Previously, if init received too many SIGCHLD signals, then the write to
signal_write_fd could fail with EAGAIN. The handler tried to log the
EAGAIN error, and init deadlocked if the interrupted init process had
already acquired a logging-related lock.
Bug: b/77867680
Test: manual
Change-Id: Ief0b5e94d8517827a5a7d03773391ba3ba9447c4
Do not restrict vendor_init restrictions on vendor images that were
built before P, as they will not have the correct permissions.
Bug: 77732028
Test: test new devices and see vendor_init still works
Change-Id: I636a07b54fbfb248e1d1a68a8f3c4d047fd5a9e9
Bug: 75987246
Bug: 73871799
Test: succeeded building and tested with taimen
Change-Id: Ifec879f07705a52501757b58b1562a97c668b8b0
Merged-In: Ifec879f07705a52501757b58b1562a97c668b8b0
(cherry picked from commit 65ce3b2cd8)
/proc/uptime internally uses whatever would be returned by
clock_gettime(CLOCK_BOOTTIME), so use android::base::boot_clock instead
which avoids parsing strings and rounding errors.
Bug: 77273909
Test: CtsBootStatsTestCases
Change-Id: Ic162eefcf226073949a18cca55db3c2324b98749
They are being used as action triggers in some devices including Pixels.
So vendor-init-actionable should be allowed for them.
Bug: 74266614
Test: building succeeded and tested on a Pixel with
PRODUCT_COMPATIBLE_PROPERTY=true
Change-Id: I713c5c1a50053f8d64e1cecd1f7ab5dc18201da1
ro.board.platform and sys.boot_from_charger_mode are already
public-readable, but they should be used as action triggers as well for
some products including Android Go devices.
Bug: 75987246
Test: succeeded building and tested with taimen
Change-Id: I140a8f7ef3fa9823ceced94b00a413800518c240
Some partners are using ro.debuggable as action trigger to config a
product differently according to its value.
Bug: 75987246
Test: succeeded building and tested taimen
Change-Id: I4cc57e7b52e17fc89e585afa0a8a10925e47fac8
This reverts commit c9fec9d2be.
Looks like ext4 can't handle a system reboot happening in the middle
of an unmount. We'll have to find another way to handle this.
Bug: 74817735
Bug: 75310371
Test: reboot device
Change-Id: Ib4f7f7fd29988a31a99f146c40f6d987c1fef15e
It seems that these sync() calls may take a long time in some
occasions, so we add these logs to check.
Bug: 74817735
Test: tree hugger
Change-Id: Id3635f6c7a6618b20c7caf93b05e50cc50ef99de
Let's increase the receive buffer size for the NETLINK_KOBJECT_UEVENT
socket to 2MB. Unless a large number of uevents queue up, that memory is
not allocated anyways. The receive buffer size serves only as an upper
limit for the total amount of memory consumed by all skbs queued to a
specific socket.
We experienced situations where ueventd got blocked for multiple seconds
while writing to /dev/kmsg, and the receive buffer overflowed in the
meantime.
Test: compile
Bug: 72648767
Change-Id: Ice6d7b9c5ed9c83efbad6111086ce95ac6432561
The state of console can be used to set up a device for debugging.
Bug: 74266614
Test: succeeded building and tested with Pixels
Change-Id: I3691fa2819594a521e05dad150550ab309a78c68
FQName::FQName(string) could leave the FQName in an
invalid state, and so this constructor is being removed
and the mValid member is being removed.
Bug: 73774955
Test: boots + interface_start control messages received by init
Change-Id: I58d4a089c0a0f1c2cc5129c5e87321e7f6663b72
We should only allow vendor-init-settable properties to be set from
.prop files on /vendor and /odm.
Bug: 73905119
Test: test on walleye that disallowed properties are rejected
Change-Id: I2a5d244fdc71060ddda3e3d87442e831e6b97831
Currently we only report why a property set call has failed but drop
the context of what was trying to set the property. This change
adds information about why a property was trying to be set when it
fails.
It also unifies property_set() within init to go through the same
HandlePropertySet() function as normal processes do, removing unneeded
special cases.
