subcontext_test had been failing due to setexeccon() failing to
transition to vendor_init context. This is a good thing as nothing
other than init should be able to transition into this context.
I don't want to add code to skip the setexeccon() call only for the
tests, so I instead call setexeccon() with the return value of
getcon(). This works however only for root, so these tests are
skipped for non-root.
Test: init unit tests
Change-Id: I8a415599e0ec5506511202f7f5018c0e5265837d
wait_for_prop sets a flag that prevents the action queue from
continuing while otherwise allowing init's main loop to continue
executing. This cannot be done from a subcontext, so it's moved to
normal init.
All property functions need work in any case, particularly once
property_service is moved out of init.
Bug: 62875318
Test: boot sailfish and see that the previous failure related to this
is fixed
Change-Id: Ib9e0d0bdbd0ff22ab0e5c3fe6db620700af266c6
Java already restricts properties to only UTF8 valid strings, and
this change makes this restriction also apply to all native code.
Bug: 63177684
Test: new unit tests
Change-Id: I9fa0ecc0da066b0a026db3497c0f0cbf3f5c2d5a
To make parsing easier for last reboot reason. This also ensures that
last boot reason matches the content that is typically returned by the
bootloader or in turn landed in the canonical system boot reason.
Simplify parsing in bootstat. Adjust and fix boot_reason_test.sh for
new reality. Allow boot reason tests battery and kernel_panic to pass
if device does not support pstore (empty before and after the test).
If device somehow landed in fastboot mode while waiting for the
display, issue a fastboot reboot to move the test along. Some cleanup
and standardization changes to the test script.
Test: system/core/bootstat/boot_reason_test.sh
Bug: 63736262
Change-Id: I97d5467c0b4a6d65df3525f1a2d0051db813d5ad
Allows partners to add a new attribute definition to their public
policy without causing a compatibility failure with the AOSP system
image.
Bug: 67092827
Bug: 37915794
Test: build and boot aosp_sailfish with a new type declared in public
policy.
Change-Id: I3899065affb6806ae9080e1a7dfa5a6f368370f0
As SEPolicy is developed, use this property to enable/disable
subcontexts.
Bug: 62875318
Test: boot device with/without subcontexts
Change-Id: Ieb879836a71c72d4de1bb16514d083d52480bf9a
The last one will avoid errors=panic in ext4.
Test: Build
Bug: 63981945
Bug: 65481582
Change-Id: I9c86afcce441767e24fc43668ab1ff6230155a9f
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
'object_r' is supposed to be simply 'r'.
Test: boot sailfish with SELinux fully enabled and subcontexts enabled
Change-Id: I7eb8b2dd18e66f23c09863e8961da339f72d25c5
One of the major aspects of treble is the compartmentalization of system
and vendor components, however init leaves a huge gap here, as vendor
init scripts run in the same context as system init scripts and thus can
access and modify the same properties, files, etc as the system can.
This change is meant to close that gap. It forks a separate 'subcontext'
init that runs in a different SELinux context with permissions that match
what vendors should have access to. Commands get sent over a socket to
this 'subcontext' init that then runs them in this SELinux context and
returns the result.
Note that not all commands run in the subcontext; some commands such as
those dealing with services only make sense in the context of the main
init process.
Bug: 62875318
Test: init unit tests, boot bullhead, boot sailfish
Change-Id: Idf4a4ebf98842d27b8627f901f961ab9eb412aee
This has moved to being serialized with libprotobuf.
Test: persistent properties work on bullhead
Test: init unit tests
Change-Id: I26ebe135e37d352f9c53612301bde703144853e7
Change HandleSigtermSignal() handler to report shutdown,container. Add
the new reason to bootstat. Remove log stutter as
HandlPowerctlMessage will also do a LOG(INFO) reporting
shutdown,container as reason.
Sending SIGTERM to init is to allow a host OS to ask an Android
Container instance to shutdown. The temptation is to report
shutdown,sigterm but that does not accurately describe the usage
scenario.
Test: compile
Bug: 63736262
Change-Id: I3c5798921bdbef5d2689ad22a2e8103741b570b4
Primarily, this fixes a bug where a forked child of property service
uses exit() instead of _exit, which has the unintended consequences of
running the global destructors of init proper, which leads to
unintended cleanup.
