1529 Commits

Author SHA1 Message Date
Bowgo Tsai 20651f62d0 first stage mount: removing the requirement of by-name prefix for AVB
Current first stage mount for AVB requires specifying a common prefix of
by-name symlink for all AVB partitions. It limits all AVB partitions to be on
the same block device.

firmware {
    android {
        compatible = "android,firmware";
        vbmeta {
            compatible = "android,vbmeta";
            parts = "vbmeta,boot,system,vendor";
            by_name_prefix="/dev/block/platform/soc.0/f9824900.sdhci/by-name"  <-- *removing this*
        };
        fstab {
            compatible = "android,fstab";
            vendor {
                compatible = "android,vendor";
                dev = "/dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor";
                type = "ext4";
                mnt_flags = "ro,barrier=1,inode_readahead_blks=8";
                fsmgr_flags = "wait,avb";
            };
        };
    };
};

For normal mount with AVB, it extracts the by-name prefix of /misc
partition and uses it as the prefix for all other partitions:
    - /dev/block/platform/soc.0/f9824900.sdhci/by-name/misc ->
    - /dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor_a

Fix this by adding an internal map in FsManagerAvbOps to record the mapping
from partition name to its by-name symlink:

    ByNameSymlinkMap["vendor_a"] = "/dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor_a"

Two overloaded factory methods are then provided for FsManagerAvbUniquePtr:
    - FsManagerAvbUniquePtr Open(ByNameSymlinkMap&& by_name_symlink_map):
      for first stage mount, where the by-name symlink map will be
      constructed externally, from the uevents processed by init, before
      invoking this factory method.

    - FsManagerAvbUniquePtr Open(const fstab& fstab): for normal mount,
      where the by-name symlink map will be constructed from the input fstab
      internally.

Bug: 37552224
Test: first stage mount /vendor with vboot 1.0
Test: first stage mount /vendor with vboot 2.0 (AVB)
Test: normal mount /vendor with vboot 2.0 (AVB)
Change-Id: Id17e8566da87ea22b8923fcd6e47db8d45bc7d6a
2017-05-09 11:03:49 +08:00
Tom Cherry 482f36cf74 init: remove restorecon() from util.cpp
restorecon() has become nothing more than a small wrapper around
selinux_android_restore().  This itself isn't super problematic, but
it is an obstacle for compiling util.cpp on the host as that function
is not available on the host.

Bug: 36970783
Test: Boot bullhead
Merged-In: I7e209ece6898f9a0d5eb9e5d5d8155c2f1ba9faf
Change-Id: I7e209ece6898f9a0d5eb9e5d5d8155c2f1ba9faf
2017-05-09 02:25:32 +00:00
Mark Salyzyn b066fccc5c init: add "+passcred" for socket to set SO_PASSCRED
In the init scripts for socket, the type can have a suffix of
"+passcred" to request that the socket be bound to report SO_PASSCRED
credentials as part of socket transactions.

Test: gTest logd-unit-tests --gtest_filter=logd.statistics right after boot
      (fails without logd.rc change)
Bug: 37985222
Change-Id: Ie5b50e99fb92fa9bec9a32463a0e6df26a968bfd
2017-05-08 14:04:13 -07:00
Tom Cherry 0dda322d4a Merge changes I46690d1c,I84c11aa5
* changes:
  init: do not log directly from read_file() and write_file()
  init: Check DecodeUid() result and use error string
2017-05-08 16:11:38 +00:00
Tom Cherry 2cbbe9f7a3 init: do not log directly from read_file() and write_file()
Their callers may be able to add more context, so use an error string
to record the error.

Bug: 38038887
Test: boot bullhead
Test: Init unit tests
Change-Id: I46690d1c66e00a4b15cadc6fd0d6b50e990388c3
2017-05-05 14:37:12 -07:00
Tom Cherry 517e1f17cf init: Check DecodeUid() result and use error string
Check the result of DecodeUid() and return failure when uids/gids are
unable to be decoded.

Also, use an error string instead of logging directly such that more
context can be added when decoding fails.

Bug: 38038887
Test: Boot bullhead
Test: Init unit tests
Change-Id: I84c11aa5a8041bf5d2f754ee9af748344b789b37
2017-05-05 14:37:01 -07:00
Chih-Hung Hsieh 7275802917 Work around clang-tidy segmentation fault.
This should affect only builds that call clang-tidy.
Without this change, clang-tidy has segmentation fault
when compiling several files in the system/core/init directory.

Bug: 38002385
Test: build with WITH_TIDY=1
Change-Id: I63b898370c43e1d6b02671751137b1027ba4cdac
2017-05-04 16:30:14 -07:00
Treehugger Robot 61559e491e Merge "init: cleanup exec_service documentation" 2017-05-04 19:54:17 +00:00
Tom Cherry 33838b1156 init: change kill order and fix error reporting in KillProcessGroup()
First kill the process group before killing the cgroup to catch
the hopeful case that killing the cgroup becomes a no-op as all of its
processes have already been killed.

Do not report an error if kill fails due to ESRCH, as this happens
often when reaping processes due to the order in which we call
waitpid() and kill().

Do not call killProcessGroup in libprocessgroup if we have already
successfully killed and removed a process group.

