Instead of setting global ASAN_OPTIONS in immutable init.environ.rc,
load them from a file that can be changed later. The file has to be
on the /system partition to both be editable and available at the
early stages of boot.
Also add allocator_may_return_null=1 as that is closer to the
non-ASan allocator behavior.
Bug: 22846541
Change-Id: Ib0f41393c528f2e7cb398470e41f50abf5f4f455
We have a bunch of magic that mounts the correct view of storage
access based on the runtime permissions of an app, but we forgot to
protect the real underlying data sources; oops.
This series of changes just bumps the directory heirarchy one level
to give us /mnt/runtime which we can mask off as 0700 to prevent
people from jumping to the exposed internals.
Also add CTS tests to verify that we're protecting access to
internal mount points like this.
Bug: 22964288
Change-Id: I32068e63a3362b37e8ebca1418f900bb8537b498
system.img may contain the root directory as well. In that case, we
need to create some symlinks init.rc would during the build.
Change-Id: I4e7726f38c0f9cd9846c761fad1446738edb52c0
This CL adds a trigger and a service so that Systrace can be used
for tracing events during boot.
persist.debug.atrace.boottrace property is used for switching on
and off tracing during boot. /data/misc/boottrace/categories
file is used for specifying the categories to be traced.
These property and file are rewritten by Systrace when the newly
added option --boot is specified.
Here is an example of tracing events of am and wm catetories
during boot.
$ external/chromium-trace/systrace am wm --boot
This command will cause the device to reboot. Once the device has
booted up, the trace report is created by hitting Ctrl+C.
As written in readme.txt, this mechanism relies on persistent
property, so tracing events that are emitted before that are not
recorded. This is enough for tracing events after zygote is
launched though.
This only works on userdebug or eng build for security reason.
BUG: 21739901
Change-Id: I03f2963d77a678f47eab5e3e29fc7e91bc9ca3a4
Ensure that /data/anr always exists. This allows us to eliminate
some code in system_server and dumpstate. In addition, this change
solves a common problem where people would create the directory
manually but fail to set the SELinux label, which would cause
subsequent failures when they used the directory for ANRs.
Bug: 22385254
Change-Id: I29eb3deb21a0504aed07570fee3c2f87e41f53a0
Required by logd on devices with USE_CPUSETS defined.
Make /dev/cpuset/background, /dev/cpuset/foreground and
/dev/cpuset/task writeable by system gid. Add logd to system
group for writing to cpuset files and to root group to avoid
regressions. When dropping privs, also drop supplementary groups.
Bug: 22699101
Change-Id: Icc01769b18b5e1f1649623da8325a8bfabc3a3f0
The cfs tunables auto-scale with the number of active cpus by default. Given
that the tunable settings are in device-independent code and it's not
known how many cores are currently active when the init.rc file runs,
the cfs tunables can vary pretty significantly across devices depending
on the state at boot. Disable scaling of the the tunables so that we
can get more consistent behavior of cfs across devices. If we want to
do per-device tuning of these values, we can override what's written
here in device specific files.
Bug: 22634118
Change-Id: Id19b24ef819fef762521e75af55e6d4378cfc949
system.img may contain the root directory as well. In that case, we
need to create some folders init.rc would during the build.
Change-Id: I312104ff926fb08d98ac8256b76d01b0a90ea5e5
* commit 'ee923139c346e6751203fc7d2a341388e01c7b19':
Set up user directory crypto in init.
logd: switch to unordered_map from BasicHashtable
rootdir: make sure the /oem mountpoint is always available
Folders in the root directory are now created during the build,
as we may be building without a ramdisk, and when we do that,
the root directory will be read-only. With those changes,
these mkdirs will never need to run.
Change-Id: I49c63e8bfc71d28e3f938ed41f81d108359fa57a
system.img may contain the root directory as well. In that case, we
need to create some folders init.rc would during the build.
