Init now parses *.rc files from the APEXs when the apexd notifies the
mount event via apexd.status sysprop.
Bug: 117403679
Test: m apex.test; adb root; adb push <builtfile> /data/apex; adb reboot
adb root; adb shell setprop ctl.start apex.test; dmesg shows that init
tries to start the service which doesn't exist.
[ 47.979657] init: Could not ctl.start for 'apex.test': Cannot find '/apex/com.android.example.apex/bin/test': No such file or directory
Change-Id: I3f12355346eeb212eca4de85b6b73257283fa054
Using overlayfs, the system partition may provide files for older
version of vendor partitions by overlaying on the vendor partition.
Directories in /system/vendor_overlay will be overlaid on the
directories in /vendor to override existing files or provide new
files.
This feature works only if the kernel support overlayfs and has a
patch for override_creds. Otherwise, no-op.
Bug: 114679254
Test: Build and boot: nothing affected without overlayfs, or
vendor file is overrided with overlayfs
Change-Id: Iff3a308945299034123ba7bcb40dc787e102730e
Init is special.
It starts early and does not pick up the Android ASAN options provided
on the environment. Therefore we pull in /system/asan.options in
explicitly if it exists. We provide sane defaults that will allow the
system to boot otherwise.
Logging is complicated because it needs to go to the kernel log.
So use sanitizer functions to install log functions.
Bug: 117879229
Test: m && m SANITIZE_TARGET=address
Test: init boots with ASAN enabled
Change-Id: I72c033a1f86ba5d6b2e4f943e7a3acd0d399c8bf
The kernel opens /dev/console and uses that fd for stdin/stdout/stderr
if there is a serial console enabled and no initramfs, otherwise it
does not provide any fds for stdin/stdout/stderr. InitKernelLogging()
is used to close these existing fds if they exist and replace them
with /dev/null.
Currently, InitKernelLogging() is only called in second stage init,
which means that processes exec'ed from first stage init will inherit
the kernel provided fds if any are provided.
In the case that they are provided, the exec of second stage init
causes an SELinux denial as it does not have access to /dev/console.
In the case that they are not provided, exec of any further process is
potentially dangerous as the first fd's opened by that process will
take the stdin/stdout/stderr fileno's, which can cause issues if
printf(), etc is then used by that process.
Lastly, simply moving InitKernelLogging() to first stage init is not
enough, since first stage init still runs in kernel context and future
child processes will not have permissions to access kernel context
resources. Therefore, it must be done for a second time in second
stage init.
Bug: 117281017
Test: no audits when booting marlin.
Change-Id: If27edab5c32b27765e24c32fbed506ef625889de
Allow services to specify a custom restart period via the
restart_period service option. This will allow services to be run
periodically, such as a service that needs to run every hour.
Allow services to specify a timeout period via the timeout_period
service option. This will allow services to be killed after the
timeout expires if they are still running. This can be combined with
restart_period for creating period services.
Test: test app restarts every minute
Change-Id: Iad017820f9a602f9826104fb8cafc91bfb4b28d6
Device is considered to be unlocked if
androidboot.verifiedbootstate is "orange".
Test: adb shell getprop ro.boot.flash.locked
Change-Id: Id3aeec757908ea63a37e28ad880a6c71d53083ac
If there is no valid pre-compiled SEPolicy policy, init may call
secilc, which exists on the system partition. 1st stage init won't
always live on this partition, so we need to move this SELinux setup
to 2nd stage init, which always lives on the system partition, to
ensure that both secilc and its caller are updated together.
Bug: 114059212
Test: hikey boots, sailfish boots
Change-Id: Iaf7b4af4a5c2ace16755ec2e54510ab95c53f041
Allow init to use binder, but in a restricted way:
- No binder threadpool
- Other processes can't initiate calls to init
- No death recipients
This change adds libbinder/libutils and calls into ProcessState,
which also calls into the kernel driver and sets up state there.
No other binder calls are made, so that we can let this soak for
a while to see if there any bad side effects of just loading
these libraries and initializing the kernel driver.
This introduces about 120kB of additional memory usage (PSS),
mostly due to pulling in libbinder and libutils and the private
state they have.
We also don't include these libraries in the recovery version of
init, because space on the recovery partition is limited.
Bug: 112684055
Test: device still boots, /d/binder/proc/1 shows init state
Change-Id: I972b1eebdb16337f52e20d1f614e3a0dce0f06d2
Attempting to reduce the number of different spellings we have for
"product services" partition in the codebase.
Bug: 112431447
Test: m
Change-Id: I1a87d7e040a8b1f91f973ac7d90d6360b5b54f71
Merged-In: I1a87d7e040a8b1f91f973ac7d90d6360b5b54f71
In the future, systems with dm-linear will require a ramdisk to set up
the mount for system. In this world, first stage init will be a part
of this ramdisk and handle setting up dm-linear, mounting the
necessary partitions, then pivoting to the system image, which will
become the root partition.
This also enables previous devices without system-as-root, to be
unified with system-as-root devices for all aspects of boot after the
pivot_root.
