Test: built and booted
Bug: 150040815
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Merged-In: If80758b3d7bf499d428880efa5ed555076bfc291
Change-Id: If80758b3d7bf499d428880efa5ed555076bfc291
On some devices we see a weird in which /metadata/apex will have a wrong
selinux label. This will effectively prevent such devices from getting
any apex updates. Since we haven't figured out a root cause for this
bug, it's safer to explicitly call restorecon on /metadata/apex to make
sure it's correct.
This change shouldn't affect a normal boot flow, since /metadata/apex
will already have a correct label and restorecon_recursive will be a
no-op.
Test: rm -Rf /metadata/apex && \
mkdir /metadata/apex &&
mkdir /metadata/apex/sessions
Bug: 149317789
Change-Id: I971ffe35c93bb79d9e71106c24515ec0ee70333a
Improve app startup performance before the new app is in the top-app
cpuset.
Test: boots, zygote64 in top-app stune group
Bug: 159201879
Change-Id: I3aad4b4b1d2f54db9e7ba86db8a655d8552bad0a
The FUSE filesystem is implemented by a Zygote child. If Zygote dies,
all of its children die along with it, including the FUSE daemon. The
FUSE filesystem is cleaned up automatically whenever the /dev/fuse file
descriptor of the FUSE daemon is closed. However, due to the way the
binder driver holds on to the 'struct files' of processes in the kernel,
the closing of FDs of all of Zygote's children is serialized.
That in turn means that, if a process has a file with dirty pages on
FUSE, and that FD is closed *before* the FUSE FD, the FUSE kernel driver
will happily issue a request to the FUSE daemon to serve that request.
But since the FUSE userspace daemon is already dead, it will never get
served. And because the closing of all FDs is serialized, we will never
close the FUSE fd to unblock this request.
Solve this particular case by manually aborting the FUSE filesystem when
Zygote restarts. Because we now explicitly close the FUSE fd, the FUSE
filesystem will be cleaned up, all outstanding requests to it will be
cancelled, and new ones will be skipped.
Bug: 153411204
Test: kill zygote manually
Change-Id: I2cb6c1a03cc1a932461ff33558894a428ff35180
Bug: 153849221
Test: build and try to capture the trace by perfetto and systrace
Change-Id: Ie8a13e12038bd66afcd264079a2c5f25daaa20ee
Merged-In: Ie8a13e12038bd66afcd264079a2c5f25daaa20ee
(cherry picked from commit 9d19a05422)
This will allow Phonesky to read APEXes under /data/apex/active.
Test: adb shell su 10114 dd if=/data/apex/active/com.android.tzdata@300000000.apex of=/dev/null
Bug: 154635217
Merged-In: I5278897413ca0e32aed9d1c7f82e48138bc51404
Change-Id: I5278897413ca0e32aed9d1c7f82e48138bc51404
- Cherry pick of aosp/1228482
As of aosp/1224611, there is a new step in the preparation of APEXes
where init calls back into apexd after DE user data is unencrypted to
allow DE apex data to be snapshotted or restored.
aosp/1228581 introduces a new apexd.status value of "activated" that
is set once APEXes are activated but before this snapshot has occurred.
init may execute "perform_apex_config" once this has occurred, so this
CL changes init to wait for "activated" rather than "ready" before
doing this.
Bug: 148672144
Test: build & flash, check boot completes and check in logs that init
waits on the correct status value.
Merged-In: I339580bf593d3b09a5dff749ac2a5d1952bcb210
Change-Id: I71b62c9dd2f7951811606002f38612784d3d9086
This will allow Phonesky to read APEXes under /data/apex/active.
Test: adb shell su 10114 dd if=/data/apex/active/com.android.tzdata@300000000.apex of=/dev/null
Bug: 154635217
Change-Id: I5278897413ca0e32aed9d1c7f82e48138bc51404
This patch removed the old writeout policy tune which was never touched since
2009. In the meantime, most of Android devices are equipped with over 4GB DRAM
and very fast flash storages like UFS, which becomes more like desktop or
servers in 2009. So, it'd be worth to go back to use the default kernel configs.
Bug: 129751503
Change-Id: Idb58f5b01bbc4afd270cffba5b8912ea3565819f
Signed-off-by: Jaegeuk Kim <jaegeuk@google.com>
Also reordered the directories in alphabetical order
Test: m -j
Bug: 149838525
Merged-In: I1a918d189d8bcb394ec6f818d033dbf7e4518713
Change-Id: I4b10a01ed6b3285aec6d87765f225c41ec55be96
create new profiles to allowing thawing and freezing back the freezer
cgroup
Bug: 151225245
Test: Manually verified that using the SetTaskProfiles method on the
profiles thaws and freezes back the freezer cgroup.
Change-Id: I7f3e193ebe79b49c1f6ac52b6138ff4ec26fc570
There is a longstanding bug where file-based encryption causes spurious
SELinux denials of module_request because it uses the kernel's crypto
API, and the crypto API tries to autoload kernel modules.
