android_name_to_id() returns -1U on error, which causes a
crash when the following clang options are enabled:
-fsanitize=signed-integer-overflow,unsigned-integer-overflow
-ftrap-function=abort
-fsanitize-undefined-trap-on-error
Rather than returning a negative unsigned value (which doesn't
make a lot of sense, IMHO), return a positive unsigned value.
While we're here, add logging on decode_uid failures.
Bug: 21880301
Change-Id: I652e4c1daa07c7494cceca2b4e1656b9158f2604
This adds the "writepid" option that instructs init to write the child's
pid to the given filenames (such as /dev/cpuctl/bg_non_interactive/cgroup.procs
and/or /dev/cpuset/foreground/cgroup.procs).
Bug: http://b/21163745
Change-Id: I121bb22aa208bc99c4fb334eb552fdd5bcc47c1a
(cherry picked from commit d62f0608d9)
This adds the "writepid" option that instructs init to write the child's
pid to the given filenames (such as /dev/cpuctl/bg_non_interactive/cgroup.procs
and/or /dev/cpuset/foreground/cgroup.procs).
Bug: http://b/21163745
Change-Id: I121bb22aa208bc99c4fb334eb552fdd5bcc47c1a
Shamu boots, but hammerhead doesn't. Likely cause is this change.
This reverts commit 18ae44bf3d.
Bug: 21880301
Change-Id: I490816060209c15aa07c783d05fe5b141c7c9023
Usage: system/core/init/compare-bootcharts.py base_bootchart_dir
exp_bootchart_dir
For example, here is the output where the bootanimation is changed
from "d 0 0 part2" to "c 0 0 part2":
--
process: baseline experiment (delta)
- Unit is ms (a jiffy is 10 ms on the system)
------------------------------------
/init: 50 40 (-10)
/system/bin/surfaceflinger: 4320 4470 (+150)
/system/bin/bootanimation: 6980 6990 (+10)
zygote64: 10410 10640 (+230)
zygote: 10410 10640 (+230)
system_server: 15350 15150 (-200)
bootanimation ends at: 33790 31230 (-2560)
--
In this example bootanimation is finished (estimated) 2.56 seconds sooner.
Change-Id: I39d59897c8c53d7d662676813e884b9d58feec3c
d34e407aeb removed support for
running with SELinux completely disabled. SELinux must either be
in permissive or enforcing mode now.
Remove unnecessary calls to is_selinux_enabled(). It always returns
true now.
Change-Id: Ife3156b74b13b2e590afe4accf716fc7776567e5
This new property is used as a control verb for running a recursive
restorecon at the path contained in the property value.
Shifts both SELinux actions to occur before the actual property set
occurs, so setters can watch for completion.
Bug: 21121357
Change-Id: I3db3eb876ae66e144b3bfd648349b66a028511fd
* commit 'e0e565635a7c6c36a05282622c01203afbec5ca5':
init.rc: logd: Add logpersistd (nee logcatd)
init: change exec parsing to make SECLABEL optional
logcat: -f run in background
logcat: -f flag to continue
As 1s timeout can be requested, using second resolution time to check
for timeout prevent from being accurate on the actual time we wait.
Use available gettime_ns instead.
Bug: 21374269
Change-Id: I8be1b69e02beacc7196427f97855e036addf54d1
Signed-off-by: Thierry Strudel <tstrudel@google.com>
read_file() used to append a new line character to the end of the buffer it
returns, because parse_config() isn't able to cope with input that's not
'\n'-terminated. Fix read_file() to be less insane, and push the workarounds
into the parse_config() callers.
Longer term we should rewrite parse_config().
Bug: http://b/21079470
Change-Id: Ie9d9a7adcd33b66621726aef20c4b8cc51c08be7
(cherry picked from commit eaa3b4ec6f)
read_file() used to append a new line character to the end of the buffer it
returns, because parse_config() isn't able to cope with input that's not
'\n'-terminated. Fix read_file() to be less insane, and push the workarounds
into the parse_config() callers.
Longer term we should rewrite parse_config().
Change-Id: Ie9d9a7adcd33b66621726aef20c4b8cc51c08be7
Helped debug a problem where the N9 bootloader incorrectly
concatenated the various command lines.
Bug: http://b/20906691
Change-Id: I0580b06f4185129c7eedf0bdf74b5ce17f88bf9c
Remove support for androidboot.selinux=disabled. Running with SELinux
disabled is not a supported configuration anymore. SELinux must be
in enforcing in shipping devices, but we also support permissive for
userdebug/eng builds.
Don't try security_setenforce() if we're already in enforcing mode.
