First kill the process group before killing the cgroup to catch
the hopeful case that killing the cgroup becomes a no-op as all of its
processes have already been killed.
Do not report an error if kill fails due to ESRCH, as this happens
often when reaping processes due to the order in which we call
waitpid() and kill().
Do not call killProcessGroup in libprocessgroup if we have already
successfully killed and removed a process group.
Bug: 36661364
Bug: 36701253
Bug: 37540956
Test: Reboot bullhead
Test: Start and stop services
Test: Init unit tests
Change-Id: I172acf0f8e00189f910f865f4635a7b1782fc7e3
The exec_service documentation was difficult to read, clarify it.
Tests:
Run grip.py to verify that the markdown still works correctly.
Run aspell to verify spelling.
Change-Id: I29bdd456f3d3ea2a91c9d4772bd09a5a195f97a9
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Files in the ramdisk by default have the rootfs label and must be
manually restoreconed.
Bug: 35219933
Change-Id: I2a749f128dc3a609907101ce703747f8990b4386
Invent keyutils.h to supply capability to set session keyring.
The keyring will hold things like the FBE encryption keys.
Test: gTest logd-unit-tests --gtest_filter=logd.statistics
Bug: 37751120
Bug: 36645158
Change-Id: Ieb44fa8f53dda6cf506a6243498c72d7f7f3cde7
Similar to what installkey used to do, init_user0 forks and
synchronously waits for vdc to return. This is dangerous to do in
init however as init also processes properties from a single thread.
I'm not aware of any specific issues that this is currently causing,
but it's a good preventative measure to match what installkey does and
use do_exec().
Test: Boot bullhead, see that init_user0 still happens
Change-Id: I853c61594fe3d97e91bbb2319ebddf2bbe80d457
It has been reported that fs_mgr failed to open /dev/device-mapper
during the first stage mount. It's because other uevent (e.g., i2c
charger device) happens to be sent at the same time we're triggering
the device-mapper uevent to be sent. Current implementation returns
COLDBOOT_STOP unconditionally so it will only process the first received
uevent, leaving device-mapper uevent unhandled when the race happens.
Fix this by only returning COLDBOOT_STOP when the received uevent->path
matches that of device mapper.
Bug: 37745254
Test: first stage mount /vendor with vboot 2.0 (avb) on bullhead
Test: first stage mount /vendor with vboot 1.0 on sailfish
Change-Id: I4a77093ec8f90a5ca981a088f34d082d0270533b
Init exposes a global 'sehandle' that ueventd references as part of
devices.cpp and util.cpp. This is particularly dangerous in
device_init() in which both uevent and init write to this global.
This change creates a separate local copy for devices.cpp and puts
restrictions on where init.h can be included to make sure the global
used by init is not reference by non-init code. Future changes to
init should remove this global.
Test: Boot bullhead
Change-Id: Ifefa9e1932e9d647d06cca2618f5c8e5a7a85460
Add unit test to ensure all POD types of Service are initialized.
Bug: 37855222
Test: Ensure bugreport is triggered via keychord properly.
Test: New unit tests
Change-Id: If2cfea15a74ab417a7b909a60c264cb8eb990de7
An forward declaration for a function that was removed in later
patchsets was merged anyway. Since it's not used anywhere, this CL
removes it.
Test: build bullhead
Change-Id: Ie7223f7d23305b71438cb063b64a574ce32f96bb
Reloading sepolicy has been removed from the system, so this support
code can also now be removed.
Bug: 26544104
Test: Boot bullhead
Change-Id: If9dbc9d540d9a69340c1dd6a483c1f8fe5feb287
- allows easier tracking of wait time from monitoring tools
- this change also reduces unnecessary log spam
- service exit log looks like this:
init: Service 'exec 4 (/system/bin/otapreopt_slot)' (pid 611) exited with status 0 waiting took 0.060771 seconds
bug: 37752410
Test: reboot and check log
Change-Id: I122902538697f33939eede548e39f155ec419e03
- Test data shows that most shutdown finishes in 6 secs.
- The original 10 secs is too long wih no shutdown animation
running in screen.
bug: 36657139
Test: check time with reboot
Change-Id: I9a805ddfde8156b066485902048d0cd01365c453
This got moved when refactoring the reboot commands.
Bug: 37540660
Test: verify bullhead's last_reboot_reason is correct
Change-Id: I3b86496fc469ca41645df7e7ba8bb51dd25b6b38
This line shows up immediately before starting a service for each
service without a 'seclabel' option, essentially becoming log spam.
We already log if we fail to compute the context as well.
Test: Boot bullhead
Change-Id: Ibe91fd2dd9f53a8ae2ca95ccea1636ecef2af224
Now that ueventd is using init's parser, we no longer need anything
other than the tokenizer from parser.cpp.
Test: Boot bullhead
Change-Id: I1f70f2c4479af576174bd74dd919d81817500216
Previously init_parser.cpp was made generic and capable of parsing any
number of differently named 'sections' or prefixed lines. We now use
these capabilities to do the parsing for ueventd.
Bug: 36250207
Bug: 33785894
Test: boot bullhead and ensure the right /dev nodes exist
with the right permissions set
Test: verify no boot time difference
Change-Id: I698ca962d414f8135af32f6c9cd778841b2b8b53
The previous check is incorrect because it compares the basename of
previous verity_loc with the full path of current verity_loc.
Changes it to compare the full device file path instead of just the basename
of verity_loc. This can catch the case of two different verity_loc
values with the same basename, e.g.,
- verify=/dev/block/platform/SOC.0/by-name/metadata
- verify=/dev/block/platform/SOC.1/by-name/metadata
Bug: 37413399
Bug: 37619597
Test: first stage mount /system and /vendor with the following fs_mgr_flags on bullhead
- wait,verify=/dev/block/platform/soc.0/f9824900.sdhci/by-name/metadataa
Test: first stage mount /system and /vendor with different verity_loc values
on bullhead, checks it bails out
Change-Id: I017c8bd9f0790d45e08e57df9a2878e4f62c5f9c
Add the ability to override the current section being parsed and
instead parse a line by itself if a given line starts with a specific
prefix.
Test: Boot bullhead
Change-Id: Idbbf2682b78996b41d05f3db655c8937a8c6ccda
The term 'trigger' should be used in 'Action' to indicate what causes
the 'Action' to be executed.
The term 'event' should be used in ActionManager's queue to indicate
a state change that is checked against the 'triggers' of an 'Action' to
see if it should execute.
