Bug: 62114389
Test: boot bullhead, get/set properties with ':' via command line
Test: trigger an init trigger with a property containing a ':'
Change-Id: Ib51853a1ef9d4f79d510c8175c0d9684e2025e23
(cherry picked from commit 1369379e33)
- In some devices, some drivers still try to load firmware while shutting
down, and crashes the kernel. So keep ueventd to prevent such case.
bug: 38203024
Test: reboots
(cherry picked from commit 7264bee975)
Change-Id: Ifc725f906de01eba552c782b8ec0d7bd11d089d0
Current first stage mount for AVB requires specifying a common prefix of
by-name symlink for all AVB partitions. It limits all AVB partitions to be on
the same block device.
firmware {
android {
compatible = "android,firmware";
vbmeta {
compatible = "android,vbmeta";
parts = "vbmeta,boot,system,vendor";
by_name_prefix="/dev/block/platform/soc.0/f9824900.sdhci/by-name" <-- *removing this*
};
fstab {
compatible = "android,fstab";
vendor {
compatible = "android,vendor";
dev = "/dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor";
type = "ext4";
mnt_flags = "ro,barrier=1,inode_readahead_blks=8";
fsmgr_flags = "wait,avb";
};
};
};
};
For normal mount with AVB, it extracts the by-name prefix of /misc
partition and use it as the prefix for all other partitions:
- /dev/block/platform/soc.0/f9824900.sdhci/by-name/misc ->
- /dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor_a
Fix this by adding an internal map in FsManagerAvbOps to record the mapping
from partition name to its by-name symlink:
ByNameSymlinkMap["vendor_a"] = "/dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor_a"
Two overloaded factory methods are then provided for FsManagerAvbUniquePtr:
- FsManagerAvbUniquePtr Open(ByNameSymlinkMap&& by_name_symlink_map):
for first stage mount, where the by-name symlink map will be
constructed externally, from the uevents processed by init, before
invoking this factory method.
- FsManagerAvbUniquePtr Open(const fstab& fstab): for normal mount,
where the by-name symlink map will be constructed from the input fstab
internally.
Bug: 37552224
Test: first stage mount /vendor with vboot 1.0
Test: first stage mount /vendor with vboot 2.0 (AVB)
Test: normal mount /vendor with vboot 2.0 (AVB)
Change-Id: Id17e8566da87ea22b8923fcd6e47db8d45bc7d6a
Merged-In: Id17e8566da87ea22b8923fcd6e47db8d45bc7d6a
(cherry picked from commit 20651f62d0)
This is required for init to get by-name symlinks in the first stage
mount with AVB.
Bug: 37552224
Test: first stage mount /vendor with vboot 2.0 (AVB)
Change-Id: Ib067753f651ecea4d4d26215da9294f1c607d95e
Merged-In: Ia0f290542eb1cffce5ae876dfedb453dde960253
(cherry pick from commit 4599627492)
Invent keyutils.h to supply capability to set session keyring.
The keyring will hold things like the FBE encryption keys.
Test: gTest logd-unit-tests --gtest_filter=logd.statistics (from master)
Bug: 37751120
Bug: 36645158
Change-Id: Ieb44fa8f53dda6cf506a6243498c72d7f7f3cde7
It has been reported that fs_mgr failed to open /dev/device-mapper
during the first stage mount. It's because other uevent (e.g., i2c
charger device) happens to be sent at the same time we're triggering
the device-mapper uevent to be sent. Current implementation returns
COLDBOOT_STOP unconditionally so it will only process the first received
uevent, leaving device-mapper uevent unhandled when the race happens.
Fix this by only returning COLDBOOT_STOP when the received uevent->path
matches that of device mapper.
Bug: 37745254
Test: first stage mount /vendor with vboot 2.0 (avb) on bullhead
Test: first stage mount /vendor with vboot 1.0 on sailfish
Change-Id: I4a77093ec8f90a5ca981a088f34d082d0270533b
Merged-In: I4a77093ec8f90a5ca981a088f34d082d0270533b
(cherry picked from commit ea5fca4cd0)
Add unit test to ensure all POD types of Service are initialized.