Test: boot bullhead
Test: attempt to set invalid properties and see better error messages
Change-Id: I5cd3a40086fd3b226e9c8a5e3a84cb3b31399c0d
Create a host side parser for init such that init rc files can be
verified for syntax correctness before being used on the device.
Bug: 36970783
Test: run the parser on init files on host
Change-Id: I7e8772e278ebaff727057308596ebacf28b6fdda
There is currently a timeout for reboot, however if the system gets
stuck, particularly during file system operations, there is no safety
mechanism that guarantees the system will still reboot.
This change does all of the optional reboot steps in a separate thread
and waits for this thread with a timeout, such that if the reboot
steps get hung, the system is guaranteed to still reboot.
This is specific to 'reboot'. Shutdown continues to run unbounded to
run fsck.
Bug: 72781711
Test: Reboot devices hitting and not hitting this timeout
Change-Id: Id5e1b3693bab00602177e28b9b662e1499c32961
It's currently not clear that init stops processes due to being sent a
control message nor who sent that message.
Bug: 73343913
Test: send control messages and see the logs
Change-Id: I9e9eff2001e649814107ea961b3b747a1f6da598
There is a race in the very_long_name_35166374 test of
property_service. The test first sends a size value that is beyond
the limit that init will handle, then sends a dummy data value.
However, init closes the socket upon seeing the faulty size, and if
this happens before the test sends the dummy data, the test will crash
due to SIGPIPE.
Since there is no reason to send the dummy data at all, this change no
longer sends it to prevent the crash. It also now checks explicitly
that init returns an error through the socket.
Bug: 73619375
Test: the unit test in question
Change-Id: I2565a69fa54910cee0e15fc798445e18c91156ec
mount operations should be done in vendor init context, but their
complexity currently limits this. Add a TODO to make this reason
clear to those viewing the code.
Bug: 72488820
Test: N/A
Change-Id: I8b6dd92aa79f31dc24603559ed6de0815facfcba
Previously, unless the process unblocks the signal by itself,
the signal was never delivered to the process. This caused at
least one CTS test failure.
Bug: 72453675
Test: 'kill -TERM app_pid' terminates the app process
Change-Id: I3977cac75e2673b52c5cf91d34d7a9c258c1a0e4
Don't use the FDE flow to support metadata encryption; just use the
vold service which directly mounts the volume.
Bug: 63927601
Test: Boot Taimen to SUW with and without metadata encryption.
Change-Id: Idf9c27a69872cd7a9e2fb76df09a91d8e5ef4896
ro.boot.* are from kernel cmdline, and kernel is usually owned by SoC
vendor or ODM.
So those properties should be allowed as action triggers of
vendor/odm init scripts.
Additionally the state of mediadrm (/system/bin/mediadrmserver) should
be used to operate the state of drm HAL.
So init.svc.mediadrm should be whitelisted as an action trigger as well.
Bug: 36796459
Test: tested with walleye
Change-Id: Ic9f68162c577cc190f193063988ad04e42478e6e
This CL will enable reading /product/build.prop and add product paths
into ld.config.txt.in.
Bug: 64195575
Test: tested with 'PRODUCT_PRODUCT_PROPERTIES := ro.product.abc=abc' on
sailfish
Change-Id: Ie996def20e25dc1afe0c74af2096af844934b2dc
vendor_init doesn't have permissions to read rootfs labeled files, but
needs to read /vendor_file_contexts to do restorecon correctly. This
file is a file_contexts file, so labeling it as such seems appropriate.
Test: bullhead + vendor_init doesn't hit this audit
Change-Id: I475e9735616c2426b9c7073700272f878ced2135
Finishing a TODO from vendor_init, check SELinux permissions before
setting properties in vendor_init.
Bug: 62875318
Test: N/A
Change-Id: I3cb6abadd2613ae083705cc6b9c970587b6c6b19
These are halified. Instead launch blank_screen which
does the same task w/o init itself having binder
dependencies.
Bug: 70846424
Test: manual + reboot appears similar
Change-Id: If8b2a56cbc31077122ea81406721b06034e4498f
I'd be not doing this for a while since some of this code doesn't
compile on host and libinit previously did. But after realizing
the property_service.cpp (libinit) references symbols in init.cpp
(init) and seeing a new linker error crop up due to that, it's time to
make the fix.
