Also, improve the logging in the cases where we do abort.
Bug: http://b/131867920
Test: treehugger
Change-Id: If8ec9f4614ce146e6dbd21cc77587ea81658199b
(cherry picked from commit 2916e148d9)
Replacing "ro.boot.vbmeta.devices_state" with
"ro.boot.vbmeta.device_state" to check if the device is locked.
Bug: 132224452
Test: tree hugger
Change-Id: If4f312730cc82ad5a5d5104a7aca8b9691cf6600
(cherry picked from commit 2badf73b99)
Children of processes that use SocketListener should not be able
to stop the SocketListener.
Test: builds, boots
Test: atest libsysutils_tests
Test: atest --test-mapping system/netd
Bug: 131268436
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I64898d9966f62004468b8e8a43b59be4a81a8cc4
Merged-In: I64898d9966f62004468b8e8a43b59be4a81a8cc4
(cherry picked from commit dae0195380)
The majority of libjsoncpp use is due to libprocessgroup. Static
linking reduces relocations required at runtime as well as compacts the
pages dirtied by relocations. On a 32-bit system, where this matters
the most, this reduces 8KB of dirty pages per libprocessgroup load.
Overall, the dirty page reduction on 32-bit cuttlefish is ~500KB.
Bug: 132275636
Test: Boot on cuttlefish. Calculate total amount of dirty memory used
for libprocessgroup and libjsoncpp.
Change-Id: I1135bb45a3764f96a4a3a47c98fbcdee3913c988
boot-debug.img is introduced to allow 'adb root' if the device is
unlocked, and it cannot be release signed. If /boot partition is chained
in AVB signing and boot-debug.img is used, avb_slot_verify() in
userspace will return AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED
and fs_mgr will refuse to boot. This CL treats the public key rejection
as non-fatal for chained vbmeta to continue booting, if the device is
unlocked.
Bug: 129508966
Test: can root with user load which /boot chained in AVB signing
Change-Id: Idfa8caffbb96f33702b1749afd2e2a59616ddba7
Merged-In: Idfa8caffbb96f33702b1749afd2e2a59616ddba7
(cherry picked from commit 705fd7f52c)
We used to start update_verifier after mounting userdata (post-fs-data),
as part of zygote-start. This leads to issues in practice for security
updates, where an A/B device falls back into the old slot (for any
reason, which unrelates to this change) but failing to boot due to
upgraded key blob. It essentially breaks the fallback capability offered
by A/B OTA.
This CL mitigates the issue by starting update_verifier early, before
mounting userdata. This avoids the device from falling back to the old
slot with an already-upgraded key blob. update_verifier loses the
opportunity of verifying _all_ the updated blocks based on the info
that's stored in userdata. Instead it will only trigger the minimal
read to finish the work of marking a successful boot. This is a
trade-off in P to avoid putting the device in a bad state after
fallback, which will be improved in Q by better handling the fallback
path in vold.
Bug: 131176531
Test: Flash and boot crosshatch. Check the start of update_verifier and
it marks a successful boot.
Change-Id: I3f4c4333ff38772a9a93c9d027d497db11de1d63
In ART, some of the maps are /memfd:/jit-cache and it triggers the warning
about unreadable elf files. Do not set the elf from memory not file
flag in this case.
Bug: 131909548
Test: New unit tests pass.
Test: No warnings dumping stacks with this change done.
Change-Id: Ifba5e65da609525ded75430da173c614f6e4801e
(cherry picked from commit 98aaf4cf08)
For bringup devices that do not have right-sized partition, and if
/system is now root, check / to be sure.
Consider unshare blocks for ext4 as dead code, provide a strong
message to caller to provide all the dependencies to overlayfs.
Test: adb-remount-test.sh
Bug: 130327601
Change-Id: Iffa7c5f24d8f409e71f89fe9ece274d8c476f6fc
Merged-In: Iffa7c5f24d8f409e71f89fe9ece274d8c476f6fc
If the matching string contains a [, \ or *, then it is also checked
with a regex match. Exact match is always tried firsts. If we do
not find an exact string match, switch to iterate through the entire
list for regex strings to find a match.
