One of the major aspects of treble is the compartmentalization of system
and vendor components, however init leaves a huge gap here, as vendor
init scripts run in the same context as system init scripts and thus can
access and modify the same properties, files, etc as the system can.
This change is meant to close that gap. It forks a separate 'subcontext'
init that runs in a different SELinux context with permissions that match
what vendors should have access to. Commands get sent over a socket to
this 'subcontext' init that then runs them in this SELinux context and
returns the result.
Note that not all commands run in the subcontext; some commands such as
those dealing with services only make sense in the context of the main
init process.
Bug: 62875318
Test: init unit tests, boot bullhead, boot sailfish
Change-Id: Idf4a4ebf98842d27b8627f901f961ab9eb412aee
I probably should have done this from the start... There's a shim to
convert my manually serialized format to protobuf, and since that has
not yet shipped, it'll be reverted in a short period of time.
Test: init unit tests
Test: upgrade from legacy and intermediate property formats successfully
Change-Id: Iad25f6c30d0b44d294230a53dd6876222d1c785b
This allows Android to cleanly shutdown when running in a PID namespace
in a way that does not rely on adbd running. This is useful to allow
Android to be running in a container and its lifetime managed by an
OCI-compliant tool.
Bug: 65415372
Test: `kill -TERM 1` as root is correctly dropped.
Test: `kill -TERM 1` from the init PID namespace causes init to cleanly shutdown.
Change-Id: Ia66ebdb436221919081bc4723337c0c7f1e53b09
We have seen that storing persistent properties in separate files
causes increased boot latency compared to if they were stored in a
single contiguous file.
This change creates a simple format for a contiguously stored property
file, and adds the support for arbitrary characters in the names of
persistent properties, which previously had been restricted. It has a
mechanism for converting older devices to the new format as well.
Bug: 64392887
Test: boot bullhead with new properties
Test: boot bullhead and verify old properties are converted to the new
property file
Test: corrupt property file and ensure that it gets recovered from memory
Test: new unit tests
Change-Id: I60d8201d655ce5c97b33faae81d5ca8dbbb21a14
Add a new service option, `rlimit` that allows a given rlimit to be
set for a specific service instead of globally.
Use the same parsing, now allowing text such as 'cpu' or 'rtprio'
instead of relying on the enum value for the `setrlimit` builtin
command as well.
Bug: 63882119
Bug: 64894637
Test: boot bullhead, run a test app that attempts to set its rtprio to
95, see that the priority set fails normally but passes when
`rlimit rtprio 99 99` is used as its service option.
See that this fails when `rlimit rtprio 50 50` is used as well.
Test: new unit tests
Change-Id: I4a13ca20e8529937d8b4bc11718ffaaf77523a52
init tries to propagate error information up to build context before
logging errors. This is a good thing, however too often init has the
overly verbose paradigm for error handling, below:
bool CalculateResult(const T& input, U* output, std::string* err)
bool CalculateAndUseResult(const T& input, std::string* err) {
U output;
std::string calculate_result_err;
if (!CalculateResult(input, &output, &calculate_result_err)) {
*err = "CalculateResult " + input + " failed: " +
calculate_result_err;
return false;
}
UseResult(output);
return true;
}
Even more common are functions that return only true/false but also
require passing a std::string* err in order to see the error message.
This change introduces a Result<T> that is use to either hold a
successful return value of type T or to hold an error message as a
std::string. If the functional only returns success or a failure with
an error message, Result<Success> may be used. The classes Error and
ErrnoError are used to indicate a failed Result<T>.
A successful Result<T> is constructed implicitly from any type that
can be implicitly converted to T or from the constructor arguments for
T. This allows you to return a type T directly from a function that
returns Result<T>.
Error and ErrnoError are used to construct a Result<T> has
failed. Each of these classes take an ostream as an input and are
implicitly cast to a Result<T> containing that failure. ErrnoError()
additionally appends ": " + strerror(errno) to the end of the failure
string to aid in interacting with C APIs.
