This CL extracts code from Service::Start into four helper functions,
bringing Service::Start down to 134 lines vs 212 lines originally. This
makes the method a lot easier to follow. There is no change in behaviour.
Also, make error messages consistent (start with lowercase) and
format Service::Start to fit in 100 cols.
Bug: 30035168
Change-Id: If979976fba4d339a336d030f802ca9f169fd012c
I'll come back and remove klog_init when I've removed other calls to it.
Change-Id: Iad7fd26d853b4ddc54e9abd44516b6f138cbbfcb
Test: booted N9, looked at "adb shell dmesg" output.
When the flag is on, insmod will bypass vermagic and symbol version
checking in the kernel. This is to make it possible to update kernel
without recompiling kernel modules.
BUG=28803994
Change-Id: Ib4be6999ef52baefd4210ee0d242360e43318907
Arguments of commands are expanded based on properties if they contain
${property.name}, however this is not currently done for arguments of
services.
This patch makes it that arguments of services are expanded each time
that the service starts at the point immediately before execve().
Change-Id: Iba581a8377e25a6478d4d2ec2e8b29e181d8640c
Put every service into a process group, kill the process group
and all child processes created within the group when killing the
service. Removed libutil dependency in libprocessgroup.
Bug: 25355957
Change-Id: Ieed60ec41579f638ab9b1e66a7e6330ed578ab05
Signed-off-by: Collin Mulliner <collinrm@squareup.com>
Since commit: 24a3cbfa73
ueventd is attempting to relabel devices on calls to
make_device() when the device already exists. However, it
should only be called if the contexts for relabelfrom and
relabelto are different.
When this condition occurs, one will see denials like this:
[ 14.409448] type=1400 audit(978307239.225:26): avc: denied { relabelfrom } for pid=1572 comm="ueventd" name="ttyS0" dev="tmpfs" ino=9613 scontext=u:r:ueventd:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file permissive=1
[ 14.428107] type=1400 audit(978307239.225:27): avc: denied { relabelto } for pid=1572 comm="ueventd" name="ttyS0" dev="tmpfs" ino=9613 scontext=u:r:ueventd:s0 tcontext=u:object_r:hci_attach_dev:s0 tclass=chr_file permissive=1
Bug: 29106809
Change-Id: I2105b169206f0b26420f3c4b0ba5c49aeb98da92
Signed-off-by: William Roberts <william.c.roberts@intel.com>
am: 0da9f42f2c
* commit '0da9f42f2c2ec6985018ad45603b32532d096a60':
init: support matching sysfs class paths in ueventd.rc
Change-Id: Ifc85ba3205a5207a4285da94b483164490dbde4d
Currently, ueventd.rc files only support /sys/devices/... paths
and don't support symlinked paths, specifically /sys/class/...
Supporting the class paths is necessary to have non-hardware
dependent paths. Some subsystems like IIO use /sys/bus/iio/, so
support that as well.
Change-Id: I29f3bf67b41664d1d75ac1820c46e13afe336d56
Signed-off-by: Rob Herring <robh@kernel.org>
fixup_sys_perms does the same matching as the function perm_path_matches
other than the leading '/sys'. Adjust the path and use the common
matching function. Replace the fixed length C strings with std::string.
Change-Id: Ic09d91aa4ac1f1096018617537d782b82ee9ef63
Signed-off-by: Rob Herring <robh@kernel.org>
If we fail to set a crypto policy on a system-DE directory, this is a
serious and unrecoverable condition; the only way forward is to erase
the entire device. In a future commit we will also allow users the
option of booting again.
Bug: 28318405
Change-Id: Iff1e52c5bbee1beed29dc4b609d24bfeb7d138da
Switch insmod from using init_module to finit_module. From
"man finit_module":
The finit_module() system call is like init_module(), but reads the
module to be loaded from the file descriptor fd. It is useful when the
authenticity of a kernel module can be determined from its location in
the file system; in cases where that is possible, the overhead of
using cryptographically signed modules to determine the authenticity
of a module can be avoided.
finit_module is preferred over init_module because it allows LSMs, such
as SELinux, to perform a permission check on kernel module loads based on
the file from which the module is loaded. This functionality is not yet
implemented in the Linux kernel, but is on the SEAndroid TODO list.
See https://bitbucket.org/seandroid/wiki/wiki/ToDo
Bug: 27824855
(cherry picked from commit 124a9c97e9)
Change-Id: I5e87de1a7b8c3d8849bf757c71b08e81c378b021
There is a race in ueventd's coldboot procedure that permits creation
of device block nodes before platform devices are registered. This happens
when the kernel sends events for adding block devices during ueventd's
coldboot /sys walk.
In this case the device node links used to compute the SELinux context
are not known and the node is created under the generic context:
u:object_r:block_device:s0.
A second add event for block device nodes is triggered after the platform
devices are handled by ueventd and the SELinux context is correctly computed
but the mknod call fails because the node already exists. This patch handles
this error case and updates the node's security context.
The race is introduced by the uevent sent from the sdcard device probe
function. The issue appears when this uevent is triggered during ueventd's
coldboot procedure but before the /sys/devices recursive walk reached the
corresponding sdcard platform device path.
The backtrace looks something like:
1. ueventd_main()
2. device_init()
3. coldboot("/sys/devices");
4. do_coldboot()
5. handle_device_fd()
6. handle_device_event()
6.1 handle_block_device_event()
6.2 handle_platform_device_event()
Because handle_device_fd() reads all events from the netlink socket it may
handle the add events for the sdcard partition nodes send occasionally by the
kernel during coldboot /sys walk procedure.
If handle_device_event() continues with handle_block_device_event()
before handle_platform_device_event() registers the sdcard platform device then
handle_block_device_event() will create device nodes without knowing all block
device symlinks (get_block_device_symlinks()):
1. handle_device(path=/dev/block/mmcblk0p3, links = NULL)
2. make_device(path=/dev/block/mmcblk0p3, links = NULL)
3. selabel_lookup_best_match(path=/dev/block/mmcblk0p3, links = NULL)
returns the default context (u:object_r:block_device:s0) for
/dev/block/mmcblk0p3 instead of more specific context like:
u:object_r:boot_block_device:s0
4. setfscreatecon(u:object_r:block_device:s0)
5. mknod(/dev/block/mmcblk0p3)
So the node is create with the wrong context. Afterwards the coldboot /sys walk
continues and make_device() will be called with correct path and links.
But even if the secontext is computed correctly this time it will not be
applied to the device node because mknod() fails.
I see this issue randomly appearing (one time in 10 reboots) on a Minnoboard
Turbot with external sdcard as the boot device.
BUG=28388946
Signed-off-by: Mihai Serban <mihai.serban@intel.com>
(cherry picked from commit 24a3cbfa73)
Change-Id: I2d217f1c8d48553eb4a37457dbf27fff54051cf9
There is a race in ueventd's coldboot procedure that permits creation
of device block nodes before platform devices are registered. This happens
when the kernel sends events for adding block devices during ueventd's
coldboot /sys walk.
In this case the device node links used to compute the SELinux context
are not known and the node is created under the generic context:
u:object_r:block_device:s0.
A second add event for block device nodes is triggered after the platform
devices are handled by ueventd and the SELinux context is correctly computed
but the mknod call fails because the node already exists. This patch handles
this error case and updates the node's security context.
The race is introduced by the uevent sent from the sdcard device probe
function. The issue appears when this uevent is triggered during ueventd's
coldboot procedure but before the /sys/devices recursive walk reached the
corresponding sdcard platform device path.
