1 /*
2 * Copyright (C) 2008 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <ctype.h>
18 #include <dirent.h>
19 #include <errno.h>
20 #include <fcntl.h>
21 #include <inttypes.h>
22 #include <keyutils.h>
23 #include <libgen.h>
24 #include <paths.h>
25 #include <signal.h>
26 #include <stdarg.h>
27 #include <stdio.h>
28 #include <stdlib.h>
29 #include <string.h>
30 #include <sys/epoll.h>
31 #include <sys/mount.h>
32 #include <sys/socket.h>
33 #include <sys/stat.h>
34 #include <sys/sysmacros.h>
35 #include <sys/types.h>
36 #include <sys/un.h>
37 #include <sys/wait.h>
38 #include <unistd.h>
39
40 #include <selinux/selinux.h>
41 #include <selinux/label.h>
42 #include <selinux/android.h>
43
44 #include <android-base/file.h>
45 #include <android-base/properties.h>
46 #include <android-base/stringprintf.h>
47 #include <android-base/strings.h>
48 #include <android-base/unique_fd.h>
49 #include <libavb/libavb.h>
50 #include <private/android_filesystem_config.h>
51
52 #include <fstream>
53 #include <memory>
54 #include <vector>
55
56 #include "action.h"
57 #include "bootchart.h"
58 #include "devices.h"
59 #include "import_parser.h"
60 #include "init.h"
61 #include "init_first_stage.h"
62 #include "init_parser.h"
63 #include "keychords.h"
64 #include "log.h"
65 #include "property_service.h"
66 #include "reboot.h"
67 #include "service.h"
68 #include "signal_handler.h"
69 #include "ueventd.h"
70 #include "util.h"
71 #include "watchdogd.h"
72
73 using android::base::GetProperty;
74 using android::base::StringPrintf;
75
76 struct selabel_handle *sehandle;
77 struct selabel_handle *sehandle_prop;
78
79 static int property_triggers_enabled = 0;
80
81 static char qemu[32];
82
83 std::string default_console = "/dev/console";
84 static time_t process_needs_restart_at;
85
86 const char *ENV[32];
87
88 static int epoll_fd = -1;
89
90 static std::unique_ptr<Timer> waiting_for_prop(nullptr);
91 static std::string wait_prop_name;
92 static std::string wait_prop_value;
93
register_epoll_handler(int fd,void (* fn)())94 void register_epoll_handler(int fd, void (*fn)()) {
95 epoll_event ev;
96 ev.events = EPOLLIN;
97 ev.data.ptr = reinterpret_cast<void*>(fn);
98 if (epoll_ctl(epoll_fd, EPOLL_CTL_ADD, fd, &ev) == -1) {
99 PLOG(ERROR) << "epoll_ctl failed";
100 }
101 }
102
103 /* add_environment - add "key=value" to the current environment */
add_environment(const char * key,const char * val)104 int add_environment(const char *key, const char *val)
105 {
106 size_t n;
107 size_t key_len = strlen(key);
108
109 /* The last environment entry is reserved to terminate the list */
110 for (n = 0; n < (arraysize(ENV) - 1); n++) {
111
112 /* Delete any existing entry for this key */
113 if (ENV[n] != NULL) {
114 size_t entry_key_len = strcspn(ENV[n], "=");
115 if ((entry_key_len == key_len) && (strncmp(ENV[n], key, entry_key_len) == 0)) {
116 free((char*)ENV[n]);
117 ENV[n] = NULL;
118 }
119 }
120
121 /* Add entry if a free slot is available */
122 if (ENV[n] == NULL) {
123 char* entry;
124 asprintf(&entry, "%s=%s", key, val);
125 ENV[n] = entry;
126 return 0;
127 }
128 }
129
130 LOG(ERROR) << "No env. room to store: '" << key << "':'" << val << "'";
131
132 return -1;
133 }
134
start_waiting_for_property(const char * name,const char * value)135 bool start_waiting_for_property(const char *name, const char *value)
136 {
137 if (waiting_for_prop) {
138 return false;
139 }
140 if (GetProperty(name, "") != value) {
141 // Current property value is not equal to expected value
142 wait_prop_name = name;
143 wait_prop_value = value;
144 waiting_for_prop.reset(new Timer());
145 } else {
146 LOG(INFO) << "start_waiting_for_property(\""
147 << name << "\", \"" << value << "\"): already set";
148 }
149 return true;
150 }
151
property_changed(const std::string & name,const std::string & value)152 void property_changed(const std::string& name, const std::string& value) {
153 // If the property is sys.powerctl, we bypass the event queue and immediately handle it.
154 // This is to ensure that init will always and immediately shutdown/reboot, regardless of
155 // if there are other pending events to process or if init is waiting on an exec service or
156 // waiting on a property.
157 if (name == "sys.powerctl") HandlePowerctlMessage(value);
158
159 if (property_triggers_enabled)
160 ActionManager::GetInstance().QueuePropertyTrigger(name, value);
161 if (waiting_for_prop) {
162 if (wait_prop_name == name && wait_prop_value == value) {
163 wait_prop_name.clear();
164 wait_prop_value.clear();
165 LOG(INFO) << "Wait for property took " << *waiting_for_prop;
166 waiting_for_prop.reset();
167 }
168 }
169 }
170
restart_processes()171 static void restart_processes()
172 {
173 process_needs_restart_at = 0;
174 ServiceManager::GetInstance().ForEachServiceWithFlags(SVC_RESTARTING, [](Service* s) {
175 s->RestartIfNeeded(&process_needs_restart_at);
176 });
177 }
178
handle_control_message(const std::string & msg,const std::string & name)179 void handle_control_message(const std::string& msg, const std::string& name) {
180 Service* svc = ServiceManager::GetInstance().FindServiceByName(name);
181 if (svc == nullptr) {
182 LOG(ERROR) << "no such service '" << name << "'";
183 return;
184 }
185
186 if (msg == "start") {
187 svc->Start();
188 } else if (msg == "stop") {
189 svc->Stop();
190 } else if (msg == "restart") {
191 svc->Restart();
192 } else {
193 LOG(ERROR) << "unknown control msg '" << msg << "'";
194 }
195 }
196
wait_for_coldboot_done_action(const std::vector<std::string> & args)197 static int wait_for_coldboot_done_action(const std::vector<std::string>& args) {
198 Timer t;
199
200 LOG(VERBOSE) << "Waiting for " COLDBOOT_DONE "...";
201
202 // Historically we had a 1s timeout here because we weren't otherwise
203 // tracking boot time, and many OEMs made their sepolicy regular
204 // expressions too expensive (http://b/19899875).
