If ro.oem_unlock_supported is specified for the device and it supports
verified boot, export lock status in ro.boot.flash.locked.
Bug: 26039090
Change-Id: Ie7844aeb458c97944c72d46ea962b9cfb0a7875d
Change-Id: Idf9444fece4aa89c93e15640de59a91f6e758ccf
/property_contexts exists before selinux policies are loaded, so we must
restorecon before other processes can access it
Bug: 21852512
Change-Id: Ie983caac635eb928ab19eea996a5625f3673de39
Add the following mount options to the /proc filesystem:
hidepid=2,gid=3009
This change blocks /proc access unless you're in group 3009
(aka AID_READPROC).
Please see
https://github.com/torvalds/linux/blob/master/Documentation/filesystems/proc.txt
for documentation on the hidepid option.
hidepid=2 is preferred over hidepid=1 since it leaks less information
and doesn't generate SELinux ptrace denials when trying to access
/proc without being in the proper group.
Add AID_READPROC to processes which need to access /proc entries for
other UIDs.
Bug: 23310674
Change-Id: I22bb55ff7b80ff722945e224845215196f09dafa
DTs have a standard "name" entry which is not to be
turned into an android property, so skip it.
Change-Id: I79f6638b4123358c8d80510c1666cf5d4561160e
When auditing setprop denials, it is often unclear who the process is
in a multi-process domain. To help identify the invoker, log the pid, uid,
and gid of the caller.
Before:
avc: denied { set } for property=wifi.xxx ...
After:
avc: denied { set } for property=wifi.xxx pid=30691 uid=123 gid=345 ...
Change-Id: I5cdcb3d18fbd52e0987b5e1497b9f6620c6c742a
Signed-off-by: William Roberts <william.c.roberts@intel.com>
Create a Parser class that uses multiple SectionParser interfaces to
handle parsing the different sections of an init rc.
Create an ActionParser and ServiceParser that implement SectionParser
and parse the sections corresponding to Action and Service
classes.
Remove the legacy keyword structure and replace it with std::map's
that map keyword -> (minimum args, maximum args, function pointer) for
Commands and Service Options.
Create an ImportParser that implements SectionParser and handles the
import 'section'.
Clean up the unsafe memory handling of the Action class by using
std::unique_ptr.
Change-Id: Ic5ea5510cb956dbc3f78745a35096ca7d6da7085
Change-Id: I363a5e4751ad83d2f4096882a6fbbeddca03acfe
Change-Id: Ie7a64e65de3a20d0c7f7d8efc0f7c1ba121d07fe
This creates the concept of 'event_trigger' vs 'property_trigger'
Previously these were merged into one, such that 'on property:a=b &&
property:b=c' is triggered when properties a=b and b=c as expected,
however combinations such as 'on early-boot && boot' would trigger
during both early-boot and boot. Similarly, 'on early-boot &&
property:a=b' would trigger on both early-boot and again when property
a equals b.
The event trigger distinction ensures that the first example fails to
parse and the second example only triggers on early-boot if
property a equals b.
This coalesces Actions with the same triggers into a single Action object
Change-Id: I8f661d96e8a2d40236f252301bfe10979d663ea6
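
An added sketch of the trigger rules this commit message describes (not code from the commit or from init; `Trigger`, `ParseTrigger`, `FiresOnEvent` and `FiresOnPropertyChange` are hypothetical names). It assumes property-only actions are evaluated when one of their properties changes.

```cpp
#include <map>
#include <sstream>
#include <string>
// Hypothetical names: a sketch of the semantics in the commit message, not init's code.
using Props = std::map<std::string, std::string>;
struct Trigger {
    std::string event;  // empty means a property-only trigger
    Props props;        // required property name -> value
};

// Parses the text after "on". Returns false on a parse error.
bool ParseTrigger(const std::string& text, Trigger* out) {
    const std::string prefix = "property:";
    std::istringstream in(text);
    std::string tok;
    bool want_operand = true;
    *out = Trigger();
    while (in >> tok) {
        if (!want_operand) {  // between operands only "&&" is allowed
            if (tok != "&&") return false;
        } else if (tok.compare(0, prefix.size(), prefix) == 0) {
            std::string::size_type eq = tok.find('=', prefix.size());
            if (eq == std::string::npos || eq == prefix.size()) return false;
            out->props[tok.substr(prefix.size(), eq - prefix.size())] = tok.substr(eq + 1);
        } else {  // event trigger: a second one is a parse error
            if (tok == "&&" || !out->event.empty()) return false;
            out->event = tok;
        }
        want_operand = !want_operand;
    }
    return !want_operand;  // rejects empty input and a trailing "&&"
}

static bool PropsMatch(const Trigger& t, const Props& current) {
    for (const auto& want : t.props) {
        Props::const_iterator cur = current.find(want.first);
        if (cur == current.end() || cur->second != want.second) return false;
    }
    return true;
}

// An event fires the action only if it is the named event and all properties match.
bool FiresOnEvent(const Trigger& t, const std::string& event, const Props& current) {
    return !t.event.empty() && t.event == event && PropsMatch(t, current);
}

// A property change fires only property-only triggers that mention that property.
bool FiresOnPropertyChange(const Trigger& t, const std::string& changed, const Props& now) {
    return t.event.empty() && t.props.count(changed) > 0 && PropsMatch(t, now);
}
```
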
Support added so init scripts can now import directories.
BUG: 22721249
Change-Id: I02b566bfb50ea84469f1ea0c6ad205435a1df286
TEST: Tested importing a folder on arm64 emulator
It is only a temporary fix. I hope the code can be moved into a member
function of class Command.
Bug: 22654233
Change-Id: I38c24fb624e54986a953f44d398b3b80c3795d24
Also switch expand_props to std::string.
Bug: 22654233
Change-Id: I62910d4f74e2b1a5bd2b14aea440767a2a8462b7
Bug: 22654233
Change-Id: Id6091f58432f75e966b9871256049fbe17766c10
When SELinux is in enforcing mode, any process executed by
init must have a domain transition defined. See
https://android-review.googlesource.com/108640 for details. This
prevents an executable spawned by init from remaining in init's
(very powerful) SELinux domain.
However, this is only enforced when SELinux is in enforcing mode.
During new device bringup, it's common to run an Android device
in globally permissive mode. In globally permissive mode, SELinux
denials are logged only, but otherwise ignored. If appropriate
SELinux domain transitions are not defined from init to init spawned
processes, this could cause misleading SELinux denials attributed
to init instead of the child process.
To help address these misleading denials, modify init to not spawn
processes unless a domain transition is defined. This essentially
enforces the rules in https://android-review.googlesource.com/108640
on both permissive and enforcing kernels.
While I'm here, change some "freecon()" calls to "free()", with the
long term goal of deleting freecon() entirely.
Change-Id: I3ef3a372bb85df61a3f6234cb1113cc25fc6506a
This adds the "writepid" option that instructs init to write the child's
pid to the given filenames (such as /dev/cpuctl/bg_non_interactive/cgroup.procs
and/or /dev/cpuset/foreground/cgroup.procs).
Bug: http://b/21163745
Change-Id: I121bb22aa208bc99c4fb334eb552fdd5bcc47c1a
d34e407aeb5898f19d4f042b7558420bbb3a1817 removed support for
running with SELinux completely disabled. SELinux must either be
in permissive or enforcing mode now.
Remove unnecessary calls to is_selinux_enabled(). It always returns
true now.
Change-Id: Ife3156b74b13b2e590afe4accf716fc7776567e5
Allow SECLABEL to be - to denote default
Change-Id: I58cdc6c805dc6e50dc42b7e13e72d0eaf4864f11
5s was already a ridiculously long time to delay booting, and some OEMs are
trying to make it even more insane:
https://www.codeaurora.org/cgit/quic/la/platform/system/core/commit/?h=lp&id=fd23edd48272976d2fb333f377242173f92aa343
Let's at least ensure that Nexus and Android One devices don't take forever
to boot...
Bug: http://b/19899875
Change-Id: I9680c166a759360f34118e51cd0645e12b6bd5c8
Helped debug a problem where the N9 bootloader incorrectly
concatenated the various command lines.
Bug: http://b/20906691
Change-Id: I0580b06f4185129c7eedf0bdf74b5ce17f88bf9c
Remove support for androidboot.selinux=disabled. Running with SELinux
disabled is not a supported configuration anymore. SELinux must be
in enforcing in shipping devices, but we also support permissive for
userdebug/eng builds.
Don't try security_setenforce() if we're already in enforcing mode.
A kernel compiled without CONFIG_SECURITY_SELINUX_DEVELOP does
not have a permissive mode, so the kernel will already be enforcing
once the policy is loaded.
Bug: 19702273
Change-Id: I07525a017ddb682020ec0d42e56a2702c053bdeb
Don't double mount /dev and its subdirectories anymore. Instead, the
first stage init is solely responsible for mounting it.
Don't have init prepare the property space. This is the responsibility
of the second stage init.
Don't have SELinux use the property space to determine how we should
be running. Instead, create a new function and extract the data we
need directly from /proc/cmdline. SELinux needs this information in
the first stage init process where the property service isn't available.
Change-Id: I5b4f3bec79463a7381a68f30bdda78b5cc122a96
The first stage init mounts /proc and /sys, and then the second
stage init also mounts /proc and /sys on top of the existing mount.
Only mount these two directories once, in the first stage init.
Not yet fixed: the double mounting of /dev. Removing the double
mounting doesn't work right now because both init stages are trying
to create a property space, and if the double mount of /dev goes away,
the property service in the second stage init fails to work.
Change-Id: I13719027a47526d074390c2b1a605ad99fb43a8f
write_file() returned -errno on error, not -1. Callers who check for
-1 would falsely believe that the write was successful when it wasn't.
Fixup write_file so that it returns -1 on error consistent
with other functions.
Change-Id: Ic51aaf8678d8d97b2606bd171f11b3b11f642e39
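
An added illustration of the mismatch described in this commit message, not code from the commit or from init: a caller that tests for -1 misses a failure reported as -errno. All function names and the path are made up for the example.

```cpp
#include <cerrno>
#include <cstring>
#include <fcntl.h>
#include <unistd.h>

// Hypothetical stand-ins for illustration; this is not init's write_file().
// Pre-fix convention from the commit message: failures come back as -errno.
int write_file_errno(const char* path, const char* value) {
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0) return -errno;
    const ssize_t len = static_cast<ssize_t>(std::strlen(value));
    const ssize_t n = write(fd, value, len);
    const int ret = (n == len) ? 0 : -(n < 0 ? errno : EIO);
    close(fd);
    return ret;
}

// Post-fix convention: every failure is reported as -1, like the other helpers.
int write_file_fixed(const char* path, const char* value) {
    return write_file_errno(path, value) < 0 ? -1 : 0;
}

// A caller written against the "-1 means error" convention.
bool caller_detects_failure(int rc) {
    return rc == -1;
}

// Constructed failing input: the parent directory does not exist, so open()
// fails with ENOENT. On Linux only EPERM (value 1) makes -errno equal -1.
const char kMissingPath[] = "/nonexistent-example-dir/value";

bool old_failure_goes_unnoticed() {
    return !caller_detects_failure(write_file_errno(kMissingPath, "1"));
}

bool fixed_failure_is_detected() {
    return caller_detects_failure(write_file_fixed(kMissingPath, "1"));
}
```
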
These directories are already present in the initial ramdisk, and
these mkdir calls are no-ops.
Change-Id: I528f9e96a3471de904845a2f9e09c1b6ff83a708
Not just because it's what the cool kids are doing --- it also lets us
simplify the inner loop and decouple it from whatever systems want to
be woken to perform some activity if there's data to be read on some fd.
Currently this is just used to clean up the existing signal handling,
keychord, and property service code.
Change-Id: I4d7541a2c4386957ad877df69e3be08b96a7dec5
All the code that was being delayed does is create a socket. We can
do that straight away, avoid the overhead, and simplify our main loop.
The keychord fd, on the other hand, seems a little tricky. It looks
like /dev/keychord isn't immediately available, at least not on N9;
we have to wait for ueventd to set us up the bomb.
Change-Id: I020e75b8e4b233497707f0a3cbbb6038b714161f
We can set it up earlier, and error reporting like this helped me find
the SELinux problem with the last change to this code.
Change-Id: If0f38bc5ff0465c4030e2d39d34f31f49b2d8487
Fixes init deadlock when an exec command was called
in an on-init section.
The exec command handling relies on the signal handler
mechanism working to know when to continue executing
commands.
Change-Id: Ib0ce75ffad7cf3bf926c93d0506b2fe3e5a92630
This reverts commit 4217374611ada50f33aee544f015f6f9dfbf7ced.
It turns out that the kernel passes any unrecognized arguments on to init,
and (at least) N6 and N9 have such arguments. My lazy check of argc was
thus insufficient to recognize what stage of init we were in, so we'd
skip to stage 2 and not set up SELinux. And apparently you can get a
very long way with SELinux off... We'll fix that in a later change.
Bug: 19702273
Change-Id: I43b3fb722fed35dd217cb529cbcac9a29aff4e4b
shamu isn't booting.
This reverts commit adf0d1bbfa4bc560c2106f14afa8258a11c48bf6.
Change-Id: I89d568838cebbe14cc4a8ae3843f0f1ac54987af
Change-Id: I38adabe5789d671e3f7d21936071a758ec8cea8a
Also make important events in init's life NOTICE rather than INFO,
and ensure that NOTICE events actually make it to the kernel log.
Also fix the logging so that if you have a printf format string
error, the compiler now catches it.
Also give messages from init, ueventd, and watchdogd distinct tags.
(Previously they'd all call themselves "init", and dmesg doesn't
include pids, so you couldn't untangle them.)
Also include the tag in SELinux messages.
Bug: 19544788
Change-Id: Ica6daea065bfdb80155c52c0b06f346a7df208fe
In particular, ensure that all property_set failures are reported.
Change-Id: Iab94a28bcba2346868c0f39bcfe26e55a2c55562
Also remove some code marked "TODO: these are obsolete. We should delete
them".
Change-Id: I6255cee4cb6680bfcbc5b46366990309cba95037
- Make sure compatible DT node is "android,firmware"
- Set ro.boot.* properties from firmware/android/ DT node
(cherry-pick of cbcbea27c70846a96f4bba2f7cb245f937de4d3f.)
Change-Id: If3d0716831516cb3d3fde1f75d57e2691d42d054
- Clean up the paths for ro.revision and ro.hardware parsing
- Use ro.hardware in ueventd instead of parsing the kernel command line
(cherry-pick of 38b340a52f8e864650db8bae1eb88d5c00485db0.)
Bug: 19366018
Change-Id: I018a293f3d46e736a8b65132b5b00b0f7c20edae
Change-Id: Ia880810bb2c9a976dceeb0ffdba0cb98e69e3c6d
Bug: 19564110
Change-Id: I343b4a360b10319dca13ab01f2d411ff940e9052
Change-Id: I665756615eef74b05ef92f5865d910f29ead0695
Change-Id: I20329bc9b378479d745b498d6a00eca0872cd5ab
Bug: 19340053
Change-Id: Id0d866e6195ed4752b4be6081eeb2aab8b1dbe9a
bootchart uses a file on the data partition to decide if it should collect
data for bootchart, but the data partition will be mounted by the mount_all
command in the "on fs" section, and it will be only added into the action
queue when command "trigger fs" is executed, but that's after the
bootchart_init action (late_init).
This change makes bootchart_init a builtin command of init,
and makes it execute as the first command of the "on post-fs" section,
which will be triggered after the "on fs" section.
This change also refactors the bootchart code to all be in bootchart.cpp.
Change-Id: Ia74aa34ca5b785f51fcffdd383075a549b2a99d9
Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
This isn't particularly useful in and of itself, but it does introduce the
first (trivial) unit test, improves the documentation (including details
about how to debug init crashes), and made me aware of how unpleasant the
existing parser is.
I also fixed a bug in passing --- unless you thought the "peboot" and "pm"
commands were features...
Bug: 19217569
Change-Id: I6ab76129a543ce3ed3dab52ef2c638009874c3de
Use regular 'if' to prevent bitrot.
Also remove remaining typedefs.
Change-Id: I2e6ca928e2db29b88b643cf990ff05cfb0be94a6
This is just the minimal change to keep it building.
Change-Id: I245c5b8413a1db114576c81462eb5737f5ffcef2