The backtrace looks something like:
1. ueventd_main()
2. device_init()
3. coldboot("/sys/devices");
4. do_coldboot()
5. handle_device_fd()
6. handle_device_event()
6.1 handle_block_device_event()
6.2 handle_platform_device_event()
Because handle_device_fd() reads all events from the netlink socket it may
handle the add events for the sdcard partition nodes send occasionally by the
kernel during coldboot /sys walk procedure.
If handle_device_event() continues with handle_block_device_event()
before handle_platform_device_event() registers the sdcard platform device then
handle_block_device_event() will create device nodes without knowing all block
device symlinks (get_block_device_symlinks()):
1. handle_device(path=/dev/block/mmcblk0p3, links = NULL)
2. make_device(path=/dev/block/mmcblk0p3, links = NULL)
3. selabel_lookup_best_match(path=/dev/block/mmcblk0p3, links = NULL)
returns the default context (u:object_r:block_device:s0) for
/dev/block/mmcblk0p3 instead of more specific context like:
u:object_r:boot_block_device:s0
4. setfscreatecon(u:object_r:block_device:s0)
5. mknod(/dev/block/mmcblk0p3)
So the node is create with the wrong context. Afterwards the coldboot /sys walk
continues and make_device() will be called with correct path and links.
But even if the secontext is computed correctly this time it will not be
applied to the device node because mknod() fails.
I see this issue randomly appearing (one time in 10 reboots) on a Minnoboard
Turbot with external sdcard as the boot device.
BUG=28388946
Change-Id: I96e239af29d82b753e5d349b3ecefaad09edee87
Signed-off-by: Mihai Serban <mihai.serban@intel.com>
The old way (using triggers) starts defaultcrypto twice because
queue_property_triggers_action retriggers the action.
Bug: 27452459
Change-Id: I48c844836f551673d0dbfed6c33bd8ee1e035f40
am: 1397e7a
* commit '1397e7af4b432d174dbbc7400cca9a00ce34ea5d':
ueventd: convert to use pwd family of functions
Change-Id: I02c1d78835054bd296ce84586410bbcee1760a9c
Switch ueventd to use the grp.h and pwd.h family of
functions for converting strings to uids. This removes the
need for using android_filesystem_config.h.
Change-Id: I25a6f536bb11683d5cd69a0d7b348d25a272dd3b
Bug: 27999086
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Remove android_filesystem_config.h since it was not being used.
Change-Id: I691513d50a3fdb7563a63aee7551137ba983825c
Bug: 27999086
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Start to move users of android_filesystem_config.h to use the
standard grp and pwd interface functions.
Advantages:
* one copy of android_ids in libc, removing it from init objects.
* immediately starts oem_xxx users and groups in rc.
* future will support _named_ oem ids via backend improvements.
Change-Id: Ib1ae1e0cbdcaaf60deb3759681a6030b615c069c
Bug: 27999086
Signed-off-by: William Roberts <william.c.roberts@intel.com>
(cherry pick from commit a98cc9c202)
Try writing a "0" into:
- /sys/class/leds/lcd-backlight/brightness
- /sys/class/backlight/*/brightness
to turn off the backlight during shutdown cleanup.
Bug: 27506425
Change-Id: Ic8a44dc8909b303f24e14f71cfb43292df60efde
Try writing a "0" into:
- /sys/class/leds/lcd-backlight/brightness
- /sys/class/backlight/*/brightness
to turn off the backlight during shutdown cleanup.
Bug: 27506425
Change-Id: Ic8a44dc8909b303f24e14f71cfb43292df60efde
Switch insmod from using init_module to finit_module. From
"man finit_module":
The finit_module() system call is like init_module(), but reads the
module to be loaded from the file descriptor fd. It is useful when the
authenticity of a kernel module can be determined from its location in
the file system; in cases where that is possible, the overhead of
using cryptographically signed modules to determine the authenticity
of a module can be avoided.
finit_module is preferred over init_module because it allows LSMs, such
as SELinux, to perform a permission check on kernel module loads based on
the file from which the module is loaded. This functionality is not yet
implemented in the Linux kernel, but is on the SEAndroid TODO list.
See https://bitbucket.org/seandroid/wiki/wiki/ToDo
Bug: 27824855
Change-Id: Id0ea88cd1930393c8c73ce38e63d5b2eeadf946a
Prebuilt kernels have not been updated with the requisite patches.
This reverts commit c819e78e7f.
Change-Id: I8e63373a9b8a1e5adcb2471dfe43bde28e3f8e65
Also make sure it is above a minimum threshold, else abort.
(cherry-pick of internal commit: 5d36813dc8)
Bug: 27681085
Change-Id: Ia1d9583254fd64828092533298a99ec64b8233f7
This CL allows enabling of multiple consoles. A service can be
mapped to a specific console by providing the optional argument,
IE "tty0", to "console" service attribute as follows:
service fbconsole /system/bin/sh
class core
console tty0
disabled
user shell
group shell log readproc
seclabel u:r:shell:s0
Bug: None
Change-Id: I3b24e7f6848bbe5c6475f11334c04ec536e6af88
Tracked-On: https://jira01.devtools.intel.com/browse/BP-289
Signed-off-by: Viorel Suman <viorel.suman@intel.com>
This CL allows enabling of multiple consoles. The expected format
of "androidboot.console" kernel parameter is a list of available
consoles, as follows:
androidboot.console=tty0:ttyS0
A service can be mapped to a specific console by providing the
optional argument, IE "tty0", to "console" service attribute as follows:
service fbconsole /system/bin/sh
class core
console tty0
disabled
user shell
group shell log readproc
seclabel u:r:shell:s0
Bug: None
Change-Id: I3f8556425c8651bd121995869700f18b23365d55
Tracked-On: https://jira01.devtools.intel.com/browse/BP-289
Remove references to SELinux policy files in /data/security
from libselinux/android.c. In the process all code that is
apparently related to handling an alternate policy and/or
reloading the policy has been removed.
Bug: 26544104
Change-Id: I47bf76ac3c26c5d71f92a21ffac2b17ba14262ea
Also cleans up two instances of open() with useless mode params, and
changes a few uses of snprintf to use sizeof(buffer) instead of
hardcoded buffer sizes.
Change-Id: If11591003d910c995e72ad8f75afd072c255a3c5
Be consistent when mounting filesystems, and mount selinuxfs
at the same time other filesystems are mounted. In particular,
this ensures that a /sys/fs/selinux/null is available at early
boot, avoiding an unnecessary mknod call.
Change-Id: I01e6b3900f48b4cb3f12d8a928e1e95911524252
Instead of using chown, use the symlink safe lchown.
Instead of using chmod, use the symlink safe fchmodat
with AT_SYMLINK_NOFOLLOW.
Fix a bug where the SELinux filesystem creation context may
not be restored, and some memory not freed, if bind() fails.
Check the return values from the chown/chmod calls and unlink
the files if it ever fails.
(cherrypicked from commit ab5629c197)
Bug: 27337831
Change-Id: I28c5f4dee55aa706437eb51ad403c1fbf56138de
Instead of using chown, use the symlink safe lchown.
Instead of using chmod, use the symlink safe fchmodat
with AT_SYMLINK_NOFOLLOW.
Fix a bug where the SELinux filesystem creation context may
not be restored, and some memory not freed, if bind() fails.
Check the return values from the chown/chmod calls and unlink
the files if it ever fails.
