Drop all references to keychord_id and id and instead use keycodes_
as the id. The keycodes are a std::vector<int> with an unique
sorted-order emplacement method added in the parser. Solves the
academic issue with duplicate keychords and trigger all services
that match rather than first match only.
Test: init_tests
Bug: 64114943
Change-Id: I5582779d81458fda393004c551c0d3c03d9471e0
Move things around so that keychords.cpp is independent of service
and init and can be individually tested with few dependencies.
Permits also rolling out the keychords as a class in a future commit.
Improve parser checking.
Test: init_tests
Bug: 64114943
Change-Id: I82570bc6269ed478db784ec38a8bc916da2be2be
Currently, permissions for ctl. property apply to each action verb, so
if a domain has permissions for controlling service 'foo', then it can
start, stop, and restart foo.
This change implements finer grainer permissions such that permission
can be given to strictly start a given service, but not stop or
restart it. This new permission scheme is mandatory for the new
control functions, sigstop_on, sigstop_off, interface_start,
interface_stop, interface_restart.
Bug: 78511553
Test: see appropriate successes and failures based on permissions
Merged-In: I6ce915ae39954a67eb6fe1795a93cf715c352ae4
Change-Id: I6ce915ae39954a67eb6fe1795a93cf715c352ae4
(cherry picked from commit 1debdcf1cf)
It's currently not clear that the error no indicating the
failure to invoke the library function. This change introduces
logs at the failing of socket connect, that could be clearly
get the true reason.
Test: Set system property with failed, and socket recv errno
log will show
Change-Id: I36bf66988811f953e679d1c5a468de0bf1ab0a05
Signed-off-by: Jinguang Dong <dongjinguang@huawei.com>
Add the ability to enter a network namespace when launching a service.
Typical usage of this would be something similar to the below:
on fs
exec ip netns add namespace_name
service vendor_something /vendor/...
capabilities <lower than root>
user not_root
enter_namespace net /mnt/.../namespace_name
Note changes to the `ip` tool are needed to create the namespace in
the correct directory.
Bug: 73334854
Test: not yet
Change-Id: Ifa91c873d36d69db399bb9c04ff2362518a0b07d
During uevent processing, some "by-name" symlinks will be created.
/dev/block/<type>/<device>/by-name/<partition>
<type> can be: platform, pci or vbd.
<device> might be: soc.0/f9824900.sdhci, soc.0/f9824900.sdhci, etc.
<partition> might be: system, vendor, system_a, system_b, etc.
e.g., on a non-A/B device:
/dev/block/platform/soc.0/f9824900.sdhci/by-name/system
/dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor
On a A/B device:
/dev/block/platform/soc/1da4000.ufshc/by-name/system_a
/dev/block/platform/soc/1da4000.ufshc/by-name/system_b
/dev/block/platform/soc/1da4000.ufshc/by-name/vendor_a
/dev/block/platform/soc/1da4000.ufshc/by-name/vendor_b
However, those symlinks are "device-specific".
This change adds the "generic" symlinks in ueventd, in addition to
the existing symlinks, when the possible "boot devices" are specified
in device tree. e.g.,
&firmware_android {
compatible = "android,firmware";
boot_devices ="soc/1da4000.ufshc,soc.0/f9824900.sdhci";
}
The following symlinks will then be created on the aforementioned non-A/B
and A/B devices, respectively.
/dev/block/by-name/system
/dev/block/by-name/vendor
/dev/block/by-name/system_a
/dev/block/by-name/system_b
/dev/block/by-name/vendor_a
/dev/block/by-name/vendor_b
Note that both <type> and <device> are skipped in the newly create symlinks.
It assumes there is no more than one devices with the same <partition>,
which is the assumption of current first stage mount flow.