205
206 // Now we're tracking boot time, just log the time taken to a system
207 // property. We still panic if it takes more than a minute though,
208 // because any build that slow isn't likely to boot at all, and we'd
209 // rather any test lab devices fail back to the bootloader.
210 if (wait_for_file(COLDBOOT_DONE, 60s) < 0) {
211 LOG(ERROR) << "Timed out waiting for " COLDBOOT_DONE;
212 panic();
213 }
214
215 property_set("ro.boottime.init.cold_boot_wait", std::to_string(t.duration_ms()).c_str());
216 return 0;
217 }
218
219 /*
220 * Writes 512 bytes of output from Hardware RNG (/dev/hw_random, backed
221 * by Linux kernel's hw_random framework) into Linux RNG's via /dev/urandom.
222 * Does nothing if Hardware RNG is not present.
223 *
224 * Since we don't yet trust the quality of Hardware RNG, these bytes are not
225 * mixed into the primary pool of Linux RNG and the entropy estimate is left
226 * unmodified.
227 *
228 * If the HW RNG device /dev/hw_random is present, we require that at least
229 * 512 bytes read from it are written into Linux RNG. QA is expected to catch
230 * devices/configurations where these I/O operations are blocking for a long
231 * time. We do not reboot or halt on failures, as this is a best-effort
232 * attempt.
233 */
mix_hwrng_into_linux_rng_action(const std::vector<std::string> & args)234 static int mix_hwrng_into_linux_rng_action(const std::vector<std::string>& args)
235 {
236 int result = -1;
237 int hwrandom_fd = -1;
238 int urandom_fd = -1;
239 char buf[512];
240 ssize_t chunk_size;
241 size_t total_bytes_written = 0;
242
243 hwrandom_fd = TEMP_FAILURE_RETRY(
244 open("/dev/hw_random", O_RDONLY | O_NOFOLLOW | O_CLOEXEC));
245 if (hwrandom_fd == -1) {
246 if (errno == ENOENT) {
247 LOG(ERROR) << "/dev/hw_random not found";
248 // It's not an error to not have a Hardware RNG.
249 result = 0;
250 } else {
251 PLOG(ERROR) << "Failed to open /dev/hw_random";
252 }
253 goto ret;
254 }
255
256 urandom_fd = TEMP_FAILURE_RETRY(
257 open("/dev/urandom", O_WRONLY | O_NOFOLLOW | O_CLOEXEC));
258 if (urandom_fd == -1) {
259 PLOG(ERROR) << "Failed to open /dev/urandom";
260 goto ret;
261 }
262
263 while (total_bytes_written < sizeof(buf)) {
264 chunk_size = TEMP_FAILURE_RETRY(
265 read(hwrandom_fd, buf, sizeof(buf) - total_bytes_written));
266 if (chunk_size == -1) {
267 PLOG(ERROR) << "Failed to read from /dev/hw_random";
268 goto ret;
269 } else if (chunk_size == 0) {
270 LOG(ERROR) << "Failed to read from /dev/hw_random: EOF";
271 goto ret;
272 }
273
274 chunk_size = TEMP_FAILURE_RETRY(write(urandom_fd, buf, chunk_size));
275 if (chunk_size == -1) {
276 PLOG(ERROR) << "Failed to write to /dev/urandom";
277 goto ret;
278 }
279 total_bytes_written += chunk_size;
280 }
281
282 LOG(INFO) << "Mixed " << total_bytes_written << " bytes from /dev/hw_random into /dev/urandom";
283 result = 0;
284
285 ret:
286 if (hwrandom_fd != -1) {
287 close(hwrandom_fd);
288 }
289 if (urandom_fd != -1) {
290 close(urandom_fd);
291 }
292 return result;
293 }
294
security_failure()295 static void security_failure() {
296 LOG(ERROR) << "Security failure...";
297 panic();
298 }
299
set_highest_available_option_value(std::string path,int min,int max)300 static bool set_highest_available_option_value(std::string path, int min, int max)
301 {
302 std::ifstream inf(path, std::fstream::in);
303 if (!inf) {
304 LOG(ERROR) << "Cannot open for reading: " << path;
305 return false;
306 }
307
308 int current = max;
309 while (current >= min) {
310 // try to write out new value
311 std::string str_val = std::to_string(current);
312 std::ofstream of(path, std::fstream::out);
313 if (!of) {
314 LOG(ERROR) << "Cannot open for writing: " << path;
315 return false;
316 }
317 of << str_val << std::endl;
318 of.close();
319
320 // check to make sure it was recorded
321 inf.seekg(0);
322 std::string str_rec;
323 inf >> str_rec;
324 if (str_val.compare(str_rec) == 0) {
325 break;
326 }
327 current--;
328 }
329 inf.close();
330
331 if (current < min) {
332 LOG(ERROR) << "Unable to set minimum option value " << min << " in " << path;
333 return false;
334 }
335 return true;
336 }
337
338 #define MMAP_RND_PATH "/proc/sys/vm/mmap_rnd_bits"
339 #define MMAP_RND_COMPAT_PATH "/proc/sys/vm/mmap_rnd_compat_bits"
340
341 /* __attribute__((unused)) due to lack of mips support: see mips block
342 * in set_mmap_rnd_bits_action */
set_mmap_rnd_bits_min(int start,int min,bool compat)343 static bool __attribute__((unused)) set_mmap_rnd_bits_min(int start, int min, bool compat) {
344 std::string path;
345 if (compat) {
346 path = MMAP_RND_COMPAT_PATH;
347 } else {
348 path = MMAP_RND_PATH;
349 }
350
351 return set_highest_available_option_value(path, min, start);
352 }
353
354 /*
355 * Set /proc/sys/vm/mmap_rnd_bits and potentially
356 * /proc/sys/vm/mmap_rnd_compat_bits to the maximum supported values.