The end result is that the above code snippet is turned into the much
clearer example below:
Result<U> CalculateResult(const T& input);
Result<Success> CalculateAndUseResult(const T& input) {
auto output = CalculateResult(input);
if (!output) {
return Error() << "CalculateResult " << input << " failed: "
<< output.error();
}
UseResult(*output);
return Success();
}
This change also makes this conversion for some of the util.cpp
functions that used the old paradigm.
Test: boot bullhead, init unit tests
Merged-In: I1e7d3a8820a79362245041251057fbeed2f7979b
Change-Id: I1e7d3a8820a79362245041251057fbeed2f7979b
This change splits out the selinux initialization and supporting
functionality into selinux.cpp and splits the security related
initialization of the rng, etc to security.cpp. It also provides
additional documentation for SEPolicy loading as this has been
requested by some teams.
It additionally cleans up sehandle and sehandle_prop. The former is
static within selinux.cpp and new wrapper functions are created around
selabel_lookup*() to better serve the users. The latter is moved to
property_service.cpp as it is isolated to that file for its usage.
Test: boot bullhead
Merged-In: Idc95d493cebc681fbe686b5160502f36af149f60
Change-Id: Idc95d493cebc681fbe686b5160502f36af149f60
service.cpp, which is part of libinit, references symbols in
property_service.cpp, which causes the linker to complain when linking
libinit.a in some situations.
Therefore, we move property_service.cpp to libinit.
Separately, this will make it easier to write tests for
property_service.cpp, which we will want to do in the future.
Test: build, init unit tests
Change-Id: If1cffa8510b97e9436efed3c8ea0724272383eba
The shared libselinux library does not export all of the symbols that
we use in init and the linker is now complaining about this, so let's
use the static libselinux library in init_tests to match init itself.
Test: build, init unit tests
Change-Id: I9011a959a7c49446b3529740e606140a4ee8c32d
* Remove the Parser singleton (Hooray!)
* Rename parser.* to tokenizer.* as this is actually a tokenizer
* Rename init_parser.* to parser.* as this is a generic parser
* Move contents of init_parser_test.cpp to service_test.cpp as this
actually is a test of the parsing in MakeExecOneshotService() and
nothing related to (init_)parser.cpp
Test: boot bullhead
Test: bool sailfish
Test: init unit tests
Change-Id: I4fe39e6483f58ebd3ce5ee715a45dbba0acf5d91
We've blown up twice in init due to the unsigned integer overflow
sanitizer despite the overflows in question being both defined and
intentional.
Test: boot
Change-Id: I08effe3202ac1367d858982ff5478b3a088bab37
init calls fs_mgr to format ext4 partitions. This requires
e2fsdroid and mke2fs in /system/bin/
Bug: 35219933
Change-Id: Ia32fe438cd9b9332f8e18e0cbe7f61bd050adcb1
(cherry picked from commit 041f849548)
setegid() and setfscreatecon() on Android both operate on a per-thread
basis, not a per-process basis.
Ueventd may take advantage of this in the future, so this CL
introduces tests that ensure that this functionality remains
consistent.
Bug: 63441941
Test: newly added unit tests
Change-Id: I8b1c62cc322b6fe44b748550a4cea8658d9efd88
devices.cpp handles too many things for creating one class. This
change breaks it up into various files and classes.
* Parsing is moved to ueventd_parser.cpp
* Reading from the uevent socket and Cold booting is moved to a
UeventListener class, in uevent_listener.cpp
* Firmware handling is moved to firmware_handler.cpp
* The remaining contents form a DeviceHandler class within devices.cpp
Bug: 33785894
Test: boot bullhead x40, observe no major differences in /dev and /sys
Test: boot sailfish x40, observe no major differences in /dev and /sys
Test: init unit tests
Change-Id: I846a2e5995fbb344c7a8e349065c18a934fa6aba
Move libinit, init_tests, and test_service to Android.bp
Leave init in Android.mk as it has unfulfilled dependencies, but
create a comment in Android.bp for future use.
Remove libinit_parser and init_parser_tests as that code was never
used in init.
Bug: 36970783
Bug: 37512442
Test: Build, boot bullhead, init unit tests
Change-Id: Id81cd10ea09453a5fd762ba9189276aad79d5444
Tom Cherry
Luis Hector Chavez
Dmitry Shmidt
Jin Qian
Chih-Hung Hsieh