Bug: 36661364
Bug: 36701253
Bug: 37540956

Test: Reboot bullhead
Test: Start and stop services
Test: Init unit tests
Change-Id: I172acf0f8e00189f910f865f4635a7b1782fc7e3
2017-05-04 12:33:19 -07:00
William Roberts 323d5791b4 init: cleanup exec_service documentation
The exec_service documentation was difficult to read, clarify it.

Tests:
Run grip.py to verify that the markdown still works correctly.
Run aspell to verify spelling.

Change-Id: I29bdd456f3d3ea2a91c9d4772bd09a5a195f97a9
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-05-04 11:14:23 -07:00
Treehugger Robot e2629c5682 Merge "init: manually restorecon mke2fs tools on ramdisk" 2017-05-04 02:07:02 +00:00
Treehugger Robot e1e3e20337 Merge changes Ieb44fa8f,I01b26fe5
* changes:
  init: setup keyring before ueventd starts
  logd: refine permissions to access /data/system/packages.list
2017-05-03 23:24:14 +00:00
Jin Qian 2d019f859b init: manually restorecon mke2fs tools on ramdisk
Files in the ramdisk by default have the rootfs label and must be
manually restoreconed.

Bug: 35219933
Change-Id: I2a749f128dc3a609907101ce703747f8990b4386
2017-05-03 16:15:45 -07:00
Mark Salyzyn 4599627492 init: setup keyring before ueventd starts
Invent keyutils.h to supply capability to set session keyring.
The keyring will hold things like the FBE encryption keys.

Test: gTest logd-unit-tests --gtest_filter=logd.statistics
Bug: 37751120
Bug: 36645158
Change-Id: Ieb44fa8f53dda6cf506a6243498c72d7f7f3cde7
2017-05-03 21:51:04 +00:00
Tom Cherry 5a86cb7694 init: use do_exec() for init_user0
Similar to what installkey used to do, init_user0 forks and
synchronously waits for vdc to return.  This is dangerous to do in
init however as init also processes properties from a single thread.

I'm not aware of any specific issues that this is currently causing,
but it's a good preventative measure to match what installkey does and
use do_exec().

Test: Boot bullhead, see that init_user0 still happens
Change-Id: I853c61594fe3d97e91bbb2319ebddf2bbe80d457
2017-05-03 13:25:08 -07:00
Tom Cherry 672dd970f4 Merge "ueventd: do not reference init's sehandle" 2017-05-03 18:14:38 +00:00
Bowgo Tsai ea5fca4cd0 init: fix first stage mount failure due to /dev/device-mapper not found
It has been reported that fs_mgr failed to open /dev/device-mapper
during the first stage mount. It's because other uevent (e.g., i2c
charger device) happens to be sent at the same time we're triggering
the device-mapper uevent to be sent. Current implementation returns
COLDBOOT_STOP unconditionally so it will only process the first received
uevent, leaving device-mapper uevent unhandled when the race happens.

Fix this by only returning COLDBOOT_STOP when the received uevent->path
matches that of device mapper.

Bug: 37745254

Test: first stage mount /vendor with vboot 2.0 (avb) on bullhead
Test: first stage mount /vendor with vboot 1.0 on sailfish
Change-Id: I4a77093ec8f90a5ca981a088f34d082d0270533b
2017-05-03 00:38:43 +08:00
Tom Cherry 7c3f147070 Merge "init: add an initializer for keychord_id_" 2017-05-02 00:30:17 +00:00
Tom Cherry e7656b7200 ueventd: do not reference init's sehandle
Init exposes a global 'sehandle' that ueventd references as part of
devices.cpp and util.cpp.  This is particularly dangerous in
device_init() in which both uevent and init write to this global.

This change creates a separate local copy for devices.cpp and puts
restrictions on where init.h can be included to make sure the global
used by init is not referenced by non-init code.  Future changes to
init should remove this global.

Test: Boot bullhead

Change-Id: Ifefa9e1932e9d647d06cca2618f5c8e5a7a85460
2017-05-01 17:22:49 -07:00
Tom Cherry 6a8314c8bf Merge "ueventd: remove leftovers of the SELinux policy update mechanism" 2017-05-01 22:48:29 +00:00
Tom Cherry 7da548578c init: add an initializer for keychord_id_
Add unit test to ensure all POD types of Service are initialized.

Bug: 37855222
Test: Ensure bugreport is triggered via keychord properly.
Test: New unit tests
Change-Id: If2cfea15a74ab417a7b909a60c264cb8eb990de7
2017-05-01 15:35:07 -07:00
Tom Cherry f51c66b23b ueventd: fix typo from previous patchset
A forward declaration for a function that was removed in later
patchsets was merged anyway.  Since it's not used anywhere, this CL
removes it.

Test: build bullhead
Change-Id: Ie7223f7d23305b71438cb063b64a574ce32f96bb
2017-05-01 10:53:39 -07:00
Tom Cherry 6daf514448 ueventd: remove leftovers of the SELinux policy update mechanism
Reloading sepolicy has been removed from the system, so this support
code can also now be removed.