357 * Returns -1 if unable to set these to an acceptable value.
358 *
359 * To support this sysctl, the following upstream commits are needed:
360 *
361 * d07e22597d1d mm: mmap: add new /proc tunable for mmap_base ASLR
362 * e0c25d958f78 arm: mm: support ARCH_MMAP_RND_BITS
363 * 8f0d3aa9de57 arm64: mm: support ARCH_MMAP_RND_BITS
364 * 9e08f57d684a x86: mm: support ARCH_MMAP_RND_BITS
365 * ec9ee4acd97c drivers: char: random: add get_random_long()
366 * 5ef11c35ce86 mm: ASLR: use get_random_long()
367 */
set_mmap_rnd_bits_action(const std::vector<std::string> & args)368 static int set_mmap_rnd_bits_action(const std::vector<std::string>& args)
369 {
370 int ret = -1;
371
372 /* values are arch-dependent */
373 #if defined(__aarch64__)
374 /* arm64 supports 18 - 33 bits depending on pagesize and VA_SIZE */
375 if (set_mmap_rnd_bits_min(33, 24, false)
376 && set_mmap_rnd_bits_min(16, 16, true)) {
377 ret = 0;
378 }
379 #elif defined(__x86_64__)
380 /* x86_64 supports 28 - 32 bits */
381 if (set_mmap_rnd_bits_min(32, 32, false)
382 && set_mmap_rnd_bits_min(16, 16, true)) {
383 ret = 0;
384 }
385 #elif defined(__arm__) || defined(__i386__)
386 /* check to see if we're running on 64-bit kernel */
387 bool h64 = !access(MMAP_RND_COMPAT_PATH, F_OK);
388 /* supported 32-bit architecture must have 16 bits set */
389 if (set_mmap_rnd_bits_min(16, 16, h64)) {
390 ret = 0;
391 }
392 #elif defined(__mips__) || defined(__mips64__)
393 // TODO: add mips support b/27788820
394 ret = 0;
395 #else
396 LOG(ERROR) << "Unknown architecture";
397 #endif
398
399 if (ret == -1) {
400 LOG(ERROR) << "Unable to set adequate mmap entropy value!";
401 security_failure();
402 }
403 return ret;
404 }
405
406 #define KPTR_RESTRICT_PATH "/proc/sys/kernel/kptr_restrict"
407 #define KPTR_RESTRICT_MINVALUE 2
408 #define KPTR_RESTRICT_MAXVALUE 4
409
410 /* Set kptr_restrict to the highest available level.
411 *
412 * Aborts if unable to set this to an acceptable value.
413 */
set_kptr_restrict_action(const std::vector<std::string> & args)414 static int set_kptr_restrict_action(const std::vector<std::string>& args)
415 {
416 std::string path = KPTR_RESTRICT_PATH;
417
418 if (!set_highest_available_option_value(path, KPTR_RESTRICT_MINVALUE, KPTR_RESTRICT_MAXVALUE)) {
419 LOG(ERROR) << "Unable to set adequate kptr_restrict value!";
420 security_failure();
421 }
422 return 0;
423 }
424
keychord_init_action(const std::vector<std::string> & args)425 static int keychord_init_action(const std::vector<std::string>& args)
426 {
427 keychord_init();
428 return 0;
429 }
430
console_init_action(const std::vector<std::string> & args)431 static int console_init_action(const std::vector<std::string>& args)
432 {
433 std::string console = GetProperty("ro.boot.console", "");
434 if (!console.empty()) {
435 default_console = "/dev/" + console;
436 }
437 return 0;
438 }
439
import_kernel_nv(const std::string & key,const std::string & value,bool for_emulator)440 static void import_kernel_nv(const std::string& key, const std::string& value, bool for_emulator) {
441 if (key.empty()) return;
442
443 if (for_emulator) {
444 // In the emulator, export any kernel option with the "ro.kernel." prefix.
445 property_set(StringPrintf("ro.kernel.%s", key.c_str()).c_str(), value.c_str());
446 return;
447 }
448
449 if (key == "qemu") {
450 strlcpy(qemu, value.c_str(), sizeof(qemu));
451 } else if (android::base::StartsWith(key, "androidboot.")) {
452 property_set(StringPrintf("ro.boot.%s", key.c_str() + 12).c_str(), value.c_str());
453 }
454 }
455
export_oem_lock_status()456 static void export_oem_lock_status() {
457 if (!android::base::GetBoolProperty("ro.oem_unlock_supported", false)) {
458 return;
459 }
460
461 std::string value = GetProperty("ro.boot.verifiedbootstate", "");
462
463 if (!value.empty()) {
464 property_set("ro.boot.flash.locked", value == "orange" ? "0" : "1");
465 }
466 }
467
export_kernel_boot_props()468 static void export_kernel_boot_props() {
469 struct {
470 const char *src_prop;
471 const char *dst_prop;
472 const char *default_value;
473 } prop_map[] = {
474 { "ro.boot.serialno", "ro.serialno", "", },
475 { "ro.boot.mode", "ro.bootmode", "unknown", },
476 { "ro.boot.baseband", "ro.baseband", "unknown", },
477 { "ro.boot.bootloader", "ro.bootloader", "unknown", },
478 { "ro.boot.hardware", "ro.hardware", "unknown", },
479 { "ro.boot.revision", "ro.revision", "0", },
480 };
481 for (size_t i = 0; i < arraysize(prop_map); i++) {
482 std::string value = GetProperty(prop_map[i].src_prop, "");
483 property_set(prop_map[i].dst_prop, (!value.empty()) ? value.c_str() : prop_map[i].default_value);
484 }
485 }
486
process_kernel_dt()487 static void process_kernel_dt() {
488 if (!is_android_dt_value_expected("compatible", "android,firmware")) {
489 return;
490 }
491
492 std::unique_ptr<DIR, int (*)(DIR*)> dir(opendir(kAndroidDtDir.c_str()), closedir);
493 if (!dir) return;
494
495 std::string dt_file;
496 struct dirent *dp;
497 while ((dp = readdir(dir.get())) != NULL) {
498 if (dp->d_type != DT_REG || !strcmp(dp->d_name, "compatible") || !strcmp(dp->d_name, "name")) {
499 continue;
500 }
501
502 std::string file_name = kAndroidDtDir + dp->d_name;
503
504 android::base::ReadFileToString(file_name, &dt_file);
505 std::replace(dt_file.begin(), dt_file.end(), ',', '.');
506
507 std::string property_name = StringPrintf("ro.boot.%s", dp->d_name);
508 property_set(property_name.c_str(), dt_file.c_str());
509 }
510 }
511
process_kernel_cmdline()512 static void process_kernel_cmdline() {
513 // The first pass does the common stuff, and finds if we are in qemu.
