Commit Graph

26763 Commits

Author SHA1 Message Date
Prashant Malani 2cdc67eed5 fs_mgr: Add support for at-boot verification
Running dm-verity on heavily accessed partitions leads to performance
slowdowns, especially on low-RAM and slow-CPU devices.

This patch introduces a flag to allow an entire verified partition to be
read once at boot, to check for corruptions. If the reads are
successful, we can mount the partition as raw & read-only, and if not,
we can revert to mounting it as a verity partition, just like before.

Usage of this flag will entail a slowdown of time-to-boot, but should
lead to improvements in runtime performance.

(cherry picked from commit 34543c03e6)

Bug: 32433608
Test: Compile
Change-Id: I97717683a00ad6fa347e63b72b1a9bf1d2946315
2017-01-11 22:00:25 +08:00
Andre Eisenbach a398921635 Merge "Allow Bluetooth HAL to access /sys/class/rfkill"
am: 6ad690dfd4

Change-Id: I1988d864cfb3ed15dc2cc62e6efca554e018d448
2017-01-11 02:37:23 +00:00
Treehugger Robot 6ad690dfd4 Merge "Allow Bluetooth HAL to access /sys/class/rfkill" 2017-01-11 02:31:49 +00:00
Andre Eisenbach 8097210093 Allow Bluetooth HAL to access /sys/class/rfkill
Test: compiles; HAL can write rfkill state
Change-Id: I5815a1f50ef8d09bf83541a6d2389b61bd007306
2017-01-10 23:40:20 +00:00
Keun-young Park 3dccdc5ec5 Merge "e2fsck: drop -f when TARGET_USES_MKE2FS is enabled"
am: f3780f3cc8

Change-Id: I6c288a2ef3b571fb6ab347468e06e15ea033363c
2017-01-10 19:55:58 +00:00
Treehugger Robot f3780f3cc8 Merge "e2fsck: drop -f when TARGET_USES_MKE2FS is enabled" 2017-01-10 19:49:34 +00:00
Keun-young Park 22e8199175 e2fsck: drop -f when TARGET_USES_MKE2FS is enabled
- Drop forced (-f) e2fsck check when the product has
  enabled new ext4 generation by setting TARGET_USES_MKE2FS.
- The new generation tool is supposed to give better stability,
  thus justifying dropping -f.
- This should help reducing boot-up time as full check (-f) can
  increase boot-up time significantly depending on amount of data.

bug: 32246772
Test: many reboots
Change-Id: I631525bf7504bbfb025e170c8d24ad9d3ef3532e
2017-01-10 10:17:57 -08:00
Paul Lawrence db929bf9b7 Enable seccomp in init with generated policy
Test: Ran script to test performance - https://b.corp.google.com/issues/32313202#comment3
      Saw no significant regression with this change on or off
      Removed chroot from SYSCALLS.TXT - chroot blocked
      Boot time appears reasonable
      Device boots with no SECCOMP blockings
      Measured per syscall time of 100ns
      Empirically counted <100,000 syscalls a second under heavy load

Bug: 32313202
Change-Id: Icfcfbcb72b2de1b38f1ad6a82e8ece3bd1c9e7ec
2017-01-10 10:09:38 -08:00
Neil Fuller eec2bfb53b Change tzdatacheck to account for bundle format changes
Change tzdatacheck to account for bundle format changes:
The update bundle now contains a bundle_version file to enable
us to detect changes to the format of the files in addition to
just checking the IANA rules version. The version will be
incremented as we make incompatible changes to the structure
of the bundle (e.g. the files present or their names), the
file formats or the file contents.

The old assumption was that a system image would typically
contain newer rules than had been pushed via ConfigUpdater
and we'd never get rid of the tzdata file from the bundle
content.

If Android makes rule updates routinely or makes substantial
changes to the timezone data files between major releases
then this assumption becomes (even more) untenable.

The bundle_version file in the bundle is expected to contain
the ASCII bytes for "001". This could be extended
in a future version to include minor versioning information
(e.g. "002.001") and so the code here only reads the first
three bytes. This allows for a future change to add the minor
version suffix and optionally increment the major version if
required.

Some error conditions that were previously treated as fatal
are now handled more elegantly. Generally if things are not
as expected with the installed bundle in /data tzdatacheck
will attempt to delete it. The return code of the binary is
used to distinguish between failure cases, which will be
used in a future automated test.