Bug: 26544104
Test: Boot bullhead
Change-Id: If9dbc9d540d9a69340c1dd6a483c1f8fe5feb287
2017-05-01 10:39:03 -07:00
Keun-young Park 4de31e1481 combine wait for exec log with service exit log
- allows easier tracking of wait time from monitoring tools
- this change also reduces unnecessary log spam
- service exit log looks like this:
  init: Service 'exec 4 (/system/bin/otapreopt_slot)' (pid 611) exited with status 0 waiting took 0.060771 seconds

bug: 37752410
Test: reboot and check log
Change-Id: I122902538697f33939eede548e39f155ec419e03
2017-04-28 11:20:12 -07:00
Treehugger Robot 59c74a3bd1 Merge "init: fix last_reboot_reason string" 2017-04-27 19:39:53 +00:00
Keun-young Park 47d15ed5b9 Merge "set default shutdown timeout to 6 secs" 2017-04-26 22:35:26 +00:00
Treehugger Robot 84d43c8df7 Merge "do not start shutdown animation from init" 2017-04-26 20:59:56 +00:00
Keun-young Park 7feab68238 set default shutdown timeout to 6 secs
- Test data shows that most shutdown finishes in 6 secs.
- The original 10 secs is too long with no shutdown animation
  running in screen.

bug: 36657139
Test: check time with reboot
Change-Id: I9a805ddfde8156b066485902048d0cd01365c453
2017-04-26 13:58:31 -07:00
Keun-young Park 8cde09064e Merge "add additional dump for timeout" 2017-04-26 20:53:21 +00:00
Treehugger Robot b0a14f8feb Merge changes Ibe91fd2d,I59e2bd9e
* changes:
  init: remove 'computing context for service'... message
  init: use full command for exec services' names
2017-04-26 19:46:04 +00:00
Keun-young Park 1663e97fe1 add additional dump for timeout
- add sysrq-trigger current tasks dump
- This helps detecting kernel thread stuck in a specific driver

bug: 37573746
Test: python packages/services/Car/tools/bootanalyze/bootanalyze.py -r -c packages/services/Car/tools/bootanalyze/config.yaml -n 2000 -f -e 15 -w 30  -v -a

Change-Id: Icb20b5fba63d601bb937f004f5889a9bc8340b34
2017-04-26 10:16:23 -07:00
Tom Cherry 47336cebc3 init: fix last_reboot_reason string
This got moved when refactoring the reboot commands.

Bug: 37540660
Test: verify bullhead's last_reboot_reason is correct
Change-Id: I3b86496fc469ca41645df7e7ba8bb51dd25b6b38
2017-04-26 16:17:08 +00:00
Tom Cherry 6f7ef2fb34 init: remove 'computing context for service'... message
This line shows up immediately before starting a service for each
service without a 'seclabel' option, essentially becoming log spam.

We already log if we fail to compute the context as well.

Test: Boot bullhead

Change-Id: Ibe91fd2dd9f53a8ae2ca95ccea1636ecef2af224
2017-04-25 17:46:13 -07:00
Tom Cherry 86e31a8123 init: use full command for exec services' names
Before:
init: starting service 'exec 4 (/system/bin/vdc)'...
init: starting service 'exec 5 (/system/bin/tzdatacheck)'...
init: starting service 'exec 6 (/system/bin/bootstat)'...
init: starting service 'exec 7 (/system/bin/bootstat)'...

After:
init: starting service 'exec 4 (/system/bin/vdc --wait cryptfs mountdefaultencrypted)'...
init: starting service 'exec 5 (/system/bin/tzdatacheck /system/usr/share/zoneinfo /data/misc/zoneinfo)'...
init: starting service 'exec 6 (/system/bin/bootstat -r post_decrypt_time_elapsed)'...
init: starting service 'exec 7 (/system/bin/bootstat --record_boot_complete)'...

Test: Boot bullhead, observe above logging change
Change-Id: I59e2bd9e3d341bbed9537c972e47246d0a12769d
2017-04-25 17:35:46 -07:00
Treehugger Robot 8df35dcb1c Merge "init: fix first stage mount failure when two fstab entries have verity_loc" 2017-04-26 00:06:47 +00:00
Tom Cherry d9ebf06117 Merge "init: rename 'Trigger' to 'Event' and convert to std::variant" 2017-04-25 21:44:19 +00:00
Tom Cherry 960ed3ce1b Merge changes I1f70f2c4,I698ca962,Idbbf2682
* changes:
  init: remove unused parts of parser.cpp
  ueventd: replace ueventd_parser.cpp with init_parser.cpp
  init: add Parser::AddSingleLineParser()
2017-04-25 21:44:07 +00:00
Tom Cherry ad6741c6f8 init: remove unused parts of parser.cpp
Now that ueventd is using init's parser, we no longer need anything
other than the tokenizer from parser.cpp.

Test: Boot bullhead
Change-Id: I1f70f2c4479af576174bd74dd919d81817500216
2017-04-25 11:24:33 -07:00
Tom Cherry fe062055cb ueventd: replace ueventd_parser.cpp with init_parser.cpp
Previously init_parser.cpp was made generic and capable of parsing any
number of differently named 'sections' or prefixed lines.  We now use
these capabilities to do the parsing for ueventd.

Bug: 36250207
Bug: 33785894

Test: boot bullhead and ensure the right /dev nodes exist
      with the right permissions set
Test: verify no boot time difference
Change-Id: I698ca962d414f8135af32f6c9cd778841b2b8b53
2017-04-25 11:24:24 -07:00
Bowgo Tsai 71881fffd6 init: fix first stage mount failure when two fstab entries have verity_loc
The previous check is incorrect because it compares the basename of
previous verity_loc with the full path of current verity_loc.

