com_android_internal_os_Zygote.cpp revision 76f6a86de25e1bf74717e047e55fd44b089673f3
/*
 * Copyright (C) 2008 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

// Native side of com.android.internal.os.Zygote: forks the zygote and
// specializes the child (descriptor cleanup, capability/UID/GID drop,
// mount namespace, rlimits, SELinux context) before handing control back
// to the Java post-fork hooks.

#define LOG_TAG "Zygote"

// sys/mount.h has to come before linux/fs.h due to redefinition of MS_RDONLY, MS_BIND, etc
#include <sys/mount.h>
#include <linux/fs.h>

#include <fcntl.h>
#include <grp.h>
#include <inttypes.h>
#include <paths.h>
#include <signal.h>
#include <stdlib.h>
#include <sys/capability.h>
#include <sys/personality.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/utsname.h>
#include <sys/wait.h>
#include <unistd.h>

#include <cutils/fs.h>
#include <cutils/multiuser.h>
#include <cutils/sched_policy.h>
#include <private/android_filesystem_config.h>
#include <utils/String8.h>
#include <selinux/android.h>
#include <processgroup/processgroup.h>

#include "core_jni_helpers.h"
#include "JNIHelp.h"
#include "ScopedLocalRef.h"
#include "ScopedPrimitiveArray.h"
#include "ScopedUtfChars.h"

#include "nativebridge/native_bridge.h"

// Helpers with internal linkage; the namespace is closed again right before
// `namespace android` further down in this file.
namespace {

using android::String8;

// pid of the forked system_server, published by nativeForkSystemServer once
// the fork succeeds; 0 before that. SigChldHandler compares every reaped pid
// against it to decide whether the zygote itself has to go down.
static pid_t gSystemServerPid = 0;

// Java class and static method resolved in register_com_android_internal_os_Zygote.
// gCallPostForkChildHooks is invoked in the child at the end of ForkAndSpecializeCommon.
static const char kZygoteClassName[] = "com/android/internal/os/Zygote";
static jclass gZygoteClass;
static jmethodID gCallPostForkChildHooks;

// Must match values in com.android.internal.os.Zygote.
// External-storage mount mode requested by the Java side for the child; see
// MountEmulatedStorage for what each value does.
enum MountExternalKind {
  MOUNT_EXTERNAL_NONE = 0,
  MOUNT_EXTERNAL_SINGLEUSER = 1,
  MOUNT_EXTERNAL_MULTIUSER = 2,
  MOUNT_EXTERNAL_MULTIUSER_ALL = 3,
};

// Terminates the VM via JNI FatalError, which is specified not to return.
// Callers in this file rely on that: none of them unwinds or returns
// deliberately after calling RuntimeAbort().
static void RuntimeAbort(JNIEnv* env) {
  env->FatalError("RuntimeAbort");
}

// This signal handler is for zygote mode, since the zygote must reap its children
//
// Reaps every exited child non-blockingly. If the reaped child is the
// system_server, the zygote SIGKILLs itself so that init restarts it (and,
// through it, the system_server).
// NOTE(review): errno is neither saved nor restored around the waitpid() loop,
// so code in the interrupted thread may observe a clobbered errno.
static void SigChldHandler(int /*signal_number*/) {
  pid_t pid;
  int status;

  while ((pid = waitpid(-1, &status, WNOHANG)) > 0) {
    // Log process-death status that we care about. In general it is
    // not safe to call LOG(...) from a signal handler because of
    // possible reentrancy. However, we know a priori that the
    // current implementation of LOG() is safe to call from a SIGCHLD
    // handler in the zygote process. If the LOG() implementation
    // changes its locking strategy or its use of syscalls within the
    // lazy-init critical section, its use here may become unsafe.
    if (WIFEXITED(status)) {
      // Despite the wording of the message, only a non-zero exit status is logged.
      if (WEXITSTATUS(status)) {
        ALOGI("Process %d exited cleanly (%d)", pid, WEXITSTATUS(status));
      }
    } else if (WIFSIGNALED(status)) {
      // SIGKILL is the normal way the framework kills processes, so it is not logged.
      if (WTERMSIG(status) != SIGKILL) {
        ALOGI("Process %d exited due to signal (%d)", pid, WTERMSIG(status));
      }
      if (WCOREDUMP(status)) {
        ALOGI("Process %d dumped core.", pid);
      }
    }

    // If the just-crashed process is the system_server, bring down zygote
    // so that it is restarted by init and system server will be restarted
    // from there.
    if (pid == gSystemServerPid) {
      ALOGE("Exit zygote because system server (%d) has terminated", pid);
      kill(getpid(), SIGKILL);
    }
  }

  // Note that we shouldn't consider ECHILD an error because
  // the secondary zygote might have no children left to wait for.
  if (pid < 0 && errno != ECHILD) {
    ALOGW("Zygote SIGCHLD error in waitpid: %s", strerror(errno));
  }
}

// Configures the SIGCHLD handler for the zygote process. This is configured
// very late, because earlier in the runtime we may fork() and exec()
// other processes, and we want to waitpid() for those rather than
// have them be harvested immediately.
//
// This ends up being called repeatedly before each fork(), but there's
// no real harm in that.
//
// sa_flags is left at zero (no SA_NOCLDSTOP / SA_RESTART), and a failure to
// install the handler is only logged, not fatal.
static void SetSigChldHandler() {
  struct sigaction sa;
  memset(&sa, 0, sizeof(sa));
  sa.sa_handler = SigChldHandler;

  int err = sigaction(SIGCHLD, &sa, NULL);
  if (err < 0) {
    ALOGW("Error setting SIGCHLD handler: %s", strerror(errno));
  }
}

// Sets the SIGCHLD handler back to default behavior in zygote children.
// Called in the child near the end of ForkAndSpecializeCommon, so the
// specialized process does not inherit the zygote's self-kill logic.
static void UnsetSigChldHandler() {
  struct sigaction sa;
  memset(&sa, 0, sizeof(sa));
  sa.sa_handler = SIG_DFL;

  int err = sigaction(SIGCHLD, &sa, NULL);
  if (err < 0) {
    ALOGW("Error unsetting SIGCHLD handler: %s", strerror(errno));
  }
}

// Calls POSIX setgroups() using the int[] object as an argument.
// A NULL argument is tolerated.
//
// Runs in the child while it is still root (ForkAndSpecializeCommon calls it
// before setresgid/setresuid), which is what setgroups() needs. Any failure,
// including a failed array pin, aborts the child.
// NOTE(review): a zero-length array still reaches setgroups(0, &gids[0]);
// confirm that indexing an empty ScopedIntArrayRO is acceptable there.
static void SetGids(JNIEnv* env, jintArray javaGids) {
  if (javaGids == NULL) {
    return;
  }

  ScopedIntArrayRO gids(env, javaGids);
  if (gids.get() == NULL) {
    RuntimeAbort(env);
  }
  // jint and gid_t are both 32-bit here, hence the reinterpret_cast.
  int rc = setgroups(gids.size(), reinterpret_cast<const gid_t*>(&gids[0]));
  if (rc == -1) {
    ALOGE("setgroups failed");
    RuntimeAbort(env);
  }
}

// Sets the resource limits via setrlimit(2) for the values in the
// two-dimensional array of integers that's passed in. The second dimension
// contains a tuple of length 3: (resource, rlim_cur, rlim_max). NULL is
// treated as an empty array.
// Applies each (resource, rlim_cur, rlim_max) triple with setrlimit(2).
// Any malformed triple or failed setrlimit() aborts the child.
// NOTE(review): the jint values are widened to rlim_t, so a negative jint
// (e.g. -1) turns into a very large unsigned limit; confirm whether the Java
// side relies on that to express RLIM_INFINITY.
// NOTE(review): "%ld" assumes rlim_t is long-sized on the target ABI.
static void SetRLimits(JNIEnv* env, jobjectArray javaRlimits) {
  if (javaRlimits == NULL) {
    return;
  }

  rlimit rlim;
  memset(&rlim, 0, sizeof(rlim));

  // GetArrayLength() is re-evaluated on every iteration.
  for (int i = 0; i < env->GetArrayLength(javaRlimits); ++i) {
    ScopedLocalRef<jobject> javaRlimitObject(env, env->GetObjectArrayElement(javaRlimits, i));
    ScopedIntArrayRO javaRlimit(env, reinterpret_cast<jintArray>(javaRlimitObject.get()));
    if (javaRlimit.size() != 3) {
      ALOGE("rlimits array must have a second dimension of size 3");
      RuntimeAbort(env);
    }

    rlim.rlim_cur = javaRlimit[1];
    rlim.rlim_max = javaRlimit[2];

    int rc = setrlimit(javaRlimit[0], &rlim);
    if (rc == -1) {
      ALOGE("setrlimit(%d, {%ld, %ld}) failed", javaRlimit[0], rlim.rlim_cur,
            rlim.rlim_max);
      RuntimeAbort(env);
    }
  }
}

// The debug malloc library needs to know whether it's the zygote or a child.
// Set to 1 in the child right after fork() (see ForkAndSpecializeCommon).
extern "C" int gMallocLeakZygoteChild;

// Asks the kernel to keep the permitted capability set across the upcoming
// setresuid() away from root. ForkAndSpecializeCommon only calls this when
// the target uid is non-zero; the final sets are installed afterwards by
// SetCapabilities.
static void EnableKeepCapabilities(JNIEnv* env) {
  int rc = prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
  if (rc == -1) {
    ALOGE("prctl(PR_SET_KEEPCAPS) failed");
    RuntimeAbort(env);
  }
}

// Removes every capability from the child's bounding set. The loop walks
// capability indices until PR_CAPBSET_READ rejects one, i.e. it covers every
// capability the running kernel knows about.
//
// EINVAL from PR_CAPBSET_DROP is only logged and the loop continues, so on
// such a kernel the child keeps a populated bounding set; every other failure
// aborts the child.
static void DropCapabilitiesBoundingSet(JNIEnv* env) {
  for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {
    int rc = prctl(PR_CAPBSET_DROP, i, 0, 0, 0);
    if (rc == -1) {
      if (errno == EINVAL) {
        ALOGE("prctl(PR_CAPBSET_DROP) failed with EINVAL. Please verify "
              "your kernel is compiled with file capabilities support");
      } else {
        ALOGE("prctl(PR_CAPBSET_DROP) failed");
        RuntimeAbort(env);
      }
    }
  }
}

// Installs the child's final permitted and effective capability sets via
// capset(2) for the calling thread (pid = 0). The 64-bit masks are split into
// the two 32-bit words that _LINUX_CAPABILITY_VERSION_3 expects; the
// inheritable set is left at zero by the memset. Failure aborts the child.
static void SetCapabilities(JNIEnv* env, int64_t permitted, int64_t effective) {
  __user_cap_header_struct capheader;
  memset(&capheader, 0, sizeof(capheader));
  capheader.version = _LINUX_CAPABILITY_VERSION_3;
  capheader.pid = 0;

  __user_cap_data_struct capdata[2];
  memset(&capdata, 0, sizeof(capdata));
  capdata[0].effective = effective;
  capdata[1].effective = effective >> 32;
  capdata[0].permitted = permitted;
  capdata[1].permitted = permitted >> 32;

  if (capset(&capheader, &capdata[0]) == -1) {
    ALOGE("capset(%" PRId64 ", %" PRId64 ") failed", permitted, effective);
    RuntimeAbort(env);
  }
}

// Puts the child on the default scheduler policy. set_sched_policy() appears
// to return a negated errno-style code, so errno doubles as the result holder.
// Failure aborts the child.
static void SetSchedulerPolicy(JNIEnv* env) {
  errno = -set_sched_policy(0, SP_DEFAULT);
  if (errno != 0) {
    ALOGE("set_sched_policy(0, SP_DEFAULT) failed");
    RuntimeAbort(env);
  }
}

// Create a private mount namespace and bind mount appropriate emulated
// storage for the given user.
// Returns true on success. With MOUNT_EXTERNAL_NONE nothing is mounted; a
// private mount namespace is still created when force_mount_namespace is set
// (ForkAndSpecializeCommon passes use_native_bridge for that). Only the
// MULTIUSER and MULTIUSER_ALL modes are implemented; MOUNT_EXTERNAL_SINGLEUSER
// falls through to the "unsupported" branch and returns false.
//
// NOTE(review): not every false return leaves a meaningful errno (the
// undefined-environment and unsupported-mode paths set none), yet the caller
// inspects errno to decide whether to continue; treat errno as unreliable on
// those paths.
static bool MountEmulatedStorage(uid_t uid, jint mount_mode, bool force_mount_namespace) {
  if (mount_mode == MOUNT_EXTERNAL_NONE && !force_mount_namespace) {
    return true;
  }

  // Create a second private mount namespace for our process
  if (unshare(CLONE_NEWNS) == -1) {
    ALOGW("Failed to unshare(): %s", strerror(errno));
    return false;
  }

  if (mount_mode == MOUNT_EXTERNAL_NONE) {
    return true;
  }

  // See storage config details at http://source.android.com/tech/storage/
  userid_t user_id = multiuser_get_user_id(uid);

  // Create bind mounts to expose external storage
  if (mount_mode == MOUNT_EXTERNAL_MULTIUSER || mount_mode == MOUNT_EXTERNAL_MULTIUSER_ALL) {
    // These paths must already be created by init.rc
    const char* source = getenv("EMULATED_STORAGE_SOURCE");
    const char* target = getenv("EMULATED_STORAGE_TARGET");
    const char* legacy = getenv("EXTERNAL_STORAGE");
    if (source == NULL || target == NULL || legacy == NULL) {
      ALOGW("Storage environment undefined; unable to provide external storage");
      return false;
    }

    // Prepare source paths

    // /mnt/shell/emulated/0
    const String8 source_user(String8::format("%s/%d", source, user_id));
    // /storage/emulated/0
    const String8 target_user(String8::format("%s/%d", target, user_id));

    // Directories are created mode 0000, owned by root.
    if (fs_prepare_dir(source_user.string(), 0000, 0, 0) == -1
        || fs_prepare_dir(target_user.string(), 0000, 0, 0) == -1) {
      return false;
    }

    if (mount_mode == MOUNT_EXTERNAL_MULTIUSER_ALL) {
      // Mount entire external storage tree for all users
      if (TEMP_FAILURE_RETRY(mount(source, target, NULL, MS_BIND, NULL)) == -1) {
        ALOGW("Failed to mount %s to %s: %s", source, target, strerror(errno));
        return false;
      }
    } else {
      // Only mount user-specific external storage
      if (TEMP_FAILURE_RETRY(mount(source_user.string(), target_user.string(), NULL,
                                   MS_BIND, NULL)) == -1) {
        ALOGW("Failed to mount %s to %s: %s", source_user.string(), target_user.string(),
              strerror(errno));
        return false;
      }
    }

    if (fs_prepare_dir(legacy, 0000, 0, 0) == -1) {
      return false;
    }

    // Finally, mount user-specific path into place for legacy users
    // (MS_REC so submounts under the user's tree come along).
    if (TEMP_FAILURE_RETRY(
            mount(target_user.string(), legacy, NULL, MS_BIND | MS_REC, NULL)) == -1) {
      ALOGW("Failed to mount %s to %s: %s", target_user.string(), legacy, strerror(errno));
      return false;
    }
  } else {
    ALOGW("Mount mode %d unsupported", mount_mode);
    return false;
  }

  return true;
}

// True only on ARM builds running a kernel older than 3.4 (parsed from
// uname's release string); any uname()/parse failure yields false, i.e. no
// workaround. The caller uses this to set ADDR_NO_RANDOMIZE.
static bool NeedsNoRandomizeWorkaround() {
#if !defined(__arm__)
  return false;
#else
  int major;
  int minor;
  struct utsname uts;
  if (uname(&uts) == -1) {
    return false;
  }

  if (sscanf(uts.release, "%d.%d", &major, &minor) != 2) {
    return false;
  }

  // Kernels before 3.4.* need the workaround.
  return (major < 3) || ((major == 3) && (minor < 4));
#endif
}

// Utility to close down the Zygote socket file descriptors while
// the child is still running as root with Zygote's privileges. Each
// descriptor (if any) is closed via dup2(), replacing it with a valid
// (open) descriptor to /dev/null.

// fdsToClose may be NULL (nothing to do). A failed array pin, a failed open
// of /dev/null or a failed dup2() aborts the child. A fresh /dev/null fd is
// opened and closed again for every entry.
// NOTE(review): the ALOGV below prints strerror(errno) before any call in this
// iteration has failed, so the text is whatever errno happened to hold.
// NOTE(review): if an entry is already closed in the child, open() may hand
// back that very number; dup2(fd, fd) is then a no-op and close(devnull)
// leaves the descriptor closed rather than pointing at /dev/null.
static void DetachDescriptors(JNIEnv* env, jintArray fdsToClose) {
  if (!fdsToClose) {
    return;
  }
  jsize count = env->GetArrayLength(fdsToClose);
  ScopedIntArrayRO ar(env, fdsToClose);
  if (ar.get() == NULL) {
    ALOGE("Bad fd array");
    RuntimeAbort(env);
  }
  jsize i;
  int devnull;
  for (i = 0; i < count; i++) {
    devnull = open("/dev/null", O_RDWR);
    if (devnull < 0) {
      ALOGE("Failed to open /dev/null: %s", strerror(errno));
      RuntimeAbort(env);
      // Unreachable in practice: RuntimeAbort() does not return.
      continue;
    }
    ALOGV("Switching descriptor %d to /dev/null: %s", ar[i], strerror(errno));
    if (dup2(devnull, ar[i]) < 0) {
      ALOGE("Failed dup2() on descriptor %d: %s", ar[i], strerror(errno));
      RuntimeAbort(env);
    }
    close(devnull);
  }
}

// Names the current thread after thread_name so it shows up in audit logs.
// thread_name must be non-NULL; it is dereferenced unconditionally.
//
// Names that look like a package-qualified process name (15+ chars, contain
// '.' and no '@') are trimmed to their last 15 characters so the most
// specific part survives; anything else is used from the start. Failure to
// set the name is only logged.
// NOTE(review): strlcpy() is given sizeof(buf)-1 = 15, so at most 14
// characters are copied even though buf can hold 15 plus the terminator;
// the 15-character window above is therefore cut by one more character.
void SetThreadName(const char* thread_name) {
  bool hasAt = false;
  bool hasDot = false;
  const char* s = thread_name;
  while (*s) {
    if (*s == '.') {
      hasDot = true;
    } else if (*s == '@') {
      hasAt = true;
    }
    s++;
  }
  const int len = s - thread_name;
  if (len < 15 || hasAt || !hasDot) {
    s = thread_name;
  } else {
    s = thread_name + len - 15;
  }
  // pthread_setname_np fails rather than truncating long strings.
  char buf[16]; // MAX_TASK_COMM_LEN=16 is hard-coded into bionic
  strlcpy(buf, s, sizeof(buf)-1);
  // pthread_setname_np returns an error number directly; errno is used to hold it.
  errno = pthread_setname_np(pthread_self(), buf);
  if (errno != 0) {
    ALOGW("Unable to set the name of current thread to '%s': %s", buf, strerror(errno));
  }
}

// Utility routine to fork zygote and specialize the child process.
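// Returns fork()'s result: 0 in the specialized child, the child's pid in the
// zygote, -1 if fork() failed (propagated to Java unlogged). Every step in the
// child that fails hard calls RuntimeAbort(), which does not return.
//
// The order in the child matters for privilege dropping:
//   1. DetachDescriptors and the mount namespace are set up while still root;
//   2. PR_SET_KEEPCAPS (non-root targets only) and the bounding-set drop come
//      before the UID change;
//   3. setresgid() precedes setresuid() so the GID change still has privilege;
//   4. SetCapabilities() installs the final sets after the UID change;
//   5. the SELinux context is switched last, after which only the thread name
//      and the Java post-fork hooks remain.
//
// mount_external is a MountExternalKind value; java_se_info / java_se_name,
// fdsToClose, instructionSet and dataDir may be NULL.
static pid_t ForkAndSpecializeCommon(JNIEnv* env, uid_t uid, gid_t gid, jintArray javaGids,
                                     jint debug_flags, jobjectArray javaRlimits,
                                     jlong permittedCapabilities, jlong effectiveCapabilities,
                                     jint mount_external,
                                     jstring java_se_info, jstring java_se_name,
                                     bool is_system_server, jintArray fdsToClose,
                                     jstring instructionSet, jstring dataDir) {
  SetSigChldHandler();

  pid_t pid = fork();

  if (pid == 0) {
    // The child process.
    gMallocLeakZygoteChild = 1;

    // Clean up any descriptors which must be closed immediately
    DetachDescriptors(env, fdsToClose);

    // Keep capabilities across UID change, unless we're staying root.
    if (uid != 0) {
      EnableKeepCapabilities(env);
    }

    DropCapabilitiesBoundingSet(env);

    bool use_native_bridge = !is_system_server && (instructionSet != NULL)
        && android::NativeBridgeAvailable();
    if (use_native_bridge) {
      ScopedUtfChars isa_string(env, instructionSet);
      use_native_bridge = android::NeedsNativeBridge(isa_string.c_str());
    }
    if (use_native_bridge && dataDir == NULL) {
      // dataDir should never be null if we need to use a native bridge.
      // In general, dataDir will never be null for normal applications. It can only happen in
      // special cases (for isolated processes which are not associated with any app). These are
      // launched by the framework and should not be emulated anyway.
      use_native_bridge = false;
      ALOGW("Native bridge will not be used because dataDir == NULL.");
    }

    // A private mount namespace is forced when the native bridge is in use,
    // even with MOUNT_EXTERNAL_NONE.
    if (!MountEmulatedStorage(uid, mount_external, use_native_bridge)) {
      ALOGW("Failed to mount emulated storage: %s", strerror(errno));
      if (errno == ENOTCONN || errno == EROFS) {
        // When device is actively encrypting, we get ENOTCONN here
        // since FUSE was mounted before the framework restarted.
        // When encrypted device is booting, we get EROFS since
        // FUSE hasn't been created yet by init.
        // In either case, continue without external storage.
      } else {
        ALOGE("Cannot continue without emulated storage");
        RuntimeAbort(env);
      }
    }

    if (!is_system_server) {
      // Best effort: a missing cgroup controller is only logged.
      pid_t self_pid = getpid();
      int rc = createProcessGroup(uid, self_pid);
      if (rc != 0) {
        if (rc == -EROFS) {
          ALOGW("createProcessGroup failed, kernel missing CONFIG_CGROUP_CPUACCT?");
        } else {
          // Log our own pid: `pid` is 0 in the child.
          ALOGE("createProcessGroup(%d, %d) failed: %s", uid, self_pid, strerror(-rc));
        }
      }
    }

    SetGids(env, javaGids);

    SetRLimits(env, javaRlimits);

    if (use_native_bridge) {
      ScopedUtfChars isa_string(env, instructionSet);
      ScopedUtfChars data_dir(env, dataDir);
      android::PreInitializeNativeBridge(data_dir.c_str(), isa_string.c_str());
    }

    int rc = setresgid(gid, gid, gid);
    if (rc == -1) {
      ALOGE("setresgid(%d) failed: %s", gid, strerror(errno));
      RuntimeAbort(env);
    }

    rc = setresuid(uid, uid, uid);
    if (rc == -1) {
      ALOGE("setresuid(%d) failed: %s", uid, strerror(errno));
      RuntimeAbort(env);
    }

    if (NeedsNoRandomizeWorkaround()) {
      // Work around ARM kernel ASLR lossage (http://b/5817320).
      int old_personality = personality(0xffffffff);
      int requested_personality = old_personality | ADDR_NO_RANDOMIZE;
      int new_personality = personality(requested_personality);
      if (new_personality == -1) {
        // Log the value we asked for rather than the -1 result.
        ALOGW("personality(%d) failed: %s", requested_personality, strerror(errno));
      }
    }

    SetCapabilities(env, permittedCapabilities, effectiveCapabilities);

    SetSchedulerPolicy(env);

    const char* se_info_c_str = NULL;
    ScopedUtfChars* se_info = NULL;
    if (java_se_info != NULL) {
      se_info = new ScopedUtfChars(env, java_se_info);
      se_info_c_str = se_info->c_str();
      if (se_info_c_str == NULL) {
        ALOGE("se_info_c_str == NULL");
        RuntimeAbort(env);
      }
    }
    const char* se_name_c_str = NULL;
    ScopedUtfChars* se_name = NULL;
    if (java_se_name != NULL) {
      se_name = new ScopedUtfChars(env, java_se_name);
      se_name_c_str = se_name->c_str();
      if (se_name_c_str == NULL) {
        ALOGE("se_name_c_str == NULL");
        RuntimeAbort(env);
      }
    }
    rc = selinux_android_setcontext(uid, is_system_server, se_info_c_str, se_name_c_str);
    if (rc == -1) {
      ALOGE("selinux_android_setcontext(%d, %d, \"%s\", \"%s\") failed", uid,
            is_system_server, se_info_c_str, se_name_c_str);
      RuntimeAbort(env);
    }

    // Make it easier to debug audit logs by setting the main thread's name to the
    // nice name rather than "app_process".
    // The nice name is se_name, so both checks are on se_name_c_str: the
    // system_server (which passes no name) gets a fixed one, and SetThreadName
    // is never handed a NULL pointer.
    if (se_name_c_str == NULL && is_system_server) {
      se_name_c_str = "system_server";
    }
    if (se_name_c_str != NULL) {
      SetThreadName(se_name_c_str);
    }

    delete se_info;
    delete se_name;

    UnsetSigChldHandler();

    env->CallStaticVoidMethod(gZygoteClass, gCallPostForkChildHooks, debug_flags,
                              is_system_server ? NULL : instructionSet);
    if (env->ExceptionCheck()) {
      ALOGE("Error calling post fork hooks.");
      RuntimeAbort(env);
    }
  } else if (pid > 0) {
    // the parent process
  }
  return pid;
}
}  // anonymous namespace

namespace android {

// JNI entry point for ordinary app processes: no extra capabilities except
// CAP_WAKE_ALARM for the Bluetooth uid; never treated as system_server.
static jint com_android_internal_os_Zygote_nativeForkAndSpecialize(
        JNIEnv* env, jclass, jint uid, jint gid, jintArray gids,
        jint debug_flags, jobjectArray rlimits,
        jint mount_external, jstring se_info, jstring se_name,
        jintArray fdsToClose, jstring instructionSet, jstring appDataDir) {
  // Grant CAP_WAKE_ALARM to the Bluetooth process.
  jlong capabilities = 0;
  if (uid == AID_BLUETOOTH) {
    capabilities |= (1LL << CAP_WAKE_ALARM);
  }

  // Permitted and effective sets are identical for app processes.
  return ForkAndSpecializeCommon(env, uid, gid, gids, debug_flags,
                                 rlimits, capabilities, capabilities, mount_external, se_info,
                                 se_name, false, fdsToClose, instructionSet, appDataDir);
}

// JNI entry point for the system_server: caller-supplied capability sets, no
// external storage, no descriptors to detach. In the zygote, publishes the
// child's pid for SigChldHandler and aborts if the child is already gone.
// NOTE(review): the JNI signature declares these as ints while the C++
// parameters are uid_t/gid_t; confirm they match on the target ABI.
static jint com_android_internal_os_Zygote_nativeForkSystemServer(
        JNIEnv* env, jclass, uid_t uid, gid_t gid, jintArray gids,
        jint debug_flags, jobjectArray rlimits, jlong permittedCapabilities,
        jlong effectiveCapabilities) {
  pid_t pid = ForkAndSpecializeCommon(env, uid, gid, gids,
                                      debug_flags, rlimits,
                                      permittedCapabilities, effectiveCapabilities,
                                      MOUNT_EXTERNAL_NONE, NULL, NULL, true, NULL,
                                      NULL, NULL);
  if (pid > 0) {
    // The zygote process checks whether the child process has died or not.
    ALOGI("System server process %d has been created", pid);
    gSystemServerPid = pid;
    // There is a slight window that the system server process has crashed
    // but it went unnoticed because we haven't published its pid yet. So
    // we recheck here just to make sure that all is well.
    int status;
    if (waitpid(pid, &status, WNOHANG) == pid) {
      ALOGE("System server process %d has died. Restarting Zygote!", pid);
      RuntimeAbort(env);
    }
  }
  return pid;
}

// Native method table; signatures must match the Java declarations in
// com.android.internal.os.Zygote.
static const JNINativeMethod gMethods[] = {
    { "nativeForkAndSpecialize",
      "(II[II[[IILjava/lang/String;Ljava/lang/String;[ILjava/lang/String;Ljava/lang/String;)I",
      (void *) com_android_internal_os_Zygote_nativeForkAndSpecialize },
    { "nativeForkSystemServer", "(II[II[[IJJ)I",
      (void *) com_android_internal_os_Zygote_nativeForkSystemServer }
};

// Resolves the Zygote class and its post-fork hook once, then registers the
// native methods. The *OrDie helpers abort on any lookup failure.
int register_com_android_internal_os_Zygote(JNIEnv* env) {
  gZygoteClass = MakeGlobalRefOrDie(env, FindClassOrDie(env, kZygoteClassName));
  gCallPostForkChildHooks = GetStaticMethodIDOrDie(env, gZygoteClass, "callPostForkChildHooks",
                                                   "(ILjava/lang/String;)V");

  return RegisterMethodsOrDie(env, "com/android/internal/os/Zygote", gMethods, NELEM(gMethods));
}
}  // namespace android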