A kernel compiled without CONFIG_SECURITY_SELINUX_DEVELOP does
not have a permissive mode, so the kernel will already be enforcing
once the policy is loaded.
Bug: 19702273
Change-Id: I07525a017ddb682020ec0d42e56a2702c053bdeb
Don't double mount /dev and its subdirectories anymore. Instead, the
first stage init is solely responsible for mounting it.
Don't have init prepare the property space. This is the responsibility
of the second stage init.
Don't have SELinux use the property space to determine how we should
be running. Instead, create a new function and extract the data we
need directly from /proc/cmdline. SELinux needs this information in
the first stage init process where the property service isn't available.
Change-Id: I5b4f3bec79463a7381a68f30bdda78b5cc122a96
SELinux provides it's own /dev/null character device at
/sys/fs/selinux/null. This character device is exactly the same
as /dev/null, including the same major/minor numbers, and can
be used wherever /dev/null is used.
Use /sys/fs/selinux/null instead of trying to create our own
/dev/__null__ device. This moves us one step closer to eliminating
all uses of mknod() by init.
/sys/fs/selinux/null is only available once the /sys/fs/selinux filesystem
is mounted. It's not available to the first stage init, so we
still have to fall back to mknod then.
Change-Id: Ic733767ea6220a130537de33cc478ae79578ce20
The first stage init mounts /proc and /sys, and then the second
stage init also mounts /proc and /sys on top of the existing mount.
Only mount these two directories once, in the first stage init.
Not yet fixed: the double mounting of /dev. Removing the double
mounting doesn't work right now because both init stages are trying
to create a property space, and if the double mount of /dev goes away,
the property service in the second stage init fails to work.
Change-Id: I13719027a47526d074390c2b1a605ad99fb43a8f
write_file() returned -errno on error, not -1. Callers who check for
-1 would falsely believe that the write was successful when it wasn't.
Fixup write_file so that it return -1 on error consistent
with other functions.
Change-Id: Ic51aaf8678d8d97b2606bd171f11b3b11f642e39
Not just because it's what the cool kids are doing --- it also lets us
simplify the inner loop and decouple it from whatever systems want to
be woken to perform some activity if there's data to be read on some fd.
Currently this is just used to clean up the existing signal handling,
keychord, and property service code.
Change-Id: I4d7541a2c4386957ad877df69e3be08b96a7dec5
All the code that was being delayed does is create a socket. We can
do that straight away, avoid the overhead, and simplify our main loop.
The keychord fd, on the other hand, seems a little tricky. It looks
like /dev/keychord isn't immediately available, at least not on N9;
we have to wait for ueventd to set us up the bomb.
Change-Id: I020e75b8e4b233497707f0a3cbbb6038b714161f
We can set it up earlier, and error reporting like this helped me find
the SELinux problem with the last change to this code.
Change-Id: If0f38bc5ff0465c4030e2d39d34f31f49b2d8487
This reverts commit b862bd00a4.
This change was fine but an earlier change it depended on was broken.
That change has been fixed and resubmitted.
Bug: http://b/19702273
Change-Id: I17e565721026e48e2a73526f729f2481d4d6edb5
This reverts commit 4217374611.
It turns out that the kernel passes any unrecognized arguments on to init,
and (at least) N6 and N9 have such arguments. My lazy check of argc was
thus insufficient to recognize what stage of init we were in, so we'd
skip to stage 2 and not set up SELinux. And apparently you can get a
very long way with SELinux off... We'll fix that in a later change.
Bug: 19702273
Change-Id: I43b3fb722fed35dd217cb529cbcac9a29aff4e4b
Certain platforms list their platform devices with a path other than
the current /devices or /devices/platform. Additionally, sometimes
these paths are a platform device themselves. An example are devices
with a path /devices/soc.0/... where /devices/soc.0 is also a platform
devices.
Instead of continuing to special case these path prefixes, we can
consider the entire path, given that no mmc or usb devices create
platform devices as subdevices, which they should not by their very
nature.
This keeps the symlinks for block devices named identically for
current platform devices and places them in /dev/block/<full path to
device> for devices in locations other than /devices or
/devices/platform, eg /dev/block/platform/soc.0/7824900.sdhci
This keeps the symlinks for character deviced named identically for
all cases.
Change-Id: Ifc8eedf1086db1826dbc8f7e96cdfcfa5da876b3
Fixes init deadlock when an exec command was called
in an on-init section.
The exec command handling relies on that the signal handler
mechanism is working to know when to continue executing
commands.
Change-Id: Ib0ce75ffad7cf3bf926c93d0506b2fe3e5a92630
Move fastboot's format logic into fs_mgr, to consolidate the knowledge
about how to do this (and when to wipe metadata).