This allows us to scale with details without consuming a large
number of enums, permitting details that we do not necessarily want
resolution on to propagate to TRON. The hierarchical nature of the
boot reason <reason>,<subreason>,<detail>... can cause scenarios
where the <detail> does not matter to TRON, but does matter to
bugreport collection.
Add a bootstat --boot_reason_enum function to expose and test the
kBootReasonMap matchihg algorithm.
Add a kBootReasonMap test that exhaustively tests all built-in
entries, and an example of one regex entry. New regex entries added
to bootstat.cpp will need a series of exact match examples added into
filter_kBootReasonMap() function.
Test: boot_reason_test.sh kBootReasonMap (or all tests)
Bug: 116838876
Bug: 128929506
Change-Id: I3f7b5de22f99195b7ce99672a212174365960b3f
Merged-In: I3f7b5de22f99195b7ce99672a212174365960b3f
After this change, all the noise from mkfs is suppressed:
$ adb remount
[libfs_mgr]superblock s_max_mnt_count:65535,/dev/block/by-name/system_b
[libfs_mgr]__mount(source=/dev/block/by-name/system_b,target=/mnt/scratch,type=ext4)=-1: Invalid argument
[libfs_mgr]__mount(source=/dev/block/by-name/system_b,target=/mnt/scratch,type=f2fs)=0: Success
Using overlayfs for /system
Using overlayfs for /vendor
Using overlayfs for /product
[libfs_mgr]__mount(source=overlay,target=/system,type=overlay,upperdir=/mnt/scratch/overlay/system/upper)=0
[libfs_mgr]__mount(source=overlay,target=/vendor,type=overlay,upperdir=/mnt/scratch/overlay/vendor/upper)=0
[libfs_mgr]__mount(source=overlay,target=/product,type=overlay,upperdir=/mnt/scratch/overlay/product/upper)=0
remount succeeded
Test: manual as above
Bug: 130739326
Change-Id: I7ed8842e42b74b6a487ce6324b28baf78f1f63bf
Merged-In: I7ed8842e42b74b6a487ce6324b28baf78f1f63bf
Before, if updatable processes crash 4 times in 4mins, a native
rollback will be attempted. This behavior does not detect
system_server early boot deadlocks because the system server requires
at least a min to detect a deadlock, and crash itself. The crashes
don't happen frequently enough for init to detect.
After, this cl, the old behavior exists and additionally, init detects
*any* 4 crashes of updatable processes before boot completed,
regardless of if they happen within 4mins or not.
Test: Manually tested by adding artificial sleep in system_server so
deadlock is triggered before boot. system_server crashes 4 times in
over 4mins and the ro.init.updatable_crashing prop is set to 1.
Bug: 129597207
Merged-In: Ie6fb5693ff4be105bcbe139c22850fb076e40260
Change-Id: Ie6fb5693ff4be105bcbe139c22850fb076e40260
Support `adb rescue wipe` command on the host side. This command runs
under the rescue mode and wipes data (and cache/metadata).
Bug: 131037235
Test: run adb rescue wipe
Change-Id: Ib3a3f2d564cc19d0446540d616cc21489ba558c2
(cherry picked from commit c2265c5343)
Create the anonymous namespace only from a non-empty library path.
This is a better heuristic than the current "first-come" one. It
allows creating classloaders that are not directly related to an
app's "main" classloader, that is, do not have any library path.
This is the case, for example, for shared libraries, including
preloaded ones.
Longer-term, the anonymous namespace creation should be made
explicit, so that the framework can have full control.
(cherry picked from commit b9df7d936c)
Bug: 130623656
Test: m
Test: manual
Merged-In: I8251363b372e365d10ae09d23df93d76388ac7f9
Change-Id: I8251363b372e365d10ae09d23df93d76388ac7f9
This is for Android Telemetry to be able to categorise the processes
that produce tombstones.