Bug: 27337831
Change-Id: I3343786f5a4eefda7bbb8317f2eca16bd21003c0
When child (pid==0) executes fork branch 'pid_str'
will always be 0 writting wrong value to file(s).
Fix by utilizing getpid() to obtain correct pid.
Tracker link provides some insight on why use cases
aren't broken.
Bug: https://code.google.com/p/android/issues/detail?id=200392
Change-Id: I29989365a8bac94502c090918fa30e5cc88eb1ea
Signed-off-by: Anestis Bechtsoudis <anestis@census-labs.com>
This ensures that all users on device follow a consistent path for
setup and validation of encryption policy.
Also add remaining user-specific directories and fix linking order.
Bug: 25796509
Change-Id: I8c2e42a78569817f7f5ea03f54b743a6661fdb9c
In function 'load_firmware', parameter 'buf' passed to 'write'
is wrong. To fix it, use android::base::WriteFully to replace.
Change-Id: I13f79bdc9be9e5eb669f6bd975535b1dce965ef0
Signed-off-by: Biao Lu <biao.lu@intel.com>
Best practice for services that reside on the system, vendor, and odm
partitions is to have a corresponding init .rc file in the
/{system,vendor,odm}/etc/init directory, which contains its service
entry and any related actions.
Change-Id: I26204f9a0f09ce8069f3791ccd9ee61d164a048f
In current implementation, the mount_all command imports all .rc files
under /{system,vendor,odm}/etc/init/ after mouting filesystems is complete.
There's a need from ODMs to import different .rc files under different boot
modes (e.g., factory mode). Without this support, they will have to fiddle
around the init implementation.
This commit makes mount_all import the .rc files/directories specified
as additional arguments. If no path is given, the original ones are applied
the same way as the current implementation.
BUG: 26549689
Change-Id: Ie67ce13dde4c440ff8bf534826bc392c882a433f
Changes to the way FBE works to support lifecycles mean that these
commands aren't needed any more.
Bug: 22358539
Change-Id: Id73339e0aa8070dd688f35b5d59de75236961395
Don't spend CPU cycles formatting a bunch of strings if we're
just going to throw them away later. Maybe make booting faster.
Change-Id: I4d8eb99fb3fa873ca91cf776933d0ad01988abf5
Currently, properties that begin with "ro." are special cased to skip
over the "ro." part of the prefix before matching with entries in
property_contexts. This is not strictly needed however and it is
causing complications with the separated prop files work from Bug
21852512, so it is now removed.
Bug 26425619
Change-Id: I3cd14fa2176f96b3931e5f6a50c4a7bcd3af3da6
When ro.build.shutdown_timeout is set, init will send a SIGTERM signal to
all services on reboot. The normal shutdown process will continue once
all services have exited or after the shutdown timeout
(ro.build.shutdown_timeout).
If ro.build.shutdown_timeout is not set, we assume a 0s timeout.
Bug: 26216447
Test: manual: Ask to reboot. All services exit cleanly.
Change-Id: If921f6e8d87211e500ac9fa86f3e1eabe02d18cf
If ro.oem_unlock_supported is specified for the device and it supports
verified boot, export lock status in ro.boot.flash.locked.
Bug: 26039090
Change-Id: Ie7844aeb458c97944c72d46ea962b9cfb0a7875d
This is deadcode as property_init() will only ever be called once and
the only remaining caller of properties_initialized() is
Service::NotifyStateChange() which can only be called after properties
have been initialized.
Change-Id: Ie071af84fcdbead72d259890fc8fb8db624282e7
If __system_property_area_init() fails, there is a fundamental issue
with the system and we should abort from init.
Bug: 21852512
Change-Id: I05d7978ba3bcc347027a6d9443de7cdd229033d2
If the device is corrupted, set up dm-verity in EIO mode instead of
logging mode. This prevents corrupted blocks from being returned to
user space. Note that restart mode is used by default and a warning
will be displayed to the user after corruption is first detected.
Bug: 19277516
Change-Id: I38966d73eb814836bc34b4bad1192583e5010b36
/property_contexts exists before selinux policies are loaded, so we must
restorecon before other processes can access it
Bug: 21852512
Change-Id: Ie983caac635eb928ab19eea996a5625f3673de39
The init language supports setting the creation context of a socket
as the 6th argument to the socket keyword. For example, in the
following service, the context associated with the netd socket
is u:r:netd:s0
service netd /system/bin/netd
class main
socket netd stream 0660 root system u:r:netd:s0
socket dnsproxyd stream 0660 root inet
socket mdns stream 0660 root system
socket fwmarkd stream 0660 root inet
The 6 argument form of the socket statement is rarely if ever used,
since the init code supplies a sensible default.
Currently, there's no error checking on the value supplied as
the 6th argument. For example, if you have the following socket
statement:
socket netd stream 0660 root system graphics
a socket will attempt to get created with an invalid "graphics"
context. When setsockcreatecon fails, it retains the default socket
creation context, which for init is u:r:init:s0. This results in a
socket being created which is in an unexpected context.
Check the return value from the setsockcreatecon() call. If an
invalid context is specified, return early and don't subsequently
attempt to create the socket with the default context.
Bug: 25851205
Change-Id: Ic66cd6f7efe3897fb247b587ddeac5d35e1602b7
Add the following mount options to the /proc filesystem:
hidepid=2,gid=3009
This change blocks /proc access unless you're in group 3009
(aka AID_READPROC).
Please see
https://github.com/torvalds/linux/blob/master/Documentation/filesystems/proc.txt
for documentation on the hidepid option.
hidepid=2 is preferred over hidepid=1 since it leaks less information
and doesn't generate SELinux ptrace denials when trying to access
/proc without being in the proper group.
Add AID_READPROC to processes which need to access /proc entries for
other UIDs.
Bug: 23310674
Change-Id: I22bb55ff7b80ff722945e224845215196f09dafa
Now that libselinux uses libpackagelistparser, in order
for libpackagelistparser to be properly statically linked
liblog must come after libselinux for all the liblog
references to be defined in libpackagelistparser which
is included in libselinux. This patch corrects that order.
Change-Id: I7aee10c9395310919779ed2463aab6b2f8b380cc
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Keeping these means that every build has different init and debuggerd
binaries, even if the source was the same. So OTAs that don't touch
these sources would still need to update the binaries.
Both of these messages are only informational, so can be safely removed.
Bootchart already encodes build-specific information from the system
properties.
Bug: 24204119
Change-Id: I7ebd65a20a3e031e7528c9f741616e20b3cd7446
* commit '2fb90dc8b2b590e674c5e433e8bf3d3f08a887c8':
debuggerd: audit pid, uid and gid on SE Linux denial
property_service: log pid,uid and gid of setprop client
The cost of generating and throwing away a bunch of stuff that no one
normally sees is high enough to be worth avoiding.