Bug: 79758715
Test: boot hikey
Test: boot sailfish, boot sailfish into recovery
Change-Id: Iefa88a3ec5994e7989aa9f26f2de0351ffa5468b
This is a baseline for splitting init first and second stage into
their own executables.
Bug: 79758715
Test: sailfish boots
Change-Id: I549ad4502893b3a5e4c2a9886f66850f6d31b619
We're moving past a world where static executables are needed,
including watchdogd, so treat this like any other executable and place
it in /system/bin.
Bug: 73660730
Test: watchdogd still runs
Change-Id: I1f7508fd55dce6e9ee72a6ab7a085011a76c0053
This CL is largely and adaptation of
Ie996def20e25dc1afe0c74af2096af844934b2dc
Bug: 80741439
Test: Successfully built product-services.img with one module in it, and
flashed on device. Also successfully built image with
/system/product-services and no dedicated /product-services partition.
Change-Id: I1046dfe19bf874da929c9131b76a1f85422fbb80
Merged-In: I1046dfe19bf874da929c9131b76a1f85422fbb80
In preparation for splitting first stage init from the rest of the
init executable, rename these files which are specifically involved in
first stage mount operations to a more appropriate name.
Test: builds
Change-Id: I8a2d4e8c7e1deea1bab45cc8e738727bc2ceb3e5
Clean up a few mistakes in logging initialization
1) Only init needs to clear stdout/stderr/stdin, so remove this from
ueventd, watchdogd, and subcontext init
2) Only init should reboot due to FATAL errors. This was true even
before this change due to getpid() checks, but there's no reason to
not just use the DefaultAborter for other processes.
3) It's probably a mistake for FATAL logs in init to try to gracefully
shutdown the system, so simply call RebootSystem() here.
4) Lastly, remove log.cpp since it's not actually shared code anymore
Test: build
Change-Id: Ic8c323393dc7ee98ed6bb9691361b51d0d915267
1. init creates /mnt/product used to mount product-specific rw partitions.
2. If a device tree fstab entry for early mount specifies a mount point
under /mnt/product e.g. /mnt/product/foo, init will create
/mnt/product/foo mount point.
Bug: 110808288
Test: change dt fstab entry to mount /mnt/product/foo; mount point is
created correctly, and partition is mounted in early mount.
Change-Id: I321e314992abe1084fd67a382c205f5c0c92bf3d
This functionality is useful for improving boottimes on the ARC++
project. Without this change, ro.serialno would be set to the empty
string when androidboot.serialno was unset in the kernel commandline.
Bug: 62039211
Test: boot with androidboot.serialno unset and ensure ro.serialno is
unset
Change-Id: Iaee339dfa3f0c871e5e9c1fc0534347f2b3e8a07
Init never checked the return values of the calls made during first
stage init (since of course they're not going to fail, right?). But
of course commands can fail and they might not necessarily be obvious
when they do, so let's make it obvious.
Since the kernel log isn't up until later, this creates a list of the
failures that can then be sent to the kernel log once it's ready
(pending of course failures in setting it up...)
Test: boot bullhead, don't see errors
Change-Id: I8c12c61fa12e4368346e8b0e1c0bb0844b5d0377
Drop all references to keychord_id and id and instead use keycodes_
as the id. The keycodes are a std::vector<int> with an unique
sorted-order emplacement method added in the parser. Solves the
academic issue with duplicate keychords and trigger all services
that match rather than first match only.
Test: init_tests
Bug: 64114943
Change-Id: I5582779d81458fda393004c551c0d3c03d9471e0
Move things around so that keychords.cpp is independent of service
and init and can be individually tested with few dependencies.
Permits also rolling out the keychords as a class in a future commit.
Improve parser checking.
Test: init_tests
Bug: 64114943
Change-Id: I82570bc6269ed478db784ec38a8bc916da2be2be
FindService can't be used w/ interfaces due
to the fact that multiple interfaces can be
added to any given interface.
Bug: 79418581
Test: boot device, manually use ctl commands
Change-Id: I7c152630462c9b7509473bc190f5b30460fcc2bc
Replace deprecated /dev/keychord driver with /dev/input/ interface.
Will restrict which nodes are active and relevant, and try to mask
out any unreferenced inputs with EVIOCSMASK if available.
Test: manual, boot, check registered chord works
Bug: 64114943
Change-Id: I2bbf84a6e472d720f02282e10d56795b75ac62d1
Changes to init's behavior during early mount:
1. Mounting of tmpfs on /mnt is moved from init stage to early mount.
2. init creates /mnt/vendor used to mount vendor partitions.
3. If a device tree fstab entry for early mount specifies a mount point
under /mnt/vendor e.g. /mnt/vendor/foo, init will create
/mnt/vendor/foo mount point.
Bug: 64905218
Test: change dt fstab entry to mount persist to /mnt/vendor/persist;
mount point is created correctly, and partition is mounted in early
mount. See go/pag/1069774
Test: device boots with /mnt/vendor and previous contents of /mnt present,
and selinux label "mnt_vendor_file" is applied correctly.
