A service with 'updatable' option can be overriden by the same service
definition in APEXes.
/system/etc/init/foo.rc:
service foo /system/bin/foo
updatable
/apex/myapex/etc/init.rc:
service foo /apex/myapex/bin/foo
override
Overriding a non-updatable (i.e. without updatable option) service
from APEXes is prohibited.
When an updatable service is started before APEXes are all activated,
the execution is delayed until when the APEXes are all activated.
Bug: 117403679
Test: m apex.test; adb push <built_apex> /data/apex; adb reboot
adb shell, then lsof -p $(pidof surfaceflinger) shows that
the process is executing
/apex/com.android.example.apex@1/bin/surfaceflinger instead of
/system/bin/surfaceflinger
Change-Id: I8a57b8e7f6da81b4d2843e261a9a935dd279067c
The following message creates unnecessary alarm:
init: Partition system_a already existed in the by-name symlink map \
with a value of \
/dev/block/platform/soc/1d84000.ufshc/by-name/system_a, new value \
/dev/block/platform/soc/1d84000.ufshc/by-name/system_a will be \
ignored.
and in the code is cited as an ERROR. The message admittedly does
point out an inefficiency by reporting multiple updates.
Test: compile
Change-Id: I388a76fa078cf9de5840930247f732d16ccb0719
When using the recovery image as a trampoline to boot the system,
first chroot from the recovery image to /first_stage_ramdisk, to
minimize differences between these two boot paths.
Primary motivation is due to the fact that the basename of each mount
point is used by device-manager to name its nodes, and the previous
code that created used /system_recovery_mount as the mount point for
system.img broke AVB. Instead of hacking around that issue, this
change unified mounting for the recovery trampoline and true first
stage ramdisk paths.
Change when relanding: the original change skipped the move mount from
/first_stage_ramdisk to / and only did a chroot instead. This was a
mistake that resulted in the subsequent move mount of /system to / to
mount over the '/' directory instead of moving that mount. This
change uses a bind mount of /first_stage_ramdisk to itself instead of
skipping the first move mount.
Bug: 114062208
Test: AVB works with blueline_mainline
Change-Id: I65207edfe98531892da2eafcbff19b438c9c64fe
Init now parses *.rc files from the APEXs when the apexd notifies the
mount event via apexd.status sysprop.
Bug: 117403679
Test: m apex.test; adb root; adb push <builtfile> /data/apex; adb reboot
adb root; adb shell setprop ctl.start apex.test; dmesg shows that init
tries to start the service which doesn't exist.
[ 47.979657] init: Could not ctl.start for 'apex.test': Cannot find '/apex/com.android.example.apex/bin/test': No such file or directory
Change-Id: I3f12355346eeb212eca4de85b6b73257283fa054
This reverts commit 56999b41af.
Reason for revert: Something is broken here; we're not switching to /system properly.
Change-Id: I777fedcfb545c11275c9cc12f99b99a2423959a0
When using the recovery image as a trampoline to boot the system,
first chroot from the recovery image to /first_stage_ramdisk, to
minimize differences between these two boot paths.
Primary motivation is due to the fact that the basename of each mount
point is used by device-manager to name its nodes, and the previous
code that created used /system_recovery_mount as the mount point for
system.img broke AVB. Instead of hacking around that issue, this
change unified mounting for the recovery trampoline and true first
stage ramdisk paths.
Bug: 114062208
Test: AVB works with blueline_mainline
Change-Id: Iffb154962b6e160150917e068f1e7d0bf7cb84e7
This patch adds another uevent-regeneration pass to the first stage
mount. When the super partition spans multiple block devices, we need
/dev/block/by-name symlinks to have been created before we begin mapping
dynamic partitions.
Bug: 116802789
Test: retrofit device boots
Change-Id: I00bb277e1d81385a457c5b4205a95d8fbe365bb2
We need to do restorecon after the cold boot, otherwise the newly
created sysfs nodes won't be labelled.
Bug: 118861992
Test: manual - do insmod, check sysfs nodes are properly labelled
Change-Id: I4bdfb4a68206724a568d8cbb6c644ba8764b5fa7
Current hwasan implementation breaks when stderr (fd 2) is missing.
Bug: 118776698
Test: hwasan boots without serial console
Change-Id: Id095a87212096526a497563adab3d7f2f9fe8ab0
Using overlayfs, the system partition may provide files for older
version of vendor partitions by overlaying on the vendor partition.