Change-Id: I157ccbebf36bee9916f3f584551704ec481ae1d1
File level encryption must get the key between mounting userdata and
calling post_fs_data when the directories are created. This requires
access to keymaster, which in turn is found from a system property.
Split property loaded into system and data, and load in right order.
Bug: 22233063
gatekeeperd depends on having /data to determine whether
to call setup routines for qcom HALs.
Bug: 22298552
Change-Id: I6c552016dc863bbb04bd5a949a2317a720c8263f
File level encryption must get the key between mounting userdata and
calling post_fs_data when the directories are created. This requires
access to keymaster, which in turn is found from a system property.
Split property loaded into system and data, and load in right order.
Bug: 22233063
Change-Id: I8a6c40d44e17de386417a443c9dfc3b4e7fe59a5
Now that we're treating storage as a runtime permission, we need to
grant read/write access without killing the app. This is really
tricky, since we had been using GIDs for access control, and they're
set in stone once Zygote drops privileges.
The only thing left that can change dynamically is the filesystem
itself, so let's do that. This means changing the FUSE daemon to
present itself as three different views:
/mnt/runtime_default/foo - view for apps with no access
/mnt/runtime_read/foo - view for apps with read access
/mnt/runtime_write/foo - view for apps with write access
There is still a single location for all the backing files, and
filesystem permissions are derived the same way for each view, but
the file modes are masked off differently for each mountpoint.
During Zygote fork, it wires up the appropriate storage access into
an isolated mount namespace based on the current app permissions. When
the app is granted permissions dynamically at runtime, the system
asks vold to jump into the existing mount namespace and bind mount
the newly granted access model into place.
Bug: 21858077
Change-Id: I5a016f0958a92fd390c02b5ae159f8008bd4f4b7
Fix the file access permissions and group ownership of
"/data/misc/bluedroid/bt_config.conf" so the file can be reused when
switching users on the device.
For that purpose, we need to do the following:
1. Set the set-group-ID (bit 02000) flag for directory "/data/misc/bluedroid"
so the files created in that directory will have group-id of
"net_bt_stack" .
2. Change the file's permissions of file "/data/misc/bluedroid/bt_config.conf"
to Read/Write by User and Group.
Bug: 21493919
Change-Id: Ie00ab4695198ef2aa299b484ef9d4f17bd41b98a
allow_user_segv_handler=1 is required to run ART under ASan
detect_odr_violation=0 and alloc_dealloc_mismatch=0 suppress some of
the existing bug reports during boot.
Bug: 21951850, 21785137
Change-Id: I4d36967c6d8d936dacbfdf1b94b87fa94766bd3e
During development it is useful to be able to kill inputflinger and have
init restart it without bringing down the entire system server.
Change-Id: I8b13b94331c5045086db2f5c73a8f49efc5992cb
/system/bin/uncrypt needs to be triggered to prepare the OTA package
before rebooting into the recovery. Separate pre-recovery (uncrypt)
into two services: uncrypt that does the uncryption work and
pre-recovery that actually reboots the device into recovery.
Also create /cache/recovery on post-fs in case it doesn't exist.
Bug: 20012567
Bug: 20949086
(cherry picked from commit e48aed0f0a)
Change-Id: I9877cd6ac9412ea6a566bb1ec0807940c7a38ce5
In order to prevent this bug from happening, we must allow vold cryptfs
commands to complete while a long running mount is underway.
While waiting for vold to be changed to a binder interface, we will simply
create two listeners, one for cryptfs and one for everything else.
Bug: 19197175
Change-Id: Ie3d9567819ced7757b0a8f391547f27db944153c
An automatic domain transition is already defined by SELinux
policy. Avoid having redundant information on the exec line.
This commit depends on commit 17fff893c0
which made the SELinux process label optional.
(cherrypicked from commit 221fca7ddd)
Change-Id: I89464f2bd218c7d6e8db08aa6bed2b62ec6dad2a
An automatic domain transition is already defined by SELinux
policy. Avoid having redundant information on the exec line.
