Previously, service restarts (either an explicit "restart", or a "stop,
start" pair) exhibited a race condition whereby the new (restarting)
service process was often spawned before the old (stopping) process had
terminated. This may have resulted in the new service process failing to
acquire a limited resource (file lock, socket bind, etc.) that the old
process had not yet released.
Now, a stopping service remains in the SVC_RUNNING state until its exiting
process has been reaped by waitpid. This prevents a "stop, start" sequence
from spawning a second service process before resources held by the first
are released. This enables safe service restarts by stopping the service,
waiting for the old service process to terminate, and (only then) starting
the new service process. In the event of "restarting" an already stopped
service, the previous behavior is maintained whereby the service is simply
started.
This scenario could be special-cased by the restart command, however, we
have observed instances where services are, unintentionally, stopped and
started "too quickly," and so simultaneous processes for the same service
should never be allowed.
Note that this commit alters the behaviors for explicit restarts of
critical and oneshot services. Previously these services would simply be
restarted, whereas now, an explicit restart of a critical service counts as
a crash (which may result in a recovery reboot) and oneshot services go
into the disabled state.
This change brings init's do_chmod, mkdir, and do_chown into line
with open's O_NOFOLLOW semantics, causing them to fail when the
last element of their target path is a symlink.
Change-Id: If00e1a25cfe17ef6f738af4bf0541abd0c1b084b
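The O_NOFOLLOW behaviour described in the message above, as an added example (not code from this commit or from init). The names chmod_nofollow and demo_chmod_nofollow and the /tmp paths are assumptions made for the illustration; the demo also calls plain chmod() on the same symlink to show the contrast.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* chmod that refuses a symlink as the last path element. open() with
 * O_NOFOLLOW fails with ELOOP on Linux when the final component is a
 * symlink; the mode is then set through the descriptor, so the object
 * that was checked is the object that is changed. Assumes the caller
 * can open the target for reading. */
int chmod_nofollow(const char *path, mode_t mode)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    int ret = fchmod(fd, mode);
    int saved = errno;
    close(fd);
    errno = saved;
    return ret;
}

/* Permission bits of the file that path resolves to, or -1 on error. */
static int mode_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* Constructed scenario: a regular file and a symlink to it in a fresh
 * temporary directory. Returns 0 when every step behaves as expected. */
int demo_chmod_nofollow(void)
{
    char dir[] = "/tmp/nofollow-demo-XXXXXX";
    char target[128], lnk[128];
    int ok = 0;

    if (!mkdtemp(dir))
        return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);

    int fd = open(target, O_CREAT | O_WRONLY | O_EXCL, 0600);
    if (fd < 0 || close(fd) != 0 || symlink(target, lnk) != 0)
        goto out;

    /* 1. A direct path to a regular file works. */
    if (chmod_nofollow(target, 0640) != 0 || mode_of(target) != 0640)
        goto out;
    /* 2. The same call through the symlink is refused, target untouched. */
    errno = 0;
    if (chmod_nofollow(lnk, 0666) != -1 || errno != ELOOP)
        goto out;
    if (mode_of(target) != 0640)
        goto out;
    /* 3. Plain chmod() follows the link and changes the target. */
    if (chmod(lnk, 0600) != 0 || mode_of(target) != 0600)
        goto out;
    ok = 1;
out:
    unlink(lnk);
    unlink(target);
    rmdir(dir);
    return ok ? 0 : -1;
}

int main(void)
{
    printf("demo %s\n", demo_chmod_nofollow() == 0 ? "passed" : "failed");
    return 0;
}
```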
Normally, calling open on a tty will set that tty as the process
group controlling tty if none already exists. However, if the tty
is /dev/console, the kernel will never automatically set it as the
controlling tty. Call the TIOCSCTTY manually on the fd, which will
always attempt to set it as the controlling tty.
Fixes ctrl-c on the console shell when androidboot.console is not
passed on the kernel command line and the default /dev/console is
used.
Change-Id: I449cc41b47e93ac38ad6987413bb54131e1ec0cd
Add SE Android support for init and ueventd.
init:
- Load policy at boot.
- Set the security context for service daemons and their sockets.
- New built-in commands: setcon, setenforce, restorecon, setsebool.
- New option for services: seclabel.
ueventd:
- Set the security context for device directories and nodes.
Change-Id: I98ed752cde503c94d99dfa5b5a47e3c33db16aac
Creating a root owned /data/local.prop is one of the most common
ways to root an Android device. /data/local.prop is only intended
to assist developers on debuggable devices, and is never
intended to be used on production devices.
Change-Id: Ifcfa21c2ee9914b0b54445218b4cf0fea0a98e9c
If we process the import directive inline, then the ordering of the
commands for the "on xxx" sections would be a little unexpected. The
init.rc files do not really have an implied order as to which section
appears and gets processed first. The init code itself provides that
ordering explicitly. For the user, the expectation is that if both the
current file and the imported file define a section (e.g. "on init"),
then the commands in the current file will be executed first, and then
the ones from the imported file(s).
The current implementation did not do that. It processed the import
directive inline, and thus the imported (i.e. dependent) files would
appear first in the command lists for the sections. This created
unintended side effects and the solution would have been to try and
put the import lines somewhere in the middle of the init file. This
would be difficult to notice and hard to extract the dependencies.
To solve this, we add the imports to a list for each file being parsed
and process the list after finishing parsing the file. This provides
predictable order for imports and provides a logical flow from the
user perspective: the currently parsed file gets to run its commands
before the files being imported.
Change-Id: I06dc35ff286314060e16b18923683cd2787269de
Signed-off-by: Dima Zavin <dima@android.com>
Also, clean up how we initialize the ro.xx properties and process
the kernel command line.
Change-Id: Iedda6c90e31340a189171a44b2767480403354f7
Signed-off-by: Dima Zavin <dima@android.com>
This removes the hardcoding of the file import in init and instead
allows the init.rc file to fully control what is loaded.
Change-Id: I933e5bbab57f1e8705a370d660f92c6508da94d2
Signed-off-by: Dima Zavin <dima@android.com>
Adds new property syntax in init files during init file filename
expansion during the import command:
    ${prop.name}
So, one can do: import /init.${ro.hardware}.usb.rc
Should convert other usages of property names to use the new function.
Change-Id: I9205d7d7a2da620bc8e6b89ac0eb554fad53ded3
Signed-off-by: Dima Zavin <dima@android.com>
The property service is still started later, but the property area
and the initial boot properties are initialized before the init.rc
file is processed. This allows init.rc files to have access to boot
properties during parsing.
Change-Id: Iae9ed1093c821831a864b39ae6bc697e62b94757
Signed-off-by: Dima Zavin <dima@android.com>
The class_reset command used to reset services that had been set to
"disabled" in the init.rc file to a non-disabled state. Now, if the
service was originally set to "disabled", have the reset command set
it back to disabled. Otherwise, set it to the "reset" state as it
currently does.
Change-Id: I0c10582e46a8e443d4748d9d893ae762b19b653a
x86 emulator passes hardware name through the androidboot.hardware kernel cmd option, and
ueventd must pick up on it to locate proper ueventd.rc file for that hardware.
Change-Id: Id61c5b67fe6275a15c7aa62556e0b89eda7968f8
Introduces a 'charger' section that is processed when androidboot.mode
supplied on the kernel commandline is "charger".
In this mode, sections such as fs, post-fs, etc are skipped. Only the
'early-init' and 'init' sections of the init rc files are processed before
processing the 'charger' section.
Change-Id: If9eb6334de18f04cbcf2aab784578e2993615242
Signed-off-by: Dima Zavin <dima@android.com>
VPN no longer uses system properties to keep network parameters.
Besides, profiles are now stored and encrypted by keystore.
Change-Id: I7575f04f350b7d8d5ba7008eb874a72180d057e8
This allows us to change permissions and ownerships of directories
in init scripts without adding additional commands.
Change-Id: I1815d6015953035251b98f28c0f3efd3c7f25f80
For example, the following trigger will fire when the sys.foo property
is set to any value:
    on property:sys.foo=*
        write /data/foo hello
It is also possible to refer to the property within the trigger actions:
    on property:sys.foo=*
        write /data/foo $sys.foo
Change-Id: If78d20a532f77e17aa5703d53be581ad6736cbcf
Signed-off-by: Mike Lockwood <lockwood@android.com>
The write command will write a property value if the value starts with a '$'
For example:
    write /sys/class/android_usb/iSerial $ro.serialno
Use double leading '$' if you need to write a string that starts with '$':
    write /data/foo $$hello
to write "$hello" to /data/foo
Change-Id: I55431ac7715a5347bb95c3a15aee97c575444dde
There was a build error in init.c if you enabled bootchart, this
should probably be shipped upstream if not fixed already.
Change-Id: Iea3451c3e15d5cac00c5420d99bfce9a950aaaac
The mmc block devices on panda boards use a platform device called
omap/omap_hsmmc.0. The number of path entries in the uevent after
the platform device is unknown, and the number of path entries in
the platform device is unknown, so the only way to determine how
many entries make up the platform device is to compare against
a list of platform devices.
Add a list of platform devices that have been registered, and
iterate through it to determine the platform device portion of
a block device uevent.
Change-Id: I1480bc6429172ca6997d548787be3863ce062472
In some situations a driver could try to request firmware before
/system is mounted. Previously we'd fail the request. Now we
will retry the read-from-filesystem every 100ms until we find the
firmware or we've finished the "fs" and "post-fs" stages of init.
Change-Id: Ie32402f7d41c818bf20f3297286ed5f99705b72c
Fix for bug 3415286. The persistent properties are normally read early
in the boot process after /data is mounted. However, for an encrypted
system, at that point /data is a tmpfs ramdisk. This change adds a new
command to init (load_persist_props) to read the persistent properties,
and adds an action to init.rc to load the persistent properties. This
action is triggered by setting a property in vold, but that's in a
different CL.
Change-Id: I74b3057974ee6029c29d956b76fef5566700d471
Ext4 filesystems like to be unmounted before rebooting. The Android system
doesn't have a traditional Linux init setup, and shutting down the system
was not much more than calling sync(2) and reboot(2). This adds a new
function to libcutils called android_reboot(). By default, it calls sync()
and then remounts all writable filesystems as read-only and marks them clean.
There is a flag parameter in which the caller can ask for sync() not to be
called, or to not remount the filesystems as read-only. Then it will call
reboot(2) as directed by the other parameters. This change also updates
adb, init and toolbox to call the new android_reboot() function.
Fixes bugs 3350709 and 3495575.
Change-Id: I16d71ffce3134310d7a260f61ec6f4dd204124a7
rm only removes a single non-directory directory entry (no -r support)
rmdir removes a single empty directory
Change-Id: I49702b02ba98a177027b126268c2c2846f968195
The UI needs to know if the device is running with an encrypted
filesystem or not. So set a read-only property at boot to let it know.
Change-Id: I753de2d606c975bcbe9946d10fd47558cf357dac
If a keychord is pressed when debugging is turned off, the main
event poll in init will return an event on the keychord fd,
but handle_keychord never reads the data. Once this happens,
the poll will always return immediately, and init enters an
infinite loop. Fix it by always reading from the keychord fd,
but only handling the returned keychord if debugging is
enabled.
Change-Id: Ie4efa98247d3cc978d275dc8a4516b32aa710278
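The busy loop described in the message above, reproduced on a pipe as an added example (not code from this commit or from init). The handler names, count_wakeups and the event value 42 are constructed for the illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <poll.h>
#include <stdio.h>
#include <unistd.h>

/* "Before" form: when handling is disabled, return without reading.
 * The event stays queued, so the descriptor remains readable. */
static void handle_before(int fd, int enabled, int *last)
{
    int id;
    if (!enabled)
        return;
    if (read(fd, &id, sizeof id) == (ssize_t)sizeof id)
        *last = id;
}

/* "After" form: always consume the event, act on it only when enabled. */
static void handle_after(int fd, int enabled, int *last)
{
    int id;
    if (read(fd, &id, sizeof id) != (ssize_t)sizeof id)
        return;
    if (enabled)
        *last = id;
}

/* Queue one constructed event on a pipe, then run `iterations` passes of
 * a poll loop with handling disabled. Returns how many passes found the
 * descriptor readable, or -1 on setup failure. A zero timeout stands in
 * for the blocking poll of a real loop so that the demo terminates. */
int count_wakeups(int use_fixed_handler, int iterations)
{
    int p[2], wakeups = 0, last = -1, event = 42;

    if (pipe(p) != 0)
        return -1;
    if (write(p[1], &event, sizeof event) != (ssize_t)sizeof event) {
        close(p[0]);
        close(p[1]);
        return -1;
    }
    for (int i = 0; i < iterations; i++) {
        struct pollfd pfd = { .fd = p[0], .events = POLLIN, .revents = 0 };
        if (poll(&pfd, 1, 0) <= 0 || !(pfd.revents & POLLIN))
            continue;                 /* nothing pending: loop would sleep */
        wakeups++;
        if (use_fixed_handler)
            handle_after(p[0], 0, &last);
        else
            handle_before(p[0], 0, &last);
    }
    (void)last;                       /* handling is disabled in this demo */
    close(p[0]);
    close(p[1]);
    return wakeups;
}

int main(void)
{
    printf("before: %d wakeups, after: %d wakeups\n",
           count_wakeups(0, 100), count_wakeups(1, 100));
    return 0;
}
```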
These are the changes to init and init.rc necessary to
support booting with an encrypted /data filesystem.
A corresponding change to init.<device>.rc goes along
with this change.
Change-Id: I0c7e2cc39568358014a82e317735c0eae14dd683
This keyword will cause init to wait a few seconds before exec'ing
the target binary. Maybe only useful for hacks and debugging.
Change-Id: I85caa0bcbc0be7e48bd21eb9e31e039c0740c8d5
Under some circumstances, setuid() and family can fail,
returning a non-zero value. (see "man setuid" for details).
If this happens, we want to ensure that init doesn't spawn a
process which has root privileges when it's not supposed to.
Change-Id: Idd03f2c8f82a7eaf6e696b5bcfe308e51ea58b52
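The fail-closed pattern this message calls for, as an added example (not code from this commit or from init). The names drop_privileges, run_as, sample_payload and the exit code 126 are assumptions made for the illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define EXIT_DROP_FAILED 126   /* constructed value for this example */

/* Drop to (uid, gid) in the calling process. The group is changed first,
 * while the process may still be privileged. setgid()/setuid() can fail
 * (EPERM, EAGAIN, EINVAL), so every return value is checked and the
 * resulting ids are verified. A full launcher would also reset the
 * supplementary groups before this point; that step is left out here
 * because it needs privilege to run. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    return 0;
}

/* Stand-in for the program a launcher would exec. */
int sample_payload(void)
{
    return 0;
}

/* Fork a child that runs payload() only if the privilege drop succeeded.
 * On failure the child exits at once instead of continuing with the
 * parent's identity. Returns the child's exit status, or -1 if the
 * fork or wait itself failed. */
int run_as(uid_t uid, gid_t gid, int (*payload)(void))
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges(uid, gid) != 0)
            _exit(EXIT_DROP_FAILED);
        _exit(payload());
    }

    int status;
    pid_t r;
    do {
        r = waitpid(pid, &status, 0);
    } while (r < 0 && errno == EINTR);
    if (r != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    printf("same ids: exit %d\n", run_as(getuid(), getgid(), sample_payload));
    if (geteuid() != 0)
        printf("other uid: exit %d\n",
               run_as(getuid() + 1, getgid(), sample_payload));
    return 0;
}
```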
If firmware is not found, write -1 /sys/$DEVPATH/loading to cancel the
firmware load. Otherwise the driver has to wait for the 60s timeout.
Change-Id: Id2787cda9b2be45b9adea41f6f161cd54cda212e
Signed-off-by: Benoit Goby <benoit@android.com>
This should be much nicer than peppering init.rc with chown/chmod
directives.
Also, remove some dead code and obsolete comments.
Change-Id: I10895f10a9cf2f1226c8d12976cd3db3743da9ec
This enhances robustness by allowing the Telephony Framework to restart
ril-daemon if it notices some catastrophic failure.
Added setprop ctl.restart.
Added ril-daemon to setprop control_perms and allow users/groups
with the AID_RADIO ID to control it.
Change-Id: I195abdd754a731ce0b77e8f71ab47fde8c3e7977
Merge commit '78ea2374c5c87d7bb58747b1a6173c598f386600'
* commit '78ea2374c5c87d7bb58747b1a6173c598f386600':
init: Add support for SOCK_SEQPACKET socket type
Merge commit '912ff85b035e0e6bc109812c1ea5661ea4df5967' into gingerbread-plus-aosp
* commit '912ff85b035e0e6bc109812c1ea5661ea4df5967':
init: Add support for SOCK_SEQPACKET socket type
- look in /vendor/firmware/... in addition to /system/etc/firmware/... for firmware loading
- add /vendor/bin to path before /system/bin
- add /vendor/lib to ldpath before /system/lib
- configure appropriate permissions for /system/vendor/bin
- symlink /vendor -> /system/vendor
Change-Id: I0c06ca1e38a44f0c7024cee6cea8907aa93a4532
Merge commit '49b8124a1759cb8b27e0c21a1a5a54b8a81bdb19'
* commit '49b8124a1759cb8b27e0c21a1a5a54b8a81bdb19':
Use makedev helper for device major and minor numbers
Merge commit '17dcc5c57dcffb919f3de65ff7a0134ffa3bd874' into gingerbread-plus-aosp
* commit '17dcc5c57dcffb919f3de65ff7a0134ffa3bd874':
Use makedev helper for device major and minor numbers
Major and minor numbers can be greater than 255. Major numbers
are 12 bits, and minor numbers are 20 bits. Supporting major
and minor numbers > 255 allows the use of the extended block
device for extra mmc partitions.
Change-Id: I4c42bfe0781069e8e4cb13ebe26e860cdc03f866
Since we now support USB host mode, devices might get a different device
file depending if other devices are connected on the host port. This
patch creates symlinks to USB character devices that depend on the port
devices are connected to, but not on the order they have been probed.
(e.g. /dev/usb/tty2-1:1.0 -> /dev/ttyUSB0)
Change-Id: I285bcc2d59446fbff8a7abbe39c21781f3bb4bd3
Merge commit 'fad7204e9eac20a87afacd7547ed8202a39319f8' into gingerbread-plus-aosp
* commit 'fad7204e9eac20a87afacd7547ed8202a39319f8':
validate the source of uevent messages
Merge commit '742150c031756da1393bf4223b2468b17cb79326'
* commit '742150c031756da1393bf4223b2468b17cb79326':
Use complete hardware name without spaces.
Merge commit '62a54f3b1343043528b7e93c1a4311a5e9d5f358'
* commit '62a54f3b1343043528b7e93c1a4311a5e9d5f358':
init: use tmpfs/ftruncate for properties backing store instead of ashmem
This removes the need for ashmem for early bringup and avoids an issue
with permissions enforcement.
Change-Id: I405b080660934d73048c79d614b6b2ebc43ab182
Signed-off-by: Brian Swetland <swetland@google.com>
init now creates files in /dev/bus/usb/ for user access to USB devices.
Files are chmod 660 with group AID_USB.
Signed-off-by: Mike Lockwood <lockwood@android.com>
make doesn't seem to handle the absolute symlink from
$OUT/root/sbin/ueventd to /init well - it follows the link during
dependency resolution, decides $OUT/root/sbin/ueventd doesn't exist
because /init doesn't exist, and relinks it every time.
Change-Id: I9ca1c14fe5fa80634f51ffc51a7c73146d29d42e
When the init process ran out of actions to execute, cur_action was
NULL and action_queue_empty() was true, but cur_command was still
set. This patch clears cur_command when a new action is retrieved,
and only depends on cur_action and action_queue_empty() to determine
the poll timeout.
Change-Id: Iaa95063c8c267a5b1ada9f20363b99c433e61ac4
If any child processes exit before signal_init, they won't get reaped
unless another child process exits after signal_init. Calling
handle_signal from signal_init forces them to be reaped immediately.
Change-Id: I459cfbfe6cf00f29454c62a8c840baf21cb1fb03
eMMC block device names may change based on the detection order of
the eMMC device and any other SD bus devices, such as a removable SD
card.
This patch adds support to init for:
* Symlinks to block devices. When a block device uevent is
  processed, if it starts with "/devices/platform", the platform
  driver name is parsed out, and symlinks to the block device are
  created in /dev/block/platform/<platform driver>/
* Symlinks based on partition name and number. If the uevent for
  a block device contains information on the partition name or
  number, symlinks are created under
      /dev/block/platform/<platform driver>/by-num/p<partition>
  and
      /dev/block/platform/<platform driver>/by-name/<partition name>
init.rc can then use a device path like the following to mount an
eMMC device:
    /dev/block/platform/<platform>/by-name/system /system ro
Change-Id: Id11bb7cdf1e2ada7752a5bd671cbf87237b34ae2
Devices with non-MTD storage need to override the filesystem mounting
commands in init.rc. Moving them to a new "fs" init level allows a
custom init.<device>.rc to handle the mounting.
Change-Id: If0e655139b9734650fb798b6eb0a90e2241fc29b
Merge commit '1404c27bff1499dae9b640870ce2251d78cdc5ef' into eclair-plus-aosp
* commit '1404c27bff1499dae9b640870ce2251d78cdc5ef':
system/core/init: set proper permissions for tpa2018d1 (CDMA)
Drop init's egid to AID_INPUT while creating the device node, so that it is
created with the correct gid. This eliminates the
possibility of system_server opening the device node before its permissions
are set correctly.
Using setegid() allows us to swap back to AID_ROOT immediately after mknod().
Bug: 2375632
The rationale being that we do not want this enabled by default, but
tying it to adb being enabled allows convenient bugreport collection
for savvy users and developers using production devices.
Change-Id: I71535b33f0774faf1975c98d106080f2ff12e349
Signed-off-by: Mike Lockwood <lockwood@android.com>
This change enables persist.security.* flags in the device, allowing only the system to modify them.
Change is necessary to allow for further progress in the project, as this is an ideal location for access both from the
framework as well as from the recovery mode / transition.
Merge commit '7789f4cc4b712f15e0e5306a874ad6f47dc8c5c0' into eclair-mr2-plus-aosp
* commit '7789f4cc4b712f15e0e5306a874ad6f47dc8c5c0':
init: devices: Remove pmem_gpu regions as they are not needed since we have an mmu
Merge commit '065694b32e481a50e57a793d61181494fbf6ef04' into eclair-plus-aosp
* commit '065694b32e481a50e57a793d61181494fbf6ef04':
init: devices: Remove pmem_gpu regions as they are not needed since we have an mmu
add O_TRUNC flag in open(), which will truncate the target file,
otherwise, copy will keep the old content of the target file.
Signed-off-by: Tom Zhu <ling.zhu@motorola.com>
Signed-off-by: San Mehat <san@google.com>
Merge commit 'e67eff1c615c98bf9ad51be9e474ef9ee82b6565' into eclair-plus-aosp
* commit 'e67eff1c615c98bf9ad51be9e474ef9ee82b6565':
init: Make /dev/pmem_gpu* be writable by all
STOPSHIP: The actual device entry needs to be removed once the products
that use this switch on the mmu.
Change-Id: I10afea36c8731d845382665ed3db7647f68d1276
Signed-off-by: Dima Zavin <dima@android.com>
Merge commit 'e991decf340e24203ed63f87d9313598cd09a46c' into eclair-plus-aosp
* commit 'e991decf340e24203ed63f87d9313598cd09a46c':
init.rc: Add dumpstate service
init: Add support for enforcing setprop by caller's group.
adb: "adb bugreport" now runs dumpstate via init rather than execing it in the shell.
* changes:
init.rc: Add dumpstate service
init: Add support for enforcing setprop by caller's group.
adb: "adb bugreport" now runs dumpstate via init rather than execing it in the shell.
Merge commit '69551d85e95d2ba712f083b39f3ff0b32f865e34' into eclair-plus-aosp
* commit '69551d85e95d2ba712f083b39f3ff0b32f865e34':
init: add some more audio devices
For example,
    service recovery /sbin/recovery
        onrestart start loadkeys
        onrestart class_start con
        onrestart stop recovery
Previously, if you had a service like the above, the "onrestart stop
recovery" clause would not have any effect, because the restart flag
would be re-set after the stop command had executed.
This is similar to a service with the "oneshot" keyword, with the critical
difference being that it executes the other onrestart commands when the
service dies.
LOG_UEVENTS is a boolean value as defined in system/core/init/init.h.
Therefore, code should use an #if check and not an #ifdef check as the
macro will always be defined.
The radio bringup script was changed from operating as root to operating as radio. This is
preventing it from adding the "net.ppp0.dns0" and "net.ppp0.dns1" properties that
ConnectivityService needs to correctly set dns.
bug: 2077628
This will allow the uinput driver to be used by the system process
as well as bluetooth, which is needed for sensors.
Signed-off-by: Ken Schultz <kschultz@motorola.com>
Signed-off-by: Mike Lockwood <lockwood@android.com>
Merge commit 'fc0182eb1db0620eb71fb6ca219b15a17dcd912f'
* commit 'fc0182eb1db0620eb71fb6ca219b15a17dcd912f':
add support and proper permissions for /dev/msm_camera/
To add arguments dynamically to a service, start the service like so:
    setprop ctl.start service_to_run:arg1 arg2 arg3...
To start a service with *no* dynamic arguments, start the service normally:
    setprop ctl.start service_to_run
Dynamic arguments are only supported on 'oneshot' services
Signed-off-by: San Mehat <san@google.com>
Merge commit 'c83cd879d45e667fbb4763f18c908928ee9d67d8'
* commit 'c83cd879d45e667fbb4763f18c908928ee9d67d8':
init: Fix heap corruption for services with arguments
toolbox: ifconfig: Implement mtu setting, plus setting interface addr should
toolbox: route: Reflow some of the mess, fix route add parameter names to
The 'args' array *must* be the last entry in the structure.
This fixes a longstanding issue (apparently since tc3) where
a service with an argument would corrupt the heap. The more
arguments, the more corruption :|. This will probably also end up
making key-code bound services more reliable (ie: bugreports triggered
via the keyboard)
Signed-off-by: San Mehat <san@google.com>
Merge commit 'b3779558dcfbe99f0b9c1ef796e3728edad25672'
* commit 'b3779558dcfbe99f0b9c1ef796e3728edad25672':
init: Fix some broken code that did not cause problems until switching to gcc 4.4
Merge commit '27808271934622e6473d7d664303fa3efb4cd662'
* commit '27808271934622e6473d7d664303fa3efb4cd662':
Make the /dev/qemu_trace device readable and writable by all.
Merge commit '770354d7e6cd471daed426fcf04bf7246e7cb18b'
* commit '770354d7e6cd471daed426fcf04bf7246e7cb18b':
init: Fix segfault when log_write() was missing an arg to format.
In keeping with the pattern of mtd@partition, I have added loop@path as a way to specify a loopback device. This way you can do things like mount directories in /system using cramfs from a file otherwise on /system (just one example of how I'm using it). I specifically went with loop@ rather than adding this feature as a flag as the flags system is designed to set bits in the flags argument to mount: using loop@ fit the model in a much simpler manner and actually feels "correct".
This is a better version of the previously submitted 4045 that also refactors the mtd@ case. The reason for this is that I received comments that I should check for errors and return errors rather than do work in the case of success and fall through, but the mtd@ case wasn't doing that either and it became awkward to design the function so that it was half in one style of error handling and half in another. I also made certain to use inequality comparisons for Unix's -1 error returns rather than checking for -1, refactored my large if statement so as not to have dangling parentheses, and disassociated the loop device on mount failure.