Some of the ConfigUpdater deletion code has been temporarily
retained (with a TODO) so the v2 of the installer code can be
used with ConfigUpdater/ConfigInstaller and keep something
like the existing process working until we have replaced it
with some thing better.

Using the v2 installer code with ConfigInstaller is one
possible fallback if the new distribution approach is not
completed in time.

Bug: 31008728
Test: Manual testing
Change-Id: Ib253f7d4c9cd72d3e392754f4b787a98ec22bc53
2017-01-10 14:38:35 +00:00
Hung-ying Tyan 7da0c3db16 Merge "fs_mgr: add verify_dev flag to fs_mgr_setup_verity()"
am: abc26ed753

Change-Id: I25ade5d260a61c4af89d370471114b320eb4fe05
2017-01-10 04:07:03 +00:00
Treehugger Robot abc26ed753 Merge "fs_mgr: add verify_dev flag to fs_mgr_setup_verity()" 2017-01-10 04:00:19 +00:00
Tomasz Wasilczyk a6cbd75741 Merge "Make metadata field mandatory for program info struct."
am: e324500f3f

Change-Id: I21ffde4a3160cbf1d1c089a715cd0e61f977087e
2017-01-10 01:33:24 +00:00
Tomasz Wasilczyk e324500f3f Merge "Make metadata field mandatory for program info struct." 2017-01-10 01:24:27 +00:00
Elliott Hughes 5f57659030 Merge "Revert "Revert "android_ids: move to bionic"""
am: b2375fc40c

Change-Id: Ifc69bdc6668e173517206b75f9d1f0f7f28d8095
2017-01-10 01:23:33 +00:00
Elliott Hughes b2375fc40c Merge "Revert "Revert "android_ids: move to bionic""" 2017-01-10 01:15:30 +00:00
Tomasz Wasilczyk 70a8148b52 Make metadata field mandatory for program info struct.
Also, make metadata struct aligned.

Test: VTS, manual
Change-Id: I7dbd62d36ac21475fdbc49723ba3ea6744460d21
2017-01-09 14:26:43 -08:00
Mark Salyzyn 295f3ba442 Merge "liblog: retry -ENOTCONN | -ECONNREFUSED | -ENOENT indefinitely"
am: d5583867c6

Change-Id: I60b71aa34c305b5af0487a512b6f63f31caaaef3
2017-01-09 17:18:20 +00:00
Treehugger Robot d5583867c6 Merge "liblog: retry -ENOTCONN | -ECONNREFUSED | -ENOENT indefinitely" 2017-01-09 17:11:12 +00:00
Wei Wang 63c3065bdc Merge "Restart wificond when zygote died"
am: 7e6c19e8b8

Change-Id: If6bbfb9c68c83d7183e725818cd51ae5e9ed1573
2017-01-09 16:39:49 +00:00
Wei Wang 7e6c19e8b8 Merge "Restart wificond when zygote died" 2017-01-09 16:30:54 +00:00
Mark Salyzyn 65e1e6284c liblog: retry -ENOTCONN | -ECONNREFUSED | -ENOENT indefinitely
Deal with recovering after transitory failures surrounding logd
crash or recovery.  Improve the chances that the logging functions
can work in a signal handler, not officially supported, but making
sure logging is not blamed for system lockups when misused.

Reorder gTests so that setuid(AID_SYSTEM) is performed after
liblog.enoent test, and that this occurs after other tests that
like to see buffers with content in them as we stop logd.

Test: gTest liblog-unit-tests --gtest_filter=liblog.enoent
Bug: 33755074
Change-Id: I66f88599534614b7b61da6b2ae5fe099ebaced3a
2017-01-09 15:51:09 +00:00
Wei Wang 38fcd33e46 Restart wificond when zygote died
This helps to avoid tearDownInterfaces call from WiFiStateMachine's
constructor.