Finally, when 'boot_devices' in DT is absent, it fallbacks to extract
'boot_devices' from fstab settings. e.g., using 'soc/1da4000.ufshc',
'soc.0/f9824900.sdhci' for a fstab with the following content:
/dev/block/platform/soc/1da4000.ufshc/by-name/system
/dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor
Bug: 78613232
Test: adb shell ls /dev/block/by-name
Change-Id: Iec920b5a72409b6a2bdbeeb290f0a3acd2046b5d
The uevent.partition_num easily collides between partitions, for
example:
Both /dev/block/sda3 and /dev/block/sdd3 will generate the same symlink:
/dev/block/platform/soc/1da4000.ufshc/by-num/p3
This change remove those by-num symlinks as there seems no effective
user of it.
Bug: 78613232
Test: m init_tests && \
adb push $OUT/data/nativetest64/init_tests/init_tests /data/. && \
adb shell /data/init_tests
Change-Id: I8dfa8dc1a2f9fc9296aa30f33e905bf158b501de
This adds an API to fs_mgr for reading dm-linear tables out of device trees
and issuing device-mapper ioctls. The device tree code will be
implemented separately. The dm-linear structures in fs_mgr are organized
assuming we may want to pull them from sources other than DT (for
example, text files, binary blobs, or something hardcoded for testing).
File systems which are mounted from these logical partitions have
specific fstab requirements. The block device must be a partition name,
and if Verified Boot is used, that name must match the vbmeta partition name.
Second, the entry must have the "logical" fs_mgr flag. Example fstab
entry:
vendor /vendor ext4 ro wait,logical
Example fstab entry in device tree:
vendor {
compatible = "android,fstab";
dev = "vendor";
type = "ext4";
mnt_flags = "ro";
fs_mgr_flags = "wait,slotselect,avb,logical";
};
Bug: 78914864
Test: N/A
Change-Id: I4d8878ea8858f26310119616cadc3ee0dd08566c
Since event sources can come and go asynchronously because of delayed
driver instantiation due to initialization or firmware upload, USB
attched devices, kernel module loads, or test automation sources like
monkey, add in inotify on /dev/input/ to support these possibilities.
Test: manual, boot, check registered chord works
Bug: 64114943
Change-Id: Ie598bb6f5bf94b2034ab33cf3be7fa15d3467141
GetIntProperty() isn't used after
Ied46e9346b4ca7931aa4dcf1c9dbc11de0e12d93, so it can be removed.
Test: build
Change-Id: I5736f553db1a615d51b8fe3cbf9b4aee89451076
FindService can't be used w/ interfaces due
to the fact that multiple interfaces can be
added to any given interface.
Bug: 79418581
Test: boot device, manually use ctl commands
Change-Id: I7c152630462c9b7509473bc190f5b30460fcc2bc
e.x.:
interface_start android.hardware.nfc@1.0/default
onrestart interface_restart android.hardware.nfc@1.0/default
Fixes: 79418581
Test: add this to a service, and killing that service, light is restarted
onrestart interface_restart android.hardware.light@2.0::ILight/default
Change-Id: Ia7ac9380f01038752325cfbe030df1dd4a5665e2
Replace deprecated /dev/keychord driver with /dev/input/ interface.
Will restrict which nodes are active and relevant, and try to mask
out any unreferenced inputs with EVIOCSMASK if available.
Test: manual, boot, check registered chord works
Bug: 64114943
Change-Id: I2bbf84a6e472d720f02282e10d56795b75ac62d1
This commit uses vendor sepolicy file version (defined in
`/vendor/etc/selinux/plat_sepolicy_vers.txt`) to determine whether the
source context should be set as `u:r:vendor_init:s0`.
Before this commit, the criterion was `ro.vndk.version` >= 28. However,
the check in `property_service.cpp` will always be true because
`ro.vndk.version` hasn't been loaded from `/vendor/default.prop`.
Furthermore, under some circumstances, `ro.vndk.version` may be
different from `plat_sepolicy_vers.txt` (e.g. O-MR1 vendor does not
define `ro.vndk.version`).
