All kernel services will now be in the same cgroup as
foreground applications. This will now make kernel threads
not implicitly higher priority than android foreground
services.
Bug 17681097
Change-Id: I28e81c7aade50428d5395df86f00ce01c1e7af02
The systrace permissions from init.trace.rc and the "class_start core"
which launches surfaceflinger are both in an "on boot" section. However,
the init.trace.rc commands are parsed after all commands in init.rc.
This means that "class_start core" is executed before the chmod command
which allows processes to write to trace_marker. If any services
execute their first trace command before the chmod occurs, then that
service won't be able to write traces until the service is restarted.
To fix this, run all of the init.trace.rc commands in the "early-boot"
section to ensure they are completed first.
Bug: 17612265
Change-Id: Ibf544762173d5ba98272c66ef485d8eab7d70bf3
They have no dependencies on /data so can be started early.
This permits us to unmount /data while bootanimation is running,
allowing an uninterrupted first boot encryption sequence.
Bug: 17260550
Change-Id: I323fe23e8cf488d8bc136387efdd9fcea96625eb
Need to not set this property) during mount, since it can't
be changed later (ro property)
Also no reason to start class main on encryption cycle - we'll
show surfaceflinger, which is enough UI for this short cycle.
Bug: 17041092
Change-Id: Ica5339c54e45716d0fe20e23c0ab857f388d23ed
On mako only, there is a race condition such that
core + main services must be started after releasing
ueventd (by removing /dev/.booting).
bug 16304711
bug 16333352
On mako only, there is a race condition such that
core + main services must be started after releasing
ueventd (by removing /dev/.booting).
bug 16304711
bug 16333352
Move the unlink out of init.c and into init.rc, so that the file
will be removed after all the filesystems with firmware are up.
Change-Id: Ifdd5dd1e95d7e064dde5c80b70198882d949a710
Move the unlink out of init.c and into init.rc, so that the file
will be removed after all the filesystems with firmware are up.
Change-Id: I7442df2042cc2788d0301f00e3c2fba7d6e0e1c7
Make sure all files / directories within /cache are properly
labeled, not just the directory itself.
Addresses the following denial:
type=1400 audit(0.0:26): avc: denied { getattr } for comm="Thread-85" path="/cache/lost+found" dev="mmcblk0p27" ino=11 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
Change-Id: I5937b30043efeb696ffaa77258b7294d20d1494e
This may require changes to other code, such as fastbootd, which relies on this
service. sshd is not currently, used, however, so this change will force any
such code to be changed.
Bug: 11594902
Change-Id: I07e52008290dab5825be2ad062cbe730fa7dff71
Moving the vendor symlink down was causing issues with some devices.
Moved it back up, and adjusted mount to remove symlinks if necessary.
Change-Id: I77126d77cfbef32250012bea3960c99b55db4cbb
Signed-off-by: Daniel Rosenberg <drosen@google.com>
+ Add a new property, sys.init_log_level, which can be set after init
bootstrap. This will control the level at which init does prints to klog.
Change-Id: Ia15b2110157b5e6b713785ece9b0fb94889be6c8
Modified fastboot to flash vendor.img as well. Moved symlink
for /vendor to occur after mounting partitions. Changed mount
to also create the mount point.
Change-Id: I78e1ba24e6bb8b4af96a67ee0569af579439e682
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Add the ability to boot up directly from charger mode, instead of forcing
charger mode to initiate a full restart to launch 'full' android. This
should shave a few seconds off of boot time on supported devices (just
manta for now).
Change-Id: Ieec4494d929e92806e039f834d78b9002afd15c4
Make sure /data/dalvik-cache/profiles gets the correct
permissions and SELinux context, and ownership is properly
assigned to the system UID.
Change-Id: Ic1b44009faa30d704855e97631006c4b990a4ad3
dmesg_restrict is too coarse of a control. In Android's case,
we want to allow the shell user to see dmesg output, but disallow
others from seeing it.
Rather than rely on dmesg_restrict, use SELinux to control access
to dmesg instead. See corresponding change in external/sepolicy .
Bug: 10020939
Change-Id: I9d4bbbd41cb02b707cdfee79f826a39c1ec2f177
Define a UID to be used by the process responsible for creating shared
RELRO files for the WebView native library, and create a directory owned
by that UID to use to store the files.