Test: cts-tradefed run commandAndExit cts --skip-all-system-status-check
--primary-abi-only --skip-preconditions -m CtsAppSecurityHostTestCases
-t android.appsecurity.cts.PermissionsHostTest
Change-Id: I3739130739eadf508355c7f2531366fcaed74175
Merged-In: I3739130739eadf508355c7f2531366fcaed74175
(cherry picked from commit b511475664)
Previously, if init received too many SIGCHLD signals, then the write to
signal_write_fd could fail with EAGAIN. The handler tried to log the
EAGAIN error, and init deadlocked if the interrupted init process had
already acquired a logging-related lock.
Bug: b/77867680
Test: manual
Change-Id: Ief0b5e94d8517827a5a7d03773391ba3ba9447c4
It's currently not clear that init stops processes due to being sent a
control message nor who sent that message.
Bug: 73343913
Test: send control messages and see the logs
Change-Id: I9e9eff2001e649814107ea961b3b747a1f6da598
Previously, unless the process unblocks the signal by itself,
the signal was never delivered to the process. This caused at
least one CTS test failure.
Bug: 72453675
Test: 'kill -TERM app_pid' terminates the app process
Change-Id: I3977cac75e2673b52c5cf91d34d7a9c258c1a0e4
This CL will enable reading /product/build.prop and add product paths
into ld.config.txt.in.
Bug: 64195575
Test: tested with 'PRODUCT_PRODUCT_PROPERTIES := ro.product.abc=abc' on
sailfish
Change-Id: Ie996def20e25dc1afe0c74af2096af844934b2dc
I'd be not doing this for a while since some of this code doesn't
compile on host and libinit previously did. But after realizing
the property_service.cpp (libinit) references symbols in init.cpp
(init) and seeing a new linker error crop up due to that, it's time to
make the fix.
My only hold out previously was that libinit compiled on host bionic
and some of init (builtins.cpp, etc) do not, however given that we
don't actually have host bionic support or host bionic init tests,
that isn't a good reason. We can and should mock out the libraries
that aren't available with host bionic when ready.
Test: build, unit tests, boot
Change-Id: Ie49362ddb637924efc272540a4f32b693643fcdc
This associates every service with a list of HIDL services
it provides. If these are disabled, hwservicemanager will
request for the service to startup.
Bug: 64678982
Test: manual with the light service
Change-Id: Ibf8a6f1cd38312c91c798b74574fa792f23c2df4
One of the major aspects of treble is the compartmentalization of system
and vendor components, however init leaves a huge gap here, as vendor
init scripts run in the same context as system init scripts and thus can
access and modify the same properties, files, etc as the system can.
This change is meant to close that gap. It forks a separate 'subcontext'
init that runs in a different SELinux context with permissions that match
what vendors should have access to. Commands get sent over a socket to
this 'subcontext' init that then runs them in this SELinux context and
returns the result.
Note that not all commands run in the subcontext; some commands such as
those dealing with services only make sense in the context of the main
init process.
Bug: 62875318
Test: init unit tests, boot bullhead, boot sailfish
Change-Id: Idf4a4ebf98842d27b8627f901f961ab9eb412aee
Change HandleSigtermSignal() handler to report shutdown,container. Add
the new reason to bootstat. Remove log stutter as
HandlPowerctlMessage will also do a LOG(INFO) reporting
shutdown,container as reason.
Sending SIGTERM to init is to allow a host OS to ask an Android
Container instance to shutdown. The temptation is to report
shutdown,sigterm but that does not accurately describe the usage
scenario.
Test: compile
Bug: 63736262
Change-Id: I3c5798921bdbef5d2689ad22a2e8103741b570b4
Primarily, this fixes a bug where a forked child of property service
uses exit() instead of _exit, which has the unintended consequences of
running the global destructors of init proper, which leads to
unintended cleanup.
Secondly, this replaces the remaining calls of exit() that really
should be LOG(FATAL).
Test: boot sailfish
Change-Id: I779228e7d44a73186bc7685bb723c4b9278a0a2d
Builtin commands may set the sys.powerctl property, which causes
reboot to be immediately processed. Unfortunately, part of the reboot
processing involves clearing the action queue, so when this scenario
happens, ActionManager::ExecuteOneCommand() can abort due to its state
being unexpectedly changed.
Longer term, the real fix here is to split init and property service.
In this case, the property sets will be sent to property service and
the reboot will only be processed once property service responds back
to init that the property has been set. Since that will not happen
within the action queue, there will be no risk of failure.
Short term, this change sets a flag in init to shutdown the device
before the next action is run, which defers the shutdown enough to fix
the crash, but continues to prevent any further commands from running.
Bug: 65374456
Test: force bullhead into the repro case and observe that it no longer
repros
Change-Id: I89c73dad8d7912a845d694b095cab061b8dcc05e
This allows Android to cleanly shutdown when running in a PID namespace
in a way that does not rely on adbd running. This is useful to allow
Android to be running in a container and its lifetime managed by an
OCI-compliant tool.
Bug: 65415372
Test: `kill -TERM 1` as root is correctly dropped.
Test: `kill -TERM 1` from the init PID namespace causes init to cleanly shutdown.
Change-Id: Ia66ebdb436221919081bc4723337c0c7f1e53b09
Jiyong Park