With compressed VAB updates, it is not possible to mount /system without
first running snapuserd, which is the userspace component to the dm-user
kernel module. This poses a problem because as soon as selinux
enforcement is enabled, snapuserd (running in a kernel context) does not
have access to read and decompress the underlying system partition.
To account for this, we split SelinuxInitialize into multiple steps:
First, sepolicy is read into an in-memory string.
Second, the device-mapper tables for all snapshots are rebuilt. This
flushes any pending reads and creates new dm-user devices. The original
kernel-privileged snapuserd is then killed.
Third, sepolicy is loaded from the in-memory string.
Fourth, we re-launch snapuserd and connect it to the newly created
dm-user devices. As part of this step we restorecon device-mapper
devices and /dev/block/by-name/super, since the new snapuserd is in a
limited context.
Finally, we set enforcing mode.
This sequence ensures that snapuserd has appropriate privileges with a
minimal number of permissive audits.
Bug: 173476209
Test: full OTA with VABC applies and boots
Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
Basically, ro.product.cpu.abilist* are defined by
ro.vendor.cpu.abilist*. And they can be overried by
ro.odm.cpu.abilist* and ro.product.cpu.abilist*.
ro.system.cpu.abilist* are for fallback if others are no defined.
Bug: 176520383
Test: check the result by flashing aosp_arm64-userdebug on
Test: aosp_blueline-user and aosp_blueline-user hacked by
Test: 64-bits-only
Change-Id: I01ae01af099a4ec8fe3d4525edecc233a477ff60
* In 'ActivateFlattenedApexesFrom', the 'readdir' detects
the APEX folders in a random way that depends on filesystems,
built packages and order of the build chain
* In normal cases, this is not an issue, however when building
with Go configurations, we have a case where the package
'com.android.tethering.inprocess' is built along the
'com.android.tethering' overriden binary, and depending on
the 'readdir' output, the mounts break the Tethering service
Change-Id: I8ac4a0284d8d885f732c71e846933869cf16a0bd
Signed-off-by: Adrian DC <radian.dc@gmail.com>
The firmware_handler.HandleAbort and subcontext.RecoverAfterAbort
tests intentionally abort in the child process to ensure that
ueventd/init can recover if their child processes die. This generates
a tombstone which causes confusion. This change resets SIGABRT to
SIG_DFL right before the abort(), so that the child processes will
exit normally without generating a tombstone or writing a crash to
logcat.
Bug: 169771958
Bug: 175383788
Test: run the above tests and verify no stack traces are printed to
logcat and no tombstones are generated.
Change-Id: Ica09548d1c7a766bf5d9ff2e26c9fd558e85c7c1
This makes it easier to associate logs written during the test with the
test case that was running.
Test: atest CtsInitTestCases
Change-Id: I832f1c9ba8358341c934fdd91a65f5739bc98e37
This hasn't helped investigating the issue, and the issue itself isn't
a problem anymore, so we remove these logs.
Bug: 155203339
Test: reboot
Change-Id: I20e51d8fcad5572906a8d556bec8a8dee4522834
* changes:
Add /metadata to ramdisk.
Also create dirs under /first_stage_ramdisk for GKI.
Refactor the list of empty dirs in ramdisk in its own list.
Revert "Move e2fsck into /first_stage_ramdisk."
Vendors have an interest in importing ueventd files based on certain
property values. Instead of baking this logic in the ueventd binary,
add the import option from the init parser to the ueventd parser, to
allow vendors to expand as needed.
Test: imported files are parsed
Change-Id: I674987fd48f3218e4703528c6d905b1afb5fb366
Now that GKI may not be writeable, also create /metadata at build time
to avoid error log at boot time.
Note that this also creates /first_stage_ramdisk/metadata in GKI.
[ 1.891172] init: [libfs_mgr]check_fs():
mount(/dev/block/by-name/metadata,/metadata,ext4)=-1: No such
file or directory
Bug: 173425293
Test: boots
Change-Id: I62d23c382ed1ad165c1d6598b3df41bd92206733
If the device uses GKI and generic ramdisk, also create
empty directories under /first_stage_ramdisk so that they
won't have to be created at runtime. This allows generic
ramdisk to be not writable.