Bug: 13005501
Change-Id: I5bbb1e1035405e5534b2681f554fe16f74e3da1a
To remove the need to modify the bionic dynamic linker, add the
signal chaining library as a preload in the environment. This
will be picked up by the dynamic linker and will override
sigaction and sigprocmask to allow for signal chaining.
Change-Id: I6e2d0628b009bd01e0ed9aed0b311871b9c8363a
cpufreq
The owner and permissions for the sysfs file
/sys/devices/system/cpu*/cpufreq/scaling_max/min_freq is changed.
This would allow the PowerHAL to change the max/min cpufreq even after
the associated CPU's are hotplugged out and back in.
Change-Id: Ibe0b4aaf3db555ed48e89a7fcd0c5fd3a18cf233
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
Volantis SurfaceFlinger holds open a file on data partition.
SurfaceFlinger is not running when we trigger_default_encryption
but if we start it before starting defaultcrypto it locks open
data, so we can't unmount it.
It will start anyway when main starts, so not starting it here
is safe - it will just cause a 1-2 second delay in the graphics
appearing.
Change-Id: Idd546a578e62a24f999367b1407b37ad0f00f3a2
Note that init.zygote64.rc, which supports a "pure"
64 bit zygote is around only for testing.
The life cycles of both zygotes are controlled by init,
and the assumption here is that they will be available
always. We start the system_server in 32 bit mode.
Note that the distinction between "primary" and "secondary"
simply defines the order in which ABI support is queried,
there's no real requirement that the primary zygote supports
the primary ABI of the device.
bug: 13647418
Change-Id: Id0be001ea6f934c3c2022d89a63aae9fae66cc38
This allows us to choose different configs depending on
whether or not the target is 64 capable, and what its preferred
default is.
bug: 13647418
Change-Id: Ie1ce4245a3add7544c87d27c635ee390f4062523
Remove world-readable, reduce group permissions to readable by system
daemons
Change-Id: I6c7d7d78b8d8281960659bb8490a01cf7fde28b4
Signed-off-by: Greg Hackmann <ghackmann@google.com>
Modify fs_mgr to unmount encryptable drives after test mounting them and
then trigger an auto-encrypt via the init script
Needs matching vold changes from
https://googleplex-android-review.googlesource.com/#/c/414200/
Feature is limited to list of serial numbers with this change
Bug: 11985952
Change-Id: I84f85a258b6a7e9809467c9149249302e203c41b
The kernel's default is between 4~20.
Prepare for javaland to modify the value at runtime.
It can be done via
setprop sys.sysctl.tcp_def_init_rwnd <value>
Bug: 12020135
Change-Id: Id34194b085206fd02e316401c0fbbb9eb52522d2
(cherry picked from commit 7c862c8b5e)
- init: set /proc/sys/net/unix/max_dgram_qlen to 300
- libsysutils: Add listen backlog argument to startListener
- logd: set listen backlog to 300
Change-Id: Id6d37d6c937ba2d221e76258d89c9516619caeec
mkdir /data/misc/wifi subdirectories and /data/misc/dhcp is performed
in the various device-specific init*.rc files but seems generic.
Move it to the main init.rc file.
Drop the separate chown for /data/misc/dhcp as this is handled by mkdir
built-in if the directory already exists.
Add a restorecon_recursive /data/misc/wifi/sockets.
Change-Id: I51b09c5e40946673a38732ea9f601b2d047d3b62
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Create a new userspace log daemon for handling logging messages.
Original-Change-Id: I75267df16359684490121e6c31cca48614d79856
Signed-off-by: Nick Kralevich <nnk@google.com>
* Merge conflicts
* rename new syslog daemon to logd to prevent confusion with bionic syslog
* replace racy getGroups call with KISS call to client->getGid()
* Timestamps are filed at logging source
* insert entries into list in timestamp order
* Added LogTimeEntry tail filtration handling
* Added region locking around LogWriter list
* separate threads for each writer
* /dev/socket/logd* permissions
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
(cherry picked from commit 3e76e0a497)
Author: Nick Kralevich <nnk@google.com>
Change-Id: Ice88b1412d8f9daa7f9119b2b5aaf684a5e28098
The kernel's default is between 4~20.