Bug: 37855222
Test: Ensure bugreport is triggered via keychord properly.
Test: New unit tests
Merged-In: If2cfea15a74ab417a7b909a60c264cb8eb990de7
Change-Id: If2cfea15a74ab417a7b909a60c264cb8eb990de7
(cherry picked from commit 7da548578c)
* changes:
init: fix first stage mount failure when two fstab entries have verity_loc
init: set ro.boot.avb_version in recovery mode
init: moving early mount logic into init_first_stage.cpp
- allows easier tracking of wait time from monitoring tools
- this change also reduces unnecessary log spam
- service exit log looks like this:
init: Service 'exec 4 (/system/bin/otapreopt_slot)' (pid 611) exited with status 0 waiting took 0.060771 seconds
bug: 37752410
Test: reboot and check log
(cherry picked from commit 4de31e1481)
Change-Id: Icb83a6a23b45ebd9b4c9d86ee37df8ee3d6e790a
This got moved when refactoring the reboot commands.
Bug: 37540660
Test: verify bullhead's last_reboot_reason is correct
Change-Id: I3b86496fc469ca41645df7e7ba8bb51dd25b6b38
(cherry picked from commit 47336cebc3)
- Test data shows that most shutdown finishes in 6 secs.
- The original 10 secs is too long wih no shutdown animation
running in screen.
bug: 36657139
Test: check time with reboot
(cherry picked from commit 7feab68238)
Change-Id: I2e0ec81baa7b6cdb1ff0163c16f643c2549d74ab
- init will only keep animation related services as shutdown critical.
- external component like system server can start shutdown animation.
bug: 37500823
Test: reboot
(cherry picked from commit e2b04b71ae)
Change-Id: I9a0432148887557b705d6b8bbe35f5fb1ffad5b9
The previous check is incorrect because it compares the basename of
previous verity_loc with the full path of current verity_loc.
Changes it to compare the full device file path instead of just the basename
of verity_loc. This can catch the case of two different verity_loc
values with the same basename, e.g.,
- verify=/dev/block/platform/SOC.0/by-name/metadata
- verify=/dev/block/platform/SOC.1/by-name/metadata
Bug: 37413399
Bug: 37619597
Test: first stage mount /system and /vendor with the following fs_mgr_flags on bullhead
- wait,verify=/dev/block/platform/soc.0/f9824900.sdhci/by-name/metadataa
Test: first stage mount /system and /vendor with different verity_loc values
on bullhead, checks it bails out
Change-Id: I017c8bd9f0790d45e08e57df9a2878e4f62c5f9c
Merged-In: I017c8bd9f0790d45e08e57df9a2878e4f62c5f9c
(cherry picked from commit 71881fffd6)
Previously we set ro.boot.avb_version during the first stage mount in normal mode:
- https://android-review.googlesource.com/#/c/371774/
As the first stage mount is not performed in recovery mode, we need to set the
property separately in recovery mode.
Bug: 37414003
Test: first stage mount /vendor with vboot 2.0 (avb) on bullhead in normal mode
Test: first stage mount /system without verity on bullhead in normal mode
Test: checks ro.boot.avb_version is 1.0 on bullhead in recovery mode
Test: first mount /vendor with with vboot 1.0 on sailfish in normal mode
Test: checks ro.boot.avb_version doesn't exist on sailfish in recovery mode
Change-Id: I262e75b8b557c4de7609b4049ccb01793644245e
Merged-In: I262e75b8b557c4de7609b4049ccb01793644245e
(cherry picked from commit fd18a452be)
Also renames "early mount" to "first stage mount" to prevent confusion
with "mount_all --early", which is run in the init second stage.