Convert the previous Trigger class to std::variant, as the latter is
better suited for this use.
Change-Id: I2558367c8318b536aa69fcec93793f1c12857ef5
persist.sys.usb.config values can't be combined on build-time when
property files are split into each partition.
So we need to apply the same rule of
build/make/tools/post_process_props.py on runtime.
Test: building succeeded and tested on sailfish.
Bug: 37617113
Bug: 37648659
Change-Id: I78cdffee446d3ae6a89f138faed5f3149e4b507d
Fixes issue where attributes used exclusively in neverallow
rules were removed from policy.
Bug: 37357742
Test: Force on-device compile by removing precompiled policy.
Verify no increase in compile time.
Change-Id: I0d145fd311c2ddcb226a827f2a997f10c20a8379
Previously we set ro.boot.avb_version during the first stage mount in normal mode:
- https://android-review.googlesource.com/#/c/371774/
As the first stage mount is not performed in recovery mode, we need to set the
property separately in recovery mode.
Bug: 37414003
Test: first stage mount /vendor with vboot 2.0 (avb) on bullhead in normal mode
Test: first stage mount /system with without verity on bullhead in normal mode
Test: checks ro.boot.avb_version is 1.0 on bullhead in recovery mode
Test: first mount /vendor with with vboot 1.0 on sailfish in normal mode
Test: checks ro.boot.avb_version doesn't exist on sailfish in recovery mode
Change-Id: I262e75b8b557c4de7609b4049ccb01793644245e
Also renames "early mount" to "first stage mount" to prevent confusion
with "mount_all --early", which is run in the init second stage.
Also creates a base class: FirstStageMount and two derived classes:
FirstStageMountVBootV1 and FirstStageMountVBootV2 to replace/refactor
existing functions:
- early_mount() -> DoFirstStageMount() and FirstStageMount::DoFirstStageMount()
- vboot_1_0_early_partitions -> FirstStageMountVBootV1::GetRequiredDevices()
- vboot_2_0_early_partitions -> FirstStageMountVBootV2::GetRequiredDevices()
- vboot_1_0_mount_partitions ->
FirstStageMount::MountPartitions() and
FirstStageMountVBootV1::SetUpDmVerity()
- vboot_2_0_mount_partitions ->
FirstStageMount::MountPartitions() and
FirstStageMountVBootV2::SetUpDmVerity()
Bug: 37413399
Test: first stage mount /vendor with vboot 2.0 (avb) on bullhead
Test: first stage mount /system with without verity on bullhead
Test: first stage mount /vendor with with vboot 1.0 on sailfish
Change-Id: I6584bdf7d832c9fbc8740f97c9b8b94e68a90783
Start a init_tests.cpp file for end-to-end tests that parse small init script
segments and verify that they act as expected.
The first tests ensure that the execution order of event triggers
happens appropriately.
Test: Boot bullhead, run unit tests
Change-Id: Ic446c02605ab796fd41e0596ce1fd381aee80ce0
Remove the dependency on Action and Service from what should be a
generic Parser class.
Make ActionParser, ImportParser, and ServiceParser take a pointer to
their associated classes instead of accessing them through a
singleton.
Misc fixes to SectionParser Interface:
1) Make SectionParser::ParseLineSection() non-const as it always should
have been.
2) Use Rvalue references where appropriate
3) Remove extra std::string& filename in SectionParser::EndFile()
4) Only have SectionParser::ParseSection() as pure virtual
Document SectionParser.
Make ImportParser report the filename and line number of failed imports.
Make ServiceParser report the filename and line number of duplicated services.
Test: Boot bullhead
Change-Id: I86568a5b375fb4f27f4cb235ed1e37635f01d630
KillProcessGroup can return -1 without errno set, which produces error
messages like this:
init: Sending signal 15 to service 'vold' (pid 1806) process group...
init: failed to kill 2 processes for processgroup 1806
init: killProcessGroup(0, 1806, 15) failed: Success
Test: boot and reboot hikey.
Change-Id: I51f242da234daee84795a3fbdffe9ad1f4567140
Signed-off-by: William Roberts <william.c.roberts@intel.com>
- init will only keep animation related services as shutdown critical.
- external component like system server can start shutdown animation.
bug: 37500823
Test: reboot
Change-Id: Ief328306eba7e3b15402ae27e6236767095f508c
In the past, I had thought it didn't make sense to have multiple
Action classes with identical triggers within ActionManager::actions_,
and opted to instead combine these into a single action. In theory,
it should reduce memory overhead as only one copy of the triggers
needs to be stored.
In practice, this ends up not being a good idea.
Most importantly, given a file with the below three sections in this
same order:
on boot
setprop a b
on boot && property:true=true
setprop c d
on boot
setprop e f
Assuming that property 'true' == 'true', when the `boot` event
happens, the order of the setprop commands will actually be:
setprop a b
setprop e f
setprop c d
instead of the more intuitive order of:
setprop a b
setprop c d
setprop e f
This is a mistake and this CL fixes it. It also documents this order.
Secondly, with a given 'Action' now spanning multiple files, in order
to keep track of which file a command is run from, the 'Command'
itself needs to store this. Ironically to the original intention,
this increases total ram usage. This change now only stores the file
name in each 'Action' instead of each 'Command'. All in all this is a
negligible trade off of ram usage.
Thirdly, this requires a bunch of extra code and assumptions that
don't help anything else. In particular it forces to keep property triggers
sorted for easy comparison, which I'm using an std::map for currently,
but that is not the best data structure to contain them.
Lastly, I added the filename and line number to the 'processing
action' LOG(INFO) message.
Test: Boot bullhead, observe above changes
Test: Boot sailfish, observe no change in boot time
Change-Id: I3fbcac4ee677351314e33012c758145be82346e9
this will make the implementation more cleaner,
and has error message output when failed on some operations
also add the O_TRUNC flag explicitly for the open function
called in write_file.
And add more test on read_file and write_file functions
Bug: 36726045
Bug: 36576280
Test: manual with hikey
Test: boot and init tests on bullhead
Test: cast with fugu, per b/36726045
Merged-In: If3c30a2fff58cfece2fcd27e69c30382146e6808
Change-Id: If3c30a2fff58cfece2fcd27e69c30382146e6808
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
(cherry picked from commit dbe88e7953)
The content parameter of write_file() previously took a char* that was
then converted to a std::string in WriteStringToFd(). One unfortunate
effect of this, is that it is impossible to write data that contains
'\0' within it, as the new string will only contain characters up
until the '\0'.