514 // The second pass is only necessary for qemu to export all kernel params
515 // as properties.
516 import_kernel_cmdline(false, import_kernel_nv);
517 if (qemu[0]) import_kernel_cmdline(true, import_kernel_nv);
518 }
519
property_enable_triggers_action(const std::vector<std::string> & args)520 static int property_enable_triggers_action(const std::vector<std::string>& args)
521 {
522 /* Enable property triggers. */
523 property_triggers_enabled = 1;
524 return 0;
525 }
526
queue_property_triggers_action(const std::vector<std::string> & args)527 static int queue_property_triggers_action(const std::vector<std::string>& args)
528 {
529 ActionManager::GetInstance().QueueBuiltinAction(property_enable_triggers_action, "enable_property_trigger");
530 ActionManager::GetInstance().QueueAllPropertyTriggers();
531 return 0;
532 }
533
selinux_init_all_handles(void)534 static void selinux_init_all_handles(void)
535 {
536 sehandle = selinux_android_file_context_handle();
537 selinux_android_set_sehandle(sehandle);
538 sehandle_prop = selinux_android_prop_context_handle();
539 }
540
541 enum selinux_enforcing_status { SELINUX_PERMISSIVE, SELINUX_ENFORCING };
542
selinux_status_from_cmdline()543 static selinux_enforcing_status selinux_status_from_cmdline() {
544 selinux_enforcing_status status = SELINUX_ENFORCING;
545
546 import_kernel_cmdline(false, [&](const std::string& key, const std::string& value, bool in_qemu) {
547 if (key == "androidboot.selinux" && value == "permissive") {
548 status = SELINUX_PERMISSIVE;
549 }
550 });
551
552 return status;
553 }
554
selinux_is_enforcing(void)555 static bool selinux_is_enforcing(void)
556 {
557 if (ALLOW_PERMISSIVE_SELINUX) {
558 return selinux_status_from_cmdline() == SELINUX_ENFORCING;
559 }
560 return true;
561 }
562
audit_callback(void * data,security_class_t,char * buf,size_t len)563 static int audit_callback(void *data, security_class_t /*cls*/, char *buf, size_t len) {
564
565 property_audit_data *d = reinterpret_cast<property_audit_data*>(data);
566
567 if (!d || !d->name || !d->cr) {
568 LOG(ERROR) << "audit_callback invoked with null data arguments!";
569 return 0;
570 }
571
572 snprintf(buf, len, "property=%s pid=%d uid=%d gid=%d", d->name,
573 d->cr->pid, d->cr->uid, d->cr->gid);
574 return 0;
575 }
576
577 /*
578 * Forks, executes the provided program in the child, and waits for the completion in the parent.
579 * Child's stderr is captured and logged using LOG(ERROR).
580 *
581 * Returns true if the child exited with status code 0, returns false otherwise.
582 */
fork_execve_and_wait_for_completion(const char * filename,char * const argv[],char * const envp[])583 static bool fork_execve_and_wait_for_completion(const char* filename, char* const argv[],
584 char* const envp[]) {
585 // Create a pipe used for redirecting child process's output.
586 // * pipe_fds[0] is the FD the parent will use for reading.
587 // * pipe_fds[1] is the FD the child will use for writing.
588 int pipe_fds[2];
589 if (pipe(pipe_fds) == -1) {
590 PLOG(ERROR) << "Failed to create pipe";
591 return false;
592 }
593
594 pid_t child_pid = fork();
595 if (child_pid == -1) {
596 PLOG(ERROR) << "Failed to fork for " << filename;
597 return false;
598 }
599
600 if (child_pid == 0) {
601 // fork succeeded -- this is executing in the child process
602
603 // Close the pipe FD not used by this process
604 TEMP_FAILURE_RETRY(close(pipe_fds[0]));
605
606 // Redirect stderr to the pipe FD provided by the parent
607 if (TEMP_FAILURE_RETRY(dup2(pipe_fds[1], STDERR_FILENO)) == -1) {
608 PLOG(ERROR) << "Failed to redirect stderr of " << filename;
609 _exit(127);
610 return false;
611 }
612 TEMP_FAILURE_RETRY(close(pipe_fds[1]));
613
614 if (execve(filename, argv, envp) == -1) {
615 PLOG(ERROR) << "Failed to execve " << filename;
616 return false;
617 }
618 // Unreachable because execve will have succeeded and replaced this code
619 // with child process's code.