Try to format these formattable paritions if they are wiped.
If formatting fails, we will fall out to let recovery mode handle it.
Bug: 20082763
Change-Id: I397cc197550e78d932e8a154fd234695c46dbe7b
- Cleanup the code to get filesystem size in a block device
- Add support to reading size of squashfs in a block device
Change-Id: I3848a705ed4dc2fc9afad20331f0fdecfee545c5
Signed-off-by: Mohamad Ayyash <mkayyash@google.com>
Set the verity mode as the value for partition.%s.verified to make it
easier for userspace to determine in which mode dm-verity was started.
Change-Id: Icc635515f8a8ede941277aed196867351d8387cb
Make it clearer in dmesg when we're deliberately not doing
bootcharting, and explain in the documentation that the output
for init is quite misleading (and, as far as I can tell, not
within our power to fix).
Change-Id: I0b22a56f83521d64c6d176dc423c81f7ea86b23c
Also don't manually set FD_CLOEXEC on a socket that's always opened
with SOCK_CLOEXEC. (None of the other callers to the function do this.)
Also move locals to where they're first used to help prevent more of this
kind of breakage.
Change-Id: I1ba7cd9400f53508dffb51a2bbf9d491ae647f26
Also make important events in init's life NOTICE rather than INFO,
and ensure that NOTICE events actually make it to the kernel log.
Also fix the logging so that if you have a printf format string
error, the compiler now catches it.
Also give messages from init, ueventd, and watchdogd distinct tags.
(Previously they'd all call themselves "init", and dmesg doesn't
include pids, so you couldn't untangle them.)
Also include the tag in SELinux messages.
Bug: 19544788
Change-Id: Ica6daea065bfdb80155c52c0b06f346a7df208fe
Neither of the built-in verity state commands accept arguments, so
set the number of required arguments to zero.
Change-Id: Id57fe671b6b82eaf1e43b8ed7ff9d1e502ada5bd
- Make sure compatible DT node is "android,firmware"
- Set ro.boot.* properties from firmware/android/ DT node
(cherry-pick of cbcbea27c70846a96f4bba2f7cb245f937de4d3f.)
Change-Id: If3d0716831516cb3d3fde1f75d57e2691d42d054
Add a command that updates dm-verity state and sets partition.%.verified
properties used by adb remount.
This is needed in init since fs_mgr cannot set properties:
I6a28cccb1ccce960841af20a4b20c32d424b5524
Change-Id: I0fdf5bc29c56690dcadff9d0eb216d3c68483538
- Clean up the paths for ro.revision and ro.hardware parsing
- Use ro.hardwre in ueventd instead of parsing the kernel command line
(cherry-pick of 38b340a52f8e864650db8bae1eb88d5c00485db0.)
Bug: 19366018
Change-Id: I018a293f3d46e736a8b65132b5b00b0f7c20edae
These were leftovers from the SELinux boolean support that
was originally merged. Since Android prohibits SELinux policy
booleans, we can just drop it.
Change-Id: I02f646a7d8db65e153702205b082b87a73f60d73
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Adding "setenforce 0" to init.rc isn't a supported way to turn off
SELinux, and doesn't work with AOSP SELinux policy. Remove the code
from init.
Change-Id: If8c8149560789c9a7ba518a0a100e6033bb68898
I've been deliberately vague about the name of the readme because I want to
come back and switch to markdown, but that probably won't happen today.
Change-Id: I60651703709bbfd499227f882eb949396e8f4f6c
Add a built-in command for loading verity state. If dm-verity
will be started in logging mode, trigger verity-logging.
Needs changes from
Ibb82953594d234f81ad21c40f524190b88e4ac8f
Change-Id: I5af4918f2f14fdd4d07f51c55837e08111fd3748
- KISS as all options are now passed to adb for better or worse
- runs bootchart and immediately displays the results
Bug: 19485335
Bug: 18390773
Change-Id: Id32930031371d0368e605810f0c998232a1d4f16
bootchart uses a file on the data partition to decide if it should collect
data for bootchart, but the data partition will be mounted by the mount_all
command in the "on fs" section, and it will be only added into the action
queue when command "trigger fs" is executed, but that's after the
bootchart_init action (late_init).
This change makes bootchart_init a builtin command of init,
and make it executed as the first command of "on post-fs" section
which will be triggered after the "on fs" section.
This change also refactors the bootchart code to all be in bootchart.cpp.
Change-Id: Ia74aa34ca5b785f51fcffdd383075a549b2a99d9
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
In the case of do_write (write to generic file) there
is really no relation to the PROP_VALUE_MAX limitation
of system properties. The current value, 92, is not so
much for writing to files so bump it a bit.