This changes write_file() to take an std::string, such that
std::string::size() is used to determine the length of the string,
allowing it to contain null characters.
Also change the path parameter of read_file() and write_file() for
consistency.
Lastly, add a test for handling strings with '\0' in them.
Bug: 36726045
Bug: 36576280
Test: Boot bullhead, run unit tests
Change-Id: Idad60e4228ee2de741ab3ab6a4917065b5e63cd8
(cherry picked from commit 53089aa25c)
Currently if a process sets the sys.powerctl property, init adds this
property change into the event queue, just like any other property.
The actual logic to shutdown the device is not executed until init
gets to the action associated with the property change.
This is bad for multiple reasons, but explicitly causes deadlock in
the follow scenario:
A service is started with `exec` or `exec_start`
The same service sets sys.powerctl indicating to the system to
shutdown
The same service then waits infinitely
In this case, init doesn't process any further commands until the exec
service completes, including the command to reboot the device.
This change causes init to immediately handle sys.powerctl and reboot
the device regardless of the state of the event queue, wait for exec,
or wait for property conditions.
Bug: 37209359
Bug: 37415192
Test: Init reboots normally
Test: Update verifier can reboot the system
Change-Id: Iff2295aed970840f47e56c4bacc93001b791fa35
(cherry picked from commit 98ad32a967)
Currently if a process sets the sys.powerctl property, init adds this
property change into the event queue, just like any other property.
The actual logic to shutdown the device is not executed until init
gets to the action associated with the property change.
This is bad for multiple reasons, but explicitly causes deadlock in
the follow scenario:
A service is started with `exec` or `exec_start`
The same service sets sys.powerctl indicating to the system to
shutdown
The same service then waits infinitely
In this case, init doesn't process any further commands until the exec
service completes, including the command to reboot the device.
This change causes init to immediately handle sys.powerctl and reboot
the device regardless of the state of the event queue, wait for exec,
or wait for property conditions.
Bug: 37209359
Bug: 37415192
Test: Init reboots normally
Test: Update verifier can reboot the system
Change-Id: Iff2295aed970840f47e56c4bacc93001b791fa35
Create classes for dev and sys permissions and store these permissions
in std::vector instead of the C list.
Test: boot bullhead
Test: init unit tests
Change-Id: I874039a3db29b4c70149506da8e407123ab7eca2
Set ro.boot.avb_version to "AVB_VERSION_MAJOR.AVB_VERSION_MINOR".
During Treble OTA match, the major version must be the same as that in
the avb metadata on disk, while the minor version can be equal or
greater to that in the avb metadata on disk.
See how avb versioning work on the following link:
https://android-review.googlesource.com/#/c/342757/
Also renames AvbHashtreeDisabled() -> hashtree_disabled().
Bug: 35322304
Test: Early mount with AVB, checks [ro.boot.avb_version]: [1.0] exists.
Test: Not enable AVB, checks [ro.boot.avb_version] doesn't exists.
Change-Id: I5aaf476ca53c4fe817779518ba14b68ebcfdc6d6
Merged-In: I5aaf476ca53c4fe817779518ba14b68ebcfdc6d6
(cherry picked from commit 1a898c25f9)
Set ro.boot.avb_version to "AVB_VERSION_MAJOR.AVB_VERSION_MINOR".
During Treble OTA match, the major version must be the same as that in
the avb metadata on disk, while the minor version can be equal or
greater to that in the avb metadata on disk.
See how avb versioning work on the following link:
https://android-review.googlesource.com/#/c/342757/
Also renames AvbHashtreeDisabled() -> hashtree_disabled().
Bug: 35322304
Test: Early mount with AVB, checks [ro.boot.avb_version]: [1.0] exists.
Test: Not enable AVB, checks [ro.boot.avb_version] doesn't exists.
Change-Id: I5aaf476ca53c4fe817779518ba14b68ebcfdc6d6
Also simplify this code a bit.
There's only one consumer that removes the /devices/platform prefix,
so have them handle it instead of storing two copies of the string.
Remove an unneeded search for '/' in get_character_device_symlinks()
as a / will always be the next character after a parent path, by
nature of FindPlatformDevice().
Test: boot bullhead
Test: init unit tests
Change-Id: I9d0482d137b1342ae7509ae993ff99198be814f0
fs_mgr_update_verity_state() is invoked by 'verity_update_state' in
init.rc. It will then set property "partition.system.verified" and
"partition.vendor.verified" to verify_mode. We should support this for
AVB as well.
Also change the order of static libs in init to fix the build error
after this change:
system/extras/ext4_utils/ext4_crypt.cpp:69: error: undefined reference to 'property_get'
Bug: 35416769
Test: Mount /system and /vendor with vboot 2.0 (AVB), check the following properties exist.
- [partition.system.verified]: [2]
- [partition.vendor.verified]: [2]
Test: Mount /system and /vendor with vboot 1.0, check the following properties exist.
- [partition.system.verified]: [0]
- [partition.vendor.verified]: [0]
Change-Id: I4328d66a8cb93f26e7960e620a0b2292d5f15900
Merged-In: I4328d66a8cb93f26e7960e620a0b2292d5f15900
(cherry picked from commit aaf70e77dc)
libavb requires verifying AVB metadata on all verified partitions at
once. For example, /vbmeta, /boot, /system and /vendor. We need to
invoke device_init() for those partitions even if we only want to early
mount some of them, like /vendor and /system.
This CL gets all AVB partitions and the early mount partitions from
device tree through "firmware/android/vbmeta" and "firmware/fstab",
respectively. The following is an example to early mount /vendor
partition on bullhead:
firmware {
android {
compatible = "android,firmware";
vbmeta {
compatible = "android,vbmeta";
parts = "boot,system,vendor";
by_name_prefix="/dev/block/platform/soc.0/f9824900.sdhci/by-name"
};
fstab {
compatible = "android,fstab";
vendor {
compatible = "android,vendor";
dev = "/dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor";
type = "ext4";
mnt_flags = "ro,barrier=1,inode_readahead_blks=8";
fsmgr_flags = "wait,avb";
};
};
};
};
Bug: 33254008
Test: early mount /vendor with vboot 2.0 (AVB) on bullhead
Test: early mount /system without dm-verity on bullhead
Test: early mount /vendor with vboot 1.0 on sailfish
Change-Id: I89a1f77c97124f309346b33d9e700544b92ecf05
Merged-In: I89a1f77c97124f309346b33d9e700544b92ecf05
(cherry picked from commit 8bba52fc4b)
fs_mgr_update_verity_state() is invoked by 'verity_update_state' in
init.rc. It will then set property "partition.system.verified" and
"partition.vendor.verified" to verify_mode. We should support this for
AVB as well.