My only hold out previously was that libinit compiled on host bionic
and some of init (builtins.cpp, etc) do not, however given that we
don't actually have host bionic support or host bionic init tests,
that isn't a good reason. We can and should mock out the libraries
that aren't available with host bionic when ready.
Test: build, unit tests, boot
Change-Id: Ie49362ddb637924efc272540a4f32b693643fcdc
This whitelist will be applied only when
ro.actionable_compatible_property.enabled is true.
Bug: 38146102
Test: tested on walleye with ro.actionable_compatible_property.enabled=true
Change-Id: Ifd7211396b53e50a06d79e7c67224e2b38ef7c9d
Properties right now can take any format, but that makes it hard to
specify an API for these properties as Treble intends to do.
Therefore this change introduces the idea of property types, described below.
1) 'string' this is the default type and allows any property to be set.
2) 'bool' this allows only boolean values (true|false|1|0)
3) 'int' and 'uint' these allow signed and unsigned integer values
respectively.
4) 'double' this allows floating point numbers with double precision.
5) 'size' this allows for strings matching [0-9]+[gkm].
6) 'enum' this allows only a specific set of space deliminated values
to be set, e.g. 'enum allow these strings' only allows one of 'allow',
'these', or 'strings' to be set.
Bug: 70858511
Test: unit tests, test that properties are only set if their type matches
Change-Id: I7a6b00fb43ec630d1f56c9e9a1f1b61d3914f603
Currently init expands properties in arguments only when those
commands are run in a subcontext. This creates a hole where
properties that should not be accessible from a given subcontext of
init can be accessed when running a command in the main init
executable (for example `start`).
This change creates a callback in subcontext init that simply expands
and returns arguments back to the main init process, to ensure that
only those properties that a subcontext can access get expanded.
Bug: 62875318
Test: boot bullhead, new unit tests
Change-Id: I2850009e70da877c08e4cc83350c727b0ea98796
Also fallbacks to nonplat_* if it doesn't exists.
Bug: 64240127
Bug: 70279378
Test: boot bullhead and sailfish
Change-Id: I372b42a3c559ae0f9602163699eaef4df148467b
There is a 2s timeout for system property set that currently
uses boot_clock as its clock source. If the system goes to sleep
during a property set, it may erroneously cause the timeout to
be reached as boot_clock increments during sleep. This patch
changes from boot_clock to steady_clock to ignore time spent
asleep when determining this timeout.
bug: 71497234
Test: 1. System service process try to set a system property
with timeout 2s
2. At the same time, the system go into sleep mode more
than 2s
3. System property set will be ok.
Change-Id: I808b9af16974a0f4de60a4ca30ae64d095a13422
We should have done this from the beginning. Thanks to Windows, we're not
going to be able to switch libbase over to std::string_view any time soon.
Bug: N/A
Test: ran tests
Change-Id: Iff2f56986e39de53f3ac484415378af17dacf26b
Instead of requiring each process to parse the property contexts files
in libc initialization, this change has property_service parse these
files one into a serialized trie, which the property code in libc can
then directly interpret for mapping property names to their associated
SELinux context.
Bug: 36001741
Test: boot bullhead, walleye, run unit tests
Change-Id: If67073d56e800b3ca667fb5322e6b993e7d810f6
ODM partition may contain firmware and we should allow
firmware loading from this partition
Test: firmware is loaded succesfully
Change-Id: I7d327bc79a04d1a2dee0fd47407eb53f9d391665
Signed-off-by: Alin Jerpelea <alin.jerpelea@sonymobile.com>
Init currently sets the SELinux context on a mkdir but not on
other operations. This patch modifies it to do so when creating
symlinks, writing to a file, or copying a file.
Test: Built, flashed, and booted. Added fake init entries and
verified that they received the proper SELinux context.
Change-Id: I836b570fef81d74f3b6c8e7ce0274e94ca7b12d3
The content of nonplat_declaration.cil in /vendor is a versioned public
sepolicy exported from ${AOSP}/system/sepolicy/public. Renames it to
better reflect the fact.