While this sometimes indicate missing kconfig options, it can still
happen even if all needed kconfig options are enabled. This is because
a crypto algorithm can be a composition like "hmac(sha512)", and the
crypto API will first look for the full composition before it
instantiates it using the components like "hmac" and "sha512". But
often an implementation of the full composition doesn't exist.
However, as far as I can tell, Android doesn't actually use kernel
module autoloading at all. First, Android never changes
/proc/sys/kernel/modprobe from the default of "/sbin/modprobe", yet this
isn't where modprobe is located on Android. Android's SELinux policy
contains a neverallow rule that ensures that only init (not even
vendor_init) can write to this setting, so vendors can't be changing it.
Vendors could potentially be setting CONFIG_STATIC_USERMODEHELPER_PATH,
which overrides the path of all usermode helpers including modprobe.
But this is a relatively new kconfig option, available only in
android-4.14 and later. Also, for a vendor to actually do this they'd
also need to extend the SELinux policy with a domain_auto_trans rule to
allow their usermode helper to be executed by the kernel.
Android does increasingly use kernel modules, and GKI (Generic Kernel
Image) will require them. However, the modules are actually inserted by
userspace by 'init', not autoloaded.
It's possible to disable kernel module autoloading completely by setting
/proc/sys/kernel/modprobe to an empty string. So, let's do that.
This prevents lots of spurious SELinux denials, and allows removing
unnecessary rules to allow or dontaudit the module_request permission.
Note: when the kernel doesn't have CONFIG_ANDROID_BINDERFS enabled, this
change exposes a kernel bug that causes a WARNING in get_fs_type(). To
avoid this WARNING, a kernel fix should be applied too -- currently
under discussion upstream
(https://lkml.kernel.org/r/20200310223731.126894-1-ebiggers@kernel.org).
Bug: 130424539
Bug: 132409186
Bug: 144399145
Bug: 146477240
Bug: 148005188
Bug: 149542343
Test: Tested on cuttlefish and coral:
- Checked that /proc/sys/kernel/modprobe contains /sbin/modprobe
before this change, and the empty string after.
- Checked that if all SELinux rules for module_request are removed,
there are SELinux denials for module_request before this change
but none after.
- Ran lsmod both before and after and verified that the list is the
same, i.e. checked that this change doesn't break how Android
actually loads kernel modules.
Change-Id: I4132fe1a491e7b789311afcf693c1f6493fb9dc5
Merged-In: I4132fe1a491e7b789311afcf693c1f6493fb9dc5
There is a longstanding bug where file-based encryption causes spurious
SELinux denials of module_request because it uses the kernel's crypto
API, and the crypto API tries to autoload kernel modules.
While this sometimes indicate missing kconfig options, it can still
happen even if all needed kconfig options are enabled. This is because
a crypto algorithm can be a composition like "hmac(sha512)", and the
crypto API will first look for the full composition before it
instantiates it using the components like "hmac" and "sha512". But
often an implementation of the full composition doesn't exist.
However, as far as I can tell, Android doesn't actually use kernel
module autoloading at all. First, Android never changes
/proc/sys/kernel/modprobe from the default of "/sbin/modprobe", yet this
isn't where modprobe is located on Android. Android's SELinux policy
contains a neverallow rule that ensures that only init (not even
vendor_init) can write to this setting, so vendors can't be changing it.
Vendors could potentially be setting CONFIG_STATIC_USERMODEHELPER_PATH,
which overrides the path of all usermode helpers including modprobe.
But this is a relatively new kconfig option, available only in
android-4.14 and later. Also, for a vendor to actually do this they'd
also need to extend the SELinux policy with a domain_auto_trans rule to
allow their usermode helper to be executed by the kernel.
Android does increasingly use kernel modules, and GKI (Generic Kernel
Image) will require them. However, the modules are actually inserted by
userspace by 'init', not autoloaded.
It's possible to disable kernel module autoloading completely by setting
/proc/sys/kernel/modprobe to an empty string. So, let's do that.
This prevents lots of spurious SELinux denials, and allows removing
unnecessary rules to allow or dontaudit the module_request permission.
Note: when the kernel doesn't have CONFIG_ANDROID_BINDERFS enabled, this
change exposes a kernel bug that causes a WARNING in get_fs_type(). To
avoid this WARNING, a kernel fix should be applied too -- currently
under discussion upstream
(https://lkml.kernel.org/r/20200310223731.126894-1-ebiggers@kernel.org).
Bug: 130424539
Bug: 132409186
Bug: 144399145
Bug: 146477240
Bug: 148005188
Bug: 149542343
Test: Tested on cuttlefish and coral:
- Checked that /proc/sys/kernel/modprobe contains /sbin/modprobe
before this change, and the empty string after.
- Checked that if all SELinux rules for module_request are removed,
there are SELinux denials for module_request before this change
but none after.
- Ran lsmod both before and after and verified that the list is the
same, i.e. checked that this change doesn't break how Android
actually loads kernel modules.
Change-Id: I4132fe1a491e7b789311afcf693c1f6493fb9dc5