Directories in /system/vendor_overlay will be overlaid on the
directories in /vendor to override existing files or provide new
files.
This feature works only if the kernel support overlayfs and has a
patch for override_creds. Otherwise, no-op.
Bug: 114679254
Test: Build and boot: nothing affected without overlayfs, or
vendor file is overrided with overlayfs
Change-Id: Iff3a308945299034123ba7bcb40dc787e102730e
The memcg.limit_percent option can be used to limit the cgroup's
max RSS to the given value as a percentage of the device's physical
memory. The memcg.limit_property option specifies the name of a
property that can be used to control the cgroup's max RSS. These
new options correspond to the arguments to the limitProcessMemory
function in frameworks/av/media/libmedia/MediaUtils.cpp; this will
allow us to add these options to the rc files for the programs that
call this function and then remove the callers in a later change.
There is also a change in semantics: the memcg.* options now have
an effect on all devices which support memory cgroups, not just
those with ro.config.low_ram or ro.config.per_app_memcg set to true.
This change also brings the semantics in line with the documentation,
so it looks like the previous semantics were unintentional.
Change-Id: I9495826de6e477b952e23866743b5fa600adcacb
Bug: 118642754
Found the following 2 binary is not in the path
system/core/init/grab-bootchart.sh: line 20: bootchart: command not found
system/core/init/grab-bootchart.sh: line 21: gnome-open: command not found
Use a more commonly available command to create bootchart
Test: system/core/init/grab-bootchart.sh started a bootchart
successfully
Change-Id: I6d5b4a692af2fd53ea636b768f55c697586e6898
If a section header such as 'on' or 'service' has an error with it,
the rest of the commands / options are currently reported as errors
since there is no valid parser object to parse them. For example,
service !@#$%%^&*() /system/bin/false
user root
group blah
blah blah
Generates:
init: /system/etc/init/bad.rc: 2: invalid service name '!@#$%%^&*()'
init: /system/etc/init/bad.rc: 3: Invalid section keyword found
init: /system/etc/init/bad.rc: 4: Invalid section keyword found
init: /system/etc/init/bad.rc: 5: Invalid section keyword found
This change suppresses the extraneous 'Invalid section keyword found'
messages.
Test: faulty error messages are suppressed.
Change-Id: Ieeb2d5b8b7eea33e191a88ce5a0d41701686943f
Partial revert of "init: if vendor_init can read a property, let it be
a trigger too" (b35f827c97).
We made a mistake when we allowed vendor init to action on any vendor
or odm property, since when a new SELinux label is created for a
vendor property, vendor_init does not automatically get read
permissions for it.
Recently, we tried to use read permissions instead of the built-in
list in init, but that broke due to the above mistaken. Since we have
already launched with these permissions as is, we must restore them.
Bug: 118457755
Test: no denials for vendor init actionable properties on crosshatch
Change-Id: I7a9a560c9a54a177c6b83d28309e2f288f05d400
The file-based encryption setup code is being refactored into its own
library because it applies to both ext4 and f2fs, not just ext4. Update
init to use the new location. For fs_mgr, just remove the include of
ext4_crypt_init_extensions.h since it was unneeded.
Test: built, booted device with f2fs encryption
Change-Id: I392a763e3349f001bdbc09eb9ca975aa3451fd68
There is a list of 'stable_properties' that vendor_init can use as
property triggers for Treble property compliance. This list came about
since init parses init scripts before all partitions are mounted and
therefore before all property context files are available, such that
init cannot use the normal SELinux mechanisms for determining if a
given property is vendor_init readable.
Currently though, we require all partitions that would contain
property context files to be mounted during first stage mount, so we
can use the normal SELinux mechanisms here, so this change deprecates
the stable_properties list and moves init to use SELinux to determine
if a property can be a trigger.
Bug: 71814576
Test: vendor_init fails to use non-readable properties as a trigger
Test: vendor_init successfully uses readable properties as a trigger
Change-Id: I6a914e8c212a3418cbf4a8a07215056aad2e0162
Init is special.
It starts early and does not pick up the Android ASAN options provided
on the environment. Therefore we pull in /system/asan.options in
explicitly if it exists. We provide sane defaults that will allow the
system to boot otherwise.
Logging is complicated because it needs to go to the kernel log.
So use sanitizer functions to install log functions.