620 _exit(127);
621 return false;
622 } else {
623 // fork succeeded -- this is executing in the original/parent process
624
625 // Close the pipe FD not used by this process
626 TEMP_FAILURE_RETRY(close(pipe_fds[1]));
627
628 // Log the redirected output of the child process.
629 // It's unfortunate that there's no standard way to obtain an istream for a file descriptor.
630 // As a result, we're buffering all output and logging it in one go at the end of the
631 // invocation, instead of logging it as it comes in.
632 const int child_out_fd = pipe_fds[0];
633 std::string child_output;
634 if (!android::base::ReadFdToString(child_out_fd, &child_output)) {
635 PLOG(ERROR) << "Failed to capture full output of " << filename;
636 }
637 TEMP_FAILURE_RETRY(close(child_out_fd));
638 if (!child_output.empty()) {
639 // Log captured output, line by line, because LOG expects to be invoked for each line
640 std::istringstream in(child_output);
641 std::string line;
642 while (std::getline(in, line)) {
643 LOG(ERROR) << filename << ": " << line;
644 }
645 }
646
647 // Wait for child to terminate
648 int status;
649 if (TEMP_FAILURE_RETRY(waitpid(child_pid, &status, 0)) != child_pid) {
650 PLOG(ERROR) << "Failed to wait for " << filename;
651 return false;
652 }
653
654 if (WIFEXITED(status)) {
655 int status_code = WEXITSTATUS(status);
656 if (status_code == 0) {
657 return true;
658 } else {
659 LOG(ERROR) << filename << " exited with status " << status_code;
660 }
661 } else if (WIFSIGNALED(status)) {
662 LOG(ERROR) << filename << " killed by signal " << WTERMSIG(status);
663 } else if (WIFSTOPPED(status)) {
664 LOG(ERROR) << filename << " stopped by signal " << WSTOPSIG(status);
665 } else {
666 LOG(ERROR) << "waitpid for " << filename << " returned unexpected status: " << status;
667 }
668
669 return false;
670 }
671 }
672
read_first_line(const char * file,std::string * line)673 static bool read_first_line(const char* file, std::string* line) {
674 line->clear();
675
676 std::string contents;
677 if (!android::base::ReadFileToString(file, &contents, true /* follow symlinks */)) {
678 return false;
679 }
680 std::istringstream in(contents);
681 std::getline(in, *line);
682 return true;
683 }
684
selinux_find_precompiled_split_policy(std::string * file)685 static bool selinux_find_precompiled_split_policy(std::string* file) {
686 file->clear();
687
688 static constexpr const char precompiled_sepolicy[] = "/vendor/etc/selinux/precompiled_sepolicy";
689 if (access(precompiled_sepolicy, R_OK) == -1) {
690 return false;
691 }
692 std::string actual_plat_id;
693 if (!read_first_line("/system/etc/selinux/plat_and_mapping_sepolicy.cil.sha256",
694 &actual_plat_id)) {
695 PLOG(INFO) << "Failed to read "
696 "/system/etc/selinux/plat_and_mapping_sepolicy.cil.sha256";
697 return false;
698 }
699 std::string precompiled_plat_id;
700 if (!read_first_line("/vendor/etc/selinux/precompiled_sepolicy.plat_and_mapping.sha256",
701 &precompiled_plat_id)) {
702 PLOG(INFO) << "Failed to read "
703 "/vendor/etc/selinux/"
704 "precompiled_sepolicy.plat_and_mapping.sha256";
705 return false;
706 }
707 if ((actual_plat_id.empty()) || (actual_plat_id != precompiled_plat_id)) {
708 return false;
709 }
710
711 *file = precompiled_sepolicy;
712 return true;
713 }
714
selinux_get_vendor_mapping_version(std::string * plat_vers)715 static bool selinux_get_vendor_mapping_version(std::string* plat_vers) {
716 if (!read_first_line("/vendor/etc/selinux/plat_sepolicy_vers.txt", plat_vers)) {
717 PLOG(ERROR) << "Failed to read /vendor/etc/selinux/plat_sepolicy_vers.txt";
718 return false;
719 }
720 if (plat_vers->empty()) {
721 LOG(ERROR) << "No version present in plat_sepolicy_vers.txt";
722 return false;
723 }
724 return true;
725 }
726
727 static constexpr const char plat_policy_cil_file[] = "/system/etc/selinux/plat_sepolicy.cil";
728
selinux_is_split_policy_device()729 static bool selinux_is_split_policy_device() { return access(plat_policy_cil_file, R_OK) != -1; }
730
731 /*
732 * Loads SELinux policy split across platform/system and non-platform/vendor files.
733 *
734 * Returns true upon success, false otherwise (failure cause is logged).
735 */
selinux_load_split_policy()736 static bool selinux_load_split_policy() {
737 // IMPLEMENTATION NOTE: Split policy consists of three CIL files:
738 // * platform -- policy needed due to logic contained in the system image,
739 // * non-platform -- policy needed due to logic contained in the vendor image,
740 // * mapping -- mapping policy which helps preserve forward-compatibility of non-platform policy
741 // with newer versions of platform policy.
742 //
743 // secilc is invoked to compile the above three policy files into a single monolithic policy
744 // file. This file is then loaded into the kernel.
745
746 // Load precompiled policy from vendor image, if a matching policy is found there. The policy
747 // must match the platform policy on the system image.
748 std::string precompiled_sepolicy_file;
749 if (selinux_find_precompiled_split_policy(&precompiled_sepolicy_file)) {
750 android::base::unique_fd fd(
751 open(precompiled_sepolicy_file.c_str(), O_RDONLY | O_CLOEXEC | O_BINARY));
752 if (fd != -1) {
753 if (selinux_android_load_policy_from_fd(fd, precompiled_sepolicy_file.c_str()) < 0) {
754 LOG(ERROR) << "Failed to load SELinux policy from " << precompiled_sepolicy_file;
755 return false;
756 }
757 return true;
758 }
759 }
760 // No suitable precompiled policy could be loaded
761
762 LOG(INFO) << "Compiling SELinux policy";
763
764 // Determine the highest policy language version supported by the kernel
765 set_selinuxmnt("/sys/fs/selinux");
766 int max_policy_version = security_policyvers();
767 if (max_policy_version == -1) {
768 PLOG(ERROR) << "Failed to determine highest policy version supported by kernel";
769 return false;
770 }
771
772 // We store the output of the compilation on /dev because this is the most convenient tmpfs
773 // storage mount available this early in the boot sequence.