Bug: 64240127
Test: boot sailfish normally without odm
Test: boot another device having odm
Change-Id: I654f5bbde2f2d666a2a5c7ed8561ccd93c983a6e
This change explicitly drops all inheritable capabilities (and, by
extension, ambient capabilities) when there are no explicit capabilities
being set by a service and the user is changed. This prevents Android
running in a container from accidentally granting extra capabilities to
services.
Bug: 69320306
Test: aosp_sailfish still boots
Test: sailfish:/ $ grep Cap /proc/`pidof android.hardware.audio@2.0-service`/status
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
Test: sailfish:/ $ grep Cap /proc/`pidof logd`/status
CapInh: 0000000000000000
CapPrm: 0000000440000000
CapEff: 0000000440000000
CapBnd: 0000003fffffffff
CapAmb: 0000000000000000
Test: Android in Chrome OS still boots
Test: localhost ~ # grep Cap /proc/`pidof android.hardware.audio@2.0-service`/status
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 000000006daefdff
CapAmb: 0000000000000000
Test: localhost ~ # grep Cap /proc/`pidof logd`/status
CapInh: 0000000000000000
CapPrm: 0000000040000000
CapEff: 0000000040000000
CapBnd: 000000006daefdff
CapAmb: 0000000000000000
Change-Id: I9218f2e27ff4fb4d91d50f9a98c0fdb4e272952c
For instance, on vendor.img:
service foo /vendor/bin/nfc
...
And then on odm.img:
service foo /odm/bin/super-nfc
override
Allows a service on ODM to override a HAL on vendor.
Bug: 69050941
Test: boot, init_tests
Change-Id: I4e908fb66e89fc6e021799fe1fa6603d3072d62a
This is paving the way to allow an "override" tag
in init services. This also means that errors for
part of a service definition in its section will
be shown in addition to the fact that the service
is duplicated.
Bug: 69050941
Test: boot, init_tests
Change-Id: Ic1ea8597789f45ead1083451b3e933db1524bdc9
Allow it to fail. When there is an error for a section ending,
print the error pointing to the line where the section starts.
Bug: 69050941
Test: boot, init_tests
Change-Id: I1d8ed25f4b74cc9ac24d38b8075751c7d606aea8
The client of FirstStageMount class should check the existence of fstab
in device-tree prior to using it. So raising a FATAL error inside
FirstStageMount when failed to parsing the fstab, in order to expose
more accurate error messages.
Also fixing a comment in fs_mgr, where it might happen in either
non-A/B or A/B.
Bug: 69102431
Test: boot sailfish
Change-Id: Ifb525beaa3423b118644778bfe0f84bff9465303
If there is a restart follow a stop/reset immediately or vice versa,
clear previous flag bits.
Test: manual - trigger restart after stop immediately to check if
service get started.
Change-Id: I4503177d7cb5ed054dbcf50cd8e09728415404d4
For a oneshot service, if start happens immediately after stop,
the service could be still in stopping status and then start
won't do anything. This fix this race condition.
Test: manual - see reproduce instructions in bug.
Bug: 68020256
Change-Id: I20202fa346f1949a8bda3d90deedc8b6a6d814d3
Fixed issues related to forking services into new PID + mount
namespaces.
Remounting rootfs recursively as slave when creating a service in new
PID + mount namespaces. This prevents the service from interfering with
mount points in the parent namespace.
Unmount then mount /proc instead of mounting it with MS_REMOUNT, since
MS_REMOUNT is not sufficient to update /proc to the state appropriate
for the new PID namespace. Note that the /proc mount options specified
here are not the same as those used in the default mount namespace. I
kept them consistent with those used in the code prior to this fix.
Test: Used custom sleepd service to test init 'namespace' keyword.
Tested on angler in oreo-dev - I had to add PID namespaces to the
kernel (commit ad82c662).
Change-Id: I859104525f82fef3400d5abbad465331fc3d732f
See https://lkml.org/lkml/2005/9/10/129 for details.
Bug: 20501816
Test: code compiles and boots with no obvious problems.
Change-Id: I5a9c470156d498852cfd81fbd59ddcf267309e73
Tom Cherry