Bug: 33752168
Test: on device

(cherry picked from commit 0db195d0757e36c73b9da5a95d9b9986386f0f2e)

Change-Id: I55f56dd8daa5089073ff8dd424e92d09326c7d00
2017-01-07 19:45:42 -08:00
James Hawkins 449826ad8c Merge "bootstat: Log ro.boottime.init timing properties."
am: cdd7ec12be

Change-Id: Ia2ae2106b2140131498dfd53df17dd3c586aeb81
2017-01-07 22:19:45 +00:00
Treehugger Robot cdd7ec12be Merge "bootstat: Log ro.boottime.init timing properties." 2017-01-07 22:12:46 +00:00
Mark Salyzyn a7ce596bba Merge "liblog: test: switch to private event structures"
am: bfe1d9b83b

Change-Id: I997f81725348ac6566910c2142b6f4334ab0df34
2017-01-06 23:13:24 +00:00
Treehugger Robot bfe1d9b83b Merge "liblog: test: switch to private event structures" 2017-01-06 23:10:52 +00:00
James Hawkins ef0a090e6f bootstat: Log ro.boottime.init timing properties.
Bug: none
Test: adb logcat | grep bootstat
Change-Id: I3375c75e8ef39be710c8001f19a9e2fb493805e9
2017-01-06 14:52:52 -08:00
Mark Salyzyn b52f445dbb liblog: test: switch to private event structures
Some tests use hard-coded offsets to interpret the binary
events buffers.  Switch to using the private event structures
to access the components of common event messages.

Test: gTest liblog-unit-tests
Bug: 33755074
Change-Id: I17447814583099d5ec417a54389e962158456005
2017-01-06 22:13:34 +00:00
Dan Albert 5e650e53ff Merge "Unversion NDK stub libraries."
am: 879fc83ad1

Change-Id: Iabff159275551a9944f1e8fe39e9ef3d3f9f1079
2017-01-06 20:57:12 +00:00
Treehugger Robot 879fc83ad1 Merge "Unversion NDK stub libraries." 2017-01-06 20:49:30 +00:00
Dan Albert 9a41bcecc6 Unversion NDK stub libraries.
The system versions of these libraries aren't versioned yet.

Bug: https://github.com/android-ndk/ndk/issues/278
Test: make ndk
Change-Id: Icf5ff9921441d3e252771aef37002c772c08cbd0
2017-01-06 11:04:15 -08:00
Tao Bao b26579f326 Merge "adb: Fix the 'adb reboot sideload' for A/B devices."
am: 9f59a4663c

Change-Id: I9d1998124a38508a5681b0230ad7d11eba3edb60
2017-01-06 17:04:28 +00:00
Tao Bao 9f59a4663c Merge "adb: Fix the 'adb reboot sideload' for A/B devices." 2017-01-06 16:59:39 +00:00
Tao Bao 40e0ec918e adb: Fix the 'adb reboot sideload' for A/B devices.
We used to write the command file (/cache/recovery/command) to trigger
the sideload mode. A/B devices don't support that (may not have /cache
paritition). This CL switches to using libbootloader_message which
writes the command to BCB (bootloader control block) instead.

Test: "adb root && adb reboot sideload" reboots sailfish into recovery
      sideload mode.

Change-Id: I158fd7cbcfa9a5d0609f1f684a2d03675217628f
2017-01-05 18:01:01 -08:00
Jaekyun Seok 70f6d5878e Merge "Use shared lib of libutils, libz and libbase."
am: 4bf9c82857

Change-Id: I7429632c24ca9f7581eb4e4d94640fb222b8d56e
2017-01-05 23:27:45 +00:00
Treehugger Robot 4bf9c82857 Merge "Use shared lib of libutils, libz and libbase." 2017-01-05 23:24:21 +00:00
Sandeep Patil 871c306855 init: split property context into platform & non-platform components
Bug: 33746484
Test: Successfully boot with original service and property contexts.
Test: Successfully boot with split serivce and property contexts.
Test: 'getprop -Z'
Change-Id: I62689b229a67e319c65bf034da804f660f82bd35
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-01-05 13:19:01 -08:00
Mark Salyzyn f80377d73a Merge "logd: sepolicy dynamic rate limiting"
am: 8954ef987b

Change-Id: Id219bfcf31a621afe0c0109455119da0a29ba2d5
2017-01-05 20:44:58 +00:00
Treehugger Robot 8954ef987b Merge "logd: sepolicy dynamic rate limiting" 2017-01-05 20:28:34 +00:00
Mark Salyzyn 247d682fe1 logd: sepolicy dynamic rate limiting
Processing overhead for selinux violation messages is costly. We want
to deal with bursts of violations, but we have no intent of allowing
that sustained burst to go unabated as there is a cost of processing
and battery usage.