Also change the order of static libs in init to fix the build error
after this change:
system/extras/ext4_utils/ext4_crypt.cpp:69: error: undefined reference to 'property_get'
Bug: 35416769
Test: Mount /system and /vendor with vboot 2.0 (AVB), check the following properties exist.
- [partition.system.verified]: [2]
- [partition.vendor.verified]: [2]
Test: Mount /system and /vendor with vboot 1.0, check the following properties exist.
- [partition.system.verified]: [0]
- [partition.vendor.verified]: [0]
Change-Id: I4328d66a8cb93f26e7960e620a0b2292d5f15900
libavb requires verifying AVB metadata on all verified partitions at
once. For example, /vbmeta, /boot, /system and /vendor. We need to
invoke device_init() for those partitions even if we only want to early
mount some of them, like /vendor and /system.
This CL gets all AVB partitions and the early mount partitions from
device tree through "firmware/android/vbmeta" and "firmware/fstab",
respectively. The following is an example to early mount /vendor
partition on bullhead:
firmware {
android {
compatible = "android,firmware";
vbmeta {
compatible = "android,vbmeta";
parts = "boot,system,vendor";
by_name_prefix="/dev/block/platform/soc.0/f9824900.sdhci/by-name"
};
fstab {
compatible = "android,fstab";
vendor {
compatible = "android,vendor";
dev = "/dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor";
type = "ext4";
mnt_flags = "ro,barrier=1,inode_readahead_blks=8";
fsmgr_flags = "wait,avb";
};
};
};
};
Bug: 33254008
Test: early mount /vendor with vboot 2.0 (AVB) on bullhead
Test: early mount /system without dm-verity on bullhead
Test: early mount /vendor with vboot 1.0 on sailfish
Change-Id: I89a1f77c97124f309346b33d9e700544b92ecf05
Default signature WriteStringToFile creates world-writeable files.
Set owner and group system and remove read/write for non-owner.
Bug: 37251463
Test: Manual: reboot, inspect
Change-Id: I6a29c678168dcae611b120dc52170f4eee7069a9
Default signature WriteStringToFile creates world-writeable files.
Set owner and group system and remove read/write for non-owner.
Bug: 37251463
Test: Manual: reboot, inspect
Change-Id: I6a29c678168dcae611b120dc52170f4eee7069a9
* changes:
ueventd: Fix up string handling in handle_*_device_event()
ueventd: convert mkdir_recursive() to std::string
ueventd: move subsystem logic from code to ueventd.rc
It's possible, in the event of a platform update, for the platform
SELinux policy to change from the policy on which the vendor SELinux
policy was originally based. In this case, a different mapping file
to bridge the differences between the new policy and the old needs to
be selected.
Make init choose which mapping policy file to use based on the version
reported in /vendor/etc/selinux/plat_sepolicy_vers.txt.
Bug: 36783775
Test: Force compilation of sepolicy on-device with mapping file changed
to new location and name, using the value reported on /vendor.
Change-Id: I63c883ccb79dd31c92dabe44a55c4ab50a3735e6
This was marked deprecated in 2014 and removed in 2015, let's remove
the uevent rule now too.
Test: see that logging still works on bullhead
Change-Id: Idaf3f49a1afe7046eba6c976628b9f1c8b3ec094
- umount operation is asynchronous except for root partition.
Returning from umount does not guarantee completion of
umount. Poll /proc/mounts to confirm completion of umount.
- Treat all devices mounting to /data as emulated devices. This is
future proof when fs other than sdcardfs is used.
- Drop quota sync from sync step. There is no differences in
frequencies of quota error.
- Run umount in reverse order from mounting order so that any
hidden dependency can be auto-resolved.
- Add dump of lsof and /proc/mounts when umount fails. lsof only runs
when selinux is toggled into permissive mode. The dump is enabled
only for non-user build.
- Keep logcat until vold shutdown in case vold has any error to report.
bug: 36551218
Test: python packages/services/Car/tools/bootanalyze/bootanalyze.py -r -c packages/services/Car/tools/bootanalyze/config.yaml -n 1000 -f -e 20 -w 30
Change-Id: I87b17b966d7004c205452d81460b02c6acf50d45
(cherry picked from commit 2ba5c8103d)
- umount operation is asynchronous except for root partition.
Returning from umount does not guarantee completion of
umount. Poll /proc/mounts to confirm completion of umount.
- Treat all devices mounting to /data as emulated devices. This is
future proof when fs other than sdcardfs is used.
- Drop quota sync from sync step. There is no differences in
frequencies of quota error.
- Run umount in reverse order from mounting order so that any
hidden dependency can be auto-resolved.
- Add dump of lsof and /proc/mounts when umount fails. lsof only runs
when selinux is toggled into permissive mode. The dump is enabled
only for non-user build.
- Keep logcat until vold shutdown in case vold has any error to report.
bug: 36551218
Test: python packages/services/Car/tools/bootanalyze/bootanalyze.py -r -c packages/services/Car/tools/bootanalyze/config.yaml -n 1000 -f -e 20 -w 30
Change-Id: I87b17b966d7004c205452d81460b02c6acf50d45
Additionally replace the associated C string parsing with C++ and write
unit tests.
Bug: 33785894
Bug: 36250207
Test: Boot bullhead + unit tests
Change-Id: Iee1f72d248bca3bd2e1227045628935b3dd6195a
Remove includes of "log.h" that really want <android-base/logging.h>
Fix header include order
Remove headers included in .cpp files that their associated .h already includes
Remove some unused headers
Test: boot bullhead
Change-Id: I2b415adfe86a5c8bbe4fb1ebc53c7b0ee2253824
Crashes that happen before tombstoned is running are extremely hard to
diagnose, because tombstones aren't written to disk, and the window of
opportunity to get logs via `adb logcat` is small (potentially
nonexistent).
Solve this by adding a world-writable /dev/kmsg_debug on userdebug
builds, and writing to it in addition to logcat when tombstoned hasn't
started yet.
Bug: http://b/36574794
Test: stop tombstoned; crasher; dmesg
Change-Id: Ib22c02a002afb602933155fb2c9b7a8abbe9ed38
Bug: 36783775
Test: boot device with matching sha256 and non-matching and verify that
device boots and uses either precompiled or compiled policy as needed. Also
verify that mapping_sepolicy.cil has moved.