Bug: 117879229
Test: m && m SANITIZE_TARGET=address
Test: init boots with ASAN enabled
Change-Id: I72c033a1f86ba5d6b2e4f943e7a3acd0d399c8bf
Bug: 117828597
Test: bugreport launches with a test property set to appropriate keys
Test: bugreport doesn't launch with the test property unset
Test: no errors seen in build or boot in either of the above cases
Change-Id: Iea27032080a0a7863932b1c1b573857ac66b56b5
ParseLineSection() provides 'args' as an rvalue reference, so its
callers can and should use it as such. This saves some copying
overhead and cleans up the code a bit.
Test: boot
Change-Id: Ib906318583dc81de9ea585f5f09fdff35403be1b
With system-as-root, both first and second stage init belong to
system, but without system-as-root, first stage belongs to vendor and
second stage belongs to system. This change creates two phony
packages to achieve this correctly in the build system.
Bug: 117606184
Test: mainline builds work properly
Change-Id: I19263e76c217c2e70bc06c180be3a460e9144f18
'Critical' services have rebooted into bootloader, like all other
catastrophic init crashes, for years now. Update the text to match.
Test: n/a
Change-Id: Icfc41bf3e383958f14ecfaab9ca187e2c3dc7fd9
This keyword can (and should) be used multiple times when multiple
services are served together. I've documented this here.
Bug: N/A
Test: N/A
Change-Id: Ie986c9cac486db346555f359e9ccbed93d8d1d22
It's better to either check these results or explicitly ignore them.
Only a few callers weren't already doing this, so it's relatively
trivial to enforce.
Test: build
Change-Id: I44cdc342e46128f66cac914aaa0b9b4559cacd8c
Vendor might want to pause/resume some operations while a bugreport is captured
so that we need to export dumpstatez into stable_properties.h for vendor to get
property event when dumpstatez launch.
Test: confirmed manually with "adb bugreport"
Bug: 117536084
Change-Id: Ib743c5e59ca20cc44470110c814d85e4cbb90c0c
Signed-off-by: Minchan Kim <minchan@google.com>
1) increase thermal shutdown timeout to 3s for process to save work
2) respect property "ro.build.shutdown_timeout" in thermal shutdown if
it is set less than default time - "3s"
Bug: 112432890
Test: Build
Change-Id: Idc2b24dd44c1fab8f9b047fd2468de2ee45ff783
The kernel opens /dev/console and uses that fd for stdin/stdout/stderr
if there is a serial console enabled and no initramfs, otherwise it
does not provide any fds for stdin/stdout/stderr. InitKernelLogging()
is used to close these existing fds if they exist and replace them
with /dev/null.
Currently, InitKernelLogging() is only called in second stage init,
which means that processes exec'ed from first stage init will inherit
the kernel provided fds if any are provided.
In the case that they are provided, the exec of second stage init
causes an SELinux denial as it does not have access to /dev/console.
In the case that they are not provided, exec of any further process is
potentially dangerous as the first fd's opened by that process will
take the stdin/stdout/stderr fileno's, which can cause issues if
printf(), etc is then used by that process.
Lastly, simply moving InitKernelLogging() to first stage init is not
enough, since first stage init still runs in kernel context and future
child processes will not have permissions to access kernel context
resources. Therefore, it must be done for a second time in second
stage init.
Bug: 117281017
Test: no audits when booting marlin.
Change-Id: If27edab5c32b27765e24c32fbed506ef625889de
Allow services to specify a custom restart period via the
restart_period service option. This will allow services to be run
periodically, such as a service that needs to run every hour.
Allow services to specify a timeout period via the timeout_period
service option. This will allow services to be killed after the
timeout expires if they are still running. This can be combined with
restart_period for creating period services.
Test: test app restarts every minute
Change-Id: Iad017820f9a602f9826104fb8cafc91bfb4b28d6
Added fs_mgr_overlayfs_required_devices() as hint to init to make sure
the device gets created before fs_mgr_overlayfs_mount_all().
Test: manual
Bug: 109821005
Change-Id: Iab038f3e0252a357b082bb08db3679512b9badec
We ran into an issue with an fd leaking due to missing both CLO_EXEC
and fclose() in related code, so let's make sure we're safe here too.
Test: boot
Change-Id: Ief893c936859815c78fa6d7e06cb88ad34aadbac
Mark Salyzyn