Secondly, this replaces the remaining calls of exit() that really
should be LOG(FATAL).
Test: boot sailfish
Change-Id: I779228e7d44a73186bc7685bb723c4b9278a0a2d
I probably should have done this from the start... There's a shim to
convert my manually serialized format to protobuf, and since that has
not yet shipped, it'll be reverted in a short period of time.
Test: init unit tests
Test: upgrade from legacy and intermediate property formats successfully
Change-Id: Iad25f6c30d0b44d294230a53dd6876222d1c785b
This command functions similarly to `exec` except that it does not
cause init to halt executing commands until the process has
terminated. It is useful for launching simple one time background
tasks.
Bug: 65736247
Test: create an exec_background service and see it function properly
Change-Id: I719c8b85479b65201770aedc0a13191303007c11
Builtin commands may set the sys.powerctl property, which causes
reboot to be immediately processed. Unfortunately, part of the reboot
processing involves clearing the action queue, so when this scenario
happens, ActionManager::ExecuteOneCommand() can abort due to its state
being unexpectedly changed.
Longer term, the real fix here is to split init and property service.
In this case, the property sets will be sent to property service and
the reboot will only be processed once property service responds back
to init that the property has been set. Since that will not happen
within the action queue, there will be no risk of failure.
Short term, this change sets a flag in init to shutdown the device
before the next action is run, which defers the shutdown enough to fix
the crash, but continues to prevent any further commands from running.
Bug: 65374456
Test: force bullhead into the repro case and observe that it no longer
repros
Change-Id: I89c73dad8d7912a845d694b095cab061b8dcc05e
ExpandArgs() was factored out of Service::Start() to clean up init,
however this introduced a bug: the scope of expanded_args ends when
ExpandArgs() returns, yet pointers to the c strings contained within
those std::strings are returned from the function. These pointers are
invalid and have been seen to cause failures on real devices.
This change moves the execv() into ExpandArgs() and renames it
ExpandArgsAndExecv() to keep the clean separation of Service::Start()
but fix the variable scope issue.
Bug: 65303004
Test: boot fugu
Change-Id: I612128631f5b58d040bffcbc2220593ad16cd450
This allows Android to cleanly shutdown when running in a PID namespace
in a way that does not rely on adbd running. This is useful to allow
Android to be running in a container and its lifetime managed by an
OCI-compliant tool.
Bug: 65415372
Test: `kill -TERM 1` as root is correctly dropped.
Test: `kill -TERM 1` from the init PID namespace causes init to cleanly shutdown.
Change-Id: Ia66ebdb436221919081bc4723337c0c7f1e53b09
Unless a process logs that it is requesting a device to reboot, there
are no logs to show which process triggered a reboot. This change
introduces such a log in property service such that system initiated
reboots can be clearly blamed back to a calling process.
Bug: 64214361
Test: reboot and check kernel log for reboot string
Change-Id: I18de33d2a0933d20bdb581025b78020c88c5c6eb
init: support loading odm sepolicy
Currently init merges two sepolicy cil files:
- /system/etc/selinux/plat_sepolicy.cil
- /vendor/etc/selinux/nonplat_sepolicy.cil
This change replaces nonplat_sepolicy.cil with the following two files:
- /vendor/etc/selinux/declaration/nonplat_declaration.cil
- /vendor/etc/selinux/vender_sepolicy.cil
And support merging another default (but optional):
- /odm/etc/selinux/odm_sepolicy.cil.
Bug: 64240127
Test: boot sailfish normally without odm.cil
Test: boot another device having odm.cil
Change-Id: I0b7f8c656c73ddb0fd46f2af3c625d7c81566f2f
We have seen that storing persistent properties in separate files
causes increased boot latency compared to if they were stored in a
single contiguous file.
This change creates a simple format for a contiguously stored property
file, and adds the support for arbitrary characters in the names of
persistent properties, which previously had been restricted. It has a
mechanism for converting older devices to the new format as well.
Bug: 64392887
Test: boot bullhead with new properties
Test: boot bullhead and verify old properties are converted to the new
property file
Test: corrupt property file and ensure that it gets recovered from memory
Test: new unit tests
Change-Id: I60d8201d655ce5c97b33faae81d5ca8dbbb21a14
Tom Cherry