This commit depends on commit 17fff893c0
which made the SELinux process label optional.
Change-Id: I89464f2bd218c7d6e8db08aa6bed2b62ec6dad2a
* commit '560515540d3ef4da9dc58e3b7fcfeb6c067bb677':
init.rc: logd: Add logpersistd (nee logcatd)
init: change exec parsing to make SECLABEL optional
logcat: -f run in background
logcat: -f flag to continue
* commit 'e0e565635a7c6c36a05282622c01203afbec5ca5':
init.rc: logd: Add logpersistd (nee logcatd)
init: change exec parsing to make SECLABEL optional
logcat: -f run in background
logcat: -f flag to continue
(cherry pick from commit 100658c303)
- logpersistd is defined as a thread or process in the context of the
logd domain. Here we define logpersistd as logcat -f in logd domain
and call it logcatd to represent its service mechanics.
- Use logcatd to manage content in /data/misc/logd/ directory.
- Only turn on for persist.logd.logpersistd = logcatd.
- Add logpersist.start, logpersist.stop and logpersist.cat debug
class executables, thus only in the eng and userdebug builds.
ToDo: Wish to add Developer Options menu to turn this feature on or
off, complicated by the fact that user builds have no tools with
access rights to /data/misc/logd.
Bug: 19608716
Change-Id: I57ad757f121c473d04f9fabe9d4820a0eca06f31
- logpersistd is defined as a thread or process in the context of the
logd domain. Here we define logpersistd as logcat -f in logd domain
and call it logcatd to represent its service mechanics.
- Use logcatd to manage content in /data/misc/logd/ directory.
- Only turn on for persist.logd.logpersistd = logcatd.
- Add logpersist.start, logpersist.stop and logpersist.cat debug
class executables, thus only in the eng and userdebug builds.
ToDo: Wish to add Developer Options menu to turn this feature on or
off, complicated by the fact that user builds have no tools with
access rights to /data/misc/logd.
Bug: 19608716
Change-Id: I57ad757f121c473d04f9fabe9d4820a0eca06f31
/system/bin/uncrypt needs to be triggered to prepare the OTA package
before rebooting into the recovery. Separate pre-recovery (uncrypt)
into two services: uncrypt that does the uncryption work and
pre-recovery that actually reboots the device into recovery.
Also create /cache/recovery on post-fs in case it doesn't exist.
Bug: 20012567
Bug: 20949086
Change-Id: If67fe1e9ee6279593d2788452febcd3f0fe714c2
This was causing some confusion during shark bringup and we weren't able
to find docs online, so let's add some hints at the top of the file in
case it comes up again.
Change-Id: Ica2cd8a0fb28efb99077fdc98673dbbdd6f58ff6
Signed-off-by: Kevin Cernekee <cernekee@google.com>
The /oem mount point is used to mount semi-trusted data, and
many Android One devices depend on it. Make sure it's guaranteed
to always be available.
(cherrypicked from commit f3b554fc61)
Bug: 20816563
Change-Id: Ib5272f025d14d4da6125d753879054b3faeae696
The /oem mount point is used to mount semi-trusted data, and
many Android One devices depend on it. Make sure it's guaranteed
to always be available.
Bug: 20816563
Change-Id: Ib5272f025d14d4da6125d753879054b3faeae696
This reverts commit 4217374611.
It turns out that the kernel passes any unrecognized arguments on to init,
and (at least) N6 and N9 have such arguments. My lazy check of argc was
thus insufficient to recognize what stage of init we were in, so we'd
skip to stage 2 and not set up SELinux. And apparently you can get a
very long way with SELinux off... We'll fix that in a later change.
Bug: 19702273
Change-Id: I43b3fb722fed35dd217cb529cbcac9a29aff4e4b
tzdatacheck is exec'd from init.rc early in boot just after /data is
mounted. It checks to make sure that the tz rule data in /data
is newer than the version in /system. If the data is older it is
deleted. This is to address problems with earlier tz rule updates
that occurred: after an OTA upgrade previous updates in /data
would override newer versions in the system partition.