Bug: 78605339 # high-level bug to combine O-MR1 and P GSI
Bug: 79135481 # the usage of `ro.vndk.version` in init
Test: vts-tradefed run vts -m VtsTrebleVintfTest # tetheroffload
Change-Id: Ied46e9346b4ca7931aa4dcf1c9dbc11de0e12d93
In order to support dm-linear devices, we need an additional first-stage
step to ensure that required devices are created. This must happen before
setting up dm-verity or mounting any first-stage partitions.
This patch refactors FirstStageMount so that having a compatible fstab
is optional. This will let us use InitRequiredDevices on systems that
would not otherwise perform first-stage mounts.
Bug: 78914864
Test: non-AVB devices still boot
Change-Id: I11265375a9900d983da8cabcc77d32c503ded02e
Related AOSP changes:
1. https://android-review.googlesource.com/#/c/platform/system/core/+/405009/
2. https://android-review.googlesource.com/#/c/platform/system/core/+/532637/
The second CL raises a FATAL error when it detects fstab-dt has no content
during first-stage mount. However, with the first CL, the fstab-dt entry
might be "skipped" when bootloader sets the status property to a value
other than "ok"/"okay". (e.g., to skip mounting /vendor on upgrading
devices which have no vendor partition).
Use LOG(INFO) when there is nothing to mount here. The later stages
should trigger a FATAL error when some important files in those
partitions are not available, e.g., SEPolicy files.
Bug: 78441220
Test: boot a device
Change-Id: Iae2f47d455679298bdb067d96b771a30c1a82e6f
Changes to init's behavior during early mount:
1. Mounting of tmpfs on /mnt is moved from init stage to early mount.
2. init creates /mnt/vendor used to mount vendor partitions.
3. If a device tree fstab entry for early mount specifies a mount point
under /mnt/vendor e.g. /mnt/vendor/foo, init will create
/mnt/vendor/foo mount point.
Bug: 64905218
Test: change dt fstab entry to mount persist to /mnt/vendor/persist;
mount point is created correctly, and partition is mounted in early
mount. See go/pag/1069774
Test: device boots with /mnt/vendor and previous contents of /mnt present,
and selinux label "mnt_vendor_file" is applied correctly.
Test: cts-tradefed run commandAndExit cts --skip-all-system-status-check
--primary-abi-only --skip-preconditions -m CtsAppSecurityHostTestCases
-t android.appsecurity.cts.PermissionsHostTest
Change-Id: I3739130739eadf508355c7f2531366fcaed74175
Merged-In: I3739130739eadf508355c7f2531366fcaed74175
(cherry picked from commit b511475664)
An earlier such change was reverted in commit e242a97db5.
Bug: 70487538
Test: ensure that angler can boot
Merged-In: Id5f57fce1c9b817a2650e0c848143d8a0d286bf0
Change-Id: Id5f57fce1c9b817a2650e0c848143d8a0d286bf0
Previously, if init received too many SIGCHLD signals, then the write to
signal_write_fd could fail with EAGAIN. The handler tried to log the
EAGAIN error, and init deadlocked if the interrupted init process had
already acquired a logging-related lock.
Bug: b/77867680
Test: manual
Change-Id: Ief0b5e94d8517827a5a7d03773391ba3ba9447c4
Do not restrict vendor_init restrictions on vendor images that were
built before P, as they will not have the correct permissions.
Bug: 77732028
Test: test new devices and see vendor_init still works
Change-Id: I636a07b54fbfb248e1d1a68a8f3c4d047fd5a9e9
Bug: 75987246
Bug: 73871799
Test: succeeded building and tested with taimen
Change-Id: Ifec879f07705a52501757b58b1562a97c668b8b0
Merged-In: Ifec879f07705a52501757b58b1562a97c668b8b0
(cherry picked from commit 65ce3b2cd8)
/proc/uptime internally uses whatever would be returned by
clock_gettime(CLOCK_BOOTTIME), so use android::base::boot_clock instead
which avoids parsing strings and rounding errors.