774 char compiled_sepolicy[] = "/dev/sepolicy.XXXXXX";
775 android::base::unique_fd compiled_sepolicy_fd(mkostemp(compiled_sepolicy, O_CLOEXEC));
776 if (compiled_sepolicy_fd < 0) {
777 PLOG(ERROR) << "Failed to create temporary file " << compiled_sepolicy;
778 return false;
779 }
780
781 // Determine which mapping file to include
782 std::string vend_plat_vers;
783 if (!selinux_get_vendor_mapping_version(&vend_plat_vers)) {
784 return false;
785 }
786 std::string mapping_file("/system/etc/selinux/mapping/" + vend_plat_vers + ".cil");
787 // clang-format off
788 const char* compile_args[] = {
789 "/system/bin/secilc",
790 plat_policy_cil_file,
791 "-M", "true", "-G", "-N",
792 // Target the highest policy language version supported by the kernel
793 "-c", std::to_string(max_policy_version).c_str(),
794 mapping_file.c_str(),
795 "/vendor/etc/selinux/nonplat_sepolicy.cil",
796 "-o", compiled_sepolicy,
797 // We don't care about file_contexts output by the compiler
798 "-f", "/sys/fs/selinux/null", // /dev/null is not yet available
799 nullptr};
800 // clang-format on
801
802 if (!fork_execve_and_wait_for_completion(compile_args[0], (char**)compile_args, (char**)ENV)) {
803 unlink(compiled_sepolicy);
804 return false;
805 }
806 unlink(compiled_sepolicy);
807
808 LOG(INFO) << "Loading compiled SELinux policy";
809 if (selinux_android_load_policy_from_fd(compiled_sepolicy_fd, compiled_sepolicy) < 0) {
810 LOG(ERROR) << "Failed to load SELinux policy from " << compiled_sepolicy;
811 return false;
812 }
813
814 return true;
815 }
816
817 /*
818 * Loads SELinux policy from a monolithic file.
819 *
820 * Returns true upon success, false otherwise (failure cause is logged).
821 */
selinux_load_monolithic_policy()822 static bool selinux_load_monolithic_policy() {
823 LOG(VERBOSE) << "Loading SELinux policy from monolithic file";
824 if (selinux_android_load_policy() < 0) {
825 PLOG(ERROR) << "Failed to load monolithic SELinux policy";
826 return false;
827 }
828 return true;
829 }
830
831 /*
832 * Loads SELinux policy into the kernel.
833 *
834 * Returns true upon success, false otherwise (failure cause is logged).
835 */
selinux_load_policy()836 static bool selinux_load_policy() {
837 return selinux_is_split_policy_device() ? selinux_load_split_policy()
838 : selinux_load_monolithic_policy();
839 }
840
selinux_initialize(bool in_kernel_domain)841 static void selinux_initialize(bool in_kernel_domain) {
842 Timer t;
843
844 selinux_callback cb;
845 cb.func_log = selinux_klog_callback;
846 selinux_set_callback(SELINUX_CB_LOG, cb);
847 cb.func_audit = audit_callback;
848 selinux_set_callback(SELINUX_CB_AUDIT, cb);
849
850 if (in_kernel_domain) {
851 LOG(INFO) << "Loading SELinux policy";
852 if (!selinux_load_policy()) {
853 panic();
854 }
855
856 bool kernel_enforcing = (security_getenforce() == 1);
857 bool is_enforcing = selinux_is_enforcing();
858 if (kernel_enforcing != is_enforcing) {
859 if (security_setenforce(is_enforcing)) {
860 PLOG(ERROR) << "security_setenforce(%s) failed" << (is_enforcing ? "true" : "false");
861 security_failure();
862 }
863 }
864
865 if (!write_file("/sys/fs/selinux/checkreqprot", "0")) {
866 security_failure();
867 }
868
869 // init's first stage can't set properties, so pass the time to the second stage.
870 setenv("INIT_SELINUX_TOOK", std::to_string(t.duration_ms()).c_str(), 1);
871 } else {
872 selinux_init_all_handles();
873 }
874 }
875
876 // The files and directories that were created before initial sepolicy load
877 // need to have their security context restored to the proper value.
878 // This must happen before /dev is populated by ueventd.
selinux_restore_context()879 static void selinux_restore_context() {
880 LOG(INFO) << "Running restorecon...";
881 restorecon("/dev");
882 restorecon("/dev/kmsg");
883 restorecon("/dev/socket");
884 restorecon("/dev/random");
885 restorecon("/dev/urandom");
886 restorecon("/dev/__properties__");
887
888 restorecon("/file_contexts.bin");
889 restorecon("/plat_file_contexts");
890 restorecon("/nonplat_file_contexts");
891 restorecon("/plat_property_contexts");
892 restorecon("/nonplat_property_contexts");
893 restorecon("/plat_seapp_contexts");
894 restorecon("/nonplat_seapp_contexts");
895 restorecon("/plat_service_contexts");
896 restorecon("/nonplat_service_contexts");
897 restorecon("/plat_hwservice_contexts");
898 restorecon("/nonplat_hwservice_contexts");
899 restorecon("/sepolicy");
900 restorecon("/vndservice_contexts");
901
902 restorecon("/sys", SELINUX_ANDROID_RESTORECON_RECURSE);
903 restorecon("/dev/block", SELINUX_ANDROID_RESTORECON_RECURSE);
904 restorecon("/dev/device-mapper");
905 }
906
907 // Set the UDC controller for the ConfigFS USB Gadgets.