Changes it to compare the full device file path instead of just the basename
of verity_loc. This can catch the case of two different verity_loc
values with the same basename, e.g.,

  - verify=/dev/block/platform/SOC.0/by-name/metadata
  - verify=/dev/block/platform/SOC.1/by-name/metadata

Bug: 37413399
Bug: 37619597
Test: first stage mount /system and /vendor with the following fs_mgr_flags on bullhead
        - wait,verify=/dev/block/platform/soc.0/f9824900.sdhci/by-name/metadataa
Test: first stage mount /system and /vendor with different verity_loc values
      on bullhead, checks it bails out
Change-Id: I017c8bd9f0790d45e08e57df9a2878e4f62c5f9c
2017-04-26 01:23:19 +08:00
Tom Cherry 35c5bcc89c init: add Parser::AddSingleLineParser()
Add the ability to override the current section being parsed and
instead parse a line by itself if a given line starts with a specific
prefix.

Test: Boot bullhead
Change-Id: Idbbf2682b78996b41d05f3db655c8937a8c6ccda
2017-04-25 10:19:37 -07:00
Tom Cherry 26ed9cb706 init: rename 'Trigger' to 'Event' and convert to std::variant
The term 'trigger' should be used in 'Action' to indicate what causes
the 'Action' to be executed.

The term 'event' should be used in ActionManager's queue to indicate
a state change that is checked against the 'triggers' of an 'Action' to
see if it should execute.

Convert the previous Trigger class to std::variant, as the latter is
better suited for this use.

Change-Id: I2558367c8318b536aa69fcec93793f1c12857ef5
2017-04-25 17:14:23 +00:00
Treehugger Robot 41346e553b Merge "Update persist.sys.usb.config on runtime" 2017-04-25 03:51:17 +00:00
Jaekyun Seok 0cf3a07e14 Update persist.sys.usb.config on runtime
persist.sys.usb.config values can't be combined on build-time when
property files are split into each partition.
So we need to apply the same rule of
build/make/tools/post_process_props.py on runtime.

Test: building succeeded and tested on sailfish.
Bug: 37617113
Bug: 37648659

Change-Id: I78cdffee446d3ae6a89f138faed5f3149e4b507d
2017-04-25 01:31:19 +00:00
Treehugger Robot f1bd536efd Merge "init: set ro.boot.avb_version in recovery mode" 2017-04-25 00:31:41 +00:00
Treehugger Robot bcd36a20d4 Merge "init: moving early mount logic into init_first_stage.cpp" 2017-04-25 00:31:27 +00:00
Bowgo Tsai fd18a452be init: set ro.boot.avb_version in recovery mode
Previously we set ro.boot.avb_version during the first stage mount in normal mode:
  - https://android-review.googlesource.com/#/c/371774/

As the first stage mount is not performed in recovery mode, we need to set the
property separately in recovery mode.

Bug: 37414003

Test: first stage mount /vendor with vboot 2.0 (avb) on bullhead in normal mode
Test: first stage mount /system without verity on bullhead in normal mode
Test: checks ro.boot.avb_version is 1.0 on bullhead in recovery mode

Test: first mount /vendor with vboot 1.0 on sailfish in normal mode
Test: checks ro.boot.avb_version doesn't exist on sailfish in recovery mode

Change-Id: I262e75b8b557c4de7609b4049ccb01793644245e
2017-04-24 23:10:59 +08:00
Bowgo Tsai d262017fef init: moving early mount logic into init_first_stage.cpp
Also renames "early mount" to "first stage mount" to prevent confusion
with "mount_all --early", which is run in the init second stage.

Also creates a base class: FirstStageMount and two derived classes:
FirstStageMountVBootV1 and FirstStageMountVBootV2 to replace/refactor
existing functions:

   - early_mount() -> DoFirstStageMount() and FirstStageMount::DoFirstStageMount()

   - vboot_1_0_early_partitions -> FirstStageMountVBootV1::GetRequiredDevices()
   - vboot_2_0_early_partitions -> FirstStageMountVBootV2::GetRequiredDevices()

   - vboot_1_0_mount_partitions ->
       FirstStageMount::MountPartitions() and
       FirstStageMountVBootV1::SetUpDmVerity()

   - vboot_2_0_mount_partitions ->
       FirstStageMount::MountPartitions() and
       FirstStageMountVBootV2::SetUpDmVerity()

Bug: 37413399
Test: first stage mount /vendor with vboot 2.0 (avb) on bullhead
Test: first stage mount /system without verity on bullhead
Test: first stage mount /vendor with vboot 1.0 on sailfish
Change-Id: I6584bdf7d832c9fbc8740f97c9b8b94e68a90783
2017-04-24 23:10:10 +08:00
Tom Cherry ad54d094cd init: create init_tests.cpp
Start an init_tests.cpp file for end-to-end tests that parse small init script
segments and verify that they act as expected.

The first tests ensure that the execution order of event triggers
happens appropriately.

Test: Boot bullhead, run unit tests

Change-Id: Ic446c02605ab796fd41e0596ce1fd381aee80ce0
2017-04-21 18:27:42 -07:00
Tom Cherry 30a6f276fd init: clean up the SectionParser interface and Parser class
Remove the dependency on Action and Service from what should be a
generic Parser class.

