Commit graph

1393 commits

Author SHA1 Message Date
Todd Poynor
dff584659c reboot: fix owner and permissions of last_reboot_reason file
Default signature WriteStringToFile creates world-writeable files.
Set owner and group system and remove read/write for non-owner.

Bug: 37251463
Test: Manual: reboot, inspect
Change-Id: I6a29c678168dcae611b120dc52170f4eee7069a9
2017-04-13 15:48:11 -07:00
Jeffrey Vander Stoep
57d4c59559 Merge "init: expand generated attributes on sepolicy compile" into oc-dev 2017-04-13 18:11:08 +00:00
Jeff Vander Stoep
d278253378 init: expand generated attributes on sepolicy compile
Expand auto generated attributes in selinux policy when doing
on-device compile of platform + vendor selinux policy.

Bug: 3650825
Test: Build and boot Marlin
Change-Id: Icc1c3af0b504236ae13fd8a5155c2109befd7688
2017-04-13 17:32:51 +00:00
Martijn Coenen
f8952a196c Merge "restorecon hwservice_contexts." into oc-dev 2017-04-13 03:34:48 +00:00
Martijn Coenen
6887273a28 restorecon hwservice_contexts.
Test: marlin boots, angler boots
Bug: 34454312
Change-Id: I5da8b0b10a7a4c0e6e0c9aea39004852889e8d97
2017-04-12 18:02:33 -07:00
Dan Cashman
692c3e4d38 init: use platform sepolicy version indicated by /vendor.
It's possible, in the event of a platform update, for the platform
SELinux policy to change from the policy on which the vendor SELinux
policy was originally based.  In this case, a different mapping file
to bridge the differences between the new policy and the old needs to
be selected.

Make init choose which mapping policy file to use based on the version
reported in /vendor/etc/selinux/plat_sepolicy_vers.txt.

Bug: 36783775
Test: Force compilation of sepolicy on-device with mapping file changed
to new location and name, using the value reported on /vendor.

Change-Id: I63c883ccb79dd31c92dabe44a55c4ab50a3735e6
2017-04-12 10:45:08 -07:00
Keun-young Park
0e90dee9e0 poll umount completion from /proc/mounts
- umount operation is asynchronous except for root partition.
  Returning from umount does not guarantee completion of
  umount. Poll /proc/mounts to confirm completion of umount.
- Treat all devices mounting to /data as emulated devices. This is
  future proof when fs other than sdcardfs is used.
- Drop quota sync from sync step. There are no differences in
  frequencies of quota error.
- Run umount in reverse order from mounting order so that any
  hidden dependency can be auto-resolved.
- Add dump of lsof and /proc/mounts when umount fails. lsof only runs
  when selinux is toggled into permissive mode. The dump is enabled
  only for non-user build.
- Keep logcat until vold shutdown in case vold has any error to report.

bug: 36551218
Test: python packages/services/Car/tools/bootanalyze/bootanalyze.py -r -c packages/services/Car/tools/bootanalyze/config.yaml -n 1000 -f -e 20 -w 30

Change-Id: I87b17b966d7004c205452d81460b02c6acf50d45
(cherry picked from commit 2ba5c8103d)
2017-04-10 17:48:19 -07:00
Dan Cashman
39ffec779a Reflect move of mapping file to /system.
Bug: 36783775
Test: boot device with matching sha256 and non-matching and verify that
device boots and uses either precompiled or compiled policy as needed. Also
verify that mapping_sepolicy.cil has moved.

Change-Id: I9c3df2e7ed3f0eadd98e98529ebed360fec66dba
2017-04-06 09:57:23 -07:00
Martijn Coenen
6c2b3e5fd8 Merge "Restorecon new vndservice_contexts file." into oc-dev 2017-04-04 03:41:48 +00:00
TreeHugger Robot
49ab678930 Merge "add shutdown animation" into oc-dev 2017-04-03 23:51:41 +00:00
Keun-young Park
c50b39994d add shutdown animation
- Run shutdown animation during shutdown if surfaceflinger is
  available / running.
- services necessary for animation should be added to animation
  class.
- Keep debugging tools while non-critical services are terminated:
  logd, adbd, tombstoned

bug: 36526187
Test: many reboots

(cherry picked from commit 7830d59500)

Change-Id: I83011e3f843e6b64c56c453a996db738f497877a
2017-04-03 12:38:01 -07:00
Martijn Coenen
7c1e0d84ab Restorecon new vndservice_contexts file.
Bug: 36052864
Test: boots
Change-Id: Ib0a5904ffb8ed2d865ab85adbf4cdefd52e6a27d
2017-04-03 11:08:58 -07:00
Janis Danisevskis
650d22bb53 Make init builtin command installkey respect property updates
init used to block on installkey such that it was unable to
process property events. This led to a deadlock by which
the Keymaster HAL would wait indefinitely for the
hwservicemanager.ready=true.

This fixes the issue by implementing the builtin in terms of
do_exec, which allows init to stay responsive to properties
while waiting for the child to terminate.

Bug: 36278706
Test: Add a 3s delay into hwservicemanager before it sets the property
      hwservicemanager.ready and the device still boots.

(cherry picked from commit 9cc51728af)

Change-Id: Ia241059d95c610ab01a314969ba23c003333bbba
2017-03-31 09:58:25 -07:00
Wonsik Kim
281531bdcb Revert "init: use read_file and write_file to implement do_copy builtin"
Bug: 36726045
Test: gts-tradefed run gts --abi x86 -m GtsMediaTestCases -t com.google.android.media.gts.MediaCodecCencTest#testCENC_DASH_FMP4_H264_360P_PLAYREADY_CENC
This reverts commit 82bac0de6d.

Change-Id: I3b754f429499daec804a0ad25529294216c39a40
2017-03-30 17:15:17 -07:00
Keun-young Park
e41bf08f56 send SIGTERM only once
- Processes capturing SIGTERM signal will not terminate and
  killProcessGroup will timeout after retry. This gives 200ms
  of waiting per such process. Change it to retry only once as
  SIGTERM will keep failing for such process.

bug: 36696408
Test: check time spent in SIGTERM for reboot

(cherry picked from commit 506cb020c8ab080a6765b8300c84d751557ef744)

Change-Id: If080ae3aa00f1614b25cc3f673eeb70c9713ef6e
2017-03-30 14:17:18 -07:00
Keun-young Park
54df8375ba set zero shutdown timeout for eng build
- still it will take time to kill services, < 3 secs in tested device.

bug: 36678028
Test: reboot

(cherry picked from commit 56425ed87e1ad7c63437d67c3b17ed7e2ba8d340)

Change-Id: I75b5843b08cdcdbf67c4fe500aa0dd7302dd44d7
2017-03-30 14:13:42 -07:00
TreeHugger Robot
5f12c799a5 Merge changes from topic 'update-verified-priority-bump' into oc-dev
* changes:
  init.rc: launch update_verifier with exec_start
  init: replace property_get with its android::base equivalent
  init: remove unused cutils includes
  init: add exec_start command
2017-03-29 23:12:22 +00:00
Tom Cherry
e249097f6d init: replace property_get with its android::base equivalent
Slowly try to decouple property_service.cpp from the rest of init.

Test: Boot bullhead
Change-Id: I267ae0b057bca0bf657b97cb8bfbb18199282729
(cherry picked from commit ccf23537ee)
2017-03-29 13:34:56 -07:00
Tom Cherry
af5102a4f0 init: remove unused cutils includes
Test: Boot bullhead
Change-Id: I629f9c3863f00fa38f87a68442c2380d28764718
(cherry picked from commit 1ec1bd918c)
2017-03-29 13:34:52 -07:00
Tom Cherry
2d80467165 init: add exec_start command
Exec services may also want to set other service flags such as
priority.  Instead of expanding the exec syntax to handle this, create
a new command, exec_start, that will treat an existing service
definition as an exec service.  The new exec_start command will start
the service then halt init from executing further commands until the
service has exited.

This change additionally encapsulates the waiting_for_exec logic into
ServiceManager and removes the ambiguous 'bool' return value from
Reap() which previously indicated if a Reaped service was an exec
service or not.

Bug: 36511808
Bug: 36102163
Test: Bullhead boots, services run with exec_start as they do exec.

Change-Id: I44f775cf1c1dd81d5c715f44fdc150c651a2c80a
(cherry picked from commit b27004aa05)
2017-03-29 13:34:48 -07:00
Sandeep Patil
f5b99d4fe2 init: explicitly label all selinux files in rootfs
With system and vendor split, the files under them get labelled
differently as part of b/36527360. These files also include selinux
policy files if the policy is split. In order to consistently label
them, all sepolicy files on rootfs also are labelled with labels
matching to that of the ones in system and vendor. So, this now requires
init to explicitly label *all* selinux files in rootfs after
initializing selinux.

Test: Boot angler and ensure servicemanager continues to work (uses
      /{plat,nonplat}_service_contexts).
Test: Sideloaded OTA to angler to ensure recovery continues to work.
Test: Launch and load a website in Chrome.
Test: Launch camera and take picture, record video.

Change-Id: I4134eae80b5b51f381b549eb18e604cf271f9eb5
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-03-29 10:33:41 -07:00
Sandeep Patil
74df5bab16 init: consolidate restorecon after selinux initialization in single function
Test: Boot sailfish
Change-Id: I423028f12a84c4e0c12c9bdde52b6d795d45b620
Signed-off-by: Sandeep Patil <sspatil@google.com>
2017-03-29 10:31:26 -07:00
Treehugger Robot
8678872a00 Merge "init: add class_restart" 2017-03-28 04:22:47 +00:00
Treehugger Robot
deb23ba2c1 Merge "init: remove superfluous forward definitions" 2017-03-28 02:22:51 +00:00
Treehugger Robot
88d6b4af16 Merge "init: Fix README.md for writepid" 2017-03-28 01:07:50 +00:00
Tom Cherry
46b6c43b7c init: remove superfluous forward definitions
Test: Boot bullhead
Change-Id: I4a005616a825529bc2ad1b413e51b501f6407cbd
2017-03-27 17:55:37 -07:00
Treehugger Robot
3c1568aa13 Merge "init: add support of multiple class names" 2017-03-28 00:39:09 +00:00
Keun-young Park
59cebb6e6f Merge "update shutdown sequence and use shutdown_timeout to cover all wait" 2017-03-27 22:27:30 +00:00
Wei Wang
641ff0a4d8 init: add support of multiple class names
Add support of multiple class names in service, so that related services
can be grouped together. By doing this, we can start/stop some services
for special purposes. For example, early zygote, early boot animation,
etc.

Bug: 36535312
Test: marlin boots with defined classes
Change-Id: Ifeaaf034fd836816e24f3775bece53ea83faada6
2017-03-27 20:59:05 +00:00
Steven Moreland
2b63d54af8 init: add class_restart
Bug: 34093663
Test: hwservicemanager `onrestart class_restart hal` works
Change-Id: Ie1e4daab2b7b4c6c714d4e3d05afa2d86d6233df
2017-03-27 13:52:47 -07:00
Keun-young Park
3ee0df9bdf update shutdown sequence and use shutdown_timeout to cover all wait
- Use ro.build.shutdown_timeout to cover the total time for shutdown.
  Limit wait time for termination only to half of shutdown_timeout
  with max of 3 secs as process not terminating by that time
  will not terminate anyway. It is better to move to the next
  stage quickly. fsck time for user shutdown is excluded from timeout.
- Change last detach to kill, sync, and umount. Last detach did not
  work in many tests.
- add sync after emulated partitions umount as it can trigger
  change in /data.

bug: 36551393
Test: many reboots
Change-Id: Ib75dc19af79b8326b02ccef6b16a8817ae7f8b0e
2017-03-27 13:44:50 -07:00
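The termination policy described by the "send SIGTERM only once" commit and the shutdown_timeout commit above (one SIGTERM, a bounded wait of at most half the shutdown timeout capped at 3 s, then SIGKILL), as an added example. This is not init's killProcessGroup or reboot code; the function names, the 10 ms poll interval and the SpawnSleeper test helper are the example's own.

```cpp
// Added example, not the init shutdown code: terminate a process with one
// SIGTERM, a bounded wait, then SIGKILL. Names and the poll interval are
// the example's own.
#include <signal.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>
#include <cerrno>

enum TerminateResult { kExitedOnTerm = 0, kNeededKill = 1, kError = -1 };

// Termination wait as described in the shutdown_timeout commit: half of
// ro.build.shutdown_timeout, capped at 3 s (values here in milliseconds).
int TerminationBudgetMs(int shutdown_timeout_ms) {
  int half = shutdown_timeout_ms / 2;
  return half > 3000 ? 3000 : half;
}

// Poll waitpid(WNOHANG) in 10 ms steps instead of blocking, so a caller
// with an event loop (init's epoll loop) stays responsive while waiting.
static bool ReapedWithin(pid_t pid, int timeout_ms) {
  for (int waited = 0; waited <= timeout_ms; waited += 10) {
    int status;
    pid_t r = waitpid(pid, &status, WNOHANG);
    if (r == pid) return true;
    if (r < 0 && errno != EINTR) return false;
    struct timespec ts = {0, 10 * 1000 * 1000};
    nanosleep(&ts, nullptr);
  }
  return false;
}

TerminateResult TerminateWithTimeout(pid_t pid, int timeout_ms) {
  // kill(0, ...) and kill(-1, ...) target a whole process group or every
  // process the caller may signal; never let a failed fork() turn into that.
  if (pid <= 0) return kError;
  // SIGTERM is sent exactly once: a process that catches or ignores it will
  // keep failing to exit, so repeating the signal only burns the budget.
  if (kill(pid, SIGTERM) != 0) return kError;
  if (ReapedWithin(pid, timeout_ms)) return kExitedOnTerm;
  // SIGKILL cannot be caught or ignored; allow a moment for the kernel to
  // tear the process down so it can be reaped.
  if (kill(pid, SIGKILL) != 0) return kError;
  return ReapedWithin(pid, 1000) ? kNeededKill : kError;
}

// Test helper: fork a child that sleeps forever and, if ignore_term is set,
// ignores SIGTERM the way a misbehaving service might. SIGTERM is blocked
// across fork() so the child cannot be signalled before it has chosen its
// disposition.
pid_t SpawnSleeper(bool ignore_term) {
  sigset_t block, old;
  sigemptyset(&block);
  sigaddset(&block, SIGTERM);
  sigprocmask(SIG_BLOCK, &block, &old);
  pid_t pid = fork();
  if (pid == 0) {
    if (ignore_term) signal(SIGTERM, SIG_IGN);
    sigprocmask(SIG_SETMASK, &old, nullptr);
    for (;;) pause();
  }
  sigprocmask(SIG_SETMASK, &old, nullptr);
  return pid;
}

int main() {
  pid_t polite = SpawnSleeper(false);
  pid_t stubborn = SpawnSleeper(true);
  bool ok = TerminateWithTimeout(polite, TerminationBudgetMs(1000)) == kExitedOnTerm &&
            TerminateWithTimeout(stubborn, TerminationBudgetMs(1000)) == kNeededKill;
  return ok ? 0 : 1;
}
```

The pid guard matters more than it looks: a helper like this is usually fed the result of a fork() or a pid parsed from a file, and a -1 or 0 passed straight to kill(2) signals every process the caller can reach.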
Treehugger Robot
784c851785 Merge "Move selinux policy build decisions to sepolicy Makefile" 2017-03-27 20:03:04 +00:00
Tom Cherry
e564dac2b3 init: Fix README.md for writepid
writepid takes a list of space delimited files.  Make this clear in
the documentation, following the format for repeated fields used in
the rest of the file.

Test: N/A
Change-Id: I5bbe453fcb54f060d3cc5a82e9b38d3091a1ece3
2017-03-27 12:55:33 -07:00
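The service options the exec_start, multiple-class, class_restart and writepid commits above add or document, in one hypothetical rc fragment. This is an added illustration, not a file from AOSP: the service names, binaries, the cpuset and cgroup task-file paths and the boot trigger are made up.

```rc
# Hypothetical fragment (added illustration, not AOSP's init.rc) showing
# the service options introduced or documented by the commits above.

# A service in two classes: 'hal' so that `class_restart hal` restarts it,
# and 'early_hal' so it can be started ahead of the rest of 'hal'.
service vendor.example-hal /vendor/bin/hw/example-hal
    class hal early_hal
    user system
    group system
    # writepid takes a space-delimited list of files: the pid goes both to
    # a cpuset task file and to a cgroup the service is accounted under.
    writepid /dev/cpuset/system-background/tasks /dev/stune/background/tasks

# exec_start reuses a full service definition as an exec service, so options
# such as priority, user and group apply; init stops executing further
# commands until the service exits, exactly as exec does. 'disabled' keeps
# class_start from launching it, 'oneshot' keeps it from being restarted.
service example_verifier /system/bin/example_verifier
    class late_start
    user root
    group cache
    priority -20
    disabled
    oneshot

on property:sys.boot_completed=1
    exec_start example_verifier

# Restart every service in class 'hal' whenever hwservicemanager restarts
# (the use case named in the class_restart commit's test line).
service hwservicemanager /system/bin/hwservicemanager
    user system
    group system
    onrestart class_restart hal
```

The writepid targets are the cpuset and cgroup task files a service chooses for itself; the ro.cpuset.default commit further down the page covers services that give no cpuset writepid at all.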
Jeff Vander Stoep
7ef28f4e4f Move selinux policy build decisions to sepolicy Makefile
Test: Test build/boot Marlin with split policy
Test: Test build/boot Bullhead with combined policy
Bug: 36138508
Change-Id: I84654d19c4d8e9fe9086fde742ee80cd043dfbe1
2017-03-26 07:56:29 -07:00
Treehugger Robot
dd26e1a28c Merge "add kill all for shutdown_timeout of 0" 2017-03-24 05:15:20 +00:00
Treehugger Robot
7f0d15a6f2 Merge "init: use read_file and write_file to implement do_copy builtin" 2017-03-24 02:26:14 +00:00
Treehugger Robot
c1ca1a8328 Merge "init: Prevent spin loop while waiting for exec or property" 2017-03-24 01:52:37 +00:00
Treehugger Robot
186edb1aef Merge "init: Remove superfluous error check" 2017-03-24 01:51:31 +00:00
Keun-young Park
aa08ea458a add kill all for shutdown_timeout of 0
- If it is explicitly set to 0, active processes can block
  umount completely. Safe to kill all processes and umount.
- also add additional sync after emulated partition umount
  as that can change /data partition files

bug: 36004738
Test: many reboots

Change-Id: I6c9b07b6fdece44b9caec4e45ecf26a20d0eb96e
2017-03-23 18:01:24 -07:00
Yongqin Liu
82bac0de6d init: use read_file and write_file to implement do_copy builtin
this will make the implementation cleaner, and output an error
message when some operations fail

also add the O_TRUNC flag explicitly for the open function
called in write_file.

And add more test on read_file and write_file functions

Test: manual with hikey

Change-Id: Ifc1086a20e85db6980b497b1150a8a7952e672d6
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
2017-03-24 08:34:25 +08:00
Tom Cherry
77ddcd5a3f init: Prevent spin loop while waiting for exec or property
Currently, when we are waiting for an exec service or a property, if
there are either any services to be restarted or any more commands to
be run, we set the epoll_timeout to handle these events.  However, we
don't actually restart any processes or execute any commands while
waiting, so this essentially turns this waiting into a spin loop,
particularly in the common case of having more commands to execute,
where epoll_timeout is set to 0.

The change only sets epoll_timeout if we're not waiting.

Note that the only way to stop waiting for an exec service or a
property is for a signal or property to be delivered to init, which
happens through the epoll fds, so it's safe to indefinitely wait for
epoll to return.

Test: Boot bullhead
Change-Id: Iae3b217eb28182038b464fd39df8e7d27b5e23ff
2017-03-23 17:17:54 -07:00
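The timeout rule the spin-loop commit above and the installkey commit further up converge on, as an added example (not init's main loop; the function and parameter names and the millisecond units are the example's own). Both commits rely on the same property of init's loop: while waiting for an exec service or a property, the only events that can end the wait arrive through epoll fds, so init can block indefinitely instead of waking up to do work it is not going to do. That is also what makes an exec-based builtin such as installkey safe: init keeps receiving property sets such as hwservicemanager.ready while the child runs.

```cpp
// Added example, not init's code: the epoll_wait timeout decision with the
// precedence the spin-loop fix establishes.
#include <cstdint>

// Returns the epoll_wait timeout in milliseconds; -1 blocks until an fd is
// ready. next_restart_in_ms < 0 means no service is scheduled for restart.
int ComputeEpollTimeoutMs(bool waiting_for_exec_or_property,
                          bool have_pending_commands,
                          int64_t next_restart_in_ms) {
  // Waiting wins over everything else. The wait ends only with a SIGCHLD
  // or a property message, both delivered through epoll fds, so blocking
  // is safe; a 0 ms timeout here (commands queued behind the wait) would
  // spin without ever running those commands.
  if (waiting_for_exec_or_property) return -1;
  // Not waiting: queued commands are run one per loop iteration, so wake
  // up immediately for the next one.
  if (have_pending_commands) return 0;
  // Otherwise sleep until the next scheduled service restart, if any.
  if (next_restart_in_ms < 0) return -1;
  return next_restart_in_ms > 0 ? static_cast<int>(next_restart_in_ms) : 0;
}

int main() {
  // Before the fix this case produced 0 and a busy loop; now it blocks.
  return ComputeEpollTimeoutMs(true, true, 0) == -1 ? 0 : 1;
}
```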
Keun-young Park
3cd8c6f912 add clear log for reboot start / end
- hard to tell if reboot itself is problem or not.

bug: 36004738
Test: reboot and check last kmsg
Change-Id: I0de0e10eac9ac336cc352ddee22a4a1d9e46cb79
2017-03-23 16:55:24 -07:00
Tom Cherry
9bdddd713a init: Remove superfluous error check
new doesn't return nullptr in C++, so there is no need to check for
it.

Test: Boot bullhead
Change-Id: I666afb1ba7082dd8d5b9911605b7e20a5561b49e
2017-03-23 16:44:42 -07:00
Keun-young Park
8d01f63f50 remove emergency shutdown and improve init's reboot logic
- Emergency shutdown just marks the fs as clean while leaving fs
  in the middle of any state. Do not use it anymore.

- Changed android_reboot to set sys.powerctl property so that
  all shutdown can be done by init.

- Normal reboot sequence changed to
    1. Terminate processes (give time to clean up). And wait for
      completion based on ro.build.shutdown_timeout.
        Default value (when not set) is changed to 3 secs. If it is 0, do not
        terminate processes.
    2. Kill all remaining services except critical services for shutdown.
    3. Shutdown vold using "vdc volume shutdown"
    4. umount all emulated partitions. If it fails, just detach.
       Wait in step 5 can handle it.
    5. Try umounting R/W block devices for up to max timeout.
      If it fails, try DETACH.
      If umount fails to complete before reboot, it can be detected when
      system reboots.
    6. Reboot

- Log shutdown time and umount stat to log so that it can be collected after reboot

- To umount emulated partitions, all pending writes inside kernel should
  be completed.
- To umount /data partition, all emulated partitions on top of /data should
  be umounted and all pending writes should be completed.
- umount retry will only wait up to timeout. If there are too many pending
  writes, reboot will discard them and e2fsck after reboot will fix any file system
  issues.

bug: 36004738
bug: 32246772

Test: many reboots combining reboot from UI and adb reboot. Check last_kmsg and
      fs_stat after reboot.

Change-Id: I6e74d6c68a21e76e08cc0438573d1586fd9aaee2
2017-03-22 11:23:31 -07:00
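The unmount bookkeeping that the reboot-sequence commit above and the "poll umount completion from /proc/mounts" commit further up describe (emulated mounts first, then read-write block devices, each group in reverse mount order, and /proc/mounts rather than the umount() return value as the signal of completion), as an added example. This is not init's reboot code: the struct and function names are the example's own, the /proc/mounts snapshot is constructed for the example, and the classification rules (a source under /data is emulated, a source under /dev/block/ with the rw option is a writable block device) are the example's reading of the two commit messages.

```cpp
// Added example, not init's reboot code: parse /proc/mounts, decide what to
// unmount in which order, and check completion by re-reading the table.
#include <algorithm>
#include <sstream>
#include <string>
#include <vector>

struct MountEntry {
  std::string device;
  std::string mount_point;
  std::string fs_type;
  std::string options;
};

static bool IsOctal(char c) { return c >= '0' && c <= '7'; }

// /proc/mounts escapes space, tab, newline and backslash as \040, \011,
// \012 and \134. A mount point containing a space must be unescaped or a
// later umount() targets a path that does not exist.
std::string UnescapeMountField(const std::string& s) {
  std::string out;
  for (size_t i = 0; i < s.size(); ++i) {
    if (s[i] == '\\' && i + 3 < s.size() && IsOctal(s[i + 1]) &&
        IsOctal(s[i + 2]) && IsOctal(s[i + 3])) {
      out += static_cast<char>((s[i + 1] - '0') * 64 + (s[i + 2] - '0') * 8 +
                               (s[i + 3] - '0'));
      i += 3;
    } else {
      out += s[i];
    }
  }
  return out;
}

std::vector<MountEntry> ParseProcMounts(const std::string& text) {
  std::vector<MountEntry> entries;
  std::istringstream lines(text);
  std::string line;
  while (std::getline(lines, line)) {
    std::istringstream fields(line);
    std::string dev, mp, type, opts;
    if (!(fields >> dev >> mp >> type >> opts)) continue;  // skip a malformed line
    entries.push_back({UnescapeMountField(dev), UnescapeMountField(mp), type, opts});
  }
  return entries;
}

bool IsReadWrite(const MountEntry& e) {
  std::istringstream opts(e.options);
  std::string o;
  while (std::getline(opts, o, ',')) if (o == "rw") return true;
  return false;
}
// Anything whose source lives under /data (sdcardfs today, any filesystem
// stacked on userdata tomorrow) holds writes that land in /data, so it
// must be gone before /data itself is unmounted.
bool IsEmulated(const MountEntry& e) { return e.device.rfind("/data", 0) == 0; }
bool IsBlockDevice(const MountEntry& e) { return e.device.rfind("/dev/block/", 0) == 0; }

// Unmount order: emulated mounts first, then R/W block devices, each group
// in reverse mount order (/proc/mounts lists mounts in the order they were
// made), so a mount stacked on another is removed before the one under it.
std::vector<std::string> UmountOrder(const std::vector<MountEntry>& entries) {
  std::vector<std::string> emulated, block;
  for (const auto& e : entries) {
    if (IsEmulated(e)) emulated.push_back(e.mount_point);
    else if (IsBlockDevice(e) && IsReadWrite(e)) block.push_back(e.mount_point);
  }
  std::reverse(emulated.begin(), emulated.end());
  std::reverse(block.begin(), block.end());
  emulated.insert(emulated.end(), block.begin(), block.end());
  return emulated;
}

// umount(2) returning 0 does not mean the mount is gone (only the root
// umount is synchronous). What counts is whether the mount point is still
// listed; a shutdown path polls this until it disappears or the timeout
// expires, and falls back to a detach if it never does.
bool StillMounted(const std::string& proc_mounts_text, const std::string& mount_point) {
  for (const auto& e : ParseProcMounts(proc_mounts_text))
    if (e.mount_point == mount_point) return true;
  return false;
}

// Constructed snapshot for the example, not from a real device.
const char* kSampleMounts =
    "/dev/block/dm-0 / ext4 ro,seclabel,relatime 0 0\n"
    "/dev/block/bootdevice/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime 0 0\n"
    "/dev/block/bootdevice/by-name/vendor /vendor ext4 ro,seclabel,relatime 0 0\n"
    "/data/media /mnt/runtime/default/emulated sdcardfs rw,nosuid,nodev,noexec,noatime 0 0\n"
    "/data/media /storage/emulated sdcardfs rw,nosuid,nodev,noexec,noatime 0 0\n"
    "/dev/block/loop0 /mnt/my\\040drive ext4 rw,relatime 0 0\n";

int main() {
  std::vector<std::string> order = UmountOrder(ParseProcMounts(kSampleMounts));
  return (order.size() == 4 && order.back() == "/data") ? 0 : 1;
}
```

On the sample table the order comes out as /storage/emulated, /mnt/runtime/default/emulated, /mnt/my drive, /data: the read-only root and vendor mounts are left alone, the two sdcardfs mounts over /data/media go first, and /data goes last.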
Treehugger Robot
2fdcf37af1 Merge "Add 'ro.cpuset.default' system property for default cpusets." 2017-03-21 23:46:56 +00:00
Treehugger Robot
ac8a3bd283 Merge "init: reboot to bootloader on crash for development builds" 2017-03-21 22:50:38 +00:00
Tom Cherry
663fdfc1b2 init: reboot to bootloader on crash for development builds
Currently, if init crashes, the kernel panics.  During development, we
would like to catch this crash before the kernel panics and reboot
into bootloader. This will prevent boot looping bad configurations,
particularly desired in test labs where manual intervention would
otherwise be required to reset the devices.

Keep the existing behavior for user builds, as init crashes should be
rare for production builds and rebooting the device is the correct
behavior for end users.

Bug: 34147472
Test: Boot bullhead userdebug, force init to crash, check that the
      device is in bootloader
Test: Boot bullhead user, force init to crash, check that the kernel
      panics and the device reboots as it did previously
Change-Id: Iab3d45ed0d1f82ffaad2a0835d9ca537c0516421
2017-03-21 13:42:17 -07:00
Alex Vakulenko
0828676dff Add 'ro.cpuset.default' system property for default cpusets.
Normally 'writepid' is used to add a process to a particular cpuset. However
certain systems with big/small cores might need to specify a default cpuset for
system processes which do not explicitly specify one. Add an option to use
'ro.cpuset.default' system property to specify default cpuset for system processes
which do not explicitly write to /dev/cpuset/... with 'writepid' option.

The cpuset name specified in ro.cpuset.default is just the cpuset name, e.g.
'/system-background', '/foreground', or simply '/' for the "root" cpuset.

Bug: 28550814
Test: `m -j32` succeeds for aosp_sailfish-eng. Phone boots successfully.
      Also tested manually with debug trace messages on emulator with different
      combinations of values for 'ro.cpuset.default'.
Change-Id: I501727fa5ee3f4bb7a938fa104b81a404b616633
2017-03-21 12:00:31 -07:00
Tom Cherry
40578ab91f init: Fix leaking fd and error print
read_file() does not close its fd if either stat() fails or the file
has group/world writable permissions.

Use unique_fd to ensure that all return paths close the fd and make
the same change to write_file() for consistency.

Replace PLOG() with LOG() after a simple if conditional, that does not
set errno.

Old:
init: skipping insecure file '/data/bootchart/header': No such device or address
New:
init: skipping insecure file '/data/bootchart/header'

Test: Cause an invalid file read and check the error log
Test: Ensure non-error read_file() and write_file() work
Change-Id: Ib15d94e38362e335d671d30b36aa5605254ec7ab
2017-03-20 14:40:02 -07:00
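The two file-handling points on this page, in one added example: the last_reboot_reason commit at the top (a default WriteStringToFile creates a world-writable file; create it with an explicit mode and system ownership) and the read_file commit above (refuse group- or world-writable input, and close the descriptor on every return path). This is not libbase or init code: the ScopedFd class stands in for the role android::base::unique_fd plays, the function names and the scratch path are the example's own, and the read side checks the open descriptor with fstat() rather than stat() on the path, which is the example's choice.

```cpp
// Added example, not init or libbase code: a write that never leaves a
// world-writable file behind, and a read that refuses one.
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <cerrno>
#include <string>

// Minimal RAII descriptor so every return path closes the fd (the role
// android::base::unique_fd plays in the read_file fix).
class ScopedFd {
 public:
  explicit ScopedFd(int fd = -1) : fd_(fd) {}
  ~ScopedFd() { if (fd_ >= 0) close(fd_); }
  ScopedFd(const ScopedFd&) = delete;
  ScopedFd& operator=(const ScopedFd&) = delete;
  int get() const { return fd_; }
  bool ok() const { return fd_ >= 0; }
 private:
  int fd_;
};

// Create or truncate `path` with an explicit mode instead of the
// 0666-minus-umask default, then fix mode and ownership on the open
// descriptor rather than by path (no symlink or rename race between the
// write and the chown). A mode with group/other write bits is refused.
bool WriteRestrictedFile(const std::string& path, const std::string& content,
                         uid_t owner, gid_t group, mode_t mode) {
  if (mode & (S_IWGRP | S_IWOTH)) { errno = EINVAL; return false; }
  ScopedFd fd(open(path.c_str(),
                   O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC | O_NOFOLLOW, mode));
  if (!fd.ok()) return false;
  // The file may have pre-existed with wider permissions: O_CREAT's mode
  // only applies to a newly created file.
  if (fchmod(fd.get(), mode) != 0) return false;
  if (fchown(fd.get(), owner, group) != 0) return false;
  size_t off = 0;
  while (off < content.size()) {
    ssize_t n = write(fd.get(), content.data() + off, content.size() - off);
    if (n < 0) { if (errno == EINTR) continue; return false; }
    off += static_cast<size_t>(n);
  }
  return fsync(fd.get()) == 0;
}

// 1 if the file is group- or world-writable, 0 if not, -1 on error.
// Path-based, so only useful as an audit; the read below checks the fd.
int IsInsecureFile(const std::string& path) {
  struct stat sb;
  if (stat(path.c_str(), &sb) != 0) return -1;
  return (sb.st_mode & (S_IWGRP | S_IWOTH)) ? 1 : 0;
}

// Read `path` into `out`, refusing a file another uid could have written.
// ScopedFd closes the descriptor on the fstat-failure and insecure-file
// paths too, which is exactly where the original read_file leaked it.
bool ReadSecureFile(const std::string& path, std::string* out) {
  ScopedFd fd(open(path.c_str(), O_RDONLY | O_CLOEXEC | O_NOFOLLOW));
  if (!fd.ok()) return false;
  struct stat sb;
  if (fstat(fd.get(), &sb) != 0) return false;
  if (sb.st_mode & (S_IWGRP | S_IWOTH)) {
    errno = EPERM;  // a real errno for the caller; a plain `if` sets none
    return false;
  }
  out->clear();
  char buf[4096];
  for (;;) {
    ssize_t n = read(fd.get(), buf, sizeof(buf));
    if (n < 0) { if (errno == EINTR) continue; return false; }
    if (n == 0) return true;
    out->append(buf, static_cast<size_t>(n));
  }
}

int main() {
  // Scratch path and own uid/gid are the example's assumptions; init would
  // pass the system uid/gid for last_reboot_reason.
  const std::string path = "/tmp/last_reboot_reason.example";
  std::string got;
  bool ok = WriteRestrictedFile(path, "shell\n", geteuid(), getegid(), 0600) &&
            IsInsecureFile(path) == 0 && ReadSecureFile(path, &got) && got == "shell\n";
  unlink(path.c_str());
  return ok ? 0 : 1;
}
```

The fchmod() after open() is the line that matters for the reboot-reason case: if an earlier build already left a 0666 file at that path, O_CREAT's mode argument does nothing to it, and only an explicit chmod or chown on the descriptor closes the hole.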
Todd Poynor
16663a2aa4 powerctl: add thermal-shutdown command
Add sys.powerctl property interface for initiating thermal shutdown.

Bug: 30994946
Test: Manual: setprop sys.powerctl thermal-shutdown
Change-Id: Iffce60bd3cb4b40a5859623d10b91bee5101f168
2017-03-17 17:16:40 -07:00