Here's AOSP ToT on N9...
init: (Parsing /system/etc/init/atrace.rc took 0.0112s.)
init: (Parsing /system/etc/init/bootanim.rc took 0.0094s.)
init: (Parsing /system/etc/init/crash_reporter.rc took 0.0103s.)
init: (Parsing /system/etc/init/debuggerd.rc took 0.0090s.)
init: (Parsing /system/etc/init/debuggerd64.rc took 0.0085s.)
init: (Parsing /system/etc/init/drmserver.rc took 0.0078s.)
init: (Parsing /system/etc/init/dumpstate.rc took 0.0073s.)
init: (Parsing /system/etc/init/gatekeeperd.rc took 0.0063s.)
init: (Parsing /system/etc/init/installd.rc took 0.0067s.)
init: (Parsing /system/etc/init/keystore.rc took 0.0060s.)
init: (Parsing /system/etc/init/lmkd.rc took 0.0060s.)
init: (Parsing /system/etc/init/logcatd.rc took 0.0059s.)
init: (Parsing /system/etc/init/logd.rc took 0.0068s.)
init: (Parsing /system/etc/init/mdnsd.rc took 0.0057s.)
init: (Parsing /system/etc/init/mediaserver.rc took 0.0064s.)
init: (Parsing /system/etc/init/metrics_daemon.rc took 0.0063s.)
init: (Parsing /system/etc/init/mtpd.rc took 0.0055s.)
init: (Parsing /system/etc/init/netd.rc took 0.0066s.)
init: (Parsing /system/etc/init/perfprofd.rc took 0.0057s.)
init: (Parsing /system/etc/init/racoon.rc took 0.0054s.)
init: (Parsing /system/etc/init/rild.rc took 0.0061s.)
init: (Parsing /system/etc/init/servicemanager.rc took 0.0063s.)
init: (Parsing /system/etc/init/surfaceflinger.rc took 0.0061s.)
init: (Parsing /system/etc/init/uncrypt.rc took 0.0068s.)
init: (Parsing /system/etc/init/vdc.rc took 0.0065s.)
init: (Parsing /system/etc/init/vold.rc took 0.0063s.)
0.0112+0.0094+0.0103+0.0090+0.0085+0.0078+0.0073+0.0063+0.0067+0.0060+
0.0060+0.0059+0.0068+0.0057+0.0064+0.0063+0.0055+0.0066+0.0057+0.0054+
0.0061+0.0063+0.0061+0.0068+0.0065+0.0063 = 0.1809
And here it is again with the logging disabled:
init: (Parsing /system/etc/init/atrace.rc took 0.0021s.)
init: (Parsing /system/etc/init/bootanim.rc took 0.0006s.)
init: (Parsing /system/etc/init/crash_reporter.rc took 0.0007s.)
init: (Parsing /system/etc/init/debuggerd.rc took 0.0004s.)
init: (Parsing /system/etc/init/debuggerd64.rc took 0.0005s.)
init: (Parsing /system/etc/init/drmserver.rc took 0.0005s.)
init: (Parsing /system/etc/init/dumpstate.rc took 0.0005s.)
init: (Parsing /system/etc/init/gatekeeperd.rc took 0.0005s.)
init: (Parsing /system/etc/init/installd.rc took 0.0005s.)
init: (Parsing /system/etc/init/keystore.rc took 0.0013s.)
init: (Parsing /system/etc/init/lmkd.rc took 0.0006s.)
init: (Parsing /system/etc/init/logcatd.rc took 0.0013s.)
init: (Parsing /system/etc/init/logd.rc took 0.0007s.)
init: (Parsing /system/etc/init/mdnsd.rc took 0.0005s.)
init: (Parsing /system/etc/init/mediaserver.rc took 0.0009s.)
init: (Parsing /system/etc/init/metrics_daemon.rc took 0.0008s.)
init: (Parsing /system/etc/init/mtpd.rc took 0.0011s.)
init: (Parsing /system/etc/init/netd.rc took 0.0005s.)
init: (Parsing /system/etc/init/perfprofd.rc took 0.0005s.)
init: (Parsing /system/etc/init/racoon.rc took 0.0005s.)
init: (Parsing /system/etc/init/rild.rc took 0.0005s.)
init: (Parsing /system/etc/init/servicemanager.rc took 0.0005s.)
init: (Parsing /system/etc/init/surfaceflinger.rc took 0.0005s.)
init: (Parsing /system/etc/init/uncrypt.rc took 0.0005s.)
init: (Parsing /system/etc/init/vdc.rc took 0.0005s.)
init: (Parsing /system/etc/init/vold.rc took 0.0006s.)
0.0021+0.0006+0.0007+0.0004+0.0005+0.0005+0.0005+0.0005+0.0005+0.0013+
0.0006+0.0013+0.0007+0.0005+0.0009+0.0008+0.0011+0.0005+0.0005+0.0005+
0.0005+0.0005+0.0005+0.0005+0.0005+0.0006 = 0.0181
It's less than a second, but one problem is that the cost of the current
dumping is proportional to the number of init.rc files, so the more
cleanly you factor things, the more it would cost.
Change-Id: Id96f59e7d0b082d8cfdba4bdbff43a922ba4eeee
When auditing setprop denials, it is often unclear of who the process is
in a multi-process domain. To help identify the invoker, log the pid, uid,
and gid of the caller.
Before:
avc: denied { set } for property=wifi.xxx ...
After:
avc: denied { set } for property=wifi.xxx pid=30691 uid=123 gid=345 ...
Change-Id: I5cdcb3d18fbd52e0987b5e1497b9f6620c6c742a
Signed-off-by: William Roberts <william.c.roberts@intel.com>
device.shell() was changed to return a (stdout, stderr) tuple in
the following CL.
https://android-review.googlesource.com/170420
This CL fixes perfboot.py to work with the return value.
Change-Id: I85d72fc63c1f96257fb19c3051482991a7b4049d
Updates are as follows:
A detailed explanation of event triggers and property triggers
including how they can now be used
A new section describing .rc files, their locations, and the
intentions for each of these locations
A new section describing the import keyword and how it is not a
command but rather its own section
Removal of deprecated or incorrect text
Change-Id: If0a37375ac92a857900f3303ada4ba742360daff
Create a Parser class that uses multiple SectionParser interfaces to
handle parsing the different sections of an init rc.
Create an ActionParser and ServiceParser that implement SectionParser
and parse the sections corresponding to Action and Service
classes.
Remove the legacy keyword structure and replace it with std::map's
that map keyword -> (minimum args, maximum args, function pointer) for
Commands and Service Options.
Create an ImportParser that implements SectionParser and handles the
import 'section'.
Clean up the unsafe memory handling of the Action class by using
std::unique_ptr.
Change-Id: Ic5ea5510cb956dbc3f78745a35096ca7d6da7085
When init queues a trigger, it actually enqueues all of the Actions
that match with that given trigger. This works currently because
all init scripts are loaded and therefore all Actions are available
before init starts queueing any triggers.
To support loading init scripts after init has started queueing
triggers, this change enqueues Trigger objects instead of their
matching Actions. Each Trigger object then matches its associated
Actions during its execution.
Additionally, this makes a few cosmetic clean ups related to triggers.
Bug: 23186545
Change-Id: I5d177458e6df1c4b32b1072cf77e87ef952c87e4
The current behavior, which is to use tags[-1] for end_tag, is good
enough in most cases, but sometime it makes more sense to use a
different one as end_tag.
For example, when optimizing APK scanning code in package manager,
using 'boot_progress_pms_scan_end' as end_tag would give us quicker
benchmark iterations as well as more relevant numbers possibly with
a smaller standard deviation.
Change-Id: Ic6371c936b36d1d87e9742502fd8958682a3b7d5
Previously, the action, command, and service structs contained char*s
that referenced memory within the buffer returned by the strdup() of
the input buffer of parse_config. This prevented this entire memory
region from being freed, leaking contents that would never be referenced again.
The changes to convert the previous action, command, and service
structs to C++ classes created explicit ownership of the contents within
each class in the form of std::strings. With these changes, there are
no remaining references to the memory allocated by this strdup(), which
can now be freed.