Make ActionParser, ImportParser, and ServiceParser take a pointer to
their associated classes instead of accessing them through a
singleton.

Misc fixes to SectionParser Interface:
1) Make SectionParser::ParseLineSection() non-const as it always should
have been.
2) Use Rvalue references where appropriate
3) Remove extra std::string& filename in SectionParser::EndFile()
4) Only have SectionParser::ParseSection() as pure virtual

Document SectionParser.

Make ImportParser report the filename and line number of failed imports.

Make ServiceParser report the filename and line number of duplicated services.

Test: Boot bullhead

Change-Id: I86568a5b375fb4f27f4cb235ed1e37635f01d630
2017-04-21 18:26:40 -07:00
William Roberts e6ec2661b7 init: fix errno handling on KillProcessGroup
KillProcessGroup can return -1 without errno set, which produces error
messages like this:

init: Sending signal 15 to service 'vold' (pid 1806) process group...
init: failed to kill 2 processes for processgroup 1806
init: killProcessGroup(0, 1806, 15) failed: Success

Test: boot and reboot hikey.

Change-Id: I51f242da234daee84795a3fbdffe9ad1f4567140
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-04-19 17:21:44 -07:00
Keun-young Park e2b04b71ae do not start shutdown animation from init
- init will only keep animation related services as shutdown critical.
- external component like system server can start shutdown animation.

bug: 37500823
Test: reboot
Change-Id: Ief328306eba7e3b15402ae27e6236767095f508c
2017-04-19 14:30:25 -07:00
Tom Cherry 012c573e26 init: Stop combining actions
In the past, I had thought it didn't make sense to have multiple
Action classes with identical triggers within ActionManager::actions_,
and opted to instead combine these into a single action.  In theory,
it should reduce memory overhead as only one copy of the triggers
needs to be stored.

In practice, this ends up not being a good idea.

Most importantly, given a file with the below three sections in this
same order:

on boot
  setprop a b

on boot && property:true=true
  setprop c d

on boot
  setprop e f

Assuming that property 'true' == 'true', when the `boot` event
happens, the order of the setprop commands will actually be:

setprop a b
setprop e f
setprop c d

instead of the more intuitive order of:

setprop a b
setprop c d
setprop e f

This is a mistake and this CL fixes it.  It also documents this order.

Secondly, with a given 'Action' now spanning multiple files, in order
to keep track of which file a command is run from, the 'Command'
itself needs to store this.  Ironically to the original intention,
this increases total ram usage.  This change now only stores the file
name in each 'Action' instead of each 'Command'.  All in all this is a
negligible trade off of ram usage.

Thirdly, this requires a bunch of extra code and assumptions that
don't help anything else.  In particular it forces to keep property triggers
sorted for easy comparison, which I'm using an std::map for currently,
but that is not the best data structure to contain them.

Lastly, I added the filename and line number to the 'processing
action' LOG(INFO) message.

Test: Boot bullhead, observe above changes
Test: Boot sailfish, observe no change in boot time
Change-Id: I3fbcac4ee677351314e33012c758145be82346e9
2017-04-19 11:26:29 -07:00
Tom Cherry 19866bf19f init: add warning that `start` is not synchronous
Bug: 36571736
Bug: 37481363
Change-Id: I5d360cbb3635f00453a492ee4e3650fb80f390f5
2017-04-19 00:46:44 +00:00
Tom Cherry 14ed55bae8 Merge "init: handle sys.powerctl immediately" 2017-04-18 18:14:18 +00:00
Tom Cherry 98ad32a967 init: handle sys.powerctl immediately
Currently if a process sets the sys.powerctl property, init adds this
property change into the event queue, just like any other property.
The actual logic to shutdown the device is not executed until init
gets to the action associated with the property change.

This is bad for multiple reasons, but explicitly causes deadlock in
the following scenario:

A service is started with `exec` or `exec_start`
The same service sets sys.powerctl indicating to the system to
shutdown
The same service then waits infinitely

In this case, init doesn't process any further commands until the exec
service completes, including the command to reboot the device.

This change causes init to immediately handle sys.powerctl and reboot
the device regardless of the state of the event queue, wait for exec,
or wait for property conditions.

Bug: 37209359
Bug: 37415192

Test: Init reboots normally
Test: Update verifier can reboot the system
Change-Id: Iff2295aed970840f47e56c4bacc93001b791fa35
2017-04-17 16:40:06 -07:00
Tom Cherry cc054c9da8 ueventd: create classes for dev and sys permissions
Create classes for dev and sys permissions and store these permissions
in std::vector instead of the C list.

Test: boot bullhead
Test: init unit tests

Change-Id: I874039a3db29b4c70149506da8e407123ab7eca2
2017-04-17 19:33:04 +00:00
Bowgo Tsai 1a898c25f9 Set libavb version into system property for Treble OTA
Set ro.boot.avb_version to "AVB_VERSION_MAJOR.AVB_VERSION_MINOR".
During Treble OTA match, the major version must be the same as that in
the avb metadata on disk, while the minor version can be equal to or
greater than that in the avb metadata on disk.