908 // Read the UDC controller in use from "/sys/class/udc".
909 // In case of multiple UDC controllers select the first one.
set_usb_controller()910 static void set_usb_controller() {
911 std::unique_ptr<DIR, decltype(&closedir)>dir(opendir("/sys/class/udc"), closedir);
912 if (!dir) return;
913
914 dirent* dp;
915 while ((dp = readdir(dir.get())) != nullptr) {
916 if (dp->d_name[0] == '.') continue;
917
918 property_set("sys.usb.controller", dp->d_name);
919 break;
920 }
921 }
922
install_reboot_signal_handlers()923 static void install_reboot_signal_handlers() {
924 // Instead of panic'ing the kernel as is the default behavior when init crashes,
925 // we prefer to reboot to bootloader on development builds, as this will prevent
926 // boot looping bad configurations and allow both developers and test farms to easily
927 // recover.
928 struct sigaction action;
929 memset(&action, 0, sizeof(action));
930 sigfillset(&action.sa_mask);
931 action.sa_handler = [](int) {
932 // panic() reboots to bootloader
933 panic();
934 };
935 action.sa_flags = SA_RESTART;
936 sigaction(SIGABRT, &action, nullptr);
937 sigaction(SIGBUS, &action, nullptr);
938 sigaction(SIGFPE, &action, nullptr);
939 sigaction(SIGILL, &action, nullptr);
940 sigaction(SIGSEGV, &action, nullptr);
941 #if defined(SIGSTKFLT)
942 sigaction(SIGSTKFLT, &action, nullptr);
943 #endif
944 sigaction(SIGSYS, &action, nullptr);
945 sigaction(SIGTRAP, &action, nullptr);
946 }
947
main(int argc,char ** argv)948 int main(int argc, char** argv) {
949 if (!strcmp(basename(argv[0]), "ueventd")) {
950 return ueventd_main(argc, argv);
951 }
952
953 if (!strcmp(basename(argv[0]), "watchdogd")) {
954 return watchdogd_main(argc, argv);
955 }
956
957 if (REBOOT_BOOTLOADER_ON_PANIC) {
958 install_reboot_signal_handlers();
959 }
960
961 add_environment("PATH", _PATH_DEFPATH);
962
963 bool is_first_stage = (getenv("INIT_SECOND_STAGE") == nullptr);
964
965 if (is_first_stage) {
966 boot_clock::time_point start_time = boot_clock::now();
967
968 // Clear the umask.
969 umask(0);
970
971 // Get the basic filesystem setup we need put together in the initramdisk
972 // on / and then we'll let the rc file figure out the rest.
973 mount("tmpfs", "/dev", "tmpfs", MS_NOSUID, "mode=0755");
974 mkdir("/dev/pts", 0755);
975 mkdir("/dev/socket", 0755);
976 mount("devpts", "/dev/pts", "devpts", 0, NULL);
977 #define MAKE_STR(x) __STRING(x)
978 mount("proc", "/proc", "proc", 0, "hidepid=2,gid=" MAKE_STR(AID_READPROC));
979 // Don't expose the raw commandline to unprivileged processes.
980 chmod("/proc/cmdline", 0440);
981 gid_t groups[] = { AID_READPROC };
982 setgroups(arraysize(groups), groups);
983 mount("sysfs", "/sys", "sysfs", 0, NULL);
984 mount("selinuxfs", "/sys/fs/selinux", "selinuxfs", 0, NULL);
985 mknod("/dev/kmsg", S_IFCHR | 0600, makedev(1, 11));
986 mknod("/dev/random", S_IFCHR | 0666, makedev(1, 8));
987 mknod("/dev/urandom", S_IFCHR | 0666, makedev(1, 9));
988
989 // Now that tmpfs is mounted on /dev and we have /dev/kmsg, we can actually
990 // talk to the outside world...
991 InitKernelLogging(argv);
992
993 LOG(INFO) << "init first stage started!";
994
995 if (!DoFirstStageMount()) {
996 LOG(ERROR) << "Failed to mount required partitions early ...";
997 panic();
998 }
999
1000 SetInitAvbVersionInRecovery();
1001
1002 // Set up SELinux, loading the SELinux policy.
1003 selinux_initialize(true);
1004
1005 // We're in the kernel domain, so re-exec init to transition to the init domain now
1006 // that the SELinux policy has been loaded.
1007 if (restorecon("/init") == -1) {
1008 PLOG(ERROR) << "restorecon failed";
1009 security_failure();
1010 }
1011
1012 setenv("INIT_SECOND_STAGE", "true", 1);
1013
1014 static constexpr uint32_t kNanosecondsPerMillisecond = 1e6;
1015 uint64_t start_ms = start_time.time_since_epoch().count() / kNanosecondsPerMillisecond;
1016 setenv("INIT_STARTED_AT", StringPrintf("%" PRIu64, start_ms).c_str(), 1);
1017
1018 char* path = argv[0];
1019 char* args[] = { path, nullptr };
1020 execv(path, args);
1021
1022 // execv() only returns if an error happened, in which case we
1023 // panic and never fall through this conditional.
1024 PLOG(ERROR) << "execv(\"" << path << "\") failed";
1025 security_failure();
1026 }
1027
1028 // At this point we're in the second stage of init.
1029 InitKernelLogging(argv);
1030 LOG(INFO) << "init second stage started!";
1031
1032 // Set up a session keyring that all processes will have access to. It
1033 // will hold things like FBE encryption keys. No process should override
1034 // its session keyring.
1035 keyctl(KEYCTL_GET_KEYRING_ID, KEY_SPEC_SESSION_KEYRING, 1);
1036
1037 // Indicate that booting is in progress to background fw loaders, etc.
1038 close(open("/dev/.booting", O_WRONLY | O_CREAT | O_CLOEXEC, 0000));
1039
1040 property_init();
1041
1042 // If arguments are passed both on the command line and in DT,
1043 // properties set in DT always have priority over the command-line ones.