This commit replaces the strdup() with std::vector<char> to allow for
the copied string to be freed when it goes out of scope instead of
relying on the C strdup() and free() functions.
Change-Id: Id0a5f711e33363082ba201afda6b26043998cb1c
This CL adds --apk-dir option, which specifies the directory
that contains APK files to be installed before measuring
boot time.
BUG: 22207911
Change-Id: Ifeacf34c779248686443a9ef02485272c140a456
'sf_stop_bootanim' is useful for tracking the time wasted by
showing the 'outro' part of the boot animation.
'wm_boot_animation_done' is also useful for tracking user
perceived boot time.
(cherry-pick of cbcf2778c3)
Bug: 22207911
Change-Id: I3549338a2161fa29675993c239f57809270797f8
This creates the concept of 'event_trigger' vs 'property_trigger'
Previously these were merged into one, such that 'on property:a=b &&
property:b=c' is triggered when properties a=b and b=c as expected,
however combinations such as 'on early-boot && boot' would trigger
during both early-boot and boot. Similarly, 'on early-boot &&
property:a=b' would trigger on both early-boot and again when property
a equals b.
The event trigger distinction ensures that the first example fails to
parse and the second example only triggers on early-boot if
property a equals b.
This coalesces Actions with the same triggers into a single Action object
Change-Id: I8f661d96e8a2d40236f252301bfe10979d663ea6
Adds a C++ tokenizer along with unit tests.
This tokenizer will replace the current C implementation
which does a poor job of keeping track of pointers.
This CL is a prerequisite for up coming changes to
the parser. This CL does not wire up this tokenizer and
changes no exsiting code. All that builds is the unit tests.
Change-Id: Iec3740bce7153640adc5e5bbdc57e644cedf0038
TEST: Unit tests all pass. No leaks under valgrind
BUG: 22843198
perfboot.py repeats the record of each event log during Android
boot specified times. By default, interval between measurements
is adjusted in such a way that CPUs are cooled down sufficiently
to avoid boot time slowdown caused by CPU thermal throttling.
This script also works around the issue of dropbox slowing down
boot time on userdebug build (http://b/20890386) by limiting
the number of files to be created by dropbox.
The result is output in a tab-separated value format.
BUG: 22207911
Change-Id: I0ddbac5d1c941efda87bc6db6388d8194d4bb3dd
This CL adds a trigger and a service so that Systrace can be used
for tracing events during boot.
persist.debug.atrace.boottrace property is used for switching on
and off tracing during boot. /data/misc/boottrace/categories
file is used for specifying the categories to be traced.
These property and file are rewritten by Systrace when the newly
added option --boot is specified.
Here is an example of tracing events of am and wm catetories
during boot.
$ external/chromium-trace/systrace am wm --boot
This command will cause the device to reboot. Once the device has
booted up, the trace report is created by hitting Ctrl+C.
As written in readme.txt, this mechanism relies on persistent
property, so tracing events that are emitted before that are not
recorded. This is enough for tracing events after zygote is
launched though.
This only works on userdebug or eng build for security reason.
BUG: 21739901
Change-Id: I03f2963d77a678f47eab5e3e29fc7e91bc9ca3a4
Support added so init scripts can now import directories.
BUG: 22721249
Change-Id: I02b566bfb50ea84469f1ea0c6ad205435a1df286
TEST: Tested importing a folder on arm64 emulator
It is only a temporary fix. I hope the code can be moved into a member
function of class Command.
Bug: 22654233
Change-Id: I38c24fb624e54986a953f44d398b3b80c3795d24
Instead, run the command only when sys.powerctl is set to
"shutdown,userrequested". This way, we can avoid running
fsck when shutdown is triggered due to a low power state.
This is a follow-up CL for http://r.android.com/158525.
Bug: 21853106
Change-Id: Ie57c23cd25162cc2a8726f876a9ba212080105fb
- Get rid of log stutter, tag (executable basename) is added by
the logging routines
Bug: 17914575
Change-Id: If00eb1b915065fb52c9311648b7ada4c9e2696bd
When SELinux is in enforcing mode, any process executed by
init must have a domain transition defined. See
https://android-review.googlesource.com/108640 for details. This
prevents an executable spawned by init from remaining in init's
(very powerful) SELinux domain.
However, this is only enforced when SELinux is in enforcing mode.
During new device bringup, it's common to run an Android device
in globally permissive mode. In globally permissive mode, SELinux
denials are logged only, but otherwise ignored. If appropriate
SELinux domain transitions are not defined from init to init spawned
processes, this could cause misleading SELinux denials attributed
to init instead of the child process.
To help address these misleading denials, modify init to not spawn
processes unless a domain transition is defined. This essentially
enforces the rules in https://android-review.googlesource.com/108640
on both permissive and enforcing kernels.
While I'm here, change some "freecon()" calls to "free()", with the
long term goal of deleting freecon() entirely.
Change-Id: I3ef3a372bb85df61a3f6234cb1113cc25fc6506a
and run fsck with -f on clean shutdown instead.
With -f, fsck.f2fs always performs a full scan of the /data
partition regardless of whether the partition is clean or not.
The full scan takes more than 2 seconds on volantis-userdebug
and delays the OS boot.
With -a, the command does almost nothing when the partition
is clean and finishes within 20-30ms on volantis-userdebug.
When the partition has an error or its check point has
CP_FSCK_FLAG (aka "need_fsck"), the command does exactly the
same full scan as -f to fix it.
Bug: 21853106
Change-Id: I126263caf34c0f5bb8f5e6794454d4e72526ce38
When launched with "-bootchart <timeout>", the Android emulator appends
"androidboot.bootchart=<timeout>" to the kernel command line, which
signals /init to start bootcharting. However, the current implementation
of bootchart_init() in init/bootchart.cpp does not parse the timeout
value correctly, preventing bootcharting to be enabled on the emulator.
This bug was introduced by commit 841b263 ("Further refactoring of the
bootchart code"). Fix it to honor the "androidboot.bootchart" trigger.
Change-Id: I221fe2c2f40a3a04bd478c3a083f7723bc309c8c
Signed-off-by: Yu Ning <yu.ning@intel.com>
* commit 'ee923139c346e6751203fc7d2a341388e01c7b19':
Set up user directory crypto in init.
logd: switch to unordered_map from BasicHashtable
rootdir: make sure the /oem mountpoint is always available
File level encryption must get the key between mounting userdata and
calling post_fs_data when the directories are created. This requires
access to keymaster, which in turn is found from a system property.
Split property loaded into system and data, and load in right order.
Bug: 22233063
File level encryption must get the key between mounting userdata and
calling post_fs_data when the directories are created. This requires
access to keymaster, which in turn is found from a system property.
Split property loaded into system and data, and load in right order.
Bug: 22233063
Change-Id: I8a6c40d44e17de386417a443c9dfc3b4e7fe59a5
android_name_to_id() returns -1U on error, which causes a
crash when the following clang options are enabled:
-fsanitize=signed-integer-overflow,unsigned-integer-overflow
-ftrap-function=abort
-fsanitize-undefined-trap-on-error
Rather than returning a negative unsigned value (which doesn't
make a lot of sense, IMHO), return a positive unsigned value.
While we're here, add logging on decode_uid failures.
Bug: 21880301
Change-Id: I652e4c1daa07c7494cceca2b4e1656b9158f2604
This adds the "writepid" option that instructs init to write the child's
pid to the given filenames (such as /dev/cpuctl/bg_non_interactive/cgroup.procs
and/or /dev/cpuset/foreground/cgroup.procs).