Bug: 77273909
Test: CtsBootStatsTestCases
Change-Id: Ic162eefcf226073949a18cca55db3c2324b98749
They are being used as action triggers in some devices including Pixels.
So vendor-init-actionable should be allowed for them.
Bug: 74266614
Test: building succeeded and tested on a Pixel with
PRODUCT_COMPATIBLE_PROPERTY=true
Change-Id: I713c5c1a50053f8d64e1cecd1f7ab5dc18201da1
ro.board.platform and sys.boot_from_charger_mode are already
public-readable, but they should be used as action triggers as well for
some products including Android Go devices.
Bug: 75987246
Test: succeeded building and tested with taimen
Change-Id: I140a8f7ef3fa9823ceced94b00a413800518c240
Some partners are using ro.debuggable as action trigger to config a
product differently according to its value.
Bug: 75987246
Test: succeeded building and tested taimen
Change-Id: I4cc57e7b52e17fc89e585afa0a8a10925e47fac8
This reverts commit c9fec9d2be.
Looks like ext4 can't handle a system reboot happening in the middle
of an unmount. We'll have to find another way to handle this.
Bug: 74817735
Bug: 75310371
Test: reboot device
Change-Id: Ib4f7f7fd29988a31a99f146c40f6d987c1fef15e
It seems that these sync() calls may take a long time in some
occasions, so we add these logs to check.
Bug: 74817735
Test: tree hugger
Change-Id: Id3635f6c7a6618b20c7caf93b05e50cc50ef99de
Let's increase the receive buffer size for the NETLINK_KOBJECT_UEVENT
socket to 2MB. Unless a large number of uevents queue up, that memory is
not allocated anyways. The receive buffer size serves only as an upper
limit for the total amount of memory consumed by all skbs queued to a
specific socket.
We experienced situations where ueventd got blocked for multiple seconds
while writing to /dev/kmsg, and the receive buffer overflowed in the
meantime.
Test: compile
Bug: 72648767
Change-Id: Ice6d7b9c5ed9c83efbad6111086ce95ac6432561
The state of console can be used to set up a device for debugging.
Bug: 74266614
Test: succeeded building and tested with Pixels
Change-Id: I3691fa2819594a521e05dad150550ab309a78c68
FQName::FQName(string) could leave the FQName in an
invalid state, and so this constructor is being removed
and the mValid member is being removed.
Bug: 73774955
Test: boots + interface_start control messages received by init
Change-Id: I58d4a089c0a0f1c2cc5129c5e87321e7f6663b72
We should only allow vendor-init-settable properties to be set from
.prop files on /vendor and /odm.
Bug: 73905119
Test: test on walleye that disallowed properties are rejected
Change-Id: I2a5d244fdc71060ddda3e3d87442e831e6b97831
Currently we only report why a property set call has failed but drop
the context of what was trying to set the property. This change
adds information about why a property was trying to be set when it
fails.
It also unifies property_set() within init to go through the same
HandlePropertySet() function as normal processes do, removing unneeded
special cases.
Test: boot bullhead
Test: attempt to set invalid properties and see better error messages
Change-Id: I5cd3a40086fd3b226e9c8a5e3a84cb3b31399c0d
Create a host side parser for init such that init rc files can be
verified for syntax correctness before being used on the device.
Bug: 36970783
Test: run the parser on init files on host
Change-Id: I7e8772e278ebaff727057308596ebacf28b6fdda
There is currently a timeout for reboot, however if the system gets
stuck, particularly during file system operations, there is no safety
mechanism that guarantees the system will still reboot.
This change does all of the optional reboot steps in a separate thread
and waits for this thread with a timeout, such that if the reboot
steps get hung, the system is guaranteed to still reboot.
This is specific to 'reboot'. Shutdown continues to run unbounded to
run fsck.