Also creates a base class: FirstStageMount and two derived classes:
FirstStageMountVBootV1 and FirstStageMountVBootV2 to replace/refactor
existing functions:
- early_mount() -> DoFirstStageMount() and FirstStageMount::DoFirstStageMount()
- vboot_1_0_early_partitions -> FirstStageMountVBootV1::GetRequiredDevices()
- vboot_2_0_early_partitions -> FirstStageMountVBootV2::GetRequiredDevices()
- vboot_1_0_mount_partitions ->
FirstStageMount::MountPartitions() and
FirstStageMountVBootV1::SetUpDmVerity()
- vboot_2_0_mount_partitions ->
FirstStageMount::MountPartitions() and
FirstStageMountVBootV2::SetUpDmVerity()
Bug: 37413399
Test: first stage mount /vendor with vboot 2.0 (avb) on bullhead
Test: first stage mount /system with without verity on bullhead
Test: first stage mount /vendor with vboot 1.0 on sailfish
Change-Id: I6584bdf7d832c9fbc8740f97c9b8b94e68a90783
Merged-In: I6584bdf7d832c9fbc8740f97c9b8b94e68a90783
(cherry picked from commit d262017fef)
persist.sys.usb.config values can't be combined on build-time when
property files are split into each partition.
So we need to apply the same rule of
build/make/tools/post_process_props.py on runtime.
Test: building succeeded and tested on sailfish.
Bug: 37617113
Bug: 37648659
Merged-In: If1e4279f05d74eccf5ce23eef41a466b7d8e3bde
Merged-In: I1e5ad9da360bfb3cb4970e12a76522fd0a5126b8
Change-Id: I78cdffee446d3ae6a89f138faed5f3149e4b507d
(cherry picked from commit 0cf3a07e14)
Fixes issue where attributes used exclusively in neverallow
rules were removed from policy.
Bug: 37357742
Test: Force on-device compile by removing precompiled policy.
Verify no increase in compile time.
Change-Id: I0d145fd311c2ddcb226a827f2a997f10c20a8379
this will make the implementation more cleaner,
and has error message output when failed on some operations
also add the O_TRUNC flag explicitly for the open function
called in write_file.
And add more test on read_file and write_file functions
Bug: 36726045
Bug: 36576280
Test: manual with hikey
Test: boot and init tests on bullhead
Test: cast with fugu, per b/36726045
Merged-In: If3c30a2fff58cfece2fcd27e69c30382146e6808
Change-Id: If3c30a2fff58cfece2fcd27e69c30382146e6808
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
(cherry picked from commit dbe88e7953)
The content parameter of write_file() previously took a char* that was
then converted to a std::string in WriteStringToFd(). One unfortunate
effect of this, is that it is impossible to write data that contains
'\0' within it, as the new string will only contain characters up
until the '\0'.
This changes write_file() to take an std::string, such that
std::string::size() is used to determine the length of the string,
allowing it to contain null characters.
Also change the path parameter of read_file() and write_file() for
consistency.
Lastly, add a test for handling strings with '\0' in them.
Bug: 36726045
Bug: 36576280
Test: Boot bullhead, run unit tests
Change-Id: Idad60e4228ee2de741ab3ab6a4917065b5e63cd8
(cherry picked from commit 53089aa25c)
Currently if a process sets the sys.powerctl property, init adds this
property change into the event queue, just like any other property.
The actual logic to shutdown the device is not executed until init
gets to the action associated with the property change.
This is bad for multiple reasons, but explicitly causes deadlock in
the follow scenario:
A service is started with `exec` or `exec_start`
The same service sets sys.powerctl indicating to the system to
shutdown
The same service then waits infinitely
In this case, init doesn't process any further commands until the exec
service completes, including the command to reboot the device.
This change causes init to immediately handle sys.powerctl and reboot
the device regardless of the state of the event queue, wait for exec,
or wait for property conditions.
Bug: 37209359
Bug: 37415192
Test: Init reboots normally
Test: Update verifier can reboot the system
Change-Id: Iff2295aed970840f47e56c4bacc93001b791fa35
(cherry picked from commit 98ad32a967)
Set ro.boot.avb_version to "AVB_VERSION_MAJOR.AVB_VERSION_MINOR".
During Treble OTA match, the major version must be the same as that in
the avb metadata on disk, while the minor version can be equal or
greater to that in the avb metadata on disk.
See how avb versioning work on the following link:
https://android-review.googlesource.com/#/c/342757/
Also renames AvbHashtreeDisabled() -> hashtree_disabled().