Bug: http://b/21163745
Change-Id: I121bb22aa208bc99c4fb334eb552fdd5bcc47c1a
(cherry picked from commit d62f0608d9)
This adds the "writepid" option that instructs init to write the child's
pid to the given filenames (such as /dev/cpuctl/bg_non_interactive/cgroup.procs
and/or /dev/cpuset/foreground/cgroup.procs).
Bug: http://b/21163745
Change-Id: I121bb22aa208bc99c4fb334eb552fdd5bcc47c1a
Shamu boots, but hammerhead doesn't. Likely cause is this change.
This reverts commit 18ae44bf3d.
Bug: 21880301
Change-Id: I490816060209c15aa07c783d05fe5b141c7c9023
Usage: system/core/init/compare-bootcharts.py base_bootchart_dir
exp_bootchart_dir
For example, here is the output where the bootanimation is changed
from "d 0 0 part2" to "c 0 0 part2":
--
process: baseline experiment (delta)
- Unit is ms (a jiffy is 10 ms on the system)
------------------------------------
/init: 50 40 (-10)
/system/bin/surfaceflinger: 4320 4470 (+150)
/system/bin/bootanimation: 6980 6990 (+10)
zygote64: 10410 10640 (+230)
zygote: 10410 10640 (+230)
system_server: 15350 15150 (-200)
bootanimation ends at: 33790 31230 (-2560)
--
In this example bootanimation is finished (estimated) 2.56 seconds sooner.
Change-Id: I39d59897c8c53d7d662676813e884b9d58feec3c
d34e407aeb removed support for
running with SELinux completely disabled. SELinux must either be
in permissive or enforcing mode now.
Remove unnecessary calls to is_selinux_enabled(). It always returns
true now.
Change-Id: Ife3156b74b13b2e590afe4accf716fc7776567e5
This new property is used as a control verb for running a recursive
restorecon at the path contained in the property value.
Shifts both SELinux actions to occur before the actual property set
occurs, so setters can watch for completion.
Bug: 21121357
Change-Id: I3db3eb876ae66e144b3bfd648349b66a028511fd
* commit 'e0e565635a7c6c36a05282622c01203afbec5ca5':
init.rc: logd: Add logpersistd (nee logcatd)
init: change exec parsing to make SECLABEL optional
logcat: -f run in background
logcat: -f flag to continue
As 1s timeout can be requested, using second resolution time to check
for timeout prevent from being accurate on the actual time we wait.
Use available gettime_ns instead.
Bug: 21374269
Change-Id: I8be1b69e02beacc7196427f97855e036addf54d1
Signed-off-by: Thierry Strudel <tstrudel@google.com>
read_file() used to append a new line character to the end of the buffer it
returns, because parse_config() isn't able to cope with input that's not
'\n'-terminated. Fix read_file() to be less insane, and push the workarounds
into the parse_config() callers.
Longer term we should rewrite parse_config().
Bug: http://b/21079470
Change-Id: Ie9d9a7adcd33b66621726aef20c4b8cc51c08be7
(cherry picked from commit eaa3b4ec6f)
read_file() used to append a new line character to the end of the buffer it
returns, because parse_config() isn't able to cope with input that's not
'\n'-terminated. Fix read_file() to be less insane, and push the workarounds
into the parse_config() callers.
Longer term we should rewrite parse_config().
Change-Id: Ie9d9a7adcd33b66621726aef20c4b8cc51c08be7
Helped debug a problem where the N9 bootloader incorrectly
concatenated the various command lines.
Bug: http://b/20906691
Change-Id: I0580b06f4185129c7eedf0bdf74b5ce17f88bf9c
Remove support for androidboot.selinux=disabled. Running with SELinux
disabled is not a supported configuration anymore. SELinux must be
in enforcing in shipping devices, but we also support permissive for
userdebug/eng builds.
Don't try security_setenforce() if we're already in enforcing mode.
A kernel compiled without CONFIG_SECURITY_SELINUX_DEVELOP does
not have a permissive mode, so the kernel will already be enforcing
once the policy is loaded.
Bug: 19702273
Change-Id: I07525a017ddb682020ec0d42e56a2702c053bdeb
Don't double mount /dev and its subdirectories anymore. Instead, the
first stage init is solely responsible for mounting it.
Don't have init prepare the property space. This is the responsibility
of the second stage init.
Don't have SELinux use the property space to determine how we should
be running. Instead, create a new function and extract the data we
need directly from /proc/cmdline. SELinux needs this information in
the first stage init process where the property service isn't available.
Change-Id: I5b4f3bec79463a7381a68f30bdda78b5cc122a96
SELinux provides it's own /dev/null character device at
/sys/fs/selinux/null. This character device is exactly the same
as /dev/null, including the same major/minor numbers, and can
be used wherever /dev/null is used.
Use /sys/fs/selinux/null instead of trying to create our own
/dev/__null__ device. This moves us one step closer to eliminating
all uses of mknod() by init.
/sys/fs/selinux/null is only available once the /sys/fs/selinux filesystem
is mounted. It's not available to the first stage init, so we
still have to fall back to mknod then.
Change-Id: Ic733767ea6220a130537de33cc478ae79578ce20
The first stage init mounts /proc and /sys, and then the second
stage init also mounts /proc and /sys on top of the existing mount.
Only mount these two directories once, in the first stage init.
Not yet fixed: the double mounting of /dev. Removing the double
mounting doesn't work right now because both init stages are trying
to create a property space, and if the double mount of /dev goes away,
the property service in the second stage init fails to work.
Change-Id: I13719027a47526d074390c2b1a605ad99fb43a8f
write_file() returned -errno on error, not -1. Callers who check for
-1 would falsely believe that the write was successful when it wasn't.
Fixup write_file so that it return -1 on error consistent
with other functions.
Change-Id: Ic51aaf8678d8d97b2606bd171f11b3b11f642e39
Not just because it's what the cool kids are doing --- it also lets us
simplify the inner loop and decouple it from whatever systems want to
be woken to perform some activity if there's data to be read on some fd.
Currently this is just used to clean up the existing signal handling,
keychord, and property service code.
Change-Id: I4d7541a2c4386957ad877df69e3be08b96a7dec5
All the code that was being delayed does is create a socket. We can
do that straight away, avoid the overhead, and simplify our main loop.
The keychord fd, on the other hand, seems a little tricky. It looks
like /dev/keychord isn't immediately available, at least not on N9;
we have to wait for ueventd to set us up the bomb.
Change-Id: I020e75b8e4b233497707f0a3cbbb6038b714161f
We can set it up earlier, and error reporting like this helped me find
the SELinux problem with the last change to this code.
Change-Id: If0f38bc5ff0465c4030e2d39d34f31f49b2d8487
This reverts commit b862bd00a4.
This change was fine but an earlier change it depended on was broken.
That change has been fixed and resubmitted.
Bug: http://b/19702273
Change-Id: I17e565721026e48e2a73526f729f2481d4d6edb5
This reverts commit 4217374611.
It turns out that the kernel passes any unrecognized arguments on to init,
and (at least) N6 and N9 have such arguments. My lazy check of argc was
thus insufficient to recognize what stage of init we were in, so we'd
skip to stage 2 and not set up SELinux. And apparently you can get a
very long way with SELinux off... We'll fix that in a later change.
Bug: 19702273
Change-Id: I43b3fb722fed35dd217cb529cbcac9a29aff4e4b
Certain platforms list their platform devices with a path other than
the current /devices or /devices/platform. Additionally, sometimes
these paths are a platform device themselves. An example are devices
with a path /devices/soc.0/... where /devices/soc.0 is also a platform
devices.