Includes change to init.rc neccessary to run it at boot time. Other
changes are in external/selinux.
Bug: 19941636
Bug: https://code.google.com/p/android/issues/detail?id=35730
Change-Id: I7cc61e058424c856da88f11ff9b259f34cb39dc7
Until we have SELinux support for gating access
to individual TEE services, we will proxy TEE requests
to GateKeeper via this daemon.
Change-Id: Ifa316b75f75bff79bdae613a112c8c3c2e7189a8
The earliest point we can start logd is after /system is mounted.
Ideally on post-fs-system (does not exist), post-fs will do.
As insurance, we will also make sure logd is started if a
logd-reinit is requested. This results in logd starting at least
4 processes earlier than it does currently, with a tighter
grouping of threads which means we are taking advantage of a
lighter CPU load at the time, rather than taking cycles during
heavy activity during core startup.
Change-Id: If4f0bd3a53bb4c47500a54d741ca635d87c0c330
Fix build break caused by original change
This reverts commit 84b0bab58f.
(cherry picked from commit bbb4c85bdcc9a1bce315ed9d61a228bb1b992a1c)
Change-Id: If0ead0f2656b69f33f72c64b03a05784455a4143
Tell vold about which SELinux domains to use for different classes
of devices. Also create a directory for vold to store private
files.
Bug: 19993667
Change-Id: Ib7bc80234f2b13a89b143bf90f147140109570cd
To support external storage devices that are dynamically added and
removed at runtime, we're changing /mnt and /storage to be tmpfs that
are managed by vold.
To support primary storage being inserted/ejected at runtime in a
multi-user environment, we can no longer bind-mount each user into
place. Instead, we have a new /storage/self/primary symlink which
is resolved through /mnt/user/n/primary, and which vold updates at
runtime.
Fix small mode bugs in FUSE daemon so it can be safely mounted
visible to all users on device.
Bug: 19993667
Change-Id: I0ebf4d10aba03d73d9a6fa37d4d43766be8a173b
Also make important events in init's life NOTICE rather than INFO,
and ensure that NOTICE events actually make it to the kernel log.
Also fix the logging so that if you have a printf format string
error, the compiler now catches it.
Also give messages from init, ueventd, and watchdogd distinct tags.
(Previously they'd all call themselves "init", and dmesg doesn't
include pids, so you couldn't untangle them.)
Also include the tag in SELinux messages.
Bug: 19544788
Change-Id: Ica6daea065bfdb80155c52c0b06f346a7df208fe
Add file encryption flag to fstab.
If file encryption flag set in fstab, handle identically to block
encrypted volumes.
Requires matching change:
https://googleplex-android-review.git.corp.google.com/#/c/642778/
Change-Id: I28c236959f2d7d5f0dccc8ea45c325ea0cf871fc
This reverts commit b3739735b8.
Values are helpful to inspect during memory performance tuning.
b/19847626
Change-Id: I004ed37d5cc67e466c1fd1a84e47348524056e87
bootchart uses a file on the data partition to decide if it should collect
data for bootchart, but the data partition will be mounted by the mount_all
command in the "on fs" section, and it will be only added into the action
queue when command "trigger fs" is executed, but that's after the
bootchart_init action (late_init).
This change makes bootchart_init a builtin command of init,
and make it executed as the first command of "on post-fs" section
which will be triggered after the "on fs" section.
This change also refactors the bootchart code to all be in bootchart.cpp.
Change-Id: Ia74aa34ca5b785f51fcffdd383075a549b2a99d9
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
This reverts commit bda6272446.
The original fix seems to have led to boot failures in QA. Rather than
risk shipping, revert the change. Bug 18764230 reopened.
Requires change
https://googleplex-android-review.git.corp.google.com/#/c/629764/
Bug: 19278390
Bug: 19199624
Change-Id: I8b6ab585666f2b0f585ffb2a5f61ac2e3462e06e
The upstream kernel now includes support for emulating legacy AArch32
instructions on ARMv8 devices. By default this framework emulates
deprecated instructions but not obsolete instructions.
