A typo in the documentation for one, and a couple of signed/unsigned warnings
in the implementation of the other.
Change-Id: I8fb4b7448ac901c543dea7420aabcedf13ec1bd8
"&&" operator can now be used to test the validity
of two or more properties.
For example:
on property:test.a=1 && property:test.b=1
setprop test.c 1
The above stub sets test.c to 1 only when
both test.a=1 and test.b=1.
(cherry-pick of 162f7d797c67019a7a3f08c3b0f0ffc91d548ddc.)
Change-Id: I72c19f7aa92231372a416193618ee6c7fd368141
Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
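An added example of the trigger syntax the commit above introduces (this is illustration code, not init's own parser): a constructed property table stands in for init's property store, and trigger_matches() splits the trigger on "&&" and requires every "property:<name>=<value>" term to hold before an action such as "setprop test.c 1" would run. The table contents and the 128-byte name limit are this example's assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed property table standing in for init's property store. */
struct prop { const char *name; const char *value; };
static const struct prop PROPS[] = {
    { "test.a", "1" },
    { "test.b", "1" },
    { "test.c", "0" },
};

static const char *prop_get(const char *name) {
    for (size_t i = 0; i < sizeof PROPS / sizeof PROPS[0]; i++)
        if (strcmp(PROPS[i].name, name) == 0) return PROPS[i].value;
    return NULL;
}

/* Evaluate one "property:<name>=<value>" term of the given length.  Returns 1
 * on match; a malformed term or an unset property counts as no match. */
static int eval_term(const char *term, size_t len) {
    static const char prefix[] = "property:";
    const size_t plen = sizeof prefix - 1;
    if (len <= plen || strncmp(term, prefix, plen) != 0) return 0;
    const char *eq = memchr(term + plen, '=', len - plen);
    if (!eq) return 0;
    char name[128];
    size_t nlen = (size_t)(eq - (term + plen));
    if (nlen == 0 || nlen >= sizeof name) return 0;
    memcpy(name, term + plen, nlen);
    name[nlen] = '\0';
    const char *want = eq + 1;
    size_t wlen = (size_t)((term + len) - want);
    const char *have = prop_get(name);
    return have != NULL && strlen(have) == wlen && memcmp(have, want, wlen) == 0;
}

/* Evaluate a trigger such as "property:test.a=1 && property:test.b=1":
 * every "&&"-separated term must hold (spaces around terms are ignored). */
int trigger_matches(const char *trigger) {
    const char *p = trigger;
    for (;;) {
        const char *sep = strstr(p, "&&");
        const char *end = sep ? sep : p + strlen(p);
        const char *s = p;
        while (s < end && *s == ' ') s++;
        const char *e = end;
        while (e > s && e[-1] == ' ') e--;
        if (!eval_term(s, (size_t)(e - s))) return 0;
        if (!sep) return 1;
        p = sep + 2;
    }
}

int main(void) {
    const char *t = "property:test.a=1 && property:test.b=1";
    printf("%s -> %s\n", t, trigger_matches(t) ? "run 'setprop test.c 1'" : "skip");
    return 0;
}
```

A value comparison is done on exact length, so "property:test.a=1" does not match a property whose value is "11", and an unset property never matches.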
42a9349dc4 modified init's
builtin chmod, chown, and mkdir calls to avoid following
symlinks. This addressed a number of attacks we were seeing
at the time where poorly written init scripts were following
attacker supplied symlinks resulting in rooting vulnerabilities.
To avoid race conditions, the previous implementation only ran
fchown / fchmod on file descriptors opened with open(O_NOFOLLOW).
Unfortunately, unlike the normal "chown" or "chmod" calls, this
requires read or write access to the underlying file. This
isn't ideal, as opening some files may have side effects, or
init may not have permission to open certain files (such as when
SELinux is enabled).
Instead of using open(O_NOFOLLOW) + fchown(), use lchown() instead.
As before, the target of the symlink won't be modified by chown.
This also supports setting the ownership of symlinks.
Instead of using open(O_NOFOLLOW) + fchmod(), use
fchmodat(AT_SYMLINK_NOFOLLOW) instead. As before, the target of the
symlink won't be modified by chmod.
This change will continue to ensure that chown/chmod/mkdir doesn't
follow symlinks, without requiring init to open every file in
read-only or read-write mode.
This change depends on bionic commit I1eba0cdb2c509d9193ceecf28f13118188a3cfa7
Addresses the following mako/occam SELinux denial:
audit(1422770408.951:6): avc: denied { write } for pid=1 comm="init" name="smd7" dev="tmpfs" ino=7207 scontext=u:r:init:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
Change-Id: I14fde956784d65c44e7aa91dd7eea9a004df3081
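An added example that is not the init source or the bionic change referenced above: chmod_nofollow() tries fchmodat(AT_SYMLINK_NOFOLLOW) as the commit describes and, if the C library reports the flag as unsupported, falls back to an O_PATH descriptor (a fallback this example assumes; it needs neither read nor write permission on the file, which is the point the commit makes about open(O_NOFOLLOW)); chown_nofollow() wraps lchown(). run_nofollow_demo() builds a 0600 file plus a symlink to it in a temporary directory, applies chmod and chown through the link, and confirms the target's mode is untouched while a plain file can still be changed. Paths and names are this example's own.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE          /* for O_PATH */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_PATH
#define O_PATH 010000000     /* Linux value, in case the libc headers hide it */
#endif

/* chmod that never follows a symlink at the final path component.  First try
 * fchmodat(AT_SYMLINK_NOFOLLOW) as the commit does; if the C library reports
 * the flag as unsupported, fall back to an O_PATH descriptor (no read/write
 * permission needed), refuse it if it is a symlink, and apply the mode via
 * /proc/self/fd.  Returns 0 on success, -1 with errno set. */
int chmod_nofollow(const char *path, mode_t mode) {
    if (fchmodat(AT_FDCWD, path, mode, AT_SYMLINK_NOFOLLOW) == 0) return 0;
    if (errno != ENOTSUP && errno != EOPNOTSUPP) return -1;
    int fd = open(path, O_PATH | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0) { int e = errno; close(fd); errno = e; return -1; }
    if (S_ISLNK(st.st_mode)) { close(fd); errno = ELOOP; return -1; }
    char proc[64];
    snprintf(proc, sizeof proc, "/proc/self/fd/%d", fd);
    int rc = chmod(proc, mode);       /* the magic link resolves to the opened file */
    int e = errno;
    close(fd);
    errno = e;
    return rc;
}

/* chown that changes the link itself, never its target. */
int chown_nofollow(const char *path, uid_t uid, gid_t gid) {
    return lchown(path, uid, gid);
}

/* Demo in a private temp dir: a 0600 target, a symlink pointing at it (the
 * shape of the attacks the commit describes), then chmod/chown through the
 * link.  Returns 1 only if the target's mode is untouched, the link's own
 * ownership call succeeded, and chmod_nofollow still works on a plain file. */
int run_nofollow_demo(void) {
    char dir[] = "/tmp/nofollow-demo-XXXXXX";
    if (!mkdtemp(dir)) return 0;
    char target[256], link[256], plain[256];
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    snprintf(plain, sizeof plain, "%s/plain", dir);
    int ok = 0;
    int t = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int p = open(plain, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (t >= 0 && p >= 0 && symlink(target, link) == 0) {
        struct stat st;
        int rc = chmod_nofollow(link, 0666);      /* expected to fail, target untouched */
        int err = errno;
        int untouched = stat(target, &st) == 0 && (st.st_mode & 07777) == 0600;
        int link_owned = chown_nofollow(link, getuid(), getgid()) == 0;
        int plain_ok = chmod_nofollow(plain, 0640) == 0 &&
                       stat(plain, &st) == 0 && (st.st_mode & 07777) == 0640;
        printf("chmod via link rc=%d (%s) target untouched=%d lchown=%d plain chmod=%d\n",
               rc, rc ? strerror(err) : "ok", untouched, link_owned, plain_ok);
        ok = untouched && link_owned && plain_ok;
    }
    if (t >= 0) close(t);
    if (p >= 0) close(p);
    unlink(link); unlink(plain); unlink(target); rmdir(dir);
    return ok;
}

int main(void) {
    return run_nofollow_demo() ? 0 : 1;
}
```

Whatever error the libc reports for the symlink case (ELOOP from the fallback or EOPNOTSUPP from fchmodat itself), the observable guarantee the commit wants is the same: the file behind the link keeps its mode.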
LOCAL_FORCE_STATIC_EXECUTABLE was not working properly for clang
because -Bstatic was ignored by clang. We can now enable clang
for init after the -static flag is added to link static executable
files in build/core/definitions.mk.
BUG: 18008984
Change-Id: I3f361b83c1e0b313914603dff33fd090cd3b116a
For build-system CFLAGS clean-up, fix unused variables.
Use a #define instead of static variable in a header file.
Change-Id: Id47bf38e51644b61a9f3ac1893a16553695f1aac
init doesn't start when built with clang.
Set LOCAL_CLANG:=false until this is analyzed and fixed.
Change-Id: I5a7944aef676ce88defe5c0449e712d9812fb5f3
Signed-off-by: Bernhard Rosenkraenzer <Bernhard.Rosenkranzer@linaro.org>
This commit fixes code that incorrectly increments s when it
hits the terminator character of the string being sanitized.
This means it will randomly start trashing memory beyond the
end of the string being sanitized until it happens to hit two
NULs (\0\0) which will break it out of the loop.
Change-Id: I76553d7f183236a78a0bc7b408e92559b98f732f
waitpid breaks whenever child status signals. Need to loop, continuing
on errno EINTR
Bug: 17515976
Change-Id: Ibb29056a38b3c90dc7904de8c6aedb5a362e511d
We originally included a warning to not invoke restorecon_recursive
with a path leading to a shell-writable or app-writable directory
due to concerns about the potential for mischief with symlinks during
the restorecon_recursive. However, this warning was never necessary for
calling restorecon_recursive during system initialization before an adb
shell or app can run, and we have further prohibited init from
reading/following symlinks that can be created by shell or apps in
policy, so this warning is superfluous. It also contradicts current
usage of restorecon_recursive in rootdir/init.rc, since it is called
there on /data.
Change-Id: I28a635e0b5991ced8adcef93e7a04f9d9e5634fd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Need to not set this property during mount, since it can't
be changed later (ro property).
Also no reason to start class main on encryption cycle - we'll
show surfaceflinger, which is enough UI for this short cycle.
Bug: 17041092
Change-Id: Ica5339c54e45716d0fe20e23c0ab857f388d23ed
Make sure to call _exit instead of exit to avoid triggering exit
handlers that may have existed in the parent process.
Print out a log message when forking to process firmware events fails.
Change-Id: I2436bdf85d9a8ea26b718e62023f1dac89864667
Ideally bootchart collects system data every BOOTCHART_POLLING_MS ms.
However, the current bootchart pacing logic would collect data every
time the main loop in init.c is executed. This results in:
1. Multiple data samples being taken consecutively or prematurely. In
many cases, these data samples have the same timestamp (in jiffies).
The off-line data processing tool would complain about dividing by
zero "interval" and bail out.
2. Because of the ineffective pacing, bootchart data collection would
terminate prematurely. The total duration of data collection is usually
much shorter than what the user specifies.
The fix is to check whether BOOTCHART_POLLING_MS ms has elapsed
before taking a new data sample. For this purpose, /proc/uptime
is used to get the time values, consistent with the precision of
bootchart timestamps.
Change-Id: I106bf91dbda01059b719df6c73b8bd1cd54a64f0
Signed-off-by: Bo (Andover) Zhang <zhang@broadcom.com>
Move the unlink out of init.c and into init.rc, so that the file
will be removed after all the filesystems with firmware are up.
Change-Id: Ifdd5dd1e95d7e064dde5c80b70198882d949a710
Move the unlink out of init.c and into init.rc, so that the file
will be removed after all the filesystems with firmware are up.
Change-Id: I7442df2042cc2788d0301f00e3c2fba7d6e0e1c7
The init process allows environment variables to be specified in
the rc script globally, via 'export', and for a specific process,
via the 'setenv' option.
However, the mechanism for assembling the environment simply
appended the new variable without checking whether it was already
defined, so it was not possible to overwrite an existing entry.
This patch fixes that behaviour.
Limitations and concerns:
The limit of a maximum number of 31 variables is unchanged.
Currently, most callers of "add_environment" do not check the return
value, but the function now logs the failure rather than failing
silently.
Change-Id: Ie9a68c37a0f55c5b40e904e695cd35514f67f480
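An added example of the overwrite semantics the commit above describes (illustration code, not init's own add_environment): a NULL-terminated NAME=VALUE table capped at 31 entries, where adding a name that already exists replaces that entry in place instead of appending a second copy, and a full table logs the failure and returns -1. The table layout, get_environment() and the helper names are this example's assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENV_VARS 31   /* the limit the commit leaves unchanged */

/* Environment table: "NAME=VALUE" strings, NULL-terminated. */
static char *ENV[MAX_ENV_VARS + 1];

/* Length of the NAME part of a "NAME=VALUE" entry. */
static size_t env_name_len(const char *entry) {
    const char *eq = strchr(entry, '=');
    return eq ? (size_t)(eq - entry) : strlen(entry);
}

/* Add or overwrite an environment entry.  Returns 0 on success, -1 if the
 * key is malformed or the table is full; failures are logged, not silent. */
int add_environment(const char *key, const char *val) {
    if (!key || !*key || !val || strchr(key, '=')) {
        fprintf(stderr, "init: bad environment key\n");
        return -1;
    }
    size_t klen = strlen(key);
    char *entry = malloc(klen + 1 + strlen(val) + 1);
    if (!entry) return -1;
    sprintf(entry, "%s=%s", key, val);

    /* An existing definition of the same name is replaced in place. */
    for (size_t i = 0; ENV[i]; i++) {
        if (env_name_len(ENV[i]) == klen && strncmp(ENV[i], key, klen) == 0) {
            free(ENV[i]);
            ENV[i] = entry;
            return 0;
        }
    }
    /* Otherwise append, respecting the 31-entry limit. */
    for (size_t i = 0; i < MAX_ENV_VARS; i++) {
        if (!ENV[i]) {
            ENV[i] = entry;
            ENV[i + 1] = NULL;
            return 0;
        }
    }
    fprintf(stderr, "init: environment full, dropping %s\n", key);
    free(entry);
    return -1;
}

/* Value of NAME, or NULL when it is not set. */
const char *get_environment(const char *key) {
    size_t klen = strlen(key);
    for (size_t i = 0; ENV[i]; i++)
        if (env_name_len(ENV[i]) == klen && strncmp(ENV[i], key, klen) == 0)
            return ENV[i] + klen + 1;
    return NULL;
}

size_t environment_count(void) {
    size_t n = 0;
    while (ENV[n]) n++;
    return n;
}

void clear_environment(void) {
    for (size_t i = 0; ENV[i]; i++) { free(ENV[i]); ENV[i] = NULL; }
}

/* Add variables V0..V(n-1); returns how many were accepted before the limit. */
int fill_environment(int n) {
    char name[16];
    int i;
    for (i = 0; i < n; i++) {
        snprintf(name, sizeof name, "V%d", i);
        if (add_environment(name, "1") != 0) break;
    }
    return i;
}

int main(void) {
    add_environment("PATH", "/sbin");
    add_environment("PATH", "/sbin:/system/bin");   /* overwrites, no duplicate */
    printf("PATH=%s (%zu entries)\n", get_environment("PATH"), environment_count());
    clear_environment();
    return 0;
}
```

The name comparison checks the full length before the '=', so a key such as PATHX is never mistaken for an existing PATH entry.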
Currently, the fixup code in fixup_sys_perms() scans through all
entries in uevent*.rc. If it finds a match, then it performs a fixup.
If there's no match in that file, no fixup is performed.
SELinux file labels are independently stored in /file_contexts,
with no relationship to the files in /ueventd.rc. Even when no
entries exist in ueventd.rc, we still want to fixup the SELinux
file label in /sys when a uevent message occurs.
Change-Id: I0ccb5395ec0be9282095b844a5022e8c0d8903ac
If the encryptable partition is wiped (4KB worth of 0 or 0xff),
then reboot into recovery to format /data+/cache
This is while waiting for the Mac OS support to format f2fs.
The flashstation running on Mac OS will currently just erase userdata
and not format it with f2fs.
Bug: 15720406
Bug: 15747366
Change-Id: Ib7cca3e1701483a09573457a835750f34da71ee0
Move the code that attempts to mount alternative fstab entries
into its own function.
Clarify return codes.
Suggest wipe via recovery in error messages.
Bug: 15747366
Change-Id: I3634477cd4d1d73f974f3e906c53285f0d9e0eac
Signed-off-by: JP Abgrall <jpa@google.com>
+ Add a new property, sys.init_log_level, which can be set after init
bootstrap. This will control the level at which init prints to klog.
Change-Id: Ia15b2110157b5e6b713785ece9b0fb94889be6c8
+ Make prints of rc commands significantly more verbose. All commands
will log all arguments, file/line number of the command, return value,
and parent action which triggered the command.
init: command 'mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000' action=init
status=0 (/init.rc:89)
init: command 'setprop net.tcp.default_init_rwnd 60' action=boot status=0
(/init.rc:403)
Change-Id: I5498c7258e4891706be4a12546df4231d14d86c4
We already do this for init, but had failed to do it for ueventd
and could not capture any logging from libselinux calls made by
ueventd.
Truly enabling non-error logging also requires uncommenting a line
in Android.mk:
LOCAL_CFLAGS += -DLOG_UEVENTS=1
which enables other logging and sets the default log level to INFO,
or otherwise changing the klog level in the ueventd code (it is not
settable by the init.rc loglevel).
Change-Id: I00e6f9d6271f2a21d9078c96368816d74d6d2850
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Add the ability to boot up directly from charger mode, instead of forcing
charger mode to initiate a full restart to launch 'full' android. This
should shave a few seconds off of boot time on supported devices (just
manta for now).
Change-Id: Ieec4494d929e92806e039f834d78b9002afd15c4
The sysfs nodes can change from devices to devices for
a particular class of peripheral. Some of them even change
after suspend/resume, e.g. rfkill for USB bluetooth adapters.
This patch adds to the way how ueventd rules with wildcard are
handled. In addition to matching the prefix with a trailing
wildcard, now rules can have wildcard anywhere in the rule.
The wildcard matching is implemented using fnmatch(), where
its matching is similar to shell pathname expansion. It suits
this particular usage model well. To avoid abuse, the number of
slashes has to match between path name and the rule.
For example, instead of creating a rule to match:
/sys/devices/pci0000:00/0000:00:1d.0/usb2/2-1/2-1.3/2-1.3:1.0/bluetooth/hci0/rfkill*
this would suffice:
/sys/devices/pci0000:00/0000:00:1d.0/*/*/*/*/bluetooth/hci0/rfkill*
The prefix matching behavior is retained, such that those
rules do not have to pay for processing penalty with fnmatch().
Change-Id: I3ae6a39c838f6d12801cb71958e481b016f731f5
Signed-off-by: Daniel Leung <daniel.leung@intel.com>
Don't force people to make modifications to property_service.c
when handling properties. Exclusively use the SELinux rules,
which are more flexible and easily adjusted.
Change-Id: Ic0bbd01b5df2eef0040286ac59c0a01e9bd14315
When ueventd creates a device node, it may also create one or more
symlinks to the device node. These symlinks may be the only stable
name for the device, e.g. if the partition is dynamically assigned.
A corresponding change with the same Change-Id to external/libselinux
introduces selabel_lookup_best_match() to support looking up the "best match"
for a device node based on its real path (key) and any links to it
(aliases). This change updates ueventd to use this new interface
to find the best match for the device node when creating it.
Change-Id: Id6c2597eee2b6723a5089dcf7c450f8d0a4128f4
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Only parse and honor the kernel command line on userdebug
or eng builds. On user builds, assume that selinux is always enabled
and enforcing.
Change-Id: I71c66e4365bdf2f226800634126a38b716d96599
To ensure that well-crafted removable media can't spoof the
internal partitions, for platform devices the controller id
is inside the generated path.
We now do the same for PCI devices. The generated path has
two levels; the PCI domain/bus, and then the peripheral ID.
This lets us get by-name symlinks for PCI media, such as the
SATA controllers on PC-like hardware. The symlinks will be
created under /dev/block/pci/. For example:
/dev/block/pci/pci0000:00/0000:00:1f.2/by-name/
Change-Id: Icee3e86bef5569c2bbd94c26bc00d49028345e3b
Signed-off-by: Andrew Boie <andrew.p.boie@intel.com>
- AID_SYSTEM can set persist.logd.size
- AID_SYSTEM can issue command to /dev/socket/logd to
change the runtime global log sizes.
- Add support for ro.logd.size.* as populated by BoardConfig.mk
- Limit size to maximum ~3% of physical memory.
Bug: 14563261
Bug: 14627052
Change-Id: I606420db2e9d9d032296e71149e4a5b20cbd1137
enable <servicename>
Turns a disabled service into an enabled one as if the service did not
specify disabled in the rc file.
It will also start the service if needed.
Bug: 14472973
Change-Id: Id0b49cc687a2bc74f6f92e066c617724cc94908d
Signed-off-by: JP Abgrall <jpa@google.com>
cpufreq
The owner and permissions for the sysfs file
/sys/devices/system/cpu*/cpufreq/scaling_max/min_freq is changed.
This would allow the PowerHAL to change the max/min cpufreq even after
the associated CPUs are hotplugged out and back in.
Change-Id: Ibe0b4aaf3db555ed48e89a7fcd0c5fd3a18cf233
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
When deciding on which property_contexts policy to load
during a reload, an initial call is made to libselinux to
grab the correct policy index. This policy index represents
whether the /data/security or the rootfs version will
be used.
Change-Id: I4716039bb0f5ba1e961977a18350347a67969dca
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
Some devices leave "ro.build.fingerprint" undefined at build time,
since they need to build it from the components at runtime.
Bug: 13340779
Change-Id: I033ff7600e68edffdea101fec30246135646b4b2
Modify fs_mgr to unmount encryptable drives after test mounting them and
then trigger an auto-encrypt via the init script
Needs matching vold changes from
https://googleplex-android-review.googlesource.com/#/c/414200/
Feature is limited to list of serial numbers with this change
Bug: 11985952
Change-Id: I84f85a258b6a7e9809467c9149249302e203c41b
During boot, allow a property file to import properties from another
file. Supports importing the entire file, a specific key, or any
keys matching a specific prefix. Here's some example syntax:
import /oem/oem.prop
import /oem/oem.prop foo.*
import /oem/oem.prop foo.bar
Bug: 13340779
Change-Id: I867f9a10ca09684326675d9f051f5cf2ae171617
* changes:
init: Add "partition.*.verified" properties to the property service.
fs_mgr: Set the 'partition.*.verified' property for verified partitions.
These are intended to be used by the rest of the system as weak
indicators that the corresponding partition is verified. For
instance, if the "partition.system.verified" property is set then
using `adb remount` would be unwise.
These should not be used as the basis for security decisions.
Change-Id: Ibea4c13abd54f46537e2a406774412c25918b24d
* Modify liblog to send all messages to the new syslog user
space daemon.
Original-Change-Id: I0ce439738cd921efb2db4c1d6a289a96bdbc8bc2
Original-Change-Id: If4eb0d09409f7e9be3eb4bb7017073dc7e931ab4
Signed-off-by: Nick Kralevich <nnk@google.com>
* Add a TARGET_USES_LOGD make flag for BoardConfig.mk to manage
whether logd is enabled for use or not.
* rename syslog to logd to avert confusion with bionic syslog
* Add fake log support back in
* prefilter for logging messages from logd
* Fill in timestamps at logging source
* update abstract log reader
* switch from using suffix for id to v3 format
* log a message when creating devices that a deprecated interface
is being utilized.
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
(cherry pick from commit 099e2c1f6f706a8600c1cef74cce9066fc315480)
Change-Id: I47929a5432977a1d7235267a435cec0a7d6bd440
* Modify liblog to send all messages to the new syslog user
space daemon.
Original-Change-Id: I0ce439738cd921efb2db4c1d6a289a96bdbc8bc2
Original-Change-Id: If4eb0d09409f7e9be3eb4bb7017073dc7e931ab4
Signed-off-by: Nick Kralevich <nnk@google.com>
* Add a TARGET_USES_LOGD make flag for BoardConfig.mk to manage
whether logd is enabled for use or not.
* rename syslog to logd to avert confusion with bionic syslog
* Add fake log support back in
* prefilter for logging messages from logd
* Fill in timestamps at logging source
* update abstract log reader
* switch from using suffix for id to v3 format
* log a message when creating devices that a deprecated interface
is being utilized.
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Change-Id: I47929a5432977a1d7235267a435cec0a7d6bd440
Eliminates various warnings from SELinux-related code.
Bug: 12587913
Change-Id: I28921f0ebd934324436609540d95ccef58552b64
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
If userdata is default encrypted, we should mount it at boot
to avoid bringing the framework up and then down unnecessarily.
Needs matching vold changes from
https://googleplex-android-review.googlesource.com/#/c/412649/
Bug: 8769627
Change-Id: I4b8276befd832cd788e15c36edfbf8f0e18d7e6b
libselinux selinux_android_restorecon API is changing to the more
general interface with flags and dropping the older variants.
Also get rid of the old, no longer used selinux_android_setfilecon API
and rename selinux_android_setfilecon2 to it as it is the only API in use.
Change-Id: I1e71ec398ccdc24cac4ec76f1b858d0f680f4925
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Any app can
socket_local_client_connect(s, "property_service", ANDROID_SOCKET_NAMESPACE_RESERVED, SOCK_STREAM)
and just keep it open without sending anything.
From then on, the property_service.c::handle_property_set_fd() will
just recv() forever.
This prevents any other properties (i.e. property_set("sys.powerctl", "reboot"))
from being processed.
Now, we just poll() for 2 sec before recv(...,MSG_DONTWAIT).
Bug: 12061560
Change-Id: Iffea4ebb444c7100b59c43ed87aecc5c99f9d3e8
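An added example of the fix described above, not the property_service.c code itself: recv_with_timeout() polls for readability with a bounded timeout (the 2 s constant mirrors the commit; the short values in the tests are this example's choice) and then reads with MSG_DONTWAIT, so a client that connects and never sends anything costs the service one timeout rather than an indefinite recv(). The three scenario helpers use a socketpair standing in for the reserved property_service socket.

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum { RECV_TIMEOUT = -2, RECV_ERROR = -1 };   /* 0 means the peer closed */

#define PROPERTY_RECV_TIMEOUT_MS 2000           /* the 2 s the commit chose */

/* Wait at most timeout_ms for the socket to become readable, then read it
 * without blocking.  poll() is retried on EINTR so a signal cannot turn a
 * timeout into a spurious error. */
ssize_t recv_with_timeout(int fd, void *buf, size_t len, int timeout_ms) {
    struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };
    int rc;
    do {
        rc = poll(&pfd, 1, timeout_ms);
    } while (rc < 0 && errno == EINTR);
    if (rc < 0) return RECV_ERROR;
    if (rc == 0) return RECV_TIMEOUT;
    ssize_t n = recv(fd, buf, len, MSG_DONTWAIT);
    if (n < 0) return (errno == EAGAIN || errno == EWOULDBLOCK) ? RECV_TIMEOUT : RECV_ERROR;
    return n;
}

/* Constructed scenarios over a socketpair standing in for the
 * property_service socket.  Each returns recv_with_timeout()'s result. */
ssize_t silent_client_result(int timeout_ms) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return RECV_ERROR;
    char buf[128];
    ssize_t r = recv_with_timeout(sv[0], buf, sizeof buf, timeout_ms);  /* peer sends nothing */
    close(sv[0]);
    close(sv[1]);
    return r;
}

ssize_t talking_client_result(const char *msg, int timeout_ms) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return RECV_ERROR;
    size_t len = strlen(msg);
    ssize_t r = RECV_ERROR;
    if (write(sv[1], msg, len) == (ssize_t)len) {
        char buf[128];
        r = recv_with_timeout(sv[0], buf, sizeof buf, timeout_ms);
    }
    close(sv[0]);
    close(sv[1]);
    return r;
}

ssize_t closed_client_result(int timeout_ms) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return RECV_ERROR;
    close(sv[1]);                                  /* peer hangs up without sending */
    char buf[128];
    ssize_t r = recv_with_timeout(sv[0], buf, sizeof buf, timeout_ms);
    close(sv[0]);
    return r;
}

int main(void) {
    printf("silent client : %zd\n", silent_client_result(PROPERTY_RECV_TIMEOUT_MS));
    printf("talking client: %zd bytes\n",
           talking_client_result("sys.powerctl=reboot", PROPERTY_RECV_TIMEOUT_MS));
    printf("closed client : %zd\n", closed_client_result(PROPERTY_RECV_TIMEOUT_MS));
    return 0;
}
```

A peer that closes without sending shows up as readable, and recv() then returns 0; the caller should treat that as end-of-stream, distinct from the timeout code.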
This requires telling libselinux to use the sehandle already
obtained by init rather than re-acquiring it internally. init
retains ownership of the sehandle because it performs the
initial load, uses the sehandle for other purposes (e.g. labeling
of directories created via mkdir and labeling of socket files),
and handles the policy reload property trigger.
Change-Id: I4a380caab7f8481c33eb64fcdb16b6cabe918ebd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This cleans up most of the size-related problems in system/core.
There are still a few changes needed for a clean 64-bit build,
but they look like they might require changes to things like the
fastboot protocol.
Change-Id: I1560425a289fa158e13e2e3173cc3e71976f92c0
Add a service called "pre-recovery" which is normally stopped but can
be started by the system server when we want to go into recovery. It
will do any preparation needed (currently needed to handle update
packages that reside on an encrypted /data partition) and then set
sys.powerctl when it's ready to actually reboot.
Bug: 12188746
Change-Id: I894a4cb200395a0f6d7fe643ed4c2ac0a45d2052
Currently, the restorecon_recursive("/sys") call in
init.c takes approx 2 seconds on hammerhead. This change
reduces the delay to 1.2 seconds.
1) Avoid double stat call when using nftw (time savings
of 0.3 seconds)
2) Avoid the repeated calls to is_selinux_enabled() (time
savings of 0.5 seconds)
Avoid calling lsetfilecon if the file is already properly
labeled. This doesn't speed up the restorecon on /sys,
but it should help when handling files on /data.
Bug: 11640230
Change-Id: Ie212ce4f4acade208c5676d60c1f03f50e2388a4