(cherry-pick of commit: 39ffec779a)
Change-Id: I9c3df2e7ed3f0eadd98e98529ebed360fec66dba
Bug: 36783775
Test: boot device with matching sha256 and non-matching and verify that
device boots and uses either precompiled or compiled policy as needed. Also
verify that mapping_sepolicy.cil has moved.
Change-Id: I9c3df2e7ed3f0eadd98e98529ebed360fec66dba
this will make the implementation more cleaner,
and has error message output when failed on some operations
also add the O_TRUNC flag explicitly for the open function
called in write_file.
And add more test on read_file and write_file functions
Bug: 36726045
Test: manual with hikey
Test: boot and init tests on bullhead
Test: cast with fugu, per b/36726045
Merged-In: If3c30a2fff58cfece2fcd27e69c30382146e6808
Change-Id: If3c30a2fff58cfece2fcd27e69c30382146e6808
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
this will make the implementation more cleaner,
and has error message output when failed on some operations
also add the O_TRUNC flag explicitly for the open function
called in write_file.
And add more test on read_file and write_file functions
Bug: 36726045
Test: manual with hikey
Test: boot and init tests on bullhead
Test: cast with fugu, per b/36726045
Change-Id: If3c30a2fff58cfece2fcd27e69c30382146e6808
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
The content parameter of write_file() previously took a char* that was
then converted to a std::string in WriteStringToFd(). One unfortunate
effect of this, is that it is impossible to write data that contains
'\0' within it, as the new string will only contain characters up
until the '\0'.
This changes write_file() to take an std::string, such that
std::string::size() is used to determine the length of the string,
allowing it to contain null characters.
Also change the path parameter of read_file() and write_file() for
consistency.
Lastly, add a test for handling strings with '\0' in them.
Bug: 36726045
Test: Boot bullhead, run unit tests
Change-Id: Idad60e4228ee2de741ab3ab6a4917065b5e63cd8
- Run shutdown animation during shutdown if surfaceflinger is
available / running.
- services necessary for animation should be added to animation
class.
- Keep debugging tools while non-critical services are terminated:
logd, adbd, tombstoned
bug: 36526187
Test: many reboots
(cherry picked from commit 7830d59500)
Change-Id: I83011e3f843e6b64c56c453a996db738f497877a
- Run shutdown animation during shutdown if surfaceflinger is
available / running.
- services necessary for animation should be added to animation
class.
- Keep debugging tools while non-critical services are terminated:
logd, adbd, tombstoned
bug: 36526187
Test: many reboots
Change-Id: I758f700a622c6005f3df9f29de2b55270055ad4d
init used to block on installkey such that it was unable to
process property events. This lead to a deadlock by which
the Keymaster HAL would wait indefinitely for the
hwservicemanager.ready=true.
This fixes the issue by implementing the builtin in terms of
do_exec, which allows init to stay responsive to properties
while waiting for the child to terminate.
Bug: 36278706
Test: Add a 3s delay into hwservicemanager before it sets the property
hwservicemanager.ready and the device still boots.
(cherry picked from commit 9cc51728af)
Change-Id: Ia241059d95c610ab01a314969ba23c003333bbba
Use this for bootstat and init. This replaces the custom uptime parser in
bootstat.
This is a reland of aosp/338325 with a stubbed implementation for Darwin.
This change also has clang_format fixes (automatic).
Bug: 34352037
Test: chrono_utils_test
Change-Id: I72a62a3ca1ccfc0a4ccc6294ff1776c263144686
- Processes capturing SIGTERM signal will not terminate and
killProcessGroup will timeout after retry. This gives 200ms
of waiting per such process. Change it to retry only once as
SIGTERM will keep failing for such process.
bug: 36696408
Test: check time spent in SIGTERM for reboot
(cherry picked from commit 506cb020c8ab080a6765b8300c84d751557ef744)
Change-Id: If080ae3aa00f1614b25cc3f673eeb70c9713ef6e
- still it will take time to kill services, < 3 secs in tested device.
bug: 36678028
Test: reboot
(cherry picked from commit 56425ed87e1ad7c63437d67c3b17ed7e2ba8d340)
Change-Id: I75b5843b08cdcdbf67c4fe500aa0dd7302dd44d7
init used to block on installkey such that it was unable to
process property events. This lead to a deadlock by which
the Keymaster HAL would wait indefinitely for the
hwservicemanager.ready=true.
This fixes the issue by implementing the builtin in terms of
do_exec, which allows init to stay responsive to properties
while waiting for the child to terminate.
Bug: 36278706
Test: Add a 3s delay into hwservicemanager before it sets the property
hwservicemanager.ready and the device still boots.
Change-Id: Iaefd31156ca01f3a44b4f85a8bf78beee8dfe224
- Processes capturing SIGTERM signal will not terminate and
killProcessGroup will timeout after retry. This gives 200ms
of waiting per such process. Change it to retry only once as
SIGTERM will keep failing for such process.
bug: 36696408
Test: check time spent in SIGTERM for reboot
Change-Id: I9b0843614598dd3f97a50b21352046297ed70b6b
Slowly try to decouple property_service.cpp from the rest of init.
Test: Boot bullhead
Change-Id: I267ae0b057bca0bf657b97cb8bfbb18199282729
(cherry picked from commit ccf23537ee)
Exec services may also want to set other service flags such as
priority. Instead of expanding the exec syntax to handle this, create
a new command, exec_start, that will treat an existing service
definition as an exec service. The new exec_start command will start
the service then halt init from executing further commands until the
service has exited.
This change additionally encapsulates the waiting_for_exec logic into
ServiceManager and removes the ambiguous 'bool' return value from
Reap() which previously indicated if a Reaped service was an exec
service or not.
Bug: 36511808
Bug: 36102163
Test: Bullhead boots, services run with exec_start as they do exec.
Change-Id: I44f775cf1c1dd81d5c715f44fdc150c651a2c80a
(cherry picked from commit b27004aa05)
With system and vendor split, the files under them get labelled
differently as part of b/36527360. These files also include selinux
policy files if the policy is split. In order to consistently label
them, all sepolicy files on rootfs also are labelled with labels
matching to that of the ones in system and vendor. So, this now requires
init to explicitly label *all* selinux files in rootfs after
initializing selinux.
Test: Boot angler and ensure servicemananger continues to work (uses
/{plat,nonplat}_service_contexts).
Test: Sideloaded OTA to angler to ensure recovery continues to work.
Test: Launch and load a website in Chrome.
