269e6c736615177
Verify that the buffer passed as the value parameter to property_get
is always big enough.
(cherry picked from commit 88ac54a4e8)
Change-Id: Iacc2b42bfe4069e0bfcbb1c48474f30126a93139
Move the system property writer implementation into bionic to keep
it next to the reader implementation and allow for better testing.
(cherry picked from commit 9f5af63501)
Change-Id: Idf6100d1d0170751acd5163a22597912bff480f0
The previous patch "init: verify size of property buffers passed
to property_get" incorrectly modified one of the callers,
resulting in ro.serialno, ro.bootmode, ro.baseband, and
ro.bootloader always being set to their default values.
Bug: 9469860
Change-Id: Id45bd8dd657e8d61f4cfaf7e6b2559d2bfd05181
Move the system property writer implementation into bionic to keep
it next to the reader implementation and allow for better testing.
Change-Id: I9026e604109e30546b2849b60cab2e7e5ff00ba5
Property triggers may cause an action to be queued twice, resulting
in a loop in the action queue. Keep actions that are not on the queue
in the list_empty state (act->qlist->next == act->qlist), and only
add them to the list if they are in that state.
Bug: 8335133
Change-Id: I3a3ec18176cf19cbaa3a45220a03c7560eacfe79
This helps to ensure that when a new system image is installed,
old userdata policy isn't applied over the top of it.
Bug: 8841348
Change-Id: I135af32250aa62979763e775842ce0af3c8b6f9f
This forces a policy reload + fixcon to deal with dynamically
delivered policy changing labels on device nodes.
It's implemented as a new keyword in init.
Bug: 8702843
Change-Id: I803cf1ecf6ff8318ce25dcc5cda4f292adc9738c
Failing to set properties due to an exhausted pool leads
to difficult to debug problems. This change adds an
error log to make the situation a bit easier to handle.
Change-Id: Icc1d97a80882fb23e74428a0195f1d28dba68fa8
Move the responsibility for rebooting the system from the
reboot command to init. Init is in a better position to take
actions to bring the system down cleanly, including making sure
filesystems are mounted read-only.
The only UIDs which can perform an init triggered reboot are
root, system, and shell.
Modify the reboot command so that it calls into init to perform
the reboot. The reboot command no longer requires CAP_SYS_BOOT.
Remove the -n reboot option and code which supports it. Anyone needing
to do an unclean shutdown can just do a 'echo c > /proc/sysrq-trigger'.
Modify adb so that it calls into init to perform a shutdown.
Bug: 8646621
Change-Id: I84c0513acb549720cb0e8c9fcbda0050f5c396f5
Currently, the output of e2fsck is not saved, and we have no insight
into how many errors e2fsck is finding and fixing. Using the new
abbreviated logging feature in liblogwrap, up to the first 100 lines,
and last 4K bytes of the output of e2fsck is captured by fs_mgr, and
added to the kernel log.
Usually, the filesystem will be clean, and this will only add a few
lines to the kernel log on boot, but when things go wrong, it should
save enough to indicate what the problem is, without potentially
filling the kernel log with only e2fsck output if the filesystem is
really corrupted.
Change-Id: I9c264798e6fe721c8f818b5ce15d0975027ddbdd
This change enables labeling of dynamically created sysfs nodes
with specific SELinux security contexts.
Change-Id: If8b8d66120453123c1371ce063b6f20e8b96b6ef
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
With the old strdup() mechanism, it may return NULL if insufficient memory was
available. So we check the return value or do not use strdup to avoid null
pointer issue.
Change-Id: Id684948d6cb6c2f06327f29a2ba692f9542fce80
Signed-off-by: Hong-Mei Li <a21834@motorola.com>
Adding a new location for policy files under
/data, the new location is /data/security. The
new location is used before attempting to use
any other location.
This requires a new directory to be created by
the init script and an update to the location of
the property_contexts file for property service.
Change-Id: I955a722ac3e51fa6c1b97201b8bdef3f601cf09d
When using device tree, platform devices may not have a
/devices/platform/ path prefix, but can be rooted in
/devices/.
Modify the platform device tracking code to store the device
path as well as the name. This way, when we create symlinks, we
can correctly skip the base platform device prefix and get to the
proper device node path.
Change-Id: I939ef8fbcb45c5c803cd9a054e40136a912efc72
Signed-off-by: Dima Zavin <dima@android.com>
This logic has been moved to platform/frameworks/base commit
8a0a929422682ba3eb6a205dc6c0638e68b909de and is no longer needed
here.
This reverts commit 01b1dee0ab.
This reverts commit 87980b5c9f
Getting more reports of app crashes (e.g. 7990090), so given timeline for MR2, want to revert.
Change-Id: Ic2d101d2d1156b3864d5c9b88aa8c94cd5aa345f
# By Stephen Smalley
# Via Android Git Automerger (1) and others
* commit '7480c0079d8c7fcfd5b3d9decfdabfebde162781':
Label sockets consistently with the seclabel value if specified.
Currently, system properties are passed via the environment
variable ANDROID_PROPERTY_WORKSPACE and a file descriptor passed
from parent to child. This is insecure for setuid executables,
as the environment variable can be changed by the caller.
Make the /dev/__properties__ file accessible, so an app can
get properties directly from the file, rather than relying on
environment variables.
Preserve the environment variable for compatibility with pre-existing
apps.
Bug: 8045561
Change-Id: If81e2b705eca43ddd8b491871aceff59c0e00387
Currently, system properties are passed via the environment
variable ANDROID_PROPERTY_WORKSPACE and a file descriptor passed
from parent to child. This is insecure for setuid executables,
as the environment variable can be changed by the caller.
Modify system property handling so that we get the properties
from a root owned properties file, rather than using an
environment variable.
Related to bug: 8029617
Change-Id: I18610128e11c4037ed6f4dec6eba20f69fa647eb
As it turns out, no, 64K is not enough. A device provisioning
tool was generating many uevents as it manipulated the GPT,
causing events near the end of the process (including events
as a result of the final BLKRRPART ioctl()) to get lost.
It's not clear what the best value for this should be, but
increasing to 256K fixed the problem in this case.
Change-Id: I4883b34e96c89e8a6fa581bc9cd121bb021b5694
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
Change setsebool syntax from name=value to name value.
This is to make it consistent with setprop and similar commands.
Update both the init built-in command and the toolbox command
for consistency.
Change-Id: I2c8e016ba26731c4a2ad4a49ae3b89362bf8f8a8
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
get_hardware_name() uses a fixed size buffer to slurp the contents of
/proc/cpuinfo into and with newer multicore systems this is not big
enough, leading to the inability to pick up the hardware name.
Fix this by using a dynamically allocated, exponentially growing buffer.
Change-Id: I51c6c276b6e110f462839e205a4428adc6656e75
Signed-off-by: Jon Medhurst <tixy@linaro.org>
This is necessary to ensure that the adbd socket is created in the
adbd domain rather than the init domain.
Change-Id: Id4997d7f074aeefea62b41c87b46a6609e03f527
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
In "init: harden property service" patch, dirfd() is invoked
without checking whether opendir() returns successfully. It may
fail if load_persistent_properties() is invoked before userdata
partition is mounted; then dirfd(NULL) will make init crash.
This may happen if "is_charger" is true.
Change-Id: I216fb743a3c9fa050f92fcb31b62e766346d84bb
Signed-off-by: Yi-wei Zhao <gbjc64@motorola.com>
Some Android programs have problems with memory which grows
from the top down. Temporarily set ADDR_COMPAT_LAYOUT to
avoid breaking those programs.
Bug: 7188322
Change-Id: I61760500e670b4563838c63b82d4a0b6e354a86e
* commit 'e3bdaeb603ab7ac941b35b41856c6b8ebf47c6bb':
Use sigemptyset to initialise signal mask as it is more portable. Referencing sa_restorer fails on MIPS
On first boot, the directory is created with root:root ownership and
then chowned. chown clears the ISUID and ISGID bits, so we need to chmod
the directory again after chown.
Change-Id: I02dfe7a19a637678256b4e7cc09e6b5431e6f11e
This is a set of changes to the init property service
implementation to apply a SELinux check over who can
change what properties. Also included control hooks
for the 'ctl' keys.
Change-Id: I5a18809bf5536f6459a36b6bf0d622b9f5061aa0
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
To support runtime policy management, add support for reloading
policy from /data/system. This can be triggered by setting the
selinux.loadpolicy property to 1, whether from init.rc after
mounting /data or from the system_server (e.g. upon invocation of
a new device admin API for provisioning policy). ueventd and
installd are restarted upon policy reloads to pick up the new
policy configurations relevant to their operation.
Change-Id: I97479aecef8cec23b32f60e09cc778cc5520b691
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
When devices are provisioned, bd address path is set in ro.bt.bdaddr_path.
On devices where this property is not present, a random bd address is
generated and saved to the property: persist.service.bdroid.bdaddr
This change allows bluetooth process to update this property
bug 6885309
Change-Id: I2e8a2471a0e890da82e6bbec6a2ef67ec8e1f8f4
Now get_android_id function returns -EINVAL if the uid/gid is not in the list
of android ids. This will allow ueventd to catch invalid ids and report the
error.
Change-Id: I943b04dd64d518891623e1ee2d561b8061af4863
Signed-off-by: Veeren Mandalia <v.mandalia@sta.samsung.com>
Automatically set the SELinux security label on directories created
by init.rc. This avoids the need to separately call restorecon on
each such directory from the init.rc file. Also restorecon /dev
and /dev/socket after initial policy load so that they are labeled
correctly before any other dev nodes or sockets are created.
Change-Id: If6af6c4887cdead949737cebdd673957e9273ead
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Change uevents may be triggered after new files are created on a device
in /sys, run the sys permissions fixup when they occur.
Change-Id: Iec2725c9f8a032e5124190444edaf189a766b0b2
The wait command was currently implemented but
undocumented and only used internally. This change
adds a second option to (optionally) override the default
timeout of 5 seconds.
The wait command can be used to wait for a file to appear
during the boot process, for example a disk or other device,
and is a better alternative than an unconditional sleep.
Change-Id: Ia11d8419c0ea84deec0e1bf5adfca5bc76ff38b7
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
This device is required by libdrm for GPUs like IvyBridge.
Change-Id: I0ac47056a9cec2100f3e6eaa5591571fe6bbc145
Signed-off-by: Lukasz Anaczkowski <lukasz.anaczkowski@intel.com>
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
"/sbin/watchdogd <interval> <margin>" will open /dev/watchdog, try
to set the timeout to <interval>+<margin> then write to it every
<interval> seconds to reset the watchdog.
Change-Id: I15571980cdb868ec19f20e80bf8274b32107d36d
This change brings init's do_chmod, mkdir, and do_chown into line
with open's O_NOFOLLOW semantics, causing them to fail when the
last element of their target path is a symlink.
Change-Id: If00e1a25cfe17ef6f738af4bf0541abd0c1b084b
The new fs_mgr library moves much of the knowledge of what filesystems
to mount into a new fstab.<device> file, and just calls one function to
mount all the filesystems.
Change-Id: If3db37530a0676000cba3e679db27aca734227e5
Modify init to set the umask to 077 when forking processes.
This helps protect against inadvertent information disclosure
in init's child processes.
ueventd: Keep umask at 000. uevent needs to be able to
create device nodes with exactly the permissions it
indicates.
Testing:
1) Do an "ls -lR /data /dev" on the device before and after
the umask change and diff the output. Verified by hand
that the permission change wouldn't cause any problems.
2) Verify that package installation works, and the permissions
are as expected, when installing a program from market and
"adb install".
Bug: 3272072
Change-Id: Ie4f7f06c0ee9da8d9b6fce25d71d8991a9bce406
Adds an SVC_RESTART state that's used for an explicit "restart" of a
running service. This retains the traditional restart behavior for
critical and oneshot services (previously altered by 7e36edd8), whereby
these services are "simply restarted" instead of counting as a crash (for a
critical service) or going into the disabled state (for a oneshot service).
Previously, service restarts (either an explicit "restart", or a "stop,
start" pair) exhibited a race condition whereby the new (restarting)
service process was often spawned before the old (stopping) process had
terminated. This may have resulted in the new service process failing to
acquire a limited resource (file lock, socket bind, etc.) that the old
process had not yet released.
Now, a stopping service remains in the SVC_RUNNING state until its exiting
process has been reaped by waitpid. This prevents a "stop, start" sequence
from spawning a second service process before resources held by the first
are released. This enables safe service restarts by stopping the service,
waiting for the old service process to terminate, and (only then) starting
the new service process. In the event of "restarting" an already stopped
service, the previous behavior is maintained whereby the service is simply
started.
This scenario could be special-cased by the restart command, however, we
have observed instances where services are, unintentionally, stopped and
started "too quickly," and so simultaneous processes for the same service
should never be allowed.
Note that this commit alters the behaviors for explicit restarts of
critical and oneshot services. Previously these services would simply be
restarted, whereas now, an explicit restart of a critical service counts as
a crash (which may result in a recovery reboot) and oneshot services go
into the disabled state.
Normally, calling open on a tty will set that tty as the process
group controlling tty if none already exists. However, if the tty
is /dev/console, the kernel will never automatically set it as the
controlling tty. Call the TIOCSCTTY manually on the fd, which will
always attempt to set it as the controlling tty.
Fixes ctrl-c on the console shell when androidboot.console is not
passed on the kernel command line and the default /dev/console is
used.
Change-Id: I449cc41b47e93ac38ad6987413bb54131e1ec0cd
Add SE Android support for init and ueventd.
init:
- Load policy at boot.
- Set the security context for service daemons and their sockets.
- New built-in commands: setcon, setenforce, restorecon, setsebool.
- New option for services: seclabel.
ueventd:
- Set the security context for device directories and nodes.
Change-Id: I98ed752cde503c94d99dfa5b5a47e3c33db16aac
Creating a root owned /data/local.prop is one of the most common
ways to root an Android device. /data/local.prop is only intended
to assist developers on debuggable devices, and is never
intended to be used on production devices.
Change-Id: Ifcfa21c2ee9914b0b54445218b4cf0fea0a98e9c
If we process the import directive inline, then the ordering of the
commands for the "on xxx" sections would be a little unexpected. The
init.rc files do not really have an implied order as to which section
appears and gets processed first. The init code itself provides that
ordering explicitly. For the user, the expectation is that if both the
current file and the imported file define a section (e.g. "on init"),
then the commands in the current file will be executed first, and then
the ones from the imported file(s).
The current implementation did not do that. It processed the import
directive inline, and thus the imported (i.e. dependent) files would
appear first in the command lists for the sections. This created
unintended side effects and the solution would have been to try and
put the import lines somewhere in the middle of the init file. This
would be difficult to notice and hard to extract the dependencies.
To solve this, we add the imports to a list for each file being parsed
and process the list after finishing parsing the file. This provides
predictable order for imports and provides a logical flow from the
user perspective: the currently parsed file gets to run its commands
before the files being imported.
Change-Id: I06dc35ff286314060e16b18923683cd2787269de
Signed-off-by: Dima Zavin <dima@android.com>
Also, clean up how we initialize the ro.xx properties and process
the kernel command line.
Change-Id: Iedda6c90e31340a189171a44b2767480403354f7
Signed-off-by: Dima Zavin <dima@android.com>
This removes the hardcoding of the file import in init and instead
allows the init.rc file to fully control what is loaded.
Change-Id: I933e5bbab57f1e8705a370d660f92c6508da94d2
Signed-off-by: Dima Zavin <dima@android.com>
Adds new property syntax in init files during init file filename
expansion during the import command:
${prop.name}
So, one can do: import /init.${ro.hardware}.usb.rc
Should convert other usages of property names to use the new function.
Change-Id: I9205d7d7a2da620bc8e6b89ac0eb554fad53ded3
Signed-off-by: Dima Zavin <dima@android.com>
The property service is still started later, but the property area
and the initial boot properties are initialized before the init.rc
file is processed. This allows init.rc files to have access to boot
properties during parsing.
Change-Id: Iae9ed1093c821831a864b39ae6bc697e62b94757
Signed-off-by: Dima Zavin <dima@android.com>
The class_reset command used to reset services that had been set to
"disabled" in the init.rc file to a non-disabled state. Now, if the
service was originally set to "disabled", have the reset command set
it back to disabled. Otherwise, set it to the "reset" state as it
currently does.
Change-Id: I0c10582e46a8e443d4748d9d893ae762b19b653a
x86 emulator passes hardware name through the androidboot.hardware kernel cmd option, and
ueventd must pick up on it to locate proper ueventd.rc file for that hardware.
Change-Id: Id61c5b67fe6275a15c7aa62556e0b89eda7968f8
Introduces a 'charger' section that is processed when androidboot.mode
supplied on the kernel commandline is "charger".
In this mode, sections such as fs, post-fs, etc are skipped. Only the
'early-init' and 'init' sections of the init rc files are processed before
processing the 'charger' section.
Change-Id: If9eb6334de18f04cbcf2aab784578e2993615242
Signed-off-by: Dima Zavin <dima@android.com>
VPN no longer uses system properties to keep network parameters.
Besides, profiles are now stored and encrypted by keystore.
Change-Id: I7575f04f350b7d8d5ba7008eb874a72180d057e8
This allows us to change permissions and ownerships of directories
in init scripts without adding additional commands.
Change-Id: I1815d6015953035251b98f28c0f3efd3c7f25f80
For example, the following trigger will fire when the sys.foo property
is set to any value:
on property:sys.foo=*
write /data/foo hello
It is also possible to refer to the property within the trigger actions:
on property:sys.foo=*
write /data/foo $sys.foo
Change-Id: If78d20a532f77e17aa5703d53be581ad6736cbcf
Signed-off-by: Mike Lockwood <lockwood@android.com>
The write command will write a property value if the value starts with a "$".
For example:
write /sys/class/android_usb/iSerial $ro.serialno
Use double leading '$' if you need to write a string that starts with '$':
write /data/foo $$hello
to write "$hello" to /data/foo
Change-Id: I55431ac7715a5347bb95c3a15aee97c575444dde
There was a build error in init.c if you enabled bootchart, this
should probably be shipped upstream if not fixed already.
Change-Id: Iea3451c3e15d5cac00c5420d99bfce9a950aaaac
The mmc block devices on panda boards use a platform device called
omap/omap_hsmmc.0. The number of path entries in the uevent after
the platform device is unknown, and the number of path entries in
the platform device is unknown, so the only way to determine how
many entries make up the platform device is to compare against
a list of platform devices.
Add a list of platform devices that have been registered, and
iterate through it to determine the platform device portion of
a block device uevent.
Change-Id: I1480bc6429172ca6997d548787be3863ce062472
In some situations a driver could try to request firmware before
/system is mounted. Previously we'd fail the request. Now we
will retry the read-from-filesystem every 100ms until we find the
firmware or we've finished the "fs" and "post-fs" stages of init.
Change-Id: Ie32402f7d41c818bf20f3297286ed5f99705b72c
Fix for bug 3415286. The persistent properties are normally read early
in the boot process after /data is mounted. However, for an encrypted
system, at that point /data is a tmpfs ramdisk. This change adds a new
command to init (load_persist_props) to read the persistent properties,
and adds an action to init.rc to load the persistent properties. This
action is triggered by setting a property in vold, but that's in a
different CL.
Change-Id: I74b3057974ee6029c29d956b76fef5566700d471
Ext4 filesystems like to be unmounted before rebooting. The Android system
doesn't have a traditional Linux init setup, and shutting down the system
was not much more than calling sync(2) and reboot(2). This adds a new
function to libcutils called android_reboot(). By default, it calls sync()
and then remounts all writable filesystems as read-only and marks them clean.
There is a flag parameter in which the caller can ask for sync() not to be
called, or to not remount the filesystems as read-only. Then it will call
reboot(2) as directed by the other parameters. This change also updates
adb, init and toolbox to call the new android_reboot() function.
Fixes bugs 3350709 and 3495575.
Change-Id: I16d71ffce3134310d7a260f61ec6f4dd204124a7
rm only removes a single non-directory directory entry (no -r support)
rmdir removes a single empty directory
Change-Id: I49702b02ba98a177027b126268c2c2846f968195
The UI needs to know if the device is running with an encrypted
filesystem or not. So set a read-only property at boot to let it know.
Change-Id: I753de2d606c975bcbe9946d10fd47558cf357dac
If a keychord is pressed when debugging is turned off, the main
event poll in init will return an event on the keychord fd,
but handle_keychord never reads the data. Once this happens,
the poll will always return immediately, and init enters an
infinite loop. Fix it by always reading from the keychord fd,
but only handling the returned keychord if debugging is
enabled.
Change-Id: Ie4efa98247d3cc978d275dc8a4516b32aa710278
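The spin described in the keychord commit above can be reproduced with any level-triggered fd. This is an added example, not code from init or from the commit: a pipe stands in for the keychord fd, and `debugging_enabled`, both handlers and `count_wakeups` are hypothetical names.

```c
#include <poll.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* Stand-ins for init's state (assumptions, not init's real variables). */
static int debugging_enabled = 0;
static int chords_handled = 0;

/* Buggy shape: return early when debugging is off, leaving the event unread. */
static void handle_event_buggy(int fd) {
    uint32_t id;
    if (!debugging_enabled) return;
    if (read(fd, &id, sizeof(id)) == (ssize_t)sizeof(id)) chords_handled++;
}

/* Fixed shape: always consume the event, act on it only when debugging is on. */
static void handle_event_fixed(int fd) {
    uint32_t id;
    if (read(fd, &id, sizeof(id)) != (ssize_t)sizeof(id)) return;
    if (debugging_enabled) chords_handled++;
}

/* Queue one constructed event on a pipe, run `rounds` poll iterations with a
 * zero timeout, and count how many of them report the fd as readable. */
int count_wakeups(void (*handler)(int), int rounds) {
    int p[2], wakeups = 0;
    uint32_t chord_id = 7; /* constructed sample event */
    if (pipe(p) != 0) return -1;
    if (write(p[1], &chord_id, sizeof(chord_id)) != (ssize_t)sizeof(chord_id))
        wakeups = -1;
    for (int i = 0; wakeups >= 0 && i < rounds; i++) {
        struct pollfd pfd = { .fd = p[0], .events = POLLIN };
        if (poll(&pfd, 1, 0) > 0 && (pfd.revents & POLLIN)) {
            wakeups++;
            handler(p[0]);
        }
    }
    close(p[0]);
    close(p[1]);
    return wakeups;
}

int main(void) {
    printf("unread event: %d wakeups\n", count_wakeups(handle_event_buggy, 100));
    printf("drained event: %d wakeups\n", count_wakeups(handle_event_fixed, 100));
    return 0;
}
```

With a blocking poll in place of the zero timeout, the unread case is the busy loop the commit message describes: every call returns immediately.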
These are the changes to init and init.rc necessary to
support booting with an encrypted /data filesystem.
A corresponding change to init.<device>.rc goes along
with this change.
Change-Id: I0c7e2cc39568358014a82e317735c0eae14dd683
This keyword will cause init to wait a few seconds before exec'ing
the target binary. Maybe only useful for hacks and debugging.
Change-Id: I85caa0bcbc0be7e48bd21eb9e31e039c0740c8d5
Under some circumstances, setuid() and family can fail,
returning a non-zero value. (see "man setuid" for details).
If this happens, we want to ensure that init doesn't spawn a
process which has root privileges when it's not supposed to.
Change-Id: Idd03f2c8f82a7eaf6e696b5bcfe308e51ea58b52
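A fail-closed privilege drop of the kind the setuid() commit above calls for, as an added example that is not init's code or part of the commit. `drop_privileges` and `spawn_as` are hypothetical names, and `_exit(0)` stands in for the exec of the service binary.

```c
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Drop to (uid, gid) in the order groups -> gid -> uid; any failure is fatal.
 * Returns 0 only if the process verifiably holds the requested identity. */
static int drop_privileges(uid_t uid, gid_t gid) {
    /* Supplementary groups can only be cleared while still privileged. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Confirm the kernel applied what was asked for. */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    /* A non-root target must not be able to get root back. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* Fork a child for a service. If the drop fails the child exits with 127
 * and never reaches the point where the service would be exec'ed.
 * Returns the child's exit status, or -1 on fork/wait errors. */
int spawn_as(uid_t uid, gid_t gid) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0) _exit(127);
        _exit(0); /* execve() of the service binary would go here */
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    /* Dropping to the identity we already hold should succeed. */
    printf("same identity: %d\n", spawn_as(getuid(), getgid()));
    return 0;
}
```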
If firmware is not found, write -1 to /sys/$DEVPATH/loading to cancel the
firmware load. Otherwise the driver has to wait for the 60s timeout.
Change-Id: Id2787cda9b2be45b9adea41f6f161cd54cda212e
Signed-off-by: Benoit Goby <benoit@android.com>
This should be much nicer than peppering init.rc with chown/chmod
directives.
Also, remove some dead code and obsolete comments.
Change-Id: I10895f10a9cf2f1226c8d12976cd3db3743da9ec
This enhances robustness by allowing the Telephony Framework to restart
ril-daemon if it notices some catastrophic failure.
Added setprop ctl.restart.
Added ril-daemon to setprop control_perms and allow users/groups
with the AID_RADIO ID to control it.
Change-Id: I195abdd754a731ce0b77e8f71ab47fde8c3e7977
Merge commit '78ea2374c5c87d7bb58747b1a6173c598f386600'
* commit '78ea2374c5c87d7bb58747b1a6173c598f386600':
init: Add support for SOCK_SEQPACKET socket type
Merge commit '912ff85b035e0e6bc109812c1ea5661ea4df5967' into gingerbread-plus-aosp
* commit '912ff85b035e0e6bc109812c1ea5661ea4df5967':
init: Add support for SOCK_SEQPACKET socket type
- look in /vendor/firmware/... in addition to /system/etc/firmware/... for firmware loading
- add /vendor/bin to path before /system/bin
- add /vendor/lib to ldpath before /system/lib
- configure appropriate permissions for /system/vendor/bin
- symlink /vendor -> /system/vendor
Change-Id: I0c06ca1e38a44f0c7024cee6cea8907aa93a4532
Merge commit '49b8124a1759cb8b27e0c21a1a5a54b8a81bdb19'
* commit '49b8124a1759cb8b27e0c21a1a5a54b8a81bdb19':
Use makedev helper for device major and minor numbers
Merge commit '17dcc5c57dcffb919f3de65ff7a0134ffa3bd874' into gingerbread-plus-aosp
* commit '17dcc5c57dcffb919f3de65ff7a0134ffa3bd874':
Use makedev helper for device major and minor numbers
Major and minor numbers can be greater than 255. Major numbers
are 12 bits, and minor numbers are 20 bits. Supporting major
and minor numbers > 255 allows the use of the extended block
device for extra mmc partitions.
Change-Id: I4c42bfe0781069e8e4cb13ebe26e860cdc03f866
Since we now support USB host mode, devices might get a different device
file depending on whether other devices are connected on the host port. This
patch creates symlinks to USB character devices that depend on the port
devices are connected to, but not on the order they have been probed.
(e.g. /dev/usb/tty2-1:1.0 -> /dev/ttyUSB0)
Change-Id: I285bcc2d59446fbff8a7abbe39c21781f3bb4bd3
Merge commit 'fad7204e9eac20a87afacd7547ed8202a39319f8' into gingerbread-plus-aosp
* commit 'fad7204e9eac20a87afacd7547ed8202a39319f8':
validate the source of uevent messages
Merge commit '742150c031756da1393bf4223b2468b17cb79326'
* commit '742150c031756da1393bf4223b2468b17cb79326':
Use complete hardware name without spaces.
Merge commit '62a54f3b1343043528b7e93c1a4311a5e9d5f358'
* commit '62a54f3b1343043528b7e93c1a4311a5e9d5f358':
init: use tmpfs/ftruncate for properties backing store instead of ashmem
This removes the need for ashmem for early bringup and avoids an issue
with permissions enforcement.
Change-Id: I405b080660934d73048c79d614b6b2ebc43ab182
Signed-off-by: Brian Swetland <swetland@google.com>
init now creates files in /dev/bus/usb/ for user access to USB devices.
Files are chmod 660 with group AID_USB.
Signed-off-by: Mike Lockwood <lockwood@android.com>
make doesn't seem to handle the absolute symlink from
$OUT/root/sbin/ueventd to /init well - it follows the link during
dependency resolution, decides $OUT/root/sbin/ueventd doesn't exist
because /init doesn't exist, and relinks it every time.
Change-Id: I9ca1c14fe5fa80634f51ffc51a7c73146d29d42e
When the init process ran out of actions to execute, cur_action was
NULL and action_queue_empty() was true, but cur_command was still
set. This patch clears cur_command when a new action is retrieved,
and only depends on cur_action and action_queue_empty() to determine
the poll timeout.
Change-Id: Iaa95063c8c267a5b1ada9f20363b99c433e61ac4
If any child processes exit before signal_init, they won't get reaped
unless another child process exits after signal_init. Calling
handle_signal from signal_init forces them to be reaped immediately.
Change-Id: I459cfbfe6cf00f29454c62a8c840baf21cb1fb03
eMMC block device names may change based on the detection order of
the eMMC device and any other SD bus devices, such as a removable SD
card.
This patch adds support to init for:
  * Symlinks to block devices. When a block device uevent is
    processed, if it starts with "/devices/platform", the platform
    driver name is parsed out, and symlinks to the block device are
    created in /dev/block/platform/<platform driver>/
  * Symlinks based on partition name and number. If the uevent for
    a block device contains information on the partition name or
    number, symlinks are created under
      /dev/block/platform/<platform driver>/by-num/p<partition>
    and
      /dev/block/platform/<platform driver>/by-name/<partition name>
init.rc can then use a device path like the following to mount an
eMMC device:
  /dev/block/platform/<platform>/by-name/system /system ro
Change-Id: Id11bb7cdf1e2ada7752a5bd671cbf87237b34ae2
Devices with non-MTD storage need to override the filesystem mounting
commands in init.rc. Moving them to a new "fs" init level allows a
custom init.<device>.rc to handle the mounting.
Change-Id: If0e655139b9734650fb798b6eb0a90e2241fc29b
Merge commit '1404c27bff1499dae9b640870ce2251d78cdc5ef' into eclair-plus-aosp
* commit '1404c27bff1499dae9b640870ce2251d78cdc5ef':
system/core/init: set proper permissions for tpa2018d1 (CDMA)
Drop init's egid to AID_INPUT while creating the device node, so that it is
created with the correct gid. This eliminates the
possibility of system_server opening the device node before its permissions
are set correctly.
Using setegid() allows us to swap back to AID_ROOT immediately after mknod().
Bug: 2375632
The rationale being that we do not want this enabled by default, but
tying it to adb being enabled allows convenient bugreport collection
for savvy users and developers using production devices.
Change-Id: I71535b33f0774faf1975c98d106080f2ff12e349
Signed-off-by: Mike Lockwood <lockwood@android.com>
This change enables persist.security.* flags in the device, allowing only the system to modify them.
Change is necessary to allow for further progress in the project, as this is an ideal location for access both from the
framework as well as from the recovery mode / transition.
Merge commit '7789f4cc4b712f15e0e5306a874ad6f47dc8c5c0' into eclair-mr2-plus-aosp
* commit '7789f4cc4b712f15e0e5306a874ad6f47dc8c5c0':
init: devices: Remove pmem_gpu regions as they are not needed since we have an mmu
Merge commit '065694b32e481a50e57a793d61181494fbf6ef04' into eclair-plus-aosp
* commit '065694b32e481a50e57a793d61181494fbf6ef04':
init: devices: Remove pmem_gpu regions as they are not needed since we have an mmu
add O_TRUNC flag in open(), which will truncate the target file,
otherwise, copy will keep the old content of the target file.
Signed-off-by: Tom Zhu <ling.zhu@motorola.com>
Signed-off-by: San Mehat <san@google.com>
Merge commit 'e67eff1c615c98bf9ad51be9e474ef9ee82b6565' into eclair-plus-aosp
* commit 'e67eff1c615c98bf9ad51be9e474ef9ee82b6565':
init: Make /dev/pmem_gpu* be writable by all
STOPSHIP: The actual device entry needs to be removed once the products
that use this switch on the mmu.
Change-Id: I10afea36c8731d845382665ed3db7647f68d1276
Signed-off-by: Dima Zavin <dima@android.com>
Merge commit 'e991decf340e24203ed63f87d9313598cd09a46c' into eclair-plus-aosp
* commit 'e991decf340e24203ed63f87d9313598cd09a46c':
init.rc: Add dumpstate service
init: Add support for enforcing setprop by caller's group.
adb: "adb bugreport" now runs dumpstate via init rather than execing it in the shell.
* changes:
init.rc: Add dumpstate service
init: Add support for enforcing setprop by caller's group.
adb: "adb bugreport" now runs dumpstate via init rather than execing it in the shell.
Merge commit '69551d85e95d2ba712f083b39f3ff0b32f865e34' into eclair-plus-aosp
* commit '69551d85e95d2ba712f083b39f3ff0b32f865e34':
init: add some more audio devices
For example,
  service recovery /sbin/recovery
      onrestart start loadkeys
      onrestart class_start con
      onrestart stop recovery
Previously, if you had a service like the above, the "onrestart stop
recovery" clause would not have any effect, because the restart flag
would be re-set after the stop command had executed.
This is similar to a service with the "oneshot" keyword, with the critical
difference being that it executes the other onrestart commands when the
service dies.
LOG_UEVENTS is a boolean value as defined in system/core/init/init.h.
Therefore, code should use an #if check and not an #ifdef check as the
macro will always be defined.
The radio bringup script was changed from operating as root to operating as radio. This is
preventing it from adding the "net.ppp0.dns0" and "net.ppp0.dns1" properties that
ConnectivityService needs to correctly set dns.
bug: 2077628