See how avb versioning works on the following link:

  https://android-review.googlesource.com/#/c/342757/

Also renames AvbHashtreeDisabled() -> hashtree_disabled().

Bug: 35322304
Test: Early mount with AVB, checks [ro.boot.avb_version]: [1.0] exists.
Test: Not enable AVB, checks [ro.boot.avb_version] doesn't exist.

Change-Id: I5aaf476ca53c4fe817779518ba14b68ebcfdc6d6
2017-04-15 09:47:31 +08:00
Elliott Hughes eea60804f6 Merge "Revert "Send property_service AVC messages to the kernel audit system"" 2017-04-15 00:13:47 +00:00
Elliott Hughes d8f9356bec Revert "Send property_service AVC messages to the kernel audit system"
This reverts commit 8adb4d9d12.

Change-Id: I0db29617f323ef31ca5a270d02b7668092e9c9e1
2017-04-14 12:53:19 -07:00
Tom Cherry 1ab8f55344 ueventd: convert platform_names from C list to std::vector
Also simplify this code a bit.

There's only one consumer that removes the /devices/platform prefix,
so have them handle it instead of storing two copies of the string.

Remove an unneeded search for '/' in get_character_device_symlinks()
as a / will always be the next character after a parent path, by
nature of FindPlatformDevice().

Test: boot bullhead
Test: init unit tests

Change-Id: I9d0482d137b1342ae7509ae993ff99198be814f0
2017-04-14 10:23:52 -07:00
Tom Cherry e3e48214b7 ueventd: replace char* with std::string in struct uevent
Bug: 36250207

Test: Boot bullhead
Test: Boot sailfish, observe no boot time regression
Test: init unit tests

Change-Id: Ib82833bea56bdafbe1d7a045126aaa91a8725d98
2017-04-14 10:23:52 -07:00
Treehugger Robot e771b69e72 Merge changes I6a29c678,I76212f65
* changes:
  reboot: fix owner and permissions of last_reboot_reason file
  init.rc: create /data/misc/reboot owned by system
2017-04-14 14:16:20 +00:00
Treehugger Robot d7381375bb Merge changes from topic 'avb-early-mount'
* changes:
  fs_mgr: support AVB in fs_mgr_update_verity_state()
  init: support early_mount with vboot 2.0 (external/avb/libavb)
2017-04-14 06:20:42 +00:00
Bowgo Tsai aaf70e77dc fs_mgr: support AVB in fs_mgr_update_verity_state()
fs_mgr_update_verity_state() is invoked by 'verity_update_state' in
init.rc. It will then set property "partition.system.verified" and
"partition.vendor.verified" to verify_mode. We should support this for
AVB as well.

Also change the order of static libs in init to fix the build error
after this change:
  system/extras/ext4_utils/ext4_crypt.cpp:69: error: undefined reference to 'property_get'

Bug: 35416769
Test: Mount /system and /vendor with vboot 2.0 (AVB), check the following properties exist.
      - [partition.system.verified]: [2]
      - [partition.vendor.verified]: [2]
Test: Mount /system and /vendor with vboot 1.0, check the following properties exist.
      - [partition.system.verified]: [0]
      - [partition.vendor.verified]: [0]

Change-Id: I4328d66a8cb93f26e7960e620a0b2292d5f15900
2017-04-14 12:10:49 +08:00
Bowgo Tsai 8bba52fc4b init: support early_mount with vboot 2.0 (external/avb/libavb)
libavb requires verifying AVB metadata on all verified partitions at
once. For example, /vbmeta, /boot, /system and /vendor. We need to
invoke device_init() for those partitions even if we only want to early
mount some of them, like /vendor and /system.

This CL gets all AVB partitions and the early mount partitions from
device tree through "firmware/android/vbmeta" and "firmware/fstab",
respectively. The following is an example to early mount /vendor
partition on bullhead:

firmware {
    android {
        compatible = "android,firmware";
        vbmeta {
            compatible = "android,vbmeta";
            parts = "boot,system,vendor";
            by_name_prefix="/dev/block/platform/soc.0/f9824900.sdhci/by-name"
        };
        fstab {
            compatible = "android,fstab";
            vendor {
                compatible = "android,vendor";
                dev = "/dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor";
                type = "ext4";
                mnt_flags = "ro,barrier=1,inode_readahead_blks=8";
                fsmgr_flags = "wait,avb";
            };
        };
    };
};

Bug: 33254008
Test: early mount /vendor with vboot 2.0 (AVB) on bullhead
Test: early mount /system without dm-verity on bullhead
Test: early mount /vendor with vboot 1.0 on sailfish

Change-Id: I89a1f77c97124f309346b33d9e700544b92ecf05
2017-04-14 12:10:20 +08:00
Todd Poynor fc827be3f9 reboot: fix owner and permissions of last_reboot_reason file
Default signature WriteStringToFile creates world-writeable files.
Set owner and group system and remove read/write for non-owner.