Test: Launch camera and take picture, record video.
Change-Id: I4134eae80b5b51f381b549eb18e604cf271f9eb5
Signed-off-by: Sandeep Patil <sspatil@google.com>
Exec services may also want to set other service flags such as
priority. Instead of expanding the exec syntax to handle this, create
a new command, exec_start, that will treat an existing service
definition as an exec service. The new exec_start command will start
the service then halt init from executing further commands until the
service has exited.
This change additionally encapsulates the waiting_for_exec logic into
ServiceManager and removes the ambiguous 'bool' return value from
Reap() which previously indicated if a Reaped service was an exec
service or not.
Bug: 36511808
Bug: 36102163
Test: Bullhead boots, services run with exec_start as they do exec.
Change-Id: I44f775cf1c1dd81d5c715f44fdc150c651a2c80a
Add support of multiple class names in service, so that related services
can be grouped together. By doing this, we can start/stop some services
for special purpose. For example, early zygote, early boot animation
and etc.
Bug: 36535312
Test: marlin boots with defined classes
Change-Id: Ifeaaf034fd836816e24f3775bece53ea83faada6
- Use ro.build.shutdown_timeout to cover the total time for shutdown.
Limit wait time for termination only to half of shutdown_timeout
with max of 3 secs as process not terminating by that time
will not terminate anyway. It is better to move to the next
stage quickly. fsck time for user shutdown is excluded from timeout.
- Change last detach to kill, sync, and umount. Last detach did not
work in many tests.
- add sync after emulated partitions umount as it can trigger
change in /data.
bug: 36551393
Test: many reboots
Change-Id: Ib75dc19af79b8326b02ccef6b16a8817ae7f8b0e
writepid takes a list of space delimited files. Make this clear in
the documentation, following the format for repeated fields used in
the rest of the file.
Test: N/A
Change-Id: I5bbe453fcb54f060d3cc5a82e9b38d3091a1ece3
Test: Test build/boot Marlin with split policy
Test: Test build/boot Bullhead with combined policy
Bug: 36138508
Change-Id: I84654d19c4d8e9fe9086fde742ee80cd043dfbe1
- If it is explicitly set to 0, active processes can block
umount completely. Safe to kill all processes and umount.
- also add additional sync after emulated partition umount
as that can change /data partition files
bug: 36004738
Test: many reboots
Change-Id: I6c9b07b6fdece44b9caec4e45ecf26a20d0eb96e
this will make the implementation more cleaner,
and has error message output when failed on some operations
also add the O_TRUNC flag explicitly for the open function
called in write_file.
And add more test on read_file and write_file functions
Test: manual with hikey
Change-Id: Ifc1086a20e85db6980b497b1150a8a7952e672d6
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
Currently, when we are waiting for an exec service or a property, if
there are either any services to be restarted or any more commands to
be run, we set the epoll_timeout to handle these events. However, we
don't actually restart and processes or execute any commands while
waiting, so this essentially turns this waiting into a spin loop,
particularly in the common case of having more commands to execute,
where epoll_timeout is set to 0.
The change only sets epoll_timeout if we're not waiting.
Note that the only way to stop waiting for an exec service or a
property is for a signal or property to be delivered to init, which
happens through the epoll fds, so it's safe to indefinitely wait for
epoll to return.
Test: Boot bullhead
Change-Id: Iae3b217eb28182038b464fd39df8e7d27b5e23ff
- Emergency shutdown just marks the fs as clean while leaving fs
in the middle of any state. Do not use it anymore.
- Changed android_reboot to set sys.powerctl property so that
all shutdown can be done by init.
- Normal reboot sequence changed to
1. Terminate processes (give time to clean up). And wait for
completion based on ro.build.shutdown_timeout.
Default value (when not set) is changed to 3 secs. If it is 0, do not
terminate processes.
2. Kill all remaining services except critical services for shutdown.
3. Shutdown vold using "vdc volume shutdown"
4. umount all emulated partitions. If it fails, just detach.
Wait in step 5 can handle it.
5. Try umounting R/W block devices for up to max timeout.
If it fails, try DETACH.
If umount fails to complete before reboot, it can be detected when
system reboots.
6. Reboot
- Log shutdown time and umount stat to log so that it can be collected after reboot
- To umount emulated partitions, all pending writes inside kernel should
be completed.
- To umount /data partition, all emulated partitions on top of /data should
be umounted and all pending writes should be completed.
- umount retry will only wait up to timeout. If there are too many pending
writes, reboot will discard them and e2fsck after reboot will fix any file system
issues.
bug: 36004738
bug: 32246772
Test: many reboots combining reboot from UI and adb reboot. Check last_kmsg and
fs_stat after reboot.
Change-Id: I6e74d6c68a21e76e08cc0438573d1586fd9aaee2
Currently, if init crashes, the kernel panics. During development, we
would like to catch this crash before the kernel panics and reboot
into bootloader. This will prevent boot looping bad configurations,
particularly desired in test labs where manual intervention would
otherwise be required to reset the devices.
Keep the existing behavior for user builds, as init crashes should be
rare for production builds and rebooting the device is the correct
behavior for end users.
Bug: 34147472
Test: Boot bullhead userdebug, force init to crash, check that the
device is in bootloader
Test: Boot bullhead user, force init to crash, check that the kernel
panics and the device reboots as it did previously
Change-Id: Iab3d45ed0d1f82ffaad2a0835d9ca537c0516421
Normally 'writepid' is used to add a process to a particular cpuset. However
certain systems with big/small cores might need to specify a default cpuset for
system processes which do not explicitly specify one. Add an option to use
'ro.cpuset.default' system property to specify default cpuset for system processes
which do not explicitly write to /dev/cpuset/... with 'writepid' option.
The cpuset name specified in ro.cpuset.default is just the cpuset name, e.g.
'/system-background', '/foreground', or simply '/' for the "root" cpuset.
Bug: 28550814
Test: `m -j32` succeeds for aosp_sailfish-eng. Phone boots successfully.
Also tested manually with debug trace messages on emulator with different
combinations of values for 'ro.cpuset.default'.
Change-Id: I501727fa5ee3f4bb7a938fa104b81a404b616633
read_file() does not close its fd if either stat() fails or the file
has group/world writable permissions.
Use unique_fd to ensure that all return paths close the fd and make
the same change to write_file() for consistency.
Replace PLOG() with LOG() after a simple if conditional, that does not
set errno.