Ideally there should not be any low hard limit in this
case. Either expand_props should allocate the output
buffer or take the output fd and to streaming write.
Such a change is rather invasive though and at this
point in time it seems reasonable that one dont want
more than 256 character strings in the init files.
Change-Id: I846a282ae4e747e6171eef38b302b46287951451
This isn't particularly useful in and of itself, but it does introduce the
first (trivial) unit test, improves the documentation (including details
about how to debug init crashes), and made me aware of how unpleasant the
existing parser is.
I also fixed a bug in passing --- unless you thought the "peboot" and "pm"
commands were features...
Bug: 19217569
Change-Id: I6ab76129a543ce3ed3dab52ef2c638009874c3de
Also switch the revision parsing over to sscanf as promised. I haven't
done the hardware parsing because I don't yet know whether we actually need
to keep the space-stripping code.
Change-Id: Ic33378345cd515cb08d00c543acf44eb72673396
A typo in the documentation for one, and a couple of signed/unsigned warnings
in the implementation of the other.
Change-Id: I8fb4b7448ac901c543dea7420aabcedf13ec1bd8
"&&" operator can now be used to test the validity
of two of more properties.
For example:
on property:test.a=1 && property:test.b=1
setprop test.c 1
The above stub sets the test.c to 1 only when
both test.a=1 and test.b=1
(cherry-pick of 162f7d797c67019a7a3f08c3b0f0ffc91d548ddc.)
Change-Id: I72c19f7aa92231372a416193618ee6c7fd368141
Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
42a9349dc4 modified init's
builtin chmod, chown, and mkdir calls to avoid following
symlinks. This addressed a number of attacks we were seeing
at the time where poorly written init scripts were following
attacker supplied symlinks resulting in rooting vulnerabilities.
To avoid race conditions, the previous implementation only ran
fchown / fchmod on file descriptors opened with open(O_NOFOLLOW).
Unfortunately, unlike the normal "chown" or "chmod" calls, this
requires read or write access to the underlying file. This
isn't ideal, as opening some files may have side effects, or
init may not have permission to open certain files (such as when
SELinux is enabled).
Instead of using open(O_NOFOLLOW) + fchown(), use lchown() instead.
As before, the target of the symlink won't be modified by chown.
This also supports setting the ownership of symlinks.
Instead of using open(O_NOFOLLOW) + fchmod(), use
fchmodat(AT_SYMLINK_NOFOLLOW) instead. As before, the target of the
symlink won't be modified by chmod.
This change will continue to ensure that chown/chmod/mkdir doesn't
follow symlinks, without requiring init to open every file in
read-only or read-write mode.
This change depends on bionic commit I1eba0cdb2c509d9193ceecf28f13118188a3cfa7
Addresses the following mako/occam SELinux denial:
audit(1422770408.951:6): avc: denied { write } for pid=1 comm="init" name="smd7" dev="tmpfs" ino=7207 scontext=u:r:init:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
Change-Id: I14fde956784d65c44e7aa91dd7eea9a004df3081
LOCAL_FORCE_STATIC_EXECUTABLE was not working properly for clang
because -Bstatic was ignored by clang. We can now enable clang
for init after the -static flag is added to link static executable
files in build/core/definitions.mk.
BUG: 18008984
Change-Id: I3f361b83c1e0b313914603dff33fd090cd3b116a
This commit fixes code that incorrectly increments s when it
hits the terminator character of the string being sanitized.
This means it will randomly start trashing memory beyond the
end of the string being sanitized until it happens to hit two
NULs (\0\0) which will break it out of the loop.
(cherry picked from commit 07f3fee164)
Bug: 18885357
Change-Id: If6b01fe2b9bd5985f08f1278deb03b311d0170dc
For build-system CFLAGS clean-up, fix unused variables.
Use a #define instead of static variable in a header file.
Change-Id: Id47bf38e51644b61a9f3ac1893a16553695f1aac
init doesn't start when built with clang.
Set LOCAL_CLANG:=false until this is analyzed and fixed.
Change-Id: I5a7944aef676ce88defe5c0449e712d9812fb5f3
Signed-off-by: Bernhard Rosenkraenzer <Bernhard.Rosenkranzer@linaro.org>
This commit fixes code that incorrectly increments s when it
hits the terminator character of the string being sanitized.
This means it will randomly start trashing memory beyond the
end of the string being sanitized until it happens to hit two
NULs (\0\0) which will break it out of the loop.
Change-Id: I76553d7f183236a78a0bc7b408e92559b98f732f
Nick Kralevich