Bug: 35322304
Test: Early mount with AVB, checks [ro.boot.avb_version]: [1.0] exists.
Test: Not enable AVB, checks [ro.boot.avb_version] doesn't exists.
Change-Id: I5aaf476ca53c4fe817779518ba14b68ebcfdc6d6
Merged-In: I5aaf476ca53c4fe817779518ba14b68ebcfdc6d6
(cherry picked from commit 1a898c25f9)
fs_mgr_update_verity_state() is invoked by 'verity_update_state' in
init.rc. It will then set property "partition.system.verified" and
"partition.vendor.verified" to verify_mode. We should support this for
AVB as well.
Also change the order of static libs in init to fix the build error
after this change:
system/extras/ext4_utils/ext4_crypt.cpp:69: error: undefined reference to 'property_get'
Bug: 35416769
Test: Mount /system and /vendor with vboot 2.0 (AVB), check the following properties exist.
- [partition.system.verified]: [2]
- [partition.vendor.verified]: [2]
Test: Mount /system and /vendor with vboot 1.0, check the following properties exist.
- [partition.system.verified]: [0]
- [partition.vendor.verified]: [0]
Change-Id: I4328d66a8cb93f26e7960e620a0b2292d5f15900
Merged-In: I4328d66a8cb93f26e7960e620a0b2292d5f15900
(cherry picked from commit aaf70e77dc)
libavb requires verifying AVB metadata on all verified partitions at
once. For example, /vbmeta, /boot, /system and /vendor. We need to
invoke device_init() for those partitions even if we only want to early
mount some of them, like /vendor and /system.
This CL gets all AVB partitions and the early mount partitions from
device tree through "firmware/android/vbmeta" and "firmware/fstab",
respectively. The following is an example to early mount /vendor
partition on bullhead:
firmware {
android {
compatible = "android,firmware";
vbmeta {
compatible = "android,vbmeta";
parts = "boot,system,vendor";
by_name_prefix="/dev/block/platform/soc.0/f9824900.sdhci/by-name"
};
fstab {
compatible = "android,fstab";
vendor {
compatible = "android,vendor";
dev = "/dev/block/platform/soc.0/f9824900.sdhci/by-name/vendor";
type = "ext4";
mnt_flags = "ro,barrier=1,inode_readahead_blks=8";
fsmgr_flags = "wait,avb";
};
};
};
};
Bug: 33254008
Test: early mount /vendor with vboot 2.0 (AVB) on bullhead
Test: early mount /system without dm-verity on bullhead
Test: early mount /vendor with vboot 1.0 on sailfish
Change-Id: I89a1f77c97124f309346b33d9e700544b92ecf05
Merged-In: I89a1f77c97124f309346b33d9e700544b92ecf05
(cherry picked from commit 8bba52fc4b)
Default signature WriteStringToFile creates world-writeable files.
Set owner and group system and remove read/write for non-owner.
Bug: 37251463
Test: Manual: reboot, inspect
Change-Id: I6a29c678168dcae611b120dc52170f4eee7069a9
It's possible, in the event of a platform update, for the platform
SELinux policy to change from the policy on which the vendor SELinux
policy was originally based. In this case, a different mapping file
to bridge the differences between the new policy and the old needs to
be selected.
Make init choose which mapping policy file to use based on the version
reported in /vendor/etc/selinux/plat_sepolicy_vers.txt.
Bug: 36783775
Test: Force compilation of sepolicy on-device with mapping file changed
to new location and name, using the value reported on /vendor.
Change-Id: I63c883ccb79dd31c92dabe44a55c4ab50a3735e6
- umount operation is asynchronous except for root partition.
Returning from umount does not guarantee completion of
umount. Poll /proc/mounts to confirm completion of umount.
- Treat all devices mounting to /data as emulated devices. This is
future proof when fs other than sdcardfs is used.
- Drop quota sync from sync step. There is no differences in
frequencies of quota error.
- Run umount in reverse order from mounting order so that any
hidden dependency can be auto-resolved.