Old:
init: skipping insecure file '/data/bootchart/header': No such device or address
New:
init: skipping insecure file '/data/bootchart/header'
Test: Cause an invalid file read and check the error log
Test: Ensure non-error read_file() and write_file() work
Change-Id: Ib15d94e38362e335d671d30b36aa5605254ec7ab
A recent change to the is_first_stage conditionals created a unneeded
else { } block as both the code in the else { } block and any code
that runs after it are both in the second stage of init. A first step
to clean this up is to remove this else block.
Secondly, given the above confusion, it makes sense to simplify the two
if (is_first_stage) conditions into one, which only now requires
duplicating one line to initialize logging and the actual "init
first/second stage started!" logs.
Lastly, there are a few commands ran at the beginning of both init
stages that do not need to be,
* boot_clock::time_point start_time = boot_clock::now();
This is only used in the first stage so keep it there
* umask(0);
umasks are preserved across execve() so it only needs to be set in the
first stage
* chmod("/proc/cmdline", 0440);
This needs to be moved until after /proc is mounted in the first
stage, but otherwise only needs to be done once
Test: Boot bullhead, check umask, check cmdline permissions, check
boot time property
Change-Id: Idb7df1d4330960ce282d9609f5c62281ee2638b9
Use a symlink to .clang-format-4 from the parent directory now that we
have it, instead of the custom .clang-format in this directory.
The changes between these files are,
Old:
ConstructorInitializerAllOnOneLineOrOnePerLine: false
TabWidth: 8
New:
ConstructorInitializerAllOnOneLineOrOnePerLine: true
TabWidth: 4
There is no reason to keep a custom .clang-format for these two
changes, and setting ConstructorInitializerAllOnOneLineOrOnePerLine to
true will be beneficial.
Test: Run clang-format and see that its output is sane
Change-Id: I5b357949eb02a60577cf57a783c0a80997b24e75
Fix two formatting issues in Action::DumpState(),
Old:
on ro.crypto.state=encrypted ro.crypto.type=file zygote-start
New:
on ro.crypto.state=encrypted && ro.crypto.type=file && zygote-start
Old:
on boot
%sifup lo
%shostname localhost
%sdomainname localdomain
%swrite /proc/sys/vm/overcommit_memory 1
New:
on boot
ifup lo
hostname localhost
domainname localdomain
write /proc/sys/vm/overcommit_memory 1
Also, now that we're importing many small rc files, it no longer makes
sense to call Parser::DumpState() after each import. Therefore, move
the conditional to call Parser::DumpState() to after /init.rc and its
imports are parsed and after the late imports are parsed.
Test: Boot bullhead with DumpState() enabled and check the output
Change-Id: I0b81305b8938aa1a7133d7dd2055f34f47609cf9
* changes:
init: replacing fs_mgr_read_fstab() with fs_mgr_read_fstab_default()
fs_mgr: support reading fstab file from /odm or /vendor partition
fs_mgr: add fs_mgr_read_fstab_with_dt() API
This change makes init's SELinux policy compilation step target the
highest SELinux policy language version supported by the kernel.
Prior to this change the version was simply hard-coded in init.
P. S. clang-format (part of presubmit for this change) is being
counter-productive trying to format the section with secilc
parameters. The resulting layout is harder to read. This commit thus
disables clang-format for this section of code and formats the code
for improved readability.
Test: Remove precompiled policy, device boots up, no new denials.
Added log statement to print out the policy version passed
into secilc -- it printed 30, as expected.
Bug: 31363362
Change-Id: I151017b5211712861bafb662525e794a44026dd2
The original default /fstab.{ro.hardware} might be moved to
/vendor/etc/. or /odm/etc/. Use the new API to get the default
fstab instead of using the hard-coded /fstab.{ro.hardware}.
Bug: 35811655
Test: boot marlin with /vendor/etc/fstab.marlin
Change-Id: I8a9c70eda7f68b174ec355910d0fa1eb18a46e21
Build file_contexts.bin on legacy builds.
Test: Marlin and Bullhead build and boot with no new denials.
Test: Marlin and Bullhead recovery boots with no new denials.
Test: Bullhead boots with file_contexts.bin in /
Test: Marlin boot with /system/etc/selinux/plat_file_contexts and
/vendor/etc/selinux/nonplat_file_contexts.
Bug: 36002414
Change-Id: I66f138fc3ad808df0480e0467cee03fd40177f31
NOTE: This change affects only devices which use SELinux kernel policy
split over system and vendor directories/partitions.
Prior to this change, init compiled sepolicy from *.cil files on every
boot, thus slowing boot down by about 400 ms. This change enables init
to skip the step compilation and thus avoid spending the 400 ms. The
skipping occurs only if the device's vendor partition includes an
acceptable precompiled policy file. If no acceptable policy is found,
the compilation step takes place same as before.
Because such devices support updating system and vendor partitions
independently of each other, the vendor partition's precompiled policy
is only used if it was compiled against the system partition's policy.
The exact mechanism is that both partitions include a file containing
the SHA-256 digest of the system partition's policy
(plat_sepolicy.cil) and the precompiled policy is considered usable
only if the two digests are identical.
Test: Device with monolithic policy boots up just fine
Test: Device with split policy and with matching precompiled policy
boots up just fine and getprop ro.boottime.init.selinux returns
a number below 100 ms. No "Compiling SELinux policy" message in
dmesg.
Test: Device with split policy and with non-matching precompiled
policy boots up just fine and getpropr ro.boottime.init.selinux
returns a number above 400 ms. There is a "Compiling SELinux
policy" message in dmesg. The non-matching policy was obtained
by adding an allow rule to system/sepolicy, building a new
system image using make systemimage and then flashing it onto
the device.
Bug: 31363362
Change-Id: Ic2e81a83051689b5cd5ef1299ba6aaa1b1df1bdc
This patch makes ueventd create by-name symlinks for virtual block
devices when Android is running as a Xen guest OS.
The symlinks will be created under /dev/block/vbd/. For example:
/dev/block/vbd/768/by-name/
Change-Id: Id45da560d13f641d7c8419511c154de9ae8a4ec9
Test: manual
Signed-off-by: Jeremy Compostella <jeremy.compostella@intel.com>
This makes init log stderr of secilc invoked to compile SELinux
policy. Having an explanation for why secilc failed is very useful for
debugging boot issues.
Test: Device with PRODUCT_FULL_TREBLE boots up just fine
Test: Modified init.cpp to reference non-existent .cil file on a device
with PRODUCT_FULL_TREBLE and confirmed that dmesg now contains the
error message from secilc saying that the file was not found.