Android requires support for the obsolete SWP and SWPB instructions on
all ARM devices, so override this default for the swp emulation hook.
Change-Id: I82b9bdb564413ec7c1a101da75a9928aebe1606b
Signed-off-by: Greg Hackmann <ghackmann@google.com>
/data/tombstones is referenced by core platform code, but is not
guaranteed to exist on all Android devices. Move the directory
creation out of device specific files and into the core
init.rc file.
Bug: https://code.google.com/p/android/issues/detail?id=93207
Change-Id: I94ae5199a6a32c4fe555ca994fc4a8345e0c9690
Delay mounting encryptable but unencrypted volumes until we can
check the ro.vold.forceencrypt flag, then optionally encrypt.
Requires matching vold change from
https://googleplex-android-review.git.corp.google.com/#/c/615309/
Bug: 18764230
Change-Id: If22008be8de6a4f3216b349f81ace49be1730314
Delay mounting encryptable but unencrypted volumes until we can
check the ro.vold.forceencrypt flag, then optionally encrypt.
Requires matching vold change from
https://googleplex-android-review.git.corp.google.com/#/c/615309/
Bug: 18764230
Change-Id: If22008be8de6a4f3216b349f81ace49be1730314
/dev/pmsg0 used to record the Android log messages, then
on reboot /sys/fs/pstore/pmsg-ramoops-0 provides a means
to pull and triage user-space activities leading
up to a panic. A companion to the pstore console logs.
Change-Id: Id92cacb8a30339ae10b8bf9e5d46bb0bd4a284c4
Ensure that /data/adb always exists. This directory is used
for writing adb debugging information when persist.adb.trace_mask
is set.
Bug: https://code.google.com/p/android/issues/detail?id=72895
(cherry picked from commit 89252ce31a)
Change-Id: I44e01bee50125f4e6e5fff6e74c53bb2022ce355
Ensure that /data/adb always exists. This directory is used
for writing adb debugging information when persist.adb.trace_mask
is set.
Bug: https://code.google.com/p/android/issues/detail?id=72895
Change-Id: I9cee2a0202417ff72a5ede7742e25877f51732dd
All kernel services will now be in the same cgroup as
foreground applications. This will now make kernel threads
not implicitly higher priority than android foreground
services.
Bug 17681097
Change-Id: I28e81c7aade50428d5395df86f00ce01c1e7af02
The systrace permissions from init.trace.rc and the "class_start core"
which launches surfaceflinger are both in an "on boot" section. However,
the init.trace.rc commands are parsed after all commands in init.rc.
This means that "class_start core" is executed before the chmod command
which allows processes to write to trace_marker. If any services
execute their first trace command before the chmod occurs, then that
service won't be able to write traces until the service is restarted.
To fix this, run all of the init.trace.rc commands in the "early-boot"
section to ensure they are completed first.
Bug: 17612265
Change-Id: Ibf544762173d5ba98272c66ef485d8eab7d70bf3
They have no dependencies on /data so can be started early.
This permits us to unmount /data while bootanimation is running,
allowing an uninterrupted first boot encryption sequence.
Bug: 17260550
Change-Id: I323fe23e8cf488d8bc136387efdd9fcea96625eb
Need to not set this property) during mount, since it can't
be changed later (ro property)
Also no reason to start class main on encryption cycle - we'll
show surfaceflinger, which is enough UI for this short cycle.
Bug: 17041092
Change-Id: Ica5339c54e45716d0fe20e23c0ab857f388d23ed
On mako only, there is a race condition such that
core + main services must be started after releasing
ueventd (by removing /dev/.booting).
bug 16304711
bug 16333352
On mako only, there is a race condition such that
core + main services must be started after releasing
ueventd (by removing /dev/.booting).
bug 16304711
bug 16333352
Move the unlink out of init.c and into init.rc, so that the file
will be removed after all the filesystems with firmware are up.
