A typo in the documentation for one, and a couple of signed/unsigned warnings
in the implementation of the other.
Change-Id: I8fb4b7448ac901c543dea7420aabcedf13ec1bd8
"&&" operator can now be used to test the validity
of two of more properties.
For example:
on property:test.a=1 && property:test.b=1
setprop test.c 1
The above stub sets the test.c to 1 only when
both test.a=1 and test.b=1
(cherry-pick of 162f7d797c67019a7a3f08c3b0f0ffc91d548ddc.)
Change-Id: I72c19f7aa92231372a416193618ee6c7fd368141
Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
42a9349dc4 modified init's
builtin chmod, chown, and mkdir calls to avoid following
symlinks. This addressed a number of attacks we were seeing
at the time where poorly written init scripts were following
attacker supplied symlinks resulting in rooting vulnerabilities.
To avoid race conditions, the previous implementation only ran
fchown / fchmod on file descriptors opened with open(O_NOFOLLOW).
Unfortunately, unlike the normal "chown" or "chmod" calls, this
requires read or write access to the underlying file. This
isn't ideal, as opening some files may have side effects, or
init may not have permission to open certain files (such as when
SELinux is enabled).
Instead of using open(O_NOFOLLOW) + fchown(), use lchown() instead.
As before, the target of the symlink won't be modified by chown.
This also supports setting the ownership of symlinks.
Instead of using open(O_NOFOLLOW) + fchmod(), use
fchmodat(AT_SYMLINK_NOFOLLOW) instead. As before, the target of the
symlink won't be modified by chmod.
This change will continue to ensure that chown/chmod/mkdir doesn't
follow symlinks, without requiring init to open every file in
read-only or read-write mode.
This change depends on bionic commit I1eba0cdb2c509d9193ceecf28f13118188a3cfa7
Addresses the following mako/occam SELinux denial:
audit(1422770408.951:6): avc: denied { write } for pid=1 comm="init" name="smd7" dev="tmpfs" ino=7207 scontext=u:r:init:s0 tcontext=u:object_r:radio_device:s0 tclass=chr_file
Change-Id: I14fde956784d65c44e7aa91dd7eea9a004df3081
LOCAL_FORCE_STATIC_EXECUTABLE was not working properly for clang
because -Bstatic was ignored by clang. We can now enable clang
for init after the -static flag is added to link static executable
files in build/core/definitions.mk.
BUG: 18008984
Change-Id: I3f361b83c1e0b313914603dff33fd090cd3b116a
For build-system CFLAGS clean-up, fix unused variables.
Use a #define instead of static variable in a header file.
Change-Id: Id47bf38e51644b61a9f3ac1893a16553695f1aac
init doesn't start when built with clang.
Set LOCAL_CLANG:=false until this is analyzed and fixed.
Change-Id: I5a7944aef676ce88defe5c0449e712d9812fb5f3
Signed-off-by: Bernhard Rosenkraenzer <Bernhard.Rosenkranzer@linaro.org>
This commit fixes code that incorrectly increments s when it
hits the terminator character of the string being sanitized.
This means it will randomly start trashing memory beyond the
end of the string being sanitized until it happens to hit two
NULs (\0\0) which will break it out of the loop.
Change-Id: I76553d7f183236a78a0bc7b408e92559b98f732f
waitpid breaks whenever child status signals. Need to loop, continuing
on errno EINTR
Bug: 17515976
Change-Id: Ibb29056a38b3c90dc7904de8c6aedb5a362e511d
We originally included a warning to not invoke restorecon_recursive
with a path leading to a shell-writable or app-writable directory
due to concerns about the potential for mischief with symlinks during
the restorecon_recursive. However, this warning was never necessary for
calling restorecon_recursive during system initialization before an adb
shell or app can run, and we have further prohibited init from
reading/following symlinks that can be created by shell or apps in
policy, so this warning is superfluous. It also contradicts current
usage of restorecon_recursive in rootdir/init.rc, since it is called
there on /data.
Change-Id: I28a635e0b5991ced8adcef93e7a04f9d9e5634fd
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Need to not set this property) during mount, since it can't
be changed later (ro property)
Also no reason to start class main on encryption cycle - we'll
show surfaceflinger, which is enough UI for this short cycle.
Bug: 17041092
Change-Id: Ica5339c54e45716d0fe20e23c0ab857f388d23ed
Make sure to call _exit instead of exit to avoid triggering exit
handlers that may have existed in the parent process.
Print out a log message when forking to process firmware events fails.
Change-Id: I2436bdf85d9a8ea26b718e62023f1dac89864667
Ideally bootchart collects system data every BOOTCHART_POLLING_MS ms.
However, the current bootchart pacing logic would collect data every
time the main loop in init.c is executed. This results in:
1. Multiple data samples being taken consecutively or prematurely. In
many cases, these data samples have the same timestamp (in jiffies).
The off-line data processing tool would complain about dividing by
zero "interval" and bail out.
2. Because of the ineffective pacing, bootchart data collection would
terminate prematurely. The total duration of data collection is usually
much shorter than what the user specifies.
The fix is to check whether BOOTCHART_POLLING_MS ms has elapsed
before taking a new data sample. For this purpose, /proc/uptime
is used to get the time values, consistent with the precision of
bootchart timestamps.
Change-Id: I106bf91dbda01059b719df6c73b8bd1cd54a64f0
Signed-off-by: Bo (Andover) Zhang <zhang@broadcom.com>
Move the unlink out of init.c and into init.rc, so that the file
will be removed after all the filesystems with firmware are up.
Change-Id: Ifdd5dd1e95d7e064dde5c80b70198882d949a710
Move the unlink out of init.c and into init.rc, so that the file
will be removed after all the filesystems with firmware are up.
Change-Id: I7442df2042cc2788d0301f00e3c2fba7d6e0e1c7
The init process allows environment variables to be specified in
the rc script globally, via 'export', and for a specific process,
via the 'setenv' option.
However, the mechanism for assembling the environment simply
appended the new variable without checking whether it was already
defined, so it was not possible to overwrite an existing entry.
This patch fixes that behaviour.
Limitations and concerns:
The limit of a maximum number of 31 variables is unchanged.
Currently, most callers of "add_environment" do not check the return
value, but the function now logs the failure rather than failing
silently.
Change-Id: Ie9a68c37a0f55c5b40e904e695cd35514f67f480
Currently, the fixup code in fixup_sys_perms() scans through all
entries in uevent*.rc. If it finds a match, then it performs a fixup.
If there's no match in that file, no fixup is performed.
SELinux file labels are independently stored in /file_contexts,
with no relationship to the files in /ueventd.rc. Even when no
entries exist in ueventd.rc, we still want to fixup the SELinux
file label in /sys when a uevent message occurs.
Change-Id: I0ccb5395ec0be9282095b844a5022e8c0d8903ac