Bug: 37251463
Test: Manual: reboot, inspect
Change-Id: I6a29c678168dcae611b120dc52170f4eee7069a9
2017-04-13 18:03:59 -07:00
Tom Cherry 659b78ed10 Merge changes Ie5ec609a,I5a2ac369,I690137b5
* changes:
  ueventd: Fix up string handling in handle_*_device_event()
  ueventd: convert mkdir_recursive() to std::string
  ueventd: move subsystem logic from code to ueventd.rc
2017-04-13 21:22:45 +00:00
Tom Cherry 3fa467338f ueventd: Fix up string handling in handle_*_device_event()
Bug: 36250207

Test: Boot bullhead
Test: Boot sailfish, observe no boot time regression
Test: init unit tests

Change-Id: Ie5ec609a3f74bb03f5920734ada4d7de57508de4
2017-04-12 16:36:53 -07:00
Tom Cherry 060b74baad ueventd: convert mkdir_recursive() to std::string
Bug: 36250207

Test: Boot bullhead
Test: Boot sailfish, observe no boot time regression
Test: init unit tests

Change-Id: I5a2ac369d846e044230b709fd07eb21ad12d47bb
2017-04-12 16:36:44 -07:00
Tom Cherry 780a71e779 ueventd: move subsystem logic from code to ueventd.rc
Test: Boot bullhead
Test: Boot sailfish, observe no boot time regression
Test: init unit tests

Change-Id: I690137b584fcc2b9cd2dd932a2678f75a56d6737
2017-04-12 16:36:20 -07:00
Dmitri Plotnikov 00e1c4f330 Passing additional parameter to powerctl
Test: adb reboot recovery,foo and verify that the parameter reaches bootloader
Change-Id: I9690cf96cf9730e5324b9f5310c3d0341fe25fe2
2017-04-12 14:38:23 -07:00
Treehugger Robot 120add07ab Merge "ueventd: remove /dev/log" 2017-04-12 07:58:33 +00:00
Treehugger Robot 162118928e Merge "ueventd: replace char** links with std::vector<std::string>" 2017-04-12 00:57:35 +00:00
Tom Cherry d4ff8d83d3 ueventd: remove /dev/log
This was marked deprecated in 2014 and removed in 2015, let's remove
the uevent rule now too.

Test: see that logging still works on bullhead
Change-Id: Idaf3f49a1afe7046eba6c976628b9f1c8b3ec094
2017-04-11 21:35:46 +00:00
Keun-young Park 2ba5c8103d poll umount completion from /proc/mounts
- umount operation is asynchronous except for root partition.
  Returning from umount does not guarantee completion of
  umount. Poll /proc/mounts to confirm completion of umount.
- Treat all devices mounting to /data as emulated devices. This is
  future proof when fs other than sdcardfs is used.
- Drop quota sync from sync step. There are no differences in
  frequencies of quota error.
- Run umount in reverse order from mounting order so that any
  hidden dependency can be auto-resolved.
- Add dump of lsof and /proc/mounts when umount fails. lsof only runs
  when selinux is toggled into permissive mode. The dump is enabled
  only for non-user build.
- Keep logcat until vold shutdown in case vold has any error to report.

bug: 36551218
Test: python packages/services/Car/tools/bootanalyze/bootanalyze.py -r -c packages/services/Car/tools/bootanalyze/config.yaml -n 1000 -f -e 20 -w 30

Change-Id: I87b17b966d7004c205452d81460b02c6acf50d45
2017-04-10 15:41:15 -07:00
Josh Gao 72ca48e5cb Merge "crash_dump: during early boot, output to kmsg on userdebug." 2017-04-10 20:51:59 +00:00
Tom Cherry 2e344f9d22 ueventd: replace char** links with std::vector<std::string>
Additionally replace the associated C string parsing with C++ and write
unit tests.

Bug: 33785894
Bug: 36250207
Test: Boot bullhead + unit tests
Change-Id: Iee1f72d248bca3bd2e1227045628935b3dd6195a
2017-04-08 00:05:50 +00:00
Treehugger Robot 4f6feec25b Merge "init: clean up more headers" 2017-04-07 22:56:32 +00:00
Tom Cherry f57c0bfab2 init: clean up more headers
We don't need everyone including <sys/system_properties.h>

Test: boot bullhead
Change-Id: I73d507e4f273678eaf15947725741e1e3b966cc6
2017-04-07 13:49:12 -07:00
Treehugger Robot a74635d33e Merge "Reflect move of mapping file to /system." 2017-04-07 14:25:33 +00:00
Treehugger Robot ab5ab1ebd4 Merge "init: more header cleanup" 2017-04-07 02:44:07 +00:00
Tom Cherry 3f5eaae526 init: more header cleanup
Remove includes of "log.h" that really want <android-base/logging.h>
Fix header include order
Remove headers included in .cpp files that their associated .h already includes
Remove some unused headers

Test: boot bullhead
Change-Id: I2b415adfe86a5c8bbe4fb1ebc53c7b0ee2253824
2017-04-06 18:06:34 -07:00
Josh Gao bf2dd48241 crash_dump: during early boot, output to kmsg on userdebug.
Crashes that happen before tombstoned is running are extremely hard to
diagnose, because tombstones aren't written to disk, and the window of
opportunity to get logs via `adb logcat` is small (potentially
nonexistent).

Solve this by adding a world-writable /dev/kmsg_debug on userdebug
builds, and writing to it in addition to logcat when tombstoned hasn't
started yet.