Change-Id: Ifdd5dd1e95d7e064dde5c80b70198882d949a710
Move the unlink out of init.c and into init.rc, so that the file
will be removed after all the filesystems with firmware are up.
Change-Id: I7442df2042cc2788d0301f00e3c2fba7d6e0e1c7
Make sure all files / directories within /cache are properly
labeled, not just the directory itself.
Addresses the following denial:
type=1400 audit(0.0:26): avc: denied { getattr } for comm="Thread-85" path="/cache/lost+found" dev="mmcblk0p27" ino=11 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:unlabeled:s0 tclass=dir
Change-Id: I5937b30043efeb696ffaa77258b7294d20d1494e
This may require changes to other code, such as fastbootd, which relies on this
service. sshd is not currently, used, however, so this change will force any
such code to be changed.
Bug: 11594902
Change-Id: I07e52008290dab5825be2ad062cbe730fa7dff71
Moving the vendor symlink down was causing issues with some devices.
Moved it back up, and adjusted mount to remove symlinks if necessary.
Change-Id: I77126d77cfbef32250012bea3960c99b55db4cbb
Signed-off-by: Daniel Rosenberg <drosen@google.com>
+ Add a new property, sys.init_log_level, which can be set after init
bootstrap. This will control the level at which init does prints to klog.
Change-Id: Ia15b2110157b5e6b713785ece9b0fb94889be6c8
Modified fastboot to flash vendor.img as well. Moved symlink
for /vendor to occur after mounting partitions. Changed mount
to also create the mount point.
Change-Id: I78e1ba24e6bb8b4af96a67ee0569af579439e682
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Add the ability to boot up directly from charger mode, instead of forcing
charger mode to initiate a full restart to launch 'full' android. This
should shave a few seconds off of boot time on supported devices (just
manta for now).
Change-Id: Ieec4494d929e92806e039f834d78b9002afd15c4
Make sure /data/dalvik-cache/profiles gets the correct
permissions and SELinux context, and ownership is properly
assigned to the system UID.
Change-Id: Ic1b44009faa30d704855e97631006c4b990a4ad3
dmesg_restrict is too coarse of a control. In Android's case,
we want to allow the shell user to see dmesg output, but disallow
others from seeing it.
Rather than rely on dmesg_restrict, use SELinux to control access
to dmesg instead. See corresponding change in external/sepolicy .
Bug: 10020939
Change-Id: I9d4bbbd41cb02b707cdfee79f826a39c1ec2f177
Define a UID to be used by the process responsible for creating shared
RELRO files for the WebView native library, and create a directory owned
by that UID to use to store the files.
Bug: 13005501
Change-Id: I5bbb1e1035405e5534b2681f554fe16f74e3da1a
To remove the need to modify the bionic dynamic linker, add the
signal chaining library as a preload in the environment. This
will be picked up by the dynamic linker and will override
sigaction and sigprocmask to allow for signal chaining.
Change-Id: I6e2d0628b009bd01e0ed9aed0b311871b9c8363a
cpufreq
The owner and permissions for the sysfs file
/sys/devices/system/cpu*/cpufreq/scaling_max/min_freq is changed.
This would allow the PowerHAL to change the max/min cpufreq even after
the associated CPU's are hotplugged out and back in.
Change-Id: Ibe0b4aaf3db555ed48e89a7fcd0c5fd3a18cf233
Signed-off-by: Ruchi Kandoi <kandoiruchi@google.com>
Volantis SurfaceFlinger holds open a file on data partition.
SurfaceFlinger is not running when we trigger_default_encryption
but if we start it before starting defaultcrypto it locks open
data, so we can't unmount it.
It will start anyway when main starts, so not starting it here
is safe - it will just cause a 1-2 second delay in the graphics
appearing.
Change-Id: Idd546a578e62a24f999367b1407b37ad0f00f3a2
Riley Andrews