They are being used as action triggers in some devices including Pixels.
So vendor-init-actionable should be allowed for them.
Bug: 74266614
Test: building succeeded and tested on a Pixel with
PRODUCT_COMPATIBLE_PROPERTY=true
Change-Id: I713c5c1a50053f8d64e1cecd1f7ab5dc18201da1
Merged-In: I713c5c1a50053f8d64e1cecd1f7ab5dc18201da1
(cherry picked from commit 167ec7f1d2)
They are being used as action triggers in some devices including Pixels.
So vendor-init-actionable should be allowed for them.
Bug: 74266614
Test: building succeeded and tested on a Pixel with
PRODUCT_COMPATIBLE_PROPERTY=true
Change-Id: I713c5c1a50053f8d64e1cecd1f7ab5dc18201da1
ro.board.platform and sys.boot_from_charger_mode are already
public-readable, but they should be used as action triggers as well for
some products including Android Go devices.
Bug: 75987246
Test: succeeded building and tested with taimen
Change-Id: I140a8f7ef3fa9823ceced94b00a413800518c240
Merged-In: I140a8f7ef3fa9823ceced94b00a413800518c240
(cherry picked from commit 1f90ccefb6)
ro.board.platform and sys.boot_from_charger_mode are already
public-readable, but they should be used as action triggers as well for
some products including Android Go devices.
Bug: 75987246
Test: succeeded building and tested with taimen
Change-Id: I140a8f7ef3fa9823ceced94b00a413800518c240
Some partners are using ro.debuggable as an action trigger to configure a
product differently according to its value.
Bug: 75987246
Test: succeeded building and tested taimen
Change-Id: I4cc57e7b52e17fc89e585afa0a8a10925e47fac8
Merged-In: I4cc57e7b52e17fc89e585afa0a8a10925e47fac8
(cherry picked from commit 4f214c5179)
Some partners are using ro.debuggable as an action trigger to configure a
product differently according to its value.
Bug: 75987246
Test: succeeded building and tested taimen
Change-Id: I4cc57e7b52e17fc89e585afa0a8a10925e47fac8
This reverts commit c9fec9d2be.
Looks like ext4 can't handle a system reboot happening in the middle
of an unmount. We'll have to find another way to handle this.
Bug: 74817735
Bug: 75310371
Test: reboot device
Merged-In: Ib4f7f7fd29988a31a99f146c40f6d987c1fef15e
Change-Id: I7c097ba5734e2e4ff320c8b02fb58324d9380513
This reverts commit c9fec9d2be.
Looks like ext4 can't handle a system reboot happening in the middle
of an unmount. We'll have to find another way to handle this.
Bug: 74817735
Bug: 75310371
Test: reboot device
Change-Id: Ib4f7f7fd29988a31a99f146c40f6d987c1fef15e
persist.sys.usb.usbradio.config can be used as an action trigger in
vendor init scripts.
Bug: 75202311
Bug: 74266614
Test: succeeded building and tested on pixels
Change-Id: I123b5ebce4bbf33f41222c2e11137d52e38ff9f8
It seems that these sync() calls may take a long time in some
occasions, so we add these logs to check.
Bug: 74817735
Test: tree hugger
Change-Id: Id3635f6c7a6618b20c7caf93b05e50cc50ef99de
The state of console can be used to set up a device for debugging.
Bug: 74266614
Test: succeeded building and tested with Pixels
Change-Id: I3691fa2819594a521e05dad150550ab309a78c68
Merged-In: I3691fa2819594a521e05dad150550ab309a78c68
(cherry picked from commit cba467eeda)
Let's increase the receive buffer size for the NETLINK_KOBJECT_UEVENT
socket to 2MB. Unless a large number of uevents queue up, that memory is
not allocated anyways. The receive buffer size serves only as an upper
limit for the total amount of memory consumed by all skbs queued to a
specific socket.
We experienced situations where ueventd got blocked for multiple seconds
while writing to /dev/kmsg, and the receive buffer overflowed in the
meantime.
Bug: 72648767
Change-Id: Ice6d7b9c5ed9c83efbad6111086ce95ac6432561
Let's increase the receive buffer size for the NETLINK_KOBJECT_UEVENT
socket to 2MB. Unless a large number of uevents queue up, that memory is
not allocated anyways. The receive buffer size serves only as an upper
limit for the total amount of memory consumed by all skbs queued to a
specific socket.
We experienced situations where ueventd got blocked for multiple seconds
while writing to /dev/kmsg, and the receive buffer overflowed in the
meantime.
Test: compile
Bug: 72648767
Change-Id: Ice6d7b9c5ed9c83efbad6111086ce95ac6432561
The state of console can be used to set up a device for debugging.
Bug: 74266614
Test: succeeded building and tested with Pixels
Change-Id: I3691fa2819594a521e05dad150550ab309a78c68
FQName::FQName(string) could leave the FQName in an
invalid state, and so this constructor is being removed
and the mValid member is being removed.
Bug: 73774955
Test: boots + interface_start control messages received by init
Change-Id: I58d4a089c0a0f1c2cc5129c5e87321e7f6663b72
We should only allow vendor-init-settable properties to be set from
.prop files on /vendor and /odm.
Bug: 73905119
Test: test on walleye that disallowed properties are rejected
Change-Id: I2a5d244fdc71060ddda3e3d87442e831e6b97831
Currently we only report why a property set call has failed but drop
the context of what was trying to set the property. This change
adds information about why a property was trying to be set when it
fails.
It also unifies property_set() within init to go through the same
HandlePropertySet() function as normal processes do, removing unneeded
special cases.
Test: boot bullhead
Test: attempt to set invalid properties and see better error messages
Change-Id: I5cd3a40086fd3b226e9c8a5e3a84cb3b31399c0d
Create a host side parser for init such that init rc files can be
verified for syntax correctness before being used on the device.
Bug: 36970783
Test: run the parser on init files on host
Change-Id: I7e8772e278ebaff727057308596ebacf28b6fdda
There is currently a timeout for reboot, however if the system gets
stuck, particularly during file system operations, there is no safety
mechanism that guarantees the system will still reboot.
This change does all of the optional reboot steps in a separate thread
and waits for this thread with a timeout, such that if the reboot
steps get hung, the system is guaranteed to still reboot.
This is specific to 'reboot'. Shutdown continues to run unbounded to
run fsck.
Bug: 72781711
Test: Reboot devices hitting and not hitting this timeout
Change-Id: Id5e1b3693bab00602177e28b9b662e1499c32961
It's currently not clear that init stops processes due to being sent a
control message nor who sent that message.
Bug: 73343913
Test: send control messages and see the logs
Change-Id: I9e9eff2001e649814107ea961b3b747a1f6da598
There is a race in the very_long_name_35166374 test of
property_service. The test first sends a size value that is beyond
the limit that init will handle, then sends a dummy data value.
However, init closes the socket upon seeing the faulty size, and if
this happens before the test sends the dummy data, the test will crash
due to SIGPIPE.
Since there is no reason to send the dummy data at all, this change no
longer sends it to prevent the crash. It also now checks explicitly
that init returns an error through the socket.
Bug: 73619375
Test: the unit test in question
Change-Id: I2565a69fa54910cee0e15fc798445e18c91156ec
mount operations should be done in vendor init context, but their
complexity currently limits this. Add a TODO to make this reason
clear to those viewing the code.
Bug: 72488820
Test: N/A
Change-Id: I8b6dd92aa79f31dc24603559ed6de0815facfcba
Previously, unless the process unblocks the signal by itself,
the signal was never delivered to the process. This caused at
least one CTS test failure.
Bug: 72453675
Test: 'kill -TERM app_pid' terminates the app process
Change-Id: I3977cac75e2673b52c5cf91d34d7a9c258c1a0e4
Don't use the FDE flow to support metadata encryption; just use the
vold service which directly mounts the volume.
Bug: 63927601
Test: Boot Taimen to SUW with and without metadata encryption.
Change-Id: Idf9c27a69872cd7a9e2fb76df09a91d8e5ef4896
ro.boot.* are from kernel cmdline, and kernel is usually owned by SoC
vendor or ODM.
So those properties should be allowed as action triggers of
vendor/odm init scripts.
Additionally the state of mediadrm (/system/bin/mediadrmserver) should
be used to operate the state of drm HAL.
So init.svc.mediadrm should be whitelisted as an action trigger as well.
Bug: 36796459
Test: tested with walleye
Change-Id: Ic9f68162c577cc190f193063988ad04e42478e6e
This CL will enable reading /product/build.prop and add product paths
into ld.config.txt.in.
Bug: 64195575
Test: tested with 'PRODUCT_PRODUCT_PROPERTIES := ro.product.abc=abc' on
sailfish
Change-Id: Ie996def20e25dc1afe0c74af2096af844934b2dc
vendor_init doesn't have permissions to read rootfs labeled files, but
needs to read /vendor_file_contexts to do restorecon correctly. This
file is a file_contexts file, so labeling it as such seems appropriate.
Test: bullhead + vendor_init doesn't hit this audit
Change-Id: I475e9735616c2426b9c7073700272f878ced2135
Finishing a TODO from vendor_init, check SELinux permissions before
setting properties in vendor_init.
Bug: 62875318
Test: N/A
Change-Id: I3cb6abadd2613ae083705cc6b9c970587b6c6b19
These are halified. Instead launch blank_screen which
does the same task w/o init itself having binder
dependencies.
Bug: 70846424
Test: manual + reboot appears similar
Change-Id: If8b2a56cbc31077122ea81406721b06034e4498f
I'd been not doing this for a while since some of this code doesn't
compile on host and libinit previously did. But after realizing
the property_service.cpp (libinit) references symbols in init.cpp
(init) and seeing a new linker error crop up due to that, it's time to
make the fix.
My only hold out previously was that libinit compiled on host bionic
and some of init (builtins.cpp, etc) do not, however given that we
don't actually have host bionic support or host bionic init tests,
that isn't a good reason. We can and should mock out the libraries
that aren't available with host bionic when ready.
Test: build, unit tests, boot
Change-Id: Ie49362ddb637924efc272540a4f32b693643fcdc
This whitelist will be applied only when
ro.actionable_compatible_property.enabled is true.
Bug: 38146102
Test: tested on walleye with ro.actionable_compatible_property.enabled=true
Change-Id: Ifd7211396b53e50a06d79e7c67224e2b38ef7c9d
Properties right now can take any format, but that makes it hard to
specify an API for these properties as Treble intends to do.
Therefore this change introduces the idea of property types, described below.
1) 'string' this is the default type and allows any property to be set.
2) 'bool' this allows only boolean values (true|false|1|0)
3) 'int' and 'uint' these allow signed and unsigned integer values
respectively.
4) 'double' this allows floating point numbers with double precision.
5) 'size' this allows for strings matching [0-9]+[gkm].
6) 'enum' this allows only a specific set of space delimited values
to be set, e.g. 'enum allow these strings' only allows one of 'allow',
'these', or 'strings' to be set.
Bug: 70858511
Test: unit tests, test that properties are only set if their type matches
Change-Id: I7a6b00fb43ec630d1f56c9e9a1f1b61d3914f603
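The type rules listed in the commit message above, written out as a value checker. This is an added example, not AOSP's implementation; the function names, the strict rejection of leading whitespace, and the fail-closed handling of unknown types are assumptions.

```cpp
// Added example, not AOSP code: value checks for the property types listed above.
#include <cctype>
#include <cerrno>
#include <cstdlib>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// strto* functions skip leading whitespace; reject it so " 1" is not a number.
static bool StartsCleanly(const std::string& v) {
    return !v.empty() && !std::isspace(static_cast<unsigned char>(v[0]));
}

// True when the parser consumed the whole value and reported no range error.
static bool ConsumedAll(const std::string& v, const char* end) {
    return errno == 0 && end == v.c_str() + v.size();
}

static bool IsInt(const std::string& v) {
    if (!StartsCleanly(v)) return false;
    char* end = nullptr;
    errno = 0;
    (void)std::strtoll(v.c_str(), &end, 10);
    return ConsumedAll(v, end);
}

static bool IsUint(const std::string& v) {
    // strtoull silently wraps "-1" to a huge value, so refuse a sign up front.
    if (!StartsCleanly(v) || v[0] == '-') return false;
    char* end = nullptr;
    errno = 0;
    (void)std::strtoull(v.c_str(), &end, 10);
    return ConsumedAll(v, end);
}

static bool IsDouble(const std::string& v) {
    if (!StartsCleanly(v)) return false;
    char* end = nullptr;
    errno = 0;
    (void)std::strtod(v.c_str(), &end);
    return ConsumedAll(v, end);
}

// 'size' is [0-9]+[gkm]: at least one digit followed by one lowercase unit.
static bool IsSize(const std::string& v) {
    if (v.size() < 2) return false;
    const char unit = v.back();
    if (unit != 'g' && unit != 'k' && unit != 'm') return false;
    for (size_t i = 0; i + 1 < v.size(); ++i) {
        if (!std::isdigit(static_cast<unsigned char>(v[i]))) return false;
    }
    return true;
}

// type_string is e.g. "bool" or "enum allow these strings".
bool CheckType(const std::string& type_string, const std::string& value) {
    std::istringstream in(type_string);
    std::vector<std::string> tokens;
    for (std::string t; in >> t;) tokens.push_back(t);
    if (tokens.empty()) return false;

    const std::string& type = tokens[0];
    if (type == "string") return true;
    if (type == "bool") {
        return value == "true" || value == "false" || value == "1" || value == "0";
    }
    if (type == "int") return IsInt(value);
    if (type == "uint") return IsUint(value);
    if (type == "double") return IsDouble(value);
    if (type == "size") return IsSize(value);
    if (type == "enum") {
        for (size_t i = 1; i < tokens.size(); ++i) {
            if (value == tokens[i]) return true;
        }
        return false;
    }
    return false;  // Assumption: an unknown type name rejects every value.
}

int main() {
    // Constructed sample inputs.
    const char* cases[][2] = {{"bool", "yes"}, {"uint", "-1"}, {"size", "512m"},
                              {"enum allow these strings", "these"}};
    for (const auto& c : cases) {
        std::cout << c[0] << " <- '" << c[1] << "': "
                  << (CheckType(c[0], c[1]) ? "accepted" : "rejected") << "\n";
    }
    return 0;
}
```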
Currently init expands properties in arguments only when those
commands are run in a subcontext. This creates a hole where
properties that should not be accessible from a given subcontext of
init can be accessed when running a command in the main init
executable (for example `start`).
This change creates a callback in subcontext init that simply expands
and returns arguments back to the main init process, to ensure that
only those properties that a subcontext can access get expanded.
Bug: 62875318
Test: boot bullhead, new unit tests
Change-Id: I2850009e70da877c08e4cc83350c727b0ea98796
Also falls back to nonplat_* if it doesn't exist.
Bug: 64240127
Bug: 70279378
Test: boot bullhead and sailfish
Change-Id: I372b42a3c559ae0f9602163699eaef4df148467b
There is a 2s timeout for system property set that currently
uses boot_clock as its clock source. If the system goes to sleep
during a property set, it may erroneously cause the timeout to
be reached as boot_clock increments during sleep. This patch
changes from boot_clock to steady_clock to ignore time spent
asleep when determining this timeout.
bug: 71497234
Test: 1. System service process tries to set a system property
with timeout 2s
2. At the same time, the system goes into sleep mode for more
than 2s
3. System property set will be ok.
Change-Id: I808b9af16974a0f4de60a4ca30ae64d095a13422
We should have done this from the beginning. Thanks to Windows, we're not
going to be able to switch libbase over to std::string_view any time soon.
Bug: N/A
Test: ran tests
Change-Id: Iff2f56986e39de53f3ac484415378af17dacf26b
Instead of requiring each process to parse the property contexts files
in libc initialization, this change has property_service parse these
files once into a serialized trie, which the property code in libc can
then directly interpret for mapping property names to their associated
SELinux context.
Bug: 36001741
Test: boot bullhead, walleye, run unit tests
Change-Id: If67073d56e800b3ca667fb5322e6b993e7d810f6
ODM partition may contain firmware and we should allow
firmware loading from this partition
Test: firmware is loaded successfully
Change-Id: I7d327bc79a04d1a2dee0fd47407eb53f9d391665
Signed-off-by: Alin Jerpelea <alin.jerpelea@sonymobile.com>
Init currently sets the SELinux context on a mkdir but not on
other operations. This patch modifies it to do so when creating
symlinks, writing to a file, or copying a file.
Test: Built, flashed, and booted. Added fake init entries and
verified that they received the proper SELinux context.
Change-Id: I836b570fef81d74f3b6c8e7ce0274e94ca7b12d3
The content of nonplat_declaration.cil in /vendor is a versioned public
sepolicy exported from ${AOSP}/system/sepolicy/public. Renames it to
better reflect the fact.
Bug: 64240127
Test: boot sailfish normally without odm
Test: boot another device having odm
Change-Id: I654f5bbde2f2d666a2a5c7ed8561ccd93c983a6e
This change explicitly drops all inheritable capabilities (and, by
extension, ambient capabilities) when there are no explicit capabilities
being set by a service and the user is changed. This prevents Android
running in a container from accidentally granting extra capabilities to
services.
Bug: 69320306
Test: aosp_sailfish still boots
Test: sailfish:/ $ grep Cap /proc/`pidof android.hardware.audio@2.0-service`/status
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
Test: sailfish:/ $ grep Cap /proc/`pidof logd`/status
CapInh: 0000000000000000
CapPrm: 0000000440000000
CapEff: 0000000440000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
Test: Android in Chrome OS still boots
Test: localhost ~ # grep Cap /proc/`pidof android.hardware.audio@2.0-service`/status
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000000006daefdff
CapAmb: 0000000000000000
Test: localhost ~ # grep Cap /proc/`pidof logd`/status
CapInh: 0000000000000000
CapPrm: 0000000040000000
CapEff: 0000000040000000
CapBnd: 000000006daefdff
CapAmb: 0000000000000000
Change-Id: I9218f2e27ff4fb4d91d50f9a98c0fdb4e272952c
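A checker for the `grep Cap /proc/<pid>/status` output used in the Test lines above: it confirms that the inheritable and ambient sets are empty and names the bits left in CapPrm. This is an added example, not part of the commit; the function names are assumptions, `kLogdStatus` is copied from the sailfish logd output above, and `kLeakyStatus` is constructed.

```cpp
// Added example, not AOSP code: audit the Cap* lines of /proc/<pid>/status.
#include <cstdint>
#include <cstdlib>
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

// Capability names by bit number, as defined in linux/capability.h.
static const char* const kCapNames[] = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ"};
static const int kCapCount = sizeof(kCapNames) / sizeof(kCapNames[0]);

// Output copied from the logd Test lines in the commit message above.
static const char kLogdStatus[] =
    "CapInh: 0000000000000000\n"
    "CapPrm: 0000000440000000\n"
    "CapEff: 0000000440000000\n"
    "CapBnd: 0000003fffffffff\n"
    "CapAmb: 0000000000000000\n";

// Constructed sample: a service that kept one inheritable capability.
static const char kLeakyStatus[] =
    "CapInh: 0000000000000400\n"
    "CapPrm: 0000000000000000\n"
    "CapEff: 0000000000000000\n"
    "CapBnd: 0000003fffffffff\n"
    "CapAmb: 0000000000000000\n";

// Collects "CapXxx: <hex>" lines into a map keyed by set name (no colon).
std::map<std::string, uint64_t> ParseCapStatus(const std::string& text) {
    std::map<std::string, uint64_t> sets;
    std::istringstream in(text);
    for (std::string line; std::getline(in, line);) {
        std::istringstream fields(line);
        std::string key, hex;
        if (!(fields >> key >> hex)) continue;
        if (key.size() != 7 || key.compare(0, 3, "Cap") != 0 || key.back() != ':') continue;
        char* end = nullptr;
        const uint64_t mask = std::strtoull(hex.c_str(), &end, 16);
        if (end != hex.c_str() + hex.size()) continue;  // not a clean hex mask
        key.pop_back();
        sets[key] = mask;
    }
    return sets;
}

// Names of the capabilities set in a mask, lowest bit first.
std::vector<std::string> CapNames(uint64_t mask) {
    std::vector<std::string> names;
    for (int bit = 0; bit < 64; ++bit) {
        if (!(mask & (uint64_t{1} << bit))) continue;
        names.push_back(bit < kCapCount ? kCapNames[bit] : "bit_" + std::to_string(bit));
    }
    return names;
}

// True only when CapInh and CapAmb are both present and zero; a missing
// line is treated as a failure so a truncated capture cannot pass.
bool InheritsNothing(const std::map<std::string, uint64_t>& sets) {
    const auto inh = sets.find("CapInh");
    const auto amb = sets.find("CapAmb");
    return inh != sets.end() && amb != sets.end() && inh->second == 0 && amb->second == 0;
}

int main() {
    const char* const samples[] = {kLogdStatus, kLeakyStatus};
    for (const char* sample : samples) {
        auto sets = ParseCapStatus(sample);
        std::cout << (InheritsNothing(sets) ? "ok  " : "LEAK") << " CapPrm:";
        for (const auto& name : CapNames(sets["CapPrm"])) std::cout << ' ' << name;
        std::cout << " CapInh:";
        for (const auto& name : CapNames(sets["CapInh"])) std::cout << ' ' << name;
        std::cout << "\n";
    }
    return 0;
}
```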
For instance, on vendor.img:
    service foo /vendor/bin/nfc
        ...
And then on odm.img:
    service foo /odm/bin/super-nfc
        override
Allows a service on ODM to override a HAL on vendor.
Bug: 69050941
Test: boot, init_tests
Change-Id: I4e908fb66e89fc6e021799fe1fa6603d3072d62a
This is paving the way to allow an "override" tag
in init services. This also means that errors for
part of a service definition in its section will
be shown in addition to the fact that the service
is duplicated.
Bug: 69050941
Test: boot, init_tests
Change-Id: Ic1ea8597789f45ead1083451b3e933db1524bdc9
Allow it to fail. When there is an error for a section ending,
print the error pointing to the line where the section starts.
Bug: 69050941
Test: boot, init_tests
Change-Id: I1d8ed25f4b74cc9ac24d38b8075751c7d606aea8
The client of FirstStageMount class should check the existence of fstab
in device-tree prior to using it. So raising a FATAL error inside
FirstStageMount when failing to parse the fstab, in order to expose
more accurate error messages.
Also fixing a comment in fs_mgr, where it might happen in either
non-A/B or A/B.
Bug: 69102431
Test: boot sailfish
Change-Id: Ifb525beaa3423b118644778bfe0f84bff9465303
If a restart follows a stop/reset immediately, or vice versa,
clear previous flag bits.
Test: manual - trigger restart after stop immediately to check if
service gets started.
Change-Id: I4503177d7cb5ed054dbcf50cd8e09728415404d4
For a oneshot service, if start happens immediately after stop,
the service could still be in stopping status and then start
won't do anything. This fixes this race condition.
Test: manual - see reproduce instructions in bug.
Bug: 68020256
Change-Id: I20202fa346f1949a8bda3d90deedc8b6a6d814d3
Fixed issues related to forking services into new PID + mount
namespaces.
Remounting rootfs recursively as slave when creating a service in new
PID + mount namespaces. This prevents the service from interfering with
mount points in the parent namespace.
Unmount then mount /proc instead of mounting it with MS_REMOUNT, since
MS_REMOUNT is not sufficient to update /proc to the state appropriate
for the new PID namespace. Note that the /proc mount options specified
here are not the same as those used in the default mount namespace. I
kept them consistent with those used in the code prior to this fix.
Test: Used custom sleepd service to test init 'namespace' keyword.
Tested on angler in oreo-dev - I had to add PID namespaces to the
kernel (commit ad82c662).
Change-Id: I859104525f82fef3400d5abbad465331fc3d732f
See https://lkml.org/lkml/2005/9/10/129 for details.
Bug: 20501816
Test: code compiles and boots with no obvious problems.
Change-Id: I5a9c470156d498852cfd81fbd59ddcf267309e73
std::all_of is using std::find_if, which means that if the given predicate
returns false for any element, it stops further iteration and just returns false.
std::all_of used in Reboot.cpp will cause umount not to be called on all
block devices if some block device returns false in the middle.
Bug: 68158923
Test: reboot
Change-Id: I43ba6bd0c18018c1ed5fe2b63996552bc51cc67c
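The short-circuit described in the commit message above, next to a loop that attempts every device and still reports overall failure. This is an added example, not the code from Reboot.cpp; `BlockDevice`, `TryUmount` and the device list are constructed stand-ins, and no real unmount is performed.

```cpp
// Added example, not AOSP code: std::all_of skips work after the first failure.
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

// Constructed stand-in for a mounted block device; umount_ok is the result
// a real umount() call would have produced for it.
struct BlockDevice {
    std::string mount_point;
    bool umount_ok;
};

using AttemptLog = std::vector<std::string>;

// Records that the device was attempted, then reports the simulated result.
static bool TryUmount(const BlockDevice& dev, AttemptLog& log) {
    log.push_back(dev.mount_point);
    return dev.umount_ok;
}

// The pattern the commit removes: iteration ends at the first false, so
// devices after a failing one are never unmounted.
bool UmountAllShortCircuit(const std::vector<BlockDevice>& devs, AttemptLog& log) {
    return std::all_of(devs.begin(), devs.end(),
                       [&log](const BlockDevice& dev) { return TryUmount(dev, log); });
}

// Attempts every device and only then reports whether all of them succeeded.
bool UmountAllExhaustive(const std::vector<BlockDevice>& devs, AttemptLog& log) {
    bool all_ok = true;
    for (const BlockDevice& dev : devs) {
        if (!TryUmount(dev, log)) all_ok = false;
    }
    return all_ok;
}

// Constructed device list with a failure in the middle.
std::vector<BlockDevice> SampleDevices() {
    return {{"/data", true}, {"/cache", false}, {"/vendor", true}};
}

int main() {
    AttemptLog short_log, full_log;
    const bool short_ok = UmountAllShortCircuit(SampleDevices(), short_log);
    const bool full_ok = UmountAllExhaustive(SampleDevices(), full_log);
    std::cout << "all_of:     ok=" << short_ok << " attempted=" << short_log.size() << "\n";
    std::cout << "exhaustive: ok=" << full_ok << " attempted=" << full_log.size() << "\n";
    return 0;
}
```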
This associates every service with a list of HIDL services
it provides. If these are disabled, hwservicemanager will
request for the service to startup.
Bug: 64678982
Test: manual with the light service
Change-Id: Ibf8a6f1cd38312c91c798b74574fa792f23c2df4
Children of init that use any of the SELinux wrapper functions,
including make_dir(), mkdir_recursive(), and plenty others, need to
first initialize the sehandle with SelabelInitialize().
I wish there were a better solution, but early init doesn't actually
want this handle initialized, so that is a valid use case. Ueventd
needs to initialize this before fork()'ing, so lazy initialization is
not universally acceptable either. Likely we won't have other
children that fork() then exec() init again, so this should be okay.
Bug: 62875318
Test: init unit tests
Test: sailfish creates directories with correct SELabel after wipe
Change-Id: I6de937604a060e18945427418f15b90e0b9d5c37
subcontext_test had been failing due to setexeccon() failing to
transition to vendor_init context. This is a good thing as nothing
other than init should be able to transition into this context.
I don't want to add code to skip the setexeccon() call only for the
tests, so I instead call setexeccon() with the return value of
getcon(). This works however only for root, so these tests are
skipped for non-root.
Test: init unit tests
Change-Id: I8a415599e0ec5506511202f7f5018c0e5265837d
wait_for_prop sets a flag that prevents the action queue from
continuing while otherwise allowing init's main loop to continue
executing. This cannot be done from a subcontext, so it's moved to
normal init.
All property functions need work in any case, particularly once
property_service is moved out of init.
Bug: 62875318
Test: boot sailfish and see that the previous failure related to this
is fixed
Change-Id: Ib9e0d0bdbd0ff22ab0e5c3fe6db620700af266c6
Java already restricts properties to only UTF8 valid strings, and
this change makes this restriction also apply to all native code.
Bug: 63177684
Test: new unit tests
Change-Id: I9fa0ecc0da066b0a026db3497c0f0cbf3f5c2d5a
To make parsing easier for last reboot reason. This also ensures that
last boot reason matches the content that is typically returned by the
bootloader or in turn landed in the canonical system boot reason.
Simplify parsing in bootstat. Adjust and fix boot_reason_test.sh for
new reality. Allow boot reason tests battery and kernel_panic to pass
if device does not support pstore (empty before and after the test).
If device somehow landed in fastboot mode while waiting for the
display, issue a fastboot reboot to move the test along. Some cleanup
and standardization changes to the test script.
Test: system/core/bootstat/boot_reason_test.sh
Bug: 63736262
Change-Id: I97d5467c0b4a6d65df3525f1a2d0051db813d5ad
Allows partners to add a new attribute definition to their public
policy without causing a compatibility failure with the AOSP system
image.
Bug: 67092827
Bug: 37915794
Test: build and boot aosp_sailfish with a new type declared in public
policy.
Change-Id: I3899065affb6806ae9080e1a7dfa5a6f368370f0
As SEPolicy is developed, use this property to enable/disable
subcontexts.
Bug: 62875318
Test: boot device with/without subcontexts
Change-Id: Ieb879836a71c72d4de1bb16514d083d52480bf9a
The last one will avoid errors=panic in ext4.
Test: Build
Bug: 63981945
Bug: 65481582
Change-Id: I9c86afcce441767e24fc43668ab1ff6230155a9f
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
'object_r' is supposed to be simply 'r'.
Test: boot sailfish with SELinux fully enabled and subcontexts enabled
Change-Id: I7eb8b2dd18e66f23c09863e8961da339f72d25c5
One of the major aspects of treble is the compartmentalization of system
and vendor components, however init leaves a huge gap here, as vendor
init scripts run in the same context as system init scripts and thus can
access and modify the same properties, files, etc as the system can.
This change is meant to close that gap. It forks a separate 'subcontext'
init that runs in a different SELinux context with permissions that match
what vendors should have access to. Commands get sent over a socket to
this 'subcontext' init that then runs them in this SELinux context and
returns the result.
Note that not all commands run in the subcontext; some commands such as
those dealing with services only make sense in the context of the main
init process.
Bug: 62875318
Test: init unit tests, boot bullhead, boot sailfish
Change-Id: Idf4a4ebf98842d27b8627f901f961ab9eb412aee
This has moved to being serialized with libprotobuf.
Test: persistent properties work on bullhead
Test: init unit tests
Change-Id: I26ebe135e37d352f9c53612301bde703144853e7
Change HandleSigtermSignal() handler to report shutdown,container. Add
the new reason to bootstat. Remove log stutter as
HandlPowerctlMessage will also do a LOG(INFO) reporting
shutdown,container as reason.
Sending SIGTERM to init is to allow a host OS to ask an Android
Container instance to shutdown. The temptation is to report
shutdown,sigterm but that does not accurately describe the usage
scenario.
Test: compile
Bug: 63736262
Change-Id: I3c5798921bdbef5d2689ad22a2e8103741b570b4
Primarily, this fixes a bug where a forked child of property service
uses exit() instead of _exit, which has the unintended consequences of
running the global destructors of init proper, which leads to
unintended cleanup.
Secondly, this replaces the remaining calls of exit() that really
should be LOG(FATAL).
Test: boot sailfish
Change-Id: I779228e7d44a73186bc7685bb723c4b9278a0a2d
I probably should have done this from the start... There's a shim to
convert my manually serialized format to protobuf, and since that has
not yet shipped, it'll be reverted in a short period of time.
Test: init unit tests
Test: upgrade from legacy and intermediate property formats successfully
Change-Id: Iad25f6c30d0b44d294230a53dd6876222d1c785b
This command functions similarly to `exec` except that it does not
cause init to halt executing commands until the process has
terminated. It is useful for launching simple one time background
tasks.
Bug: 65736247
Test: create an exec_background service and see it function properly
Change-Id: I719c8b85479b65201770aedc0a13191303007c11
Builtin commands may set the sys.powerctl property, which causes
reboot to be immediately processed. Unfortunately, part of the reboot
processing involves clearing the action queue, so when this scenario
happens, ActionManager::ExecuteOneCommand() can abort due to its state
being unexpectedly changed.
Longer term, the real fix here is to split init and property service.
In this case, the property sets will be sent to property service and
the reboot will only be processed once property service responds back
to init that the property has been set. Since that will not happen
within the action queue, there will be no risk of failure.
Short term, this change sets a flag in init to shutdown the device
before the next action is run, which defers the shutdown enough to fix
the crash, but continues to prevent any further commands from running.
Bug: 65374456
Test: force bullhead into the repro case and observe that it no longer
repros
Change-Id: I89c73dad8d7912a845d694b095cab061b8dcc05e
ExpandArgs() was factored out of Service::Start() to clean up init,
however this introduced a bug: the scope of expanded_args ends when
ExpandArgs() returns, yet pointers to the c strings contained within
those std::strings are returned from the function. These pointers are
invalid and have been seen to cause failures on real devices.
This change moves the execv() into ExpandArgs() and renames it
ExpandArgsAndExecv() to keep the clean separation of Service::Start()
but fix the variable scope issue.
Bug: 65303004
Test: boot fugu
Change-Id: I612128631f5b58d040bffcbc2220593ad16cd450
This allows Android to cleanly shutdown when running in a PID namespace
in a way that does not rely on adbd running. This is useful to allow
Android to be running in a container and its lifetime managed by an
OCI-compliant tool.
Bug: 65415372
Test: `kill -TERM 1` as root is correctly dropped.
Test: `kill -TERM 1` from the init PID namespace causes init to cleanly shutdown.
Change-Id: Ia66ebdb436221919081bc4723337c0c7f1e53b09
Unless a process logs that it is requesting a device to reboot, there
are no logs to show which process triggered a reboot. This change
introduces such a log in property service such that system initiated
reboots can be clearly blamed back to a calling process.
Bug: 64214361
Test: reboot and check kernel log for reboot string
Change-Id: I18de33d2a0933d20bdb581025b78020c88c5c6eb
init: support loading odm sepolicy
Currently init merges two sepolicy cil files:
- /system/etc/selinux/plat_sepolicy.cil
- /vendor/etc/selinux/nonplat_sepolicy.cil
This change replaces nonplat_sepolicy.cil with the following two files:
- /vendor/etc/selinux/declaration/nonplat_declaration.cil
- /vendor/etc/selinux/vender_sepolicy.cil
And support merging another default (but optional):
- /odm/etc/selinux/odm_sepolicy.cil.
Bug: 64240127
Test: boot sailfish normally without odm.cil
Test: boot another device having odm.cil
Change-Id: I0b7f8c656c73ddb0fd46f2af3c625d7c81566f2f
We have seen that storing persistent properties in separate files
causes increased boot latency compared to if they were stored in a
single contiguous file.
This change creates a simple format for a contiguously stored property
file, and adds the support for arbitrary characters in the names of
persistent properties, which previously had been restricted. It has a
mechanism for converting older devices to the new format as well.
Bug: 64392887
Test: boot bullhead with new properties
Test: boot bullhead and verify old properties are converted to the new
property file
Test: corrupt property file and ensure that it gets recovered from memory
Test: new unit tests
Change-Id: I60d8201d655ce5c97b33faae81d5ca8dbbb21a14
Add a new service option, `rlimit` that allows a given rlimit to be
set for a specific service instead of globally.
Use the same parsing, now allowing text such as 'cpu' or 'rtprio'
instead of relying on the enum value for the `setrlimit` builtin
command as well.
Bug: 63882119
Bug: 64894637
Test: boot bullhead, run a test app that attempts to set its rtprio to
95, see that the priority set fails normally but passes when
`rlimit rtprio 99 99` is used as its service option.
See that this fails when `rlimit rtprio 50 50` is used as well.
Test: new unit tests
Change-Id: I4a13ca20e8529937d8b4bc11718ffaaf77523a52
Child processes inherit the signal handlers and the 'Aborter' for
logging from their parent process. In the case of init, fork()'ed
processes will attempt to reboot the system if they receive a fatal
signal or if they call LOG(FATAL). This is not the correct behavior;
these processes should terminate due to the provided signal like other
processes on the system.
This is particularly important as there are multiple LOG(FATAL) calls
in service.cpp for failures after fork() but before execv() when a
service is started.
Note that pthread_atfork() is not a viable solution since clone() is
used in some cases instead of fork() and atfork handlers are not
called with clone().
Test: LOG(FATAL) from a child process of init and see that it
terminates due to a signal correctly
Test: LOG(FATAL) from init proper and see that it reboots to the
bootloader
Change-Id: I875ebd7a5f6b3f5e3e2c028af3306917c4409db3
1) Attempt to make the error message associated with a missing service
better.
2) Provide a link to more in-depth documentation.
Bug: 65023716
Test: code compiles.
Change-Id: Ie0f1896fb41d5afd11501f046cb51d4c8afe0a62
The move to returning Result from Service::Start() for better context
when starting process through init's builtins stops Service::Start()
failures from being logged from other contexts. This change adds
those logs along with their context.
Test: boot bullhead, fail to start services via `setprop ctl.start`,
see the expected error in dmesg
Change-Id: I45294f6abf00852f3d4c549a32eaf4920a51e6f0
Switch from /data/misc/reboot/last_reboot_reason to persistent
Android property persist.sys.boot.reason for indicating why the
device is rebooted or shutdown.
persist.sys.boot.reason has a standard as outlined in b/63736262 and
the associated investigation. Made adjustments to the values so that
we did not create a problem even before we started. Compliance is
part of the tests in boot_reason_test.sh.
Test: system/core/bootstat/boot_reason_test.sh
Bug: 64687998
Change-Id: I812c55a12faf7cb7ff92101009be058ad9958d07
With full disk encryption, a temporary /data partition is mounted to
start a minimum subset of the frameworks. Later, once /data can be
decrypted it is mounted again. load_persist_props is called both when
the temporary /data partition is mounted and again after the real
/data is mounted; this is a mistake.
This change checks to see if we're a FDE device and if so, returns the
first time load_persist_props is called.
Test: boot bullhead (FDE) with and without boot pin and check that
persistent properties are loaded
Test: boot sailfish (FBE) and check that persistent properties are loaded
Change-Id: I6ed725072bdb27d80bfa6575d0a4876b08c6a4bc
Enable error reporting when builtin functions fail. These errors are
now reported with full context including the source file and line
number, e.g.

    init: Command 'write /sys/module/subsystem_restart/parameters/enable_debug ${persist.sys.ssr.enable_debug}' action=early-boot (/init.bullhead.rc:84) took 0ms and failed: cannot expand '${persist.sys.ssr.enable_debug}'

There are two small caveats:
1) There are nearly 200 reports of builtins failure due to "No such
   file or directory". Many of these are due to legacy paths included
   in rootdir/init.rc. Until they are cleaned up, reporting of these
   failures is disabled.
2) Similarly, symlink is often used to create backwards compatible
   symlinks. By their very nature, these calls are expected to fail
   on newer systems that do already use the new path. Due to this,
   failures of symlink due to EEXIST are not reported.
Bug: 38038887
Test: boot bullhead, only see true errors reported from builtins.
Change-Id: I316c13e3adc992cacc6d79ffee987adc8738fca0
Log Service failures via Result<T> such that their context can be
captured when interacting with services through builtin functions.
Test: boot bullhead
Change-Id: I4d99744d64008d4a06a404e3c9817182c6e177bc
Result<T> currently has two problems,
1) A failing Result<T> cannot be easily constructed from a Result<U>'s
error.
2) errno is lost when passing .error() through multiple Result<T>'s
This change fixes both problems by having Result<T>::error() return a
ResultError class that contains the std::string error message and int
errno.
It additionally has ostream operators to continue to allow printing
the error string directly to an ostream and also to pass the errno
through to another Result<T> class via Error() creation.
Lastly, it provides a new constructor for Result<T> for ResultError,
such that a Result<T> can be constructed from Result<U>::error().
Test: boot bullhead, init unit tests
Change-Id: Id9614b727cdabd2f5498b0da0e598e9aff7d9ae0
Init keeps its own copy of the environment that it uses for execve when
starting services. This is unnecessary however as libc already has
functions that mutate the environment and the environment that init
uses is clean for starting services. This change removes init's copy
of the environment and uses the libc functions instead.
This also makes a small clean-up to the way the Service class stores
service specific environment variables.
Test: boot bullhead
Change-Id: I7c98a0b7aac9fa8f195ae33bd6a7515bb56faf78
Bug: 64848081
Test: built and successfully booted again
Merged-In: I93c899249bf2cc5ab8d880c0eaff471518e73121
Change-Id: I93c899249bf2cc5ab8d880c0eaff471518e73121
Currently, init attempts to set ro.boottime.<service> properties
whenever a service starts, however since these properties are ro. this
means that an error is printed whenever a service is restarted.
Since these properties are intended for reporting boottime, these
subsequent writes during restarts are erroneous and therefore this
change stops attempting to write them, thus silencing the error.
Test: boot bullhead, restart processes, observe no error print
Change-Id: I372f8d5c26590fc0661b92f632410e23e6418841
1) Check subsystems list before doing usb subsystem logic. This allows
developers to handle usb* subsystems in ueventd.rc files.
2) Fix a bug where each subsystem_ instance is not reinitialized, but
rather only the name_ member was set.
Test: boot bullhead
Test: check that multiple uevent_devname subsystems work when
specified in ueventd.rc
Change-Id: Ifcac04763afcaf72a3b14ef5f3a6cb89981b51a1
Test: boot bullhead
Test: Introduce LOG(FATAL) at various points of init and ensure that
it reboots to the bootloader successfully
Test: Introduce LOG(FATAL) during DoReboot() and ensure that it reboots
instead of recursing infinitely
Test: Ensure that fatal signals reboot to bootloader
Change-Id: I409005b6fab379df2d635e3e33d2df48a1a97df3
We currently throw out the return values from builtin functions and
occasionally log errors with no supporting context. This change uses
the newly introduced Result<T> class to communicate a successful result
or an error back to callers in order to print an error with clear
context when a builtin fails.
Example:
    init: Command 'write /sys/class/leds/vibrator/trigger transient' action=init (/init.rc:245) took 0ms and failed: Unable to write to file '/sys/class/leds/vibrator/trigger': open() failed: No such file or directory
Test: boot bullhead
Merged-In: Idc18f331d2d646629c6093c1e0f2996cf9b42aec
Change-Id: Idc18f331d2d646629c6093c1e0f2996cf9b42aec
init tries to propagate error information up to build context before
logging errors. This is a good thing, however too often init has the
overly verbose paradigm for error handling, below:
    bool CalculateResult(const T& input, U* output, std::string* err);

    bool CalculateAndUseResult(const T& input, std::string* err) {
        U output;
        std::string calculate_result_err;
        if (!CalculateResult(input, &output, &calculate_result_err)) {
            *err = "CalculateResult " + input + " failed: " +
                   calculate_result_err;
            return false;
        }
        UseResult(output);
        return true;
    }

Even more common are functions that return only true/false but also
require passing a std::string* err in order to see the error message.
This change introduces a Result<T> that is used to either hold a
successful return value of type T or to hold an error message as a
std::string. If the function only returns success or a failure with
an error message, Result<Success> may be used. The classes Error and
ErrnoError are used to indicate a failed Result<T>.
A successful Result<T> is constructed implicitly from any type that
can be implicitly converted to T or from the constructor arguments for
T. This allows you to return a type T directly from a function that
returns Result<T>.
Error and ErrnoError are used to construct a Result<T> that has
failed. Each of these classes takes an ostream as an input and is
implicitly cast to a Result<T> containing that failure. ErrnoError()
additionally appends ": " + strerror(errno) to the end of the failure
string to aid in interacting with C APIs.
The end result is that the above code snippet is turned into the much
clearer example below:

    Result<U> CalculateResult(const T& input);

    Result<Success> CalculateAndUseResult(const T& input) {
        auto output = CalculateResult(input);
        if (!output) {
            return Error() << "CalculateResult " << input << " failed: "
                           << output.error();
        }
        UseResult(*output);
        return Success();
    }
This change also makes this conversion for some of the util.cpp
functions that used the old paradigm.
Test: boot bullhead, init unit tests
Merged-In: I1e7d3a8820a79362245041251057fbeed2f7979b
Change-Id: I1e7d3a8820a79362245041251057fbeed2f7979b
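
The Result<T> pattern from the commit message above, together with the ResultError follow-up (errno carried through chained errors, Result<T> built from Result<U>::error()) and the builtin reporting caveats listed earlier on this page, as an added example that is not init's own code. It is a simplified sketch: WriteFile, DoWrite, ShouldReport and Build are hypothetical names, and the class layout is an assumption.

```cpp
#include <cerrno>
#include <cstring>
#include <fcntl.h>
#include <sstream>
#include <string>
#include <unistd.h>

// Error text plus the errno captured when the failure was created.
struct ResultError { std::string message; int code; };

// Failure builder: stream a message into it, then return it as any Result<T>.
class Error {
  public:
    explicit Error(int code = 0, bool append = false) : code_(code), append_(append) {}
    template <typename V> Error& operator<<(const V& v) { ss_ << v; return *this; }
    // Streaming another result's error forwards its errno along with its text.
    Error& operator<<(const ResultError& e) { ss_ << e.message; code_ = e.code; return *this; }
    ResultError Build() const {
        std::string m = ss_.str();
        if (append_) m += std::string(": ") + std::strerror(code_);
        return ResultError{m, code_};
    }
  private:
    std::ostringstream ss_;
    int code_; bool append_;
};
// Captures errno at construction and appends ": " + strerror(errno).
struct ErrnoError : Error { ErrnoError() : Error(errno, true) {} };
struct Success {};

template <typename T> class Result {
  public:
    Result(const T& v) : ok_(true), value_(v), error_() {}
    Result(const Error& e) : ok_(false), value_(), error_(e.Build()) {}
    Result(const ResultError& e) : ok_(false), value_(), error_(e) {}  // from Result<U>::error()
    explicit operator bool() const { return ok_; }
    const T& operator*() const { return value_; }
    const ResultError& error() const { return error_; }
  private:
    bool ok_; T value_; ResultError error_;
};

// Stand-in for a builtin helper (hypothetical); fails with errno set by open().
Result<Success> WriteFile(const std::string& path) {
    int fd = open(path.c_str(), O_WRONLY);
    if (fd == -1) return ErrnoError() << "open() failed";
    close(fd);
    return Success();
}
Result<Success> DoWrite(const std::string& path) {  // adds context, keeps errno
    auto r = WriteFile(path);
    if (!r) return Error() << "Unable to write to file '" << path << "': " << r.error();
    return Success();
}
// Caveats as stated: ENOENT muted for every builtin, EEXIST only for symlink.
bool ShouldReport(const std::string& builtin, const ResultError& e) {
    if (e.code == ENOENT) return false;
    return !(builtin == "symlink" && e.code == EEXIST);
}
```

Because the errno survives the extra layer of context added in DoWrite, the reporting filter can act on the error code instead of matching on message text.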
This change splits out the selinux initialization and supporting
functionality into selinux.cpp and splits the security related
initialization of the rng, etc to security.cpp. It also provides
additional documentation for SEPolicy loading as this has been
requested by some teams.
It additionally cleans up sehandle and sehandle_prop. The former is
static within selinux.cpp and new wrapper functions are created around
selabel_lookup*() to better serve the users. The latter is moved to
property_service.cpp as it is isolated to that file for its usage.
Test: boot bullhead
Merged-In: Idc95d493cebc681fbe686b5160502f36af149f60
Change-Id: Idc95d493cebc681fbe686b5160502f36af149f60
(cherry picked from commit 9afb86b25d8675927cb37c86119a7ecf19f74819)
We currently throw out the return values from builtin functions and
occasionally log errors with no supporting context. This change uses
the newly introduced Result<T> class to communicate a successful result
or an error back to callers in order to print an error with clear
context when a builtin fails.
Example:
    init: Command 'write /sys/class/leds/vibrator/trigger transient' action=init (/init.rc:245) took 0ms and failed: Unable to write to file '/sys/class/leds/vibrator/trigger': open() failed: No such file or directory
Test: boot bullhead
Change-Id: Idc18f331d2d646629c6093c1e0f2996cf9b42aec
init tries to propagate error information up to build context before
logging errors. This is a good thing, however too often init has the
overly verbose paradigm for error handling, below:
    bool CalculateResult(const T& input, U* output, std::string* err);

    bool CalculateAndUseResult(const T& input, std::string* err) {
        U output;
        std::string calculate_result_err;
        if (!CalculateResult(input, &output, &calculate_result_err)) {
            *err = "CalculateResult " + input + " failed: " +
                   calculate_result_err;
            return false;
        }
        UseResult(output);
        return true;
    }

Even more common are functions that return only true/false but also
require passing a std::string* err in order to see the error message.
This change introduces a Result<T> that is used to either hold a
successful return value of type T or to hold an error message as a
std::string. If the function only returns success or a failure with
an error message, Result<Success> may be used. The classes Error and
ErrnoError are used to indicate a failed Result<T>.
A successful Result<T> is constructed implicitly from any type that
can be implicitly converted to T or from the constructor arguments for
T. This allows you to return a type T directly from a function that
returns Result<T>.
Error and ErrnoError are used to construct a Result<T> that has
failed. Each of these classes takes an ostream as an input and is
implicitly cast to a Result<T> containing that failure. ErrnoError()
additionally appends ": " + strerror(errno) to the end of the failure
string to aid in interacting with C APIs.
The end result is that the above code snippet is turned into the much
clearer example below:

    Result<U> CalculateResult(const T& input);

    Result<Success> CalculateAndUseResult(const T& input) {
        auto output = CalculateResult(input);
        if (!output) {
            return Error() << "CalculateResult " << input << " failed: "
                           << output.error();
        }
        UseResult(*output);
        return Success();
    }
This change also makes this conversion for some of the util.cpp
functions that used the old paradigm.
Test: boot bullhead, init unit tests
Change-Id: I1e7d3a8820a79362245041251057fbeed2f7979b
This change splits out the selinux initialization and supporting
functionality into selinux.cpp and splits the security related
initialization of the rng, etc to security.cpp. It also provides
additional documentation for SEPolicy loading as this has been
requested by some teams.
It additionally cleans up sehandle and sehandle_prop. The former is
static within selinux.cpp and new wrapper functions are created around
selabel_lookup*() to better serve the users. The latter is moved to
property_service.cpp as it is isolated to that file for its usage.
Test: boot bullhead
Merged-In: Idc95d493cebc681fbe686b5160502f36af149f60
Change-Id: Idc95d493cebc681fbe686b5160502f36af149f60
Crashes that happen before tombstoned is running are extremely hard to
diagnose, because tombstones aren't written to disk, and the window of
opportunity to get logs via `adb logcat` is small (potentially
nonexistent).
Solve this by adding a world-writable /dev/kmsg_debug on userdebug
builds, and writing to it in addition to logcat when tombstoned hasn't
started yet.
Bug: http://b/36574794
Test: stop tombstoned; crasher; dmesg
Change-Id: I46ba2dd67c188be74bd931f8a5536b6342d537f2
Inspired by ag/2659809/, this CL adds a readahead built-in command in init
to let files be prefetched into pagecache for faster reading.
Readahead happens in the background, but due to a filesystem limitation it
might take a small amount of time reading the filesystem metadata
needed to locate the requested blocks. So the command is executed in a
forked process to not block init execution.
Bug: 62413151
Test: boottime, dumpcache
Change-Id: I56c86e2ebc20efda4aa509e6efb736bd1d92baa5
service.cpp, which is part of libinit, references symbols in
property_service.cpp, which causes the linker to complain when linking
libinit.a in some situations.
Therefore, we move property_service.cpp to libinit.
Separately, this will make it easier to write tests for
property_service.cpp, which we will want to do in the future.
Test: build, init unit tests
Change-Id: If1cffa8510b97e9436efed3c8ea0724272383eba
The shared libselinux library does not export all of the symbols that
we use in init and the linker is now complaining about this, so let's
use the static libselinux library in init_tests to match init itself.
Test: build, init unit tests
Change-Id: I9011a959a7c49446b3529740e606140a4ee8c32d
selabel_lookup() must be threadsafe, but had failed in the past.
Bug: 63861738
Test: this newly added test
Change-Id: I78bdb8e555433e8217ac6d4be112ba91de9f03bb
* changes:
  init: rename ServiceManager to ServiceList and clean it up
  init: move reaping from ServiceManager to signal_handler.cpp
  init: move exec operations out of ServiceManager
ServiceManager is essentially just a list now that the rest of its
functionality has been moved elsewhere, so the class is renamed
appropriately.
The ServiceList::Find* functions have been cleaned up into a single
smaller interface.
The ServiceList::ForEach functions have been removed in favor of
ServiceList itself being directly iterable.
Test: boot bullhead
Change-Id: Ibd57c103338f03b83d81e8b48ea0e46cd48fd8f0
signal_handler.cpp itself needs to be cleaned up, but this is a step
to clean up ServiceManager.
Test: boot bullhead
Change-Id: I81f1e8ac4d09692cfb364bc702cbd3deb61aa55a
These can be implemented without ServiceManager, so we remove them and
make ServiceManager slightly less of a God class.
Test: boot bullhead
Test: init unit tests
Change-Id: Ia6e546fe5292255412245256f7d230af4ece135f
The time data types associated with restarting processes halfway moved
to std::chrono and halfway didn't. In this intermediate state, the
times would get converted from nanoseconds to seconds then to
milliseconds. The precision lost when converting to seconds would
cause the main loop of init to spin whenever a process was within a
second of being restarted.
This patch cleans up this logic and uses nanoseconds and milliseconds
explicitly, with a ceiling to milliseconds to prevent unneeded
spinning.
Test: boot bullhead, kill processes, see that they restart sanely.
Change-Id: I0b017ba0e50c09704b0c5cdfcde1dba461804593