Test: boots
Bug: 173425293
Change-Id: If987cb1d4af9f9ee94a43a4523f9e1465b01b16a
This reverts commit 3337e782e6.
Reason for revert: e2fsck is moved into vendor ramdisk and installed
to / or /first_stage_ramdisk depending on the device, so there is no
need to move it.
Bug: 173425293
Change-Id: I1eb431e6b2a1e0ba7d0da0278d076b6682a0156d
Test: boots
If a `*` appears within (but not at the end) of a /dev or /sys path in
a ueventd.rc file, then that path is matched with fnmatch() using the
FNM_PATHNAME, which means `*` will not match `/`. That is not always
the intended behavior and this change creates the no_fnm_pathname
option, which will not use the FNM_PATHNAME flag and will have `*`
match `/`.
Bug: 172880724
Test: these unit tests
Change-Id: I85b813d89237dbf3af47564e5cbf6806df5d412f
Instead of operating on raw pointers, init now uses name of the
services as it's primary identifier. Only place that still uses
vector<Service*> is StopServices.
In addition, ServiceList::services() function is removed, which should
help avoiding similar bugs in the future.
Bug: 170315126
Bug: 174335499
Test: adb reboot
Test: atest CtsInitTestCases
Change-Id: I73ecd7a8c58c2ec3732934c595b7f7db814b7034
Merged-In: I73ecd7a8c58c2ec3732934c595b7f7db814b7034
Ignore-AOSP-First: fixing security vulnerability
(cherry picked from commit 8d6ae2dd8a)
Current implementation updates the permissions of sysfs
nodes of a device upon the following actions: "add",
"change" and "online".
But certain sysfs nodes (ex: wakeup capabilities under
power management) of devices are not present when the
device is added, but these are generally dependent on
the device driver and are added once the driver is bound.
This is particularly common in USB host stack.
If the bind action events are not parsed the ueventd
will not update the permissions of these nodes.
Hence, add the support for updating permissions on
bind action as well.
Bug: 174215510
Test: Verified permissions updated on bind action
Change-Id: Ic1a147e3993ef78dd6c539bbae652e8107207b87
Linkerconfig will be moved into Runtime APEX, so
/system/bin/linkerconfig would not be available before APEX is mounted.
Use bootstrap linkerconfig instead during early init.
Bug: 165769179
Test: Cuttlefish boot succeeded
Change-Id: Iae41f325bbd5f5194aaf4613141860f913dfbff1
Running snapuserd before early-init means ueventd is missing, which
means we can't use WaitForFile() when dm-user misc devices are created.
Fix this by starting the transition after early-init.
Bug: 173476209
Test: full OTA with VABC applies and boots
Change-Id: Ice594cceb44981ae38deb82289d313c14726c36b
In first-stage init, libsnapshot needs to know how to wait for device
paths, since ueventd isn't running yet. We do this by passing a callback
wrapping BlockDevInitializer.
Bug: 173476209
Test: device boots into first-stage init after full VABC ota
Change-Id: I9a87f98824e65a9379cb0b99c001e28cccd9d205
There are sysfs nodes that don't take multiple inputs, adding a new
copy_per_line built-in command to copy from source file to destination
line by line.
Bug: 171740453
Test: boot and check file and log
Change-Id: I41b7a565829299d56b81d4509525dfa6a0a52444
create_directories return false with ec == 0 if directory
already exists. Do not abort in this case.
Bug: 173425293
Test: boots with pre-existing /first_stage_ramdisk/system/bin
Change-Id: I351837f0a5a56361ebc385b9a9da9658882a131d
Also includes new --out_<partition> flags for
system,system_ext,product,vendor,odm
to allow host_init_verifier to work with a collection of init rc files.
Test: host_init_verifier --out_system=... --out_vendor=...
where vendor contains an init rc file that overrides a service
present in system. Observe parse failure and non-zero exit.
Bug: 163089173
Change-Id: I520fef613e0036df8a7d47a98d47405eaa969110