- Add dump of lsof and /proc/mounts when umount fails. lsof only runs
when selinux is toggled into permissive mode. The dump is enabled
only for non-user build.
- Keep logcat until vold shutdown in case vold has any error to report.
bug: 36551218
Test: python packages/services/Car/tools/bootanalyze/bootanalyze.py -r -c packages/services/Car/tools/bootanalyze/config.yaml -n 1000 -f -e 20 -w 30
Change-Id: I87b17b966d7004c205452d81460b02c6acf50d45
(cherry picked from commit 2ba5c8103d)
Bug: 36783775
Test: boot device with matching sha256 and non-matching and verify that
device boots and uses either precompiled or compiled policy as needed. Also
verify that mapping_sepolicy.cil has moved.
Change-Id: I9c3df2e7ed3f0eadd98e98529ebed360fec66dba
- Run shutdown animation during shutdown if surfaceflinger is
available / running.
- services necessary for animation should be added to animation
class.
- Keep debugging tools while non-critical services are terminated:
logd, adbd, tombstoned
bug: 36526187
Test: many reboots
(cherry picked from commit 7830d59500)
Change-Id: I83011e3f843e6b64c56c453a996db738f497877a
init used to block on installkey such that it was unable to
process property events. This lead to a deadlock by which
the Keymaster HAL would wait indefinitely for the
hwservicemanager.ready=true.
This fixes the issue by implementing the builtin in terms of
do_exec, which allows init to stay responsive to properties
while waiting for the child to terminate.
Bug: 36278706
Test: Add a 3s delay into hwservicemanager before it sets the property
hwservicemanager.ready and the device still boots.
(cherry picked from commit 9cc51728af)
Change-Id: Ia241059d95c610ab01a314969ba23c003333bbba
- Processes capturing SIGTERM signal will not terminate and
killProcessGroup will timeout after retry. This gives 200ms
of waiting per such process. Change it to retry only once as
SIGTERM will keep failing for such process.
bug: 36696408
Test: check time spent in SIGTERM for reboot
(cherry picked from commit 506cb020c8ab080a6765b8300c84d751557ef744)
Change-Id: If080ae3aa00f1614b25cc3f673eeb70c9713ef6e
- still it will take time to kill services, < 3 secs in tested device.
bug: 36678028
Test: reboot
(cherry picked from commit 56425ed87e1ad7c63437d67c3b17ed7e2ba8d340)
Change-Id: I75b5843b08cdcdbf67c4fe500aa0dd7302dd44d7
Slowly try to decouple property_service.cpp from the rest of init.
Test: Boot bullhead
Change-Id: I267ae0b057bca0bf657b97cb8bfbb18199282729
(cherry picked from commit ccf23537ee)
Exec services may also want to set other service flags such as
priority. Instead of expanding the exec syntax to handle this, create
a new command, exec_start, that will treat an existing service
definition as an exec service. The new exec_start command will start
the service then halt init from executing further commands until the
service has exited.
This change additionally encapsulates the waiting_for_exec logic into
ServiceManager and removes the ambiguous 'bool' return value from
Reap() which previously indicated if a Reaped service was an exec
service or not.
Bug: 36511808
Bug: 36102163
Test: Bullhead boots, services run with exec_start as they do exec.
Change-Id: I44f775cf1c1dd81d5c715f44fdc150c651a2c80a
(cherry picked from commit b27004aa05)
With system and vendor split, the files under them get labelled
differently as part of b/36527360. These files also include selinux
policy files if the policy is split. In order to consistently label
them, all sepolicy files on rootfs also are labelled with labels
matching to that of the ones in system and vendor. So, this now requires
init to explicitly label *all* selinux files in rootfs after
initializing selinux.
Test: Boot angler and ensure servicemananger continues to work (uses
/{plat,nonplat}_service_contexts).
Test: Sideloaded OTA to angler to ensure recovery continues to work.
Test: Launch and load a website in Chrome.
Test: Launch camera and take picture, record video.
Change-Id: I4134eae80b5b51f381b549eb18e604cf271f9eb5
Signed-off-by: Sandeep Patil <sspatil@google.com>