1044 process_kernel_dt();
1045 process_kernel_cmdline();
1046
1047 // Propagate the kernel variables to internal variables
1048 // used by init as well as the current required properties.
1049 export_kernel_boot_props();
1050
1051 // Make the time that init started available for bootstat to log.
1052 property_set("ro.boottime.init", getenv("INIT_STARTED_AT"));
1053 property_set("ro.boottime.init.selinux", getenv("INIT_SELINUX_TOOK"));
1054
1055 // Set libavb version for Framework-only OTA match in Treble build.
1056 const char* avb_version = getenv("INIT_AVB_VERSION");
1057 if (avb_version) property_set("ro.boot.avb_version", avb_version);
1058
1059 // Clean up our environment.
1060 unsetenv("INIT_SECOND_STAGE");
1061 unsetenv("INIT_STARTED_AT");
1062 unsetenv("INIT_SELINUX_TOOK");
1063 unsetenv("INIT_AVB_VERSION");
1064
1065 // Now set up SELinux for second stage.
1066 selinux_initialize(false);
1067 selinux_restore_context();
1068
1069 epoll_fd = epoll_create1(EPOLL_CLOEXEC);
1070 if (epoll_fd == -1) {
1071 PLOG(ERROR) << "epoll_create1 failed";
1072 exit(1);
1073 }
1074
1075 signal_handler_init();
1076
1077 property_load_boot_defaults();
1078 export_oem_lock_status();
1079 start_property_service();
1080 set_usb_controller();
1081
1082 const BuiltinFunctionMap function_map;
1083 Action::set_function_map(&function_map);
1084
1085 Parser& parser = Parser::GetInstance();
1086 parser.AddSectionParser("service",std::make_unique<ServiceParser>());
1087 parser.AddSectionParser("on", std::make_unique<ActionParser>());
1088 parser.AddSectionParser("import", std::make_unique<ImportParser>());
1089 std::string bootscript = GetProperty("ro.boot.init_rc", "");
1090 if (bootscript.empty()) {
1091 parser.ParseConfig("/init.rc");
1092 parser.set_is_system_etc_init_loaded(
1093 parser.ParseConfig("/system/etc/init"));
1094 parser.set_is_vendor_etc_init_loaded(
1095 parser.ParseConfig("/vendor/etc/init"));
1096 parser.set_is_odm_etc_init_loaded(parser.ParseConfig("/odm/etc/init"));
1097 } else {
1098 parser.ParseConfig(bootscript);
1099 parser.set_is_system_etc_init_loaded(true);
1100 parser.set_is_vendor_etc_init_loaded(true);
1101 parser.set_is_odm_etc_init_loaded(true);
1102 }
1103
1104 // Turning this on and letting the INFO logging be discarded adds 0.2s to
1105 // Nexus 9 boot time, so it's disabled by default.
1106 if (false) parser.DumpState();
1107
1108 ActionManager& am = ActionManager::GetInstance();
1109
1110 am.QueueEventTrigger("early-init");
1111
1112 // Queue an action that waits for coldboot done so we know ueventd has set up all of /dev...
1113 am.QueueBuiltinAction(wait_for_coldboot_done_action, "wait_for_coldboot_done");
1114 // ... so that we can start queuing up actions that require stuff from /dev.
1115 am.QueueBuiltinAction(mix_hwrng_into_linux_rng_action, "mix_hwrng_into_linux_rng");
1116 am.QueueBuiltinAction(set_mmap_rnd_bits_action, "set_mmap_rnd_bits");
1117 am.QueueBuiltinAction(set_kptr_restrict_action, "set_kptr_restrict");
1118 am.QueueBuiltinAction(keychord_init_action, "keychord_init");
1119 am.QueueBuiltinAction(console_init_action, "console_init");
1120
1121 // Trigger all the boot actions to get us started.
1122 am.QueueEventTrigger("init");
1123
1124 // Repeat mix_hwrng_into_linux_rng in case /dev/hw_random or /dev/random
1125 // wasn't ready immediately after wait_for_coldboot_done
1126 am.QueueBuiltinAction(mix_hwrng_into_linux_rng_action, "mix_hwrng_into_linux_rng");
1127
1128 // Don't mount filesystems or start core system services in charger mode.
1129 std::string bootmode = GetProperty("ro.bootmode", "");
1130 if (bootmode == "charger") {
1131 am.QueueEventTrigger("charger");
1132 } else {
1133 am.QueueEventTrigger("late-init");
1134 }
1135
1136 // Run all property triggers based on current state of the properties.
1137 am.QueueBuiltinAction(queue_property_triggers_action, "queue_property_triggers");
1138
1139 while (true) {
1140 // By default, sleep until something happens.
1141 int epoll_timeout_ms = -1;
1142
1143 if (!(waiting_for_prop || ServiceManager::GetInstance().IsWaitingForExec())) {
1144 am.ExecuteOneCommand();
1145 }
1146 if (!(waiting_for_prop || ServiceManager::GetInstance().IsWaitingForExec())) {
1147 restart_processes();
1148
1149 // If there's a process that needs restarting, wake up in time for that.
1150 if (process_needs_restart_at != 0) {
1151 epoll_timeout_ms = (process_needs_restart_at - time(nullptr)) * 1000;
1152 if (epoll_timeout_ms < 0) epoll_timeout_ms = 0;
1153 }
1154
1155 // If there's more work to do, wake up again immediately.
1156 if (am.HasMoreCommands()) epoll_timeout_ms = 0;
1157 }
1158
1159 epoll_event ev;
1160 int nr = TEMP_FAILURE_RETRY(epoll_wait(epoll_fd, &ev, 1, epoll_timeout_ms));
1161 if (nr == -1) {
1162 PLOG(ERROR) << "epoll_wait failed";
1163 } else if (nr == 1) {
1164 ((void (*)()) ev.data.ptr)();
1165 }
1166 }
1167
1168 return 0;
1169 }
1170