Tunables in libaudit.h are:

AUDIT_RATE_LIMIT_DEFAULT 20        /* acceptable burst rate      */
AUDIT_RATE_LIMIT_BURST_DURATION 10 /* number of seconds of burst */
AUDIT_RATE_LIMIT_MAX     5         /* acceptable sustained rate  */

Since we can only asymptotically handle DEFAULT rate, we set an upper
threshold of half way between the MAX and DEFAULT rate.

Default kernel audit subsystem message rate is set to 20 a second.
If sepolicy exceeds 125 violation messages over up to ten seconds
(>=~12/s), tell kernel audit subsystem to drop the rate to 5 messages
a second.  If rate drops below 50 messages over the past ten seconds
(<5/s), tell kernel it is ok to increase the burst rate back to 20
messages a second.

Test: gTest logd-unit-tests --gtest_filter=logd.sepolicy_rate_limiter_*
Bug: 27878170
Change-Id: I843f8dcfbb3ecfbbe94a4865ea332c858e3be7f2
2017-01-04 14:46:58 -08:00
Elliott Hughes 3f789b70ea Merge "Don't use bare `noreturn` in log.h."
am: fe05f1cde4

Change-Id: I5e1fa172496d2b5c038df9e1f66a7ac3734ed3bc
2017-01-04 00:42:00 +00:00
Elliott Hughes fe05f1cde4 Merge "Don't use bare `noreturn` in log.h." 2017-01-04 00:37:18 +00:00
Adrian Salido 7cc669c493 Merge "init/service.cpp: fix access check for console"
am: 4a3b03e9e5

Change-Id: I69e33c783d8afb7cd7781a8782504f3307b61435
2017-01-03 23:30:36 +00:00
Treehugger Robot 4a3b03e9e5 Merge "init/service.cpp: fix access check for console" 2017-01-03 23:27:40 +00:00
Nick Kralevich d4fc568820 Merge "Send property_service AVC messages to the kernel audit system"
am: d06f86ced6

Change-Id: I6a1b06620029935bedc28b69ec46eff0bade140b
2017-01-03 23:26:06 +00:00
Treehugger Robot d06f86ced6 Merge "Send property_service AVC messages to the kernel audit system" 2017-01-03 23:24:48 +00:00
Nick Kralevich 5083c589fa Merge "LogAudit.cpp: replace newlines with spaces in audit messages"
am: 5badada997

Change-Id: Ic19c090caafa110a88eded401015d1eebfede58d
2017-01-03 22:30:01 +00:00
Treehugger Robot 5badada997 Merge "LogAudit.cpp: replace newlines with spaces in audit messages" 2017-01-03 22:21:37 +00:00
Nick Kralevich 8adb4d9d12 Send property_service AVC messages to the kernel audit system
The property service uses an SELinux userspace check to determine if a
process is allowed to set a property. If the security check fails, a
userspace SELinux denial is generated. Currently, these denials are only
sent to dmesg.

Instead of sending these denials to dmesg, send it to the kernel audit
system. This will cause these userspace denials to be treated similarly
to kernel generated denials (eg, logd will pick them up and process
them). This will ensure that denials generated by the property service
will show up in logcat / dmesg / event log.

After this patch, running "setprop asdf asdf" from the unprivileged adb
shell user will result in the following audit message:

  type=1107 audit(39582851.013:48): pid=1 uid=0 auid=4294967295
  ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for
  property=asdf pid=5537 uid=2000 gid=2000 scontext=u:r:shell:s0
  tcontext=u:object_r:default_prop:s0 tclass=property_service'

Test: manual
Bug: 27878170
Change-Id: I0b8994888653501f2f315eaa63d9e2ba32d851ef
2017-01-03 13:50:13 -08:00
Elliott Hughes 9b3b119912 Don't use bare `noreturn` in log.h.
toybox has a #define noreturn that trips over this.

Also move `format` out of the way, just in case.

Bug: https://github.com/android-ndk/ndk/issues/271
Test: builds
Change-Id: Ib8811136b4b422ff74625509539a5464a3c9af18
2017-01-03 13:17:42 -08:00