Instead of continuing to special case these path prefixes, we can
consider the entire path, given that no mmc or usb devices create
platform devices as subdevices, which they should not by their very
nature.
This keeps the symlinks for block devices named identically for
current platform devices and places them in /dev/block/<full path to
device> for devices in locations other than /devices or
/devices/platform, eg /dev/block/platform/soc.0/7824900.sdhci
This keeps the symlinks for character deviced named identically for
all cases.
Change-Id: Ifc8eedf1086db1826dbc8f7e96cdfcfa5da876b3
Fixes init deadlock when an exec command was called
in an on-init section.
The exec command handling relies on that the signal handler
mechanism is working to know when to continue executing
commands.
Change-Id: Ib0ce75ffad7cf3bf926c93d0506b2fe3e5a92630
Move fastboot's format logic into fs_mgr, to consolidate the knowledge
about how to do this (and when to wipe metadata).
Try to format these formattable paritions if they are wiped.
If formatting fails, we will fall out to let recovery mode handle it.
Bug: 20082763
Change-Id: I397cc197550e78d932e8a154fd234695c46dbe7b
- Cleanup the code to get filesystem size in a block device
- Add support to reading size of squashfs in a block device
Change-Id: I3848a705ed4dc2fc9afad20331f0fdecfee545c5
Signed-off-by: Mohamad Ayyash <mkayyash@google.com>
Set the verity mode as the value for partition.%s.verified to make it
easier for userspace to determine in which mode dm-verity was started.
Change-Id: Icc635515f8a8ede941277aed196867351d8387cb
Make it clearer in dmesg when we're deliberately not doing
bootcharting, and explain in the documentation that the output
for init is quite misleading (and, as far as I can tell, not
within our power to fix).
Change-Id: I0b22a56f83521d64c6d176dc423c81f7ea86b23c
Also don't manually set FD_CLOEXEC on a socket that's always opened
with SOCK_CLOEXEC. (None of the other callers to the function do this.)
Also move locals to where they're first used to help prevent more of this
kind of breakage.
Change-Id: I1ba7cd9400f53508dffb51a2bbf9d491ae647f26
Also make important events in init's life NOTICE rather than INFO,
and ensure that NOTICE events actually make it to the kernel log.
Also fix the logging so that if you have a printf format string
error, the compiler now catches it.
Also give messages from init, ueventd, and watchdogd distinct tags.
(Previously they'd all call themselves "init", and dmesg doesn't
include pids, so you couldn't untangle them.)
Also include the tag in SELinux messages.
Bug: 19544788
Change-Id: Ica6daea065bfdb80155c52c0b06f346a7df208fe
Neither of the built-in verity state commands accept arguments, so
set the number of required arguments to zero.
Change-Id: Id57fe671b6b82eaf1e43b8ed7ff9d1e502ada5bd
- Make sure compatible DT node is "android,firmware"
- Set ro.boot.* properties from firmware/android/ DT node
(cherry-pick of cbcbea27c70846a96f4bba2f7cb245f937de4d3f.)
Change-Id: If3d0716831516cb3d3fde1f75d57e2691d42d054
Add a command that updates dm-verity state and sets partition.%.verified
properties used by adb remount.
This is needed in init since fs_mgr cannot set properties:
I6a28cccb1ccce960841af20a4b20c32d424b5524
Change-Id: I0fdf5bc29c56690dcadff9d0eb216d3c68483538
- Clean up the paths for ro.revision and ro.hardware parsing
- Use ro.hardwre in ueventd instead of parsing the kernel command line
(cherry-pick of 38b340a52f8e864650db8bae1eb88d5c00485db0.)
Bug: 19366018
Change-Id: I018a293f3d46e736a8b65132b5b00b0f7c20edae
These were leftovers from the SELinux boolean support that
was originally merged. Since Android prohibits SELinux policy
booleans, we can just drop it.
Change-Id: I02f646a7d8db65e153702205b082b87a73f60d73
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Adding "setenforce 0" to init.rc isn't a supported way to turn off
SELinux, and doesn't work with AOSP SELinux policy. Remove the code
from init.
Change-Id: If8c8149560789c9a7ba518a0a100e6033bb68898
I've been deliberately vague about the name of the readme because I want to
come back and switch to markdown, but that probably won't happen today.
Change-Id: I60651703709bbfd499227f882eb949396e8f4f6c
Add a built-in command for loading verity state. If dm-verity
will be started in logging mode, trigger verity-logging.
Needs changes from
Ibb82953594d234f81ad21c40f524190b88e4ac8f
Change-Id: I5af4918f2f14fdd4d07f51c55837e08111fd3748
- KISS as all options are now passed to adb for better or worse
- runs bootchart and immediately displays the results
Bug: 19485335
Bug: 18390773
Change-Id: Id32930031371d0368e605810f0c998232a1d4f16
bootchart uses a file on the data partition to decide if it should collect
data for bootchart, but the data partition will be mounted by the mount_all
command in the "on fs" section, and it will be only added into the action
queue when command "trigger fs" is executed, but that's after the
bootchart_init action (late_init).
This change makes bootchart_init a builtin command of init,
and make it executed as the first command of "on post-fs" section
which will be triggered after the "on fs" section.
This change also refactors the bootchart code to all be in bootchart.cpp.
Change-Id: Ia74aa34ca5b785f51fcffdd383075a549b2a99d9
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
In the case of do_write (write to generic file) there
is really no relation to the PROP_VALUE_MAX limitation
of system properties. The current value, 92, is not so
much for writing to files so bump it a bit.
Ideally there should not be any low hard limit in this
case. Either expand_props should allocate the output
buffer or take the output fd and to streaming write.
Such a change is rather invasive though and at this
point in time it seems reasonable that one dont want
more than 256 character strings in the init files.
Change-Id: I846a282ae4e747e6171eef38b302b46287951451
This isn't particularly useful in and of itself, but it does introduce the
first (trivial) unit test, improves the documentation (including details
about how to debug init crashes), and made me aware of how unpleasant the
existing parser is.
I also fixed a bug in passing --- unless you thought the "peboot" and "pm"
commands were features...
Bug: 19217569
Change-Id: I6ab76129a543ce3ed3dab52ef2c638009874c3de
Also switch the revision parsing over to sscanf as promised. I haven't
done the hardware parsing because I don't yet know whether we actually need
to keep the space-stripping code.
Change-Id: Ic33378345cd515cb08d00c543acf44eb72673396
A typo in the documentation for one, and a couple of signed/unsigned warnings
in the implementation of the other.
Change-Id: I8fb4b7448ac901c543dea7420aabcedf13ec1bd8
"&&" operator can now be used to test the validity
of two of more properties.
For example:
on property:test.a=1 && property:test.b=1
setprop test.c 1
The above stub sets the test.c to 1 only when
both test.a=1 and test.b=1
(cherry-pick of 162f7d797c67019a7a3f08c3b0f0ffc91d548ddc.)
Change-Id: I72c19f7aa92231372a416193618ee6c7fd368141
Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
42a9349dc4 modified init's
builtin chmod, chown, and mkdir calls to avoid following
symlinks. This addressed a number of attacks we were seeing
at the time where poorly written init scripts were following
attacker supplied symlinks resulting in rooting vulnerabilities.
To avoid race conditions, the previous implementation only ran
fchown / fchmod on file descriptors opened with open(O_NOFOLLOW).