Bug: http://b/36574794
Test: stop tombstoned; crasher; dmesg
Change-Id: Ib22c02a002afb602933155fb2c9b7a8abbe9ed38
2017-04-06 15:00:52 -07:00
Dan Cashman 299231152e Reflect move of mapping file to /system.
Bug: 36783775
Test: boot device with matching sha256 and non-matching and verify that
device boots and uses either precompiled or compiled policy as needed. Also
verify that mapping_sepolicy.cil has moved.

(cherry-pick of commit: 39ffec779a)
Change-Id: I9c3df2e7ed3f0eadd98e98529ebed360fec66dba
2017-04-06 12:52:33 -07:00
Tom Cherry c44f6a4073 ueventd: Write tests for the get_*_symlinks() functions
Bug: 33785894
Bug: 36250207
Test: Boot bullhead + new unit tests
Change-Id: Ia0f290542eb1cffce5ae876dfedb453dde960253
2017-04-05 18:21:39 -07:00
Tom Cherry 554c1fa234 Merge "init: use read_file and write_file to implement do_copy builtin" 2017-04-04 16:42:50 +00:00
Yongqin Liu dbe88e7953 init: use read_file and write_file to implement do_copy builtin
this will make the implementation cleaner,
and has error message output when failed on some operations

also add the O_TRUNC flag explicitly for the open function
called in write_file.

And add more tests on read_file and write_file functions

Bug: 36726045
Test: manual with hikey
Test: boot and init tests on bullhead
Test: cast with fugu, per b/36726045
Merged-In: If3c30a2fff58cfece2fcd27e69c30382146e6808

Change-Id: If3c30a2fff58cfece2fcd27e69c30382146e6808
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
2017-04-04 06:21:29 +00:00
Treehugger Robot 815578cef2 Merge "init: Use std::string for write_file()" 2017-04-04 02:21:55 +00:00
Treehugger Robot fd72bbe91f Merge "Make ueventd error messages indicate where the error is in ueventd script" 2017-04-03 23:50:31 +00:00
Tom Cherry 53089aa25c init: Use std::string for write_file()
The content parameter of write_file() previously took a char* that was
then converted to a std::string in WriteStringToFd().  One unfortunate
effect of this is that it is impossible to write data that contains
'\0' within it, as the new string will only contain characters up
until the '\0'.

This changes write_file() to take an std::string, such that
std::string::size() is used to determine the length of the string,
allowing it to contain null characters.

Also change the path parameter of read_file() and write_file() for
consistency.

Lastly, add a test for handling strings with '\0' in them.

Bug: 36726045
Test: Boot bullhead, run unit tests
Change-Id: Idad60e4228ee2de741ab3ab6a4917065b5e63cd8
2017-04-03 16:41:22 -07:00
Christopher Desjardins 7d3e2c4d4e Make ueventd error messages indicate where the error is in ueventd script
Test: Boot bullhead
Test: Observe errors with file and line number with faulty ueventd.rc

Change-Id: Ieae6151e253f1e6437dfdebd14da4e1e04a45fae
2017-04-03 22:20:55 +00:00
Keun-young Park 7830d59500 add shutdown animation
- Run shutdown animation during shutdown if surfaceflinger is
  available / running.
- services necessary for animation should be added to animation
  class.
- Keep debugging tools while non-critical services are terminated:
  logd, adbd, tombstoned

bug: 36526187
Test: many reboots

Change-Id: I758f700a622c6005f3df9f29de2b55270055ad4d
2017-03-31 16:48:20 -07:00
James Hawkins bc9cb3885b Merge "bootstat: Refactor init/utils/boot_clock into base/chrono_utils." 2017-03-31 20:47:09 +00:00
Tom Cherry cf29755e28 Merge "Make init builtin command installkey respect property updates" 2017-03-31 16:41:02 +00:00
Wonsik Kim 3428d0c2c0 Merge "Revert "init: use read_file and write_file to implement do_copy builtin"" 2017-03-31 00:22:00 +00:00
Wonsik Kim 395e29472f Revert "init: use read_file and write_file to implement do_copy builtin"
This reverts commit 82bac0de6d.

Change-Id: Ibfdf453bd85ba4fcd1948b78bd22e639a883653e
2017-03-31 00:18:13 +00:00
James Hawkins e78ea77f69 bootstat: Refactor init/utils/boot_clock into base/chrono_utils.
Use this for bootstat and init. This replaces the custom uptime parser in
bootstat.

This is a reland of aosp/338325 with a stubbed implementation for Darwin.

This change also has clang_format fixes (automatic).

Bug: 34352037
Test: chrono_utils_test
Change-Id: I72a62a3ca1ccfc0a4ccc6294ff1776c263144686
2017-03-30 14:24:12 -07:00
Treehugger Robot 9ead7c4a74 Merge "send SIGTERM only once" 2017-03-30 04:10:41 +00:00
Janis Danisevskis 9cc51728af Make init builtin command installkey respect property updates
init used to block on installkey such that it was unable to
process property events. This led to a deadlock by which
the Keymaster HAL would wait indefinitely for the
hwservicemanager.ready=true.

This fixes the issue by implementing the builtin in terms of
do_exec, which allows init to stay responsive to properties
while waiting for the child to terminate.

Bug: 36278706
Test: Add a 3s delay into hwservicemanager before it sets the property
      hwservicemanager.ready and the device still boots.

Change-Id: Iaefd31156ca01f3a44b4f85a8bf78beee8dfe224
2017-03-30 00:11:48 +00:00