Bug: 72781711
Test: Reboot devices hitting and not hitting this timeout
Change-Id: Id5e1b3693bab00602177e28b9b662e1499c32961
It's currently not clear that init stops processes due to being sent a
control message nor who sent that message.
Bug: 73343913
Test: send control messages and see the logs
Change-Id: I9e9eff2001e649814107ea961b3b747a1f6da598
There is a race in the very_long_name_35166374 test of
property_service. The test first sends a size value that is beyond
the limit that init will handle, then sends a dummy data value.
However, init closes the socket upon seeing the faulty size, and if
this happens before the test sends the dummy data, the test will crash
due to SIGPIPE.
Since there is no reason to send the dummy data at all, this change no
longer sends it to prevent the crash. It also now checks explicitly
that init returns an error through the socket.
Bug: 73619375
Test: the unit test in question
Change-Id: I2565a69fa54910cee0e15fc798445e18c91156ec
mount operations should be done in vendor init context, but their
complexity currently limits this. Add a TODO to make this reason
clear to those viewing the code.
Bug: 72488820
Test: N/A
Change-Id: I8b6dd92aa79f31dc24603559ed6de0815facfcba
Previously, unless the process unblocks the signal by itself,
the signal was never delivered to the process. This caused at
least one CTS test failure.
Bug: 72453675
Test: 'kill -TERM app_pid' terminates the app process
Change-Id: I3977cac75e2673b52c5cf91d34d7a9c258c1a0e4
Don't use the FDE flow to support metadata encryption; just use the
vold service which directly mounts the volume.
Bug: 63927601
Test: Boot Taimen to SUW with and without metadata encryption.
Change-Id: Idf9c27a69872cd7a9e2fb76df09a91d8e5ef4896
ro.boot.* are from kernel cmdline, and kernel is usually owned by SoC
vendor or ODM.
So those properties should be allowed as action triggers of
vendor/odm init scripts.
Additionally the state of mediadrm (/system/bin/mediadrmserver) should
be used to operate the state of drm HAL.
So init.svc.mediadrm should be whitelisted as an action trigger as well.
Bug: 36796459
Test: tested with walleye
Change-Id: Ic9f68162c577cc190f193063988ad04e42478e6e
This CL will enable reading /product/build.prop and add product paths
into ld.config.txt.in.
Bug: 64195575
Test: tested with 'PRODUCT_PRODUCT_PROPERTIES := ro.product.abc=abc' on
sailfish
Change-Id: Ie996def20e25dc1afe0c74af2096af844934b2dc
vendor_init doesn't have permissions to read rootfs labeled files, but
needs to read /vendor_file_contexts to do restorecon correctly. This
file is a file_contexts file, so labeling it as such seems appropriate.
Test: bullhead + vendor_init doesn't hit this audit
Change-Id: I475e9735616c2426b9c7073700272f878ced2135
Finishing a TODO from vendor_init, check SELinux permissions before
setting properties in vendor_init.
Bug: 62875318
Test: N/A
Change-Id: I3cb6abadd2613ae083705cc6b9c970587b6c6b19
These are halified. Instead launch blank_screen which
does the same task w/o init itself having binder
dependencies.
Bug: 70846424
Test: manual + reboot appears similar
Change-Id: If8b2a56cbc31077122ea81406721b06034e4498f
I'd be not doing this for a while since some of this code doesn't
compile on host and libinit previously did. But after realizing
the property_service.cpp (libinit) references symbols in init.cpp
(init) and seeing a new linker error crop up due to that, it's time to
make the fix.
My only hold out previously was that libinit compiled on host bionic
and some of init (builtins.cpp, etc) do not, however given that we
don't actually have host bionic support or host bionic init tests,
that isn't a good reason. We can and should mock out the libraries
that aren't available with host bionic when ready.
Test: build, unit tests, boot
Change-Id: Ie49362ddb637924efc272540a4f32b693643fcdc
Treehugger Robot