Unfortunately, unlike the normal "chown" or "chmod" calls, this
requires read or write access to the underlying file. This
isn't ideal, as opening some files may have side effects, or
init may not have permission to open certain files (such as when
SELinux is enabled).
Instead of using open(O_NOFOLLOW) + fchown(), use lchown() instead.
As before, the target of the symlink won't be modified by chown.
This also supports setting the ownership of symlinks.
Instead of using open(O_NOFOLLOW) + fchmod(), use
fchmodat(AT_SYMLINK_NOFOLLOW) instead. As before, the target of the
symlink won't be modified by chmod.
This change will continue to ensure that chown/chmod/mkdir doesn't
follow symlinks, without requiring init to open every file in
read-only or read-write mode.
This change depends on bionic commit I1eba0cdb2c509d9193ceecf28f13118188a3cfa7
Addresses the following mako/occam SELinux denial:
audit(1422770408.951:6): avc: denied { write } for pid=1 comm="init" name="smd7" dev="tmpfs" ino=7207 scontext=u:r:init:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
Change-Id: I14fde956784d65c44e7aa91dd7eea9a004df3081
LOCAL_FORCE_STATIC_EXECUTABLE was not working properly for clang
because -Bstatic was ignored by clang. We can now enable clang
for init after the -static flag is added to link static executable
files in build/core/definitions.mk.
BUG: 18008984
Change-Id: I3f361b83c1e0b313914603dff33fd090cd3b116a
This commit fixes code that incorrectly increments s when it
hits the terminator character of the string being sanitized.
This means it will randomly start trashing memory beyond the
end of the string being sanitized until it happens to hit two
NULs (\0\0) which will break it out of the loop.
(cherry picked from commit 07f3fee164)
Bug: 18885357
Change-Id: If6b01fe2b9bd5985f08f1278deb03b311d0170dc
For build-system CFLAGS clean-up, fix unused variables.
Use a #define instead of static variable in a header file.
Change-Id: Id47bf38e51644b61a9f3ac1893a16553695f1aac
init doesn't start when built with clang.
Set LOCAL_CLANG:=false until this is analyzed and fixed.
Change-Id: I5a7944aef676ce88defe5c0449e712d9812fb5f3
Signed-off-by: Bernhard Rosenkraenzer <Bernhard.Rosenkranzer@linaro.org>
This commit fixes code that incorrectly increments s when it
hits the terminator character of the string being sanitized.
This means it will randomly start trashing memory beyond the
end of the string being sanitized until it happens to hit two
NULs (\0\0) which will break it out of the loop.
Change-Id: I76553d7f183236a78a0bc7b408e92559b98f732f
waitpid breaks whenever child status signals. Need to loop, continuing
on errno EINTR
Bug: 17515976
Change-Id: Ibb29056a38b3c90dc7904de8c6aedb5a362e511d
We originally included a warning to not invoke restorecon_recursive
with a path leading to a shell-writable or app-writable directory
due to concerns about the potential for mischief with symlinks during
the restorecon_recursive. However, this warning was never necessary for
calling restorecon_recursive during system initialization before an adb
shell or app can run, and we have further prohibited init from
reading/following symlinks that can be created by shell or apps in
policy, so this warning is superfluous. It also contradicts current
usage of restorecon_recursive in rootdir/init.rc, since it is called
there on /data.
Change-Id: I28a635e0b5991ced8adcef93e7a04f9d9e5634fd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Need to not set this property) during mount, since it can't
be changed later (ro property)
Also no reason to start class main on encryption cycle - we'll
show surfaceflinger, which is enough UI for this short cycle.
Bug: 17041092
Change-Id: Ica5339c54e45716d0fe20e23c0ab857f388d23ed
Make sure to call _exit instead of exit to avoid triggering exit
handlers that may have existed in the parent process.
Print out a log message when forking to process firmware events fails.
Change-Id: I2436bdf85d9a8ea26b718e62023f1dac89864667
Ideally bootchart collects system data every BOOTCHART_POLLING_MS ms.
However, the current bootchart pacing logic would collect data every
time the main loop in init.c is executed. This results in:
1. Multiple data samples being taken consecutively or prematurely. In
many cases, these data samples have the same timestamp (in jiffies).
The off-line data processing tool would complain about dividing by
zero "interval" and bail out.
2. Because of the ineffective pacing, bootchart data collection would
terminate prematurely. The total duration of data collection is usually
much shorter than what the user specifies.
The fix is to check whether BOOTCHART_POLLING_MS ms has elapsed
before taking a new data sample. For this purpose, /proc/uptime
is used to get the time values, consistent with the precision of
bootchart timestamps.
Change-Id: I106bf91dbda01059b719df6c73b8bd1cd54a64f0
Signed-off-by: Bo (Andover) Zhang <zhang@broadcom.com>
Move the unlink out of init.c and into init.rc, so that the file
will be removed after all the filesystems with firmware are up.
Change-Id: Ifdd5dd1e95d7e064dde5c80b70198882d949a710
Move the unlink out of init.c and into init.rc, so that the file
will be removed after all the filesystems with firmware are up.
Change-Id: I7442df2042cc2788d0301f00e3c2fba7d6e0e1c7
The init process allows environment variables to be specified in
the rc script globally, via 'export', and for a specific process,
via the 'setenv' option.
However, the mechanism for assembling the environment simply
appended the new variable without checking whether it was already
defined, so it was not possible to overwrite an existing entry.
This patch fixes that behaviour.
Limitations and concerns:
The limit of a maximum number of 31 variables is unchanged.
Currently, most callers of "add_environment" do not check the return
value, but the function now logs the failure rather than failing
silently.
Change-Id: Ie9a68c37a0f55c5b40e904e695cd35514f67f480
Currently, the fixup code in fixup_sys_perms() scans through all
entries in uevent*.rc. If it finds a match, then it performs a fixup.
If there's no match in that file, no fixup is performed.
SELinux file labels are independently stored in /file_contexts,
with no relationship to the files in /ueventd.rc. Even when no
entries exist in ueventd.rc, we still want to fixup the SELinux
file label in /sys when a uevent message occurs.
Change-Id: I0ccb5395ec0be9282095b844a5022e8c0d8903ac
If the encryptable partition is wiped (4KB worth of 0 or 0xff),
then reboot into recovery to format /data+/cache
This is while waiting for the Mac OS support to format f2fs.
The flashstation running on Mac OS will currently just erase userdata
and not format it with f2fs.
Bug: 15720406
Bug: 15747366
Change-Id: Ib7cca3e1701483a09573457a835750f34da71ee0
Move the code that attempts to mount alternative fstab entries
into its own function.
Clarify return codes.
Suggest wipe via recovery in error messages.
Bug: 15747366
Change-Id: I3634477cd4d1d73f974f3e906c53285f0d9e0eac
Signed-off-by: JP Abgrall <jpa@google.com>
+ Add a new property, sys.init_log_level, which can be set after init
bootstrap. This will control the level at which init does prints to klog.
Change-Id: Ia15b2110157b5e6b713785ece9b0fb94889be6c8
+ Make prints of rc commands significantly more verbose. All commands
will log all arguments, file/line number of the command, return value,
and parent action which triggered the command.
init: command 'mount tmpfs tmpfs /mnt/obb mode=0755,gid=1000' action=init
status=0 (/init.rc:89)
init: command 'setprop net.tcp.default_init_rwnd 60' action=boot status=0
(/init.rc:403)
Change-Id: I5498c7258e4891706be4a12546df4231d14d86c4
Treehugger Robot