Prepare for javaland to modify the value at runtime.
It can be done via
setprop sys.sysctl.tcp_def_init_rwnd <value>
Bug: 12020135
Change-Id: Id34194b085206fd02e316401c0fbbb9eb52522d2
* Create a new userspace log daemon for handling logging messages.
Original-Change-Id: I75267df16359684490121e6c31cca48614d79856
Signed-off-by: Nick Kralevich <nnk@google.com>
* Merge conflicts
* rename new syslog daemon to logd to prevent confusion with bionic syslog
* replace racy getGroups call with KISS call to client->getGid()
* Timestamps are filed at logging source
* insert entries into list in timestamp order
* Added LogTimeEntry tail filtration handling
* Added region locking around LogWriter list
* separate threads for each writer
* /dev/socket/logd* permissions
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Change-Id: Ice88b1412d8f9daa7f9119b2b5aaf684a5e28098
Set
* /sys/module/lowmemorykiller/parameters/adj
* /sys/module/lowmemorykiller/parameters/minfree
to 0220. This better indicates that these files are only intended
to be written to, never read.
Change-Id: I9ef054f032b3955e04128fc1a472a17c7b1fa792
If userdata is default encrypted, we should mount it at boot
to avoid bringing the framework up and then down unnecessarily.
Needs matching vold changes from
https://googleplex-android-review.googlesource.com/#/c/412649/
Bug: 8769627
Change-Id: I4b8276befd832cd788e15c36edfbf8f0e18d7e6b
With the following prior changes:
I77bf2a0c4c34b1feef6fdf4d6c3bd92dbf32f4a1
I698b1b2c3f00f31fbb2015edf23d33b51aa5bba1
I8dd915d9bb80067339621b905ea2b4ea0fa8d71e
it should now be safe (will correctly label all files)
and reasonably performant (will skip processing unless
file_contexts has changed since the last call) to call
restorecon_recursive /data from init.rc.
The call is placed after the setprop selinux.policy_reload 1 so that
we use any policy update under /data/security if present.
Change-Id: Ib8d9751a47c8e0238cf499fcec61898937945d9d
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The script that writes the recovery partition after a successful
update of system needs to be made executable. This change also moves
it from /system/etc to /system/bin.
Bug: 12893978
Change-Id: I686e2392a2392515a6859a7381b735de1007b7ea
mkdir /data/misc/wifi subdirectories and /data/misc/dhcp is performed
in the various device-specific init*.rc files but seems generic.
Move it to the main init.rc file.
Drop the separate chown for /data/misc/dhcp as this is handled by mkdir
built-in if the directory already exists.
Add a restorecon_recursive /data/misc/wifi/sockets.
Change-Id: I51b09c5e40946673a38732ea9f601b2d047d3b62
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
When adbd runs as root, it should transition into the
su domain. This is needed to run the adbd and shell
domains in enforcing on userdebug / eng devices without
breaking developer workflows.
Introduce a new device_banner command line option.
Change-Id: Ib33c0dd2dd6172035230514ac84fcaed2ecf44d6
Add a service called "pre-recovery" which is normally stopped but can
be started by the system server when we want to go into recovery. It
will do any preparation needed (currently needed to handle update
packages that reside on an encrypted /data partition) and then set
sys.powerctl when it's ready to actually reboot.
Bug: 12188746
Change-Id: I894a4cb200395a0f6d7fe643ed4c2ac0a45d2052
Otherwise it will be mislabeled on upgrades with existing userdata.
Change-Id: Ibde88d5d692ead45b480bb34cfe0831baeffbf94
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
On a 64-bit system, 64-bit processes will want one path, 32-bit processes
another. The dynamic linker already provides the correct defaults for
native code, and we've coupled the VM and dynamic linker so that
LD_LIBRARY_PATH will be set correctly in any VM during startup if it's not
being manually overridden.
Change-Id: Icbffc0d451dbc242cdfb9267413d8bcac434e108
Use restorecon_recursive to label devices
where the directory and subfiles have
already been built and labeled.