Bug: 129933535
Test: atest debugerd_test:TombstoneTest
Change-Id: Ie635347c9839eb58bfd27739050bd68cbdbf98da
Merged-In: Ie635347c9839eb58bfd27739050bd68cbdbf98da
(cherry picked from commit e5b7913d2c5da92c37233fef15ab3109e37d9c90)
procrank's usage in its output shows 20x increase from
last year. This is because it is keeping the process
maps around until termination. Fix that by getting rid
of ProcMemInfo objects when done parsing /proc/<pid>/maps,pagemap.
Note that the total allocations do not change and have not necessarily
regressed from Pie.
Bug: 130672819
Test: adb shell procrank | grep 'procrank\|cmdline'
Change-Id: Ib7bf960ed1d053347fcfc0c8aee9019607a1eb01
Merged-In: Ib7bf960ed1d053347fcfc0c8aee9019607a1eb01
Signed-off-by: Sandeep Patil <sspatil@google.com>
This CL adds client support to recognize the rescue mode (which will be
served by recovery image). It also allows waiting for a device to enter
rescue mode. The support for the actual rescue commands will be added in
follow-up CLs.
Bug: 128415917
Test: `adb devices` recognizes devices under rescue mode.
Test: `adb wait-for-rescue` waits for device to be in rescue mode.
Change-Id: I367d7339fe68006aba09a1e3db6370d472296676
Merged-In: I367d7339fe68006aba09a1e3db6370d472296676
(cherry picked from commit 55d407ec4a)
On devices that use FDE and APEX at the same time, we need to bring up a
minimal framework to be able to mount the /data partition. During this
period, a tmpfs /data filesystem is created, which doesn't contain any
of the updated APEXEs. As a consequence, all those processes will be
using the APEXes from the /system partition.
This is obviously not desired, as APEXes in /system may be old and/or
contain security issues. Additionally, it would create a difference
between FBE and FDE devices at runtime.
Ideally, we restart all processes that have started after we created the
tmpfs /data. We can't (re)start based on class names alone, because some
classes (eg 'hal') contain services that are required to start apexd
itself and that shouldn't be killed (eg the graphics HAL).
To address this, keep track of which processes are started after /data
is mounted, with a new 'mark_post_data' keyword. Additionally, create
'class_reset_post_data', which resets all services in the class that
were created after the initial /data mount, and 'class_start_post_data',
which starts all services in the class that were started after /data was
mounted.
On a device with FBE, these keywords wouldn't be used; on a device with
FDE, we'd use them to bring down the right processes after the user has
entered the correct secret, and restart them.
Bug: 118485723
Test: manually verified process list
Change-Id: I16adb776dacf1dd1feeaff9e60639b99899905eb
The first stage init skips mounting the mount points defined in
skip_mount.cfg, but these mount points still return from
ReadDefaultFstab(). The behavior causes some error logic which
try to access the partition which had been skipped.
After applying the patch. ReadDefaultFstab() will not contain the
skipped mount points.
Bug: 128961335
Test: `fastboot delete-logical-partition product_a`
Test: `fastboot flash system aosp_arm64-userdebug`
Test: `fastboot -w reboot` and boot to home screen
Change-Id: I3156260b5d37647dbecf98ca90601a089bea5c46
Merged-In: I3156260b5d37647dbecf98ca90601a089bea5c46
(cherry picked from commit 77c28476f1)
The debug ramdisk can only be used if the device is unlocked.
When it's used, init will load adb_debug.prop and the userdebug
sepolicy from the debug ramdisk, to allow adb root on a user build.
Bug: 126493225
Test: 'make' and checks the file is installed
Change-Id: Id6962414197fc8f47f7c07818e8fb16107dc17a3
Merged-In: Id6962414197fc8f47f7c07818e8fb16107dc17a3
(cherry picked from commit 05f07d89a6)