Bug: 31363362
Change-Id: I6a3b3576daf0d6fd09e2c79bc43ae63850f44a00
- three properties: .early, .default, .late
- for tracking critical early boot times
bug: 35949600
Test: manual, getprop after boot
Change-Id: I851891518428e6e21cb43a2a6f982ab7db281d4c
The three CIL files comprising split sepolicy are being moved from the
root directory to system and vendor directories based on whether the
file is for platform/system policy or non-platform/vendor policy.
Test: Device boots, no additional SELinux denials. This test was run
for a device which has split policy and for a device which has
monolithic policy.
Bug: 31363362
Change-Id: Ica49f0beae56be0f1cea7117e48bf2f6af8b848b
This makes the build system include split SELinux policy (three CIL
files and the secilc compiler needed to compile them) if
PRODUCT_FULL_TREBLE is set to true. Otherwise, the monolitic SELinux
policy is included.
Split policy currently adds around 400 ms to boot time (measured on
marlin/sailfish and bullhead) because the policy needs to be compiled
during boot. This is the main reason why we include split policy only
on devices which require it.
Test: Device boots, no additional SELinux denials. This test is
performed on a device with PRODUCT_FULL_TREBLE set to true, and
on a device with PRODUCT_FULL_TREBLE set to false.
Test: Device with PRODUCT_FULL_TREBLE set to true contains secilc and
the three *.cil files, but does not contain the sepolicy file.
Device with PRODUCT_FULL_TREBLE set to false contains sepolicy
file but does not contain the secilc file or any *.cil files.
Bug: 31363362
Change-Id: I419aa35bad6efbc7f936bddbdc776de5633846fc
- for security reason, only notify ready state instead of
passing time info to hidl clients
Bug: 35178781
Bug: 34274385
Test: reboot
Change-Id: I2d64bd6da81139945bd0224079af9376f1d90da7
This modifies init's loading of SELinux policy into the kernel to
load the split (platform/system vs non-platform/vendor) policy if it's
present. If the split policy is not present, the usual monolithic
policy is loaded into the kernel, same as before.
Split policy is loaded by first compiling it from CIL form using
secilc compiler into the conventional monolithic/compiled form which
is then loaded into the kernel.
The build system has not yet been modified to place split policy onto
devices. Thus, this commit currently has no effect. For testing split
policy, build plat_sepolicy.cil, nonplat_sepolicy.cil, and
mapping_sepolicy.cil, and place them into the root directory of the
device.
The following tests were performed for a device with monolithic policy
and for the same device with split policy.
Test: Device boots, no new denials
Test: Play Movies plays back movies
Test: Load ip6.me im Chrome
Bug: 31363362
Change-Id: I9a75a48ac88f3392abc36669f91b0803e88cd147
We don't need early mount in recovery mode for security considerations,
e.g., users should explicitly select 'mount /system' from the recovery
menu. This CL checks the existence of file "/sbin/recovery" and skip
early mount when it is found.
Bug: 35853576
Test: early mount /vendor without dm-verity on sailfish
Test: early mount not happen in recovery mode on sailfish
Change-Id: I69cc96f6fd0de6ce493082921738a958dd571115
- allows components relying on persisted props to wait for this property.
bug: 35178781
Test: reboots
Change-Id: I06cbf2a6b375654fcc277a2699fceeb23846a241
Current early mount has some hard-coded paths that are not easy to extend
when we switch verified boot to AVB (external/avb/libavb). This CL uses some
C++ containers to replace those fixed paths.
Bug: 33254008
Test: early mount /vendor with dm-verity on sailfish
Test: early mount /vendor without dm-verity on sailfish
Test: early mount /vendor with dm-verity on bullhead
Change-Id: I32a22fe486d7649e33bb23c9018ddc0428df6069
Treblization requires to locate partner-specific modules in its own
partition. So their own init.rc file could be located in /odm or
/vendor.
This CL is to support those locations for the init.rc.
Additionally thic CL modified import parser to support importing a
relative path.
Test: building succeeded and tested on sailfish with enabling early
mount.
Bug: 35269867
Change-Id: I1bce924a32c8a2b53fb5d981d35d758cf9ddd9a6
With init parsing fstab fragments from kernel separately, the fs_mgr
would completely miss the device tree entries. That leads to things like
'adb remount' to go through without warning for verity even if /system
is verified. This happens because 'verity_update_state' completely
misses the partitions passed to android through the device tree.
solution is to teach fs_mgr about device tree fstab entries and add 2
new public APIs.
1. fs_mgr_read_fstab_dt() - reads device tree and returns fstab
generated from it.
2. fs_mgr_read_fstab_default() - reads both device tree fstab and
/fstab.{ro.hardware} and returns the combined table.
This also reduces the hardcoded /fstab.{ro.hardware} occurence only to
fs_mgr and for eveyone who wants to read the "default" fstab must be
changed to call fs_mgr_read_fstab_default() instead. e.g. adb.
b/27805372
Test: Angler was used since it has 2 early mounted partitions instead of
one. 1 verified and 1 unverified.
- Boot angler successfully without early mount
- Boot angler successfully with /vendor early mount and test if 'adb
remount' warns us about verity
- Boot angler successfully with both /system and /vendor early mounted
and ensure 'adb remount' warns us about verity.
- check partitions.system.verified status after /system early mount ot
ensure it is set to VERITY_MODE_DEFAULT.
- 'adb disable-verity' with early mounted /system doesn't work due to
missing changes in adb
TODO:
change adb to use the new fs_mgr_read_fstab_default() API
Change-Id: I82038d87c7a44488e938acce2cc1082c08f6f73a
Signed-off-by: Sandeep Patil <sspatil@google.com>
The clang static analyzer is complaining that we are not checking the
setegid() return value, so let's add these checks. We should never
fail to return to AID_ROOT, so fail hard in this case.
Bug: 26962034
Test: Boot bullhead
Test: export WITH_STATIC_ANALYZER=1 and run 'mm' in the project directory
Change-Id: I62e95b045c5734305c71502871b6cf17f152edbc
* changes:
fs_mgr: add a generic fs_mgr_get_boot_config internal API
init: early_mount: create device node for verity metadata partition
init: early_mount: disallow partitions to be verified at boot
init: early_mount: add support to mount verity enabled partitions early
fs_mgr: make fs_mgr_setup_verity public API
fs_mgr: fix the fs_mgr_setup_verity param name
init: refactor to allow successive device_init calls
fs_mgr: add fs_mgr_do_mount_one() API
Treehugger Robot