Change-Id: I0dfe1e542fb153ad20adf7b2b1f1c087b4956a12
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
If checkreqprot == 1, SELinux only checks the protection flags passed
by the application, even if the kernel internally adds PROT_EXEC for
READ_IMPLIES_EXEC personality flags. Switch to checkreqprot == 0
to check the final protection flags applied by the kernel.
Change-Id: Ic39242bbbd104fc9a1bcf2cd2ded7ce1aeadfac4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This allows it to be permissive in userdebug/eng builds
but confined/enforcing in user builds.
Change-Id: Ie322eaa0acdbefea2de4e71ae386778c929d042b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
The files in zoneinfo changed from system_data_file to
zoneinfo_data_file. Fixup pre-existing files.
Change-Id: Idddbd6c2ecf66cd16b057a9ff288cd586a109949
There is no longer any reason to permit system UID to set enforcing mode.
Change-Id: Ie28beed1ca2b215c71f2847e2390cee1af1713c3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Need the set correct permission for print-tgid option or tracing of
sched can't work on user build.
Change-Id: Ia88aabe58128b911afd78f01c27f7da884ed03f0
Signed-off-by: Carton He <carton.he@marvell.com>
MS_MOVE was used when staging external storage devices, which no
longer occurs. In fact, having a writable tmpfs was masking a vold
bug around moving apps to SD cards.
Bug: 11175082
Change-Id: Ib2d7561c3a0b6fde94f651a496cb0c1f12f88d96
Add sdcard FUSE daemon flag to specify the GID required for a package
to have write access. Normally sdcard_rw, but it will be media_rw
for secondary external storage devices, so DefaultContainerService
can still clean up package directories after uninstall.
Create /mnt/media_rw which is where vold will mount raw secondary
external storage devices before wrapping them in a FUSE instance.
Bug: 10330128, 10330229
Change-Id: I4385c36fd9035cdf56892aaf7b36ef4b81f4418a
I97b3d86a69681330bba549491a2fb39df6cf20ef introduced a separate type
for the adb_keys file. Set the security context of the adb_keys file
accordingly by adding restorecon commands to init.rc.
Change-Id: I30e4d2a1ae223a03eadee58a883c79932fff59fe
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Use kernel oom_score_adj interface to make init and children unkillable.
Stop using older, deprecated oom_adj interface.
Use OOM_SCORE_ADJ_MIN to make the processes unkillable (previously the processes
were set to a very low score, but not unkillable).
Change-Id: I680965009585c2a5a580859fb946f2d0caa95d9c
The log_target parameter of android_fork_execvp_ext() is now a
bit field, and multiple targets can be set to log to multiple
places at the same time.
The new target LOG_FILE will log to a file specified by the new
parameter file_path.
Set LOG_FILE and log to a file in /dev (the only writable filesystem
avilable when e2fsck runs) when invoking e2fsck in fs_mgr.
Bug: 10021342
Change-Id: I63baf644cc8c3afccc8345df27a74203b44d0400
Before this change, FUSE lookup() would have the side effect of
creating the directory on behalf of apps. This resulted in most
directories being created just by Settings trying to measure disk
space. Instead, we're switching to have vold do directory creation
when an app doesn't have enough permissions.
Create fs_mkdirs() utility to create all parent directories in a
path as needed. Allow traversal (+x) into /storage directories.
Fix FUSE derived permissions to be case insensitive. Mark well-known
directories as .nomedia when created.
Bug: 10577808, 10330221
Change-Id: I53114f2e63ffbe6de4ba6a72d94a232523231cad
Policy reload is handled by setting the selinux.reload_policy property
and letting the init process perform the actual loading of policy into
the kernel. Thus, there should be no need for the system UID to directly
write to /sys/fs/selinux/load.
Change-Id: I240c5bb2deaee757a2e1e396e14dea9e5d9286f5
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
It's a security best practice to carry entropy across reboots.
(see "man 4 random"). Currently, entropy saving and mixing occur
in the system_server, via the EntropyMixer code. Unfortunately, the
EntropyMixer code runs fairly late in the boot process, which means
early boot doesn't have high quality entropy. This has caused security
problems in the past.
Load entropy data as soon as we can in the early boot process, so that
we can get /dev/random / /dev/urandom into a "random" state earlier.
Bug: 9983133
Change-Id: Id4a6f39e9060f30fe7497bd8f8085a9bec851e80