1/* 2 * Copyright (C) 2008 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17#include <ctype.h> 18#include <dirent.h> 19#include <errno.h> 20#include <fcntl.h> 21#include <inttypes.h> 22#include <keyutils.h> 23#include <libgen.h> 24#include <paths.h> 25#include <signal.h> 26#include <stdarg.h> 27#include <stdio.h> 28#include <stdlib.h> 29#include <string.h> 30#include <sys/epoll.h> 31#include <sys/mount.h> 32#include <sys/socket.h> 33#include <sys/stat.h> 34#include <sys/sysmacros.h> 35#include <sys/types.h> 36#include <sys/un.h> 37#include <sys/wait.h> 38#include <unistd.h> 39 40#include <selinux/selinux.h> 41#include <selinux/label.h> 42#include <selinux/android.h> 43 44#include <android-base/file.h> 45#include <android-base/properties.h> 46#include <android-base/stringprintf.h> 47#include <android-base/strings.h> 48#include <android-base/unique_fd.h> 49#include <libavb/libavb.h> 50#include <private/android_filesystem_config.h> 51 52#include <fstream> 53#include <memory> 54#include <vector> 55 56#include "action.h" 57#include "bootchart.h" 58#include "devices.h" 59#include "import_parser.h" 60#include "init.h" 61#include "init_first_stage.h" 62#include "init_parser.h" 63#include "keychords.h" 64#include "log.h" 65#include "property_service.h" 66#include "reboot.h" 67#include "service.h" 68#include "signal_handler.h" 69#include "ueventd.h" 70#include "util.h" 71#include "watchdogd.h" 72 73using android::base::GetProperty; 74using android::base::StringPrintf; 75 76struct selabel_handle *sehandle; 77struct selabel_handle *sehandle_prop; 78 79static int property_triggers_enabled = 0; 80 81static char qemu[32]; 82 83std::string default_console = "/dev/console"; 84static time_t process_needs_restart_at; 85 86const char *ENV[32]; 87 88static int epoll_fd = -1; 89 90static std::unique_ptr<Timer> waiting_for_prop(nullptr); 91static std::string wait_prop_name; 92static std::string wait_prop_value; 93 94void register_epoll_handler(int fd, void (*fn)()) { 95 epoll_event ev; 96 ev.events = EPOLLIN; 97 ev.data.ptr = reinterpret_cast<void*>(fn); 98 if (epoll_ctl(epoll_fd, EPOLL_CTL_ADD, fd, &ev) == -1) { 99 PLOG(ERROR) << "epoll_ctl failed"; 100 } 101} 102 103/* add_environment - add "key=value" to the current environment */ 104int add_environment(const char *key, const char *val) 105{ 106 size_t n; 107 size_t key_len = strlen(key); 108 109 /* The last environment entry is reserved to terminate the list */ 110 for (n = 0; n < (arraysize(ENV) - 1); n++) { 111 112 /* Delete any existing entry for this key */ 113 if (ENV[n] != NULL) { 114 size_t entry_key_len = strcspn(ENV[n], "="); 115 if ((entry_key_len == key_len) && (strncmp(ENV[n], key, entry_key_len) == 0)) { 116 free((char*)ENV[n]); 117 ENV[n] = NULL; 118 } 119 } 120 121 /* Add entry if a free slot is available */ 122 if (ENV[n] == NULL) { 123 char* entry; 124 asprintf(&entry, "%s=%s", key, val); 125 ENV[n] = entry; 126 return 0; 127 } 128 } 129 130 LOG(ERROR) << "No env. room to store: '" << key << "':'" << val << "'"; 131 132 return -1; 133} 134 135bool start_waiting_for_property(const char *name, const char *value) 136{ 137 if (waiting_for_prop) { 138 return false; 139 } 140 if (GetProperty(name, "") != value) { 141 // Current property value is not equal to expected value 142 wait_prop_name = name; 143 wait_prop_value = value; 144 waiting_for_prop.reset(new Timer()); 145 } else { 146 LOG(INFO) << "start_waiting_for_property(\"" 147 << name << "\", \"" << value << "\"): already set"; 148 } 149 return true; 150} 151 152void property_changed(const std::string& name, const std::string& value) { 153 // If the property is sys.powerctl, we bypass the event queue and immediately handle it. 154 // This is to ensure that init will always and immediately shutdown/reboot, regardless of 155 // if there are other pending events to process or if init is waiting on an exec service or 156 // waiting on a property. 157 if (name == "sys.powerctl") HandlePowerctlMessage(value); 158 159 if (property_triggers_enabled) 160 ActionManager::GetInstance().QueuePropertyTrigger(name, value); 161 if (waiting_for_prop) { 162 if (wait_prop_name == name && wait_prop_value == value) { 163 wait_prop_name.clear(); 164 wait_prop_value.clear(); 165 LOG(INFO) << "Wait for property took " << *waiting_for_prop; 166 waiting_for_prop.reset(); 167 } 168 } 169} 170 171static void restart_processes() 172{ 173 process_needs_restart_at = 0; 174 ServiceManager::GetInstance().ForEachServiceWithFlags(SVC_RESTARTING, [](Service* s) { 175 s->RestartIfNeeded(&process_needs_restart_at); 176 }); 177} 178 179void handle_control_message(const std::string& msg, const std::string& name) { 180 Service* svc = ServiceManager::GetInstance().FindServiceByName(name); 181 if (svc == nullptr) { 182 LOG(ERROR) << "no such service '" << name << "'"; 183 return; 184 } 185 186 if (msg == "start") { 187 svc->Start(); 188 } else if (msg == "stop") { 189 svc->Stop(); 190 } else if (msg == "restart") { 191 svc->Restart(); 192 } else { 193 LOG(ERROR) << "unknown control msg '" << msg << "'"; 194 } 195} 196 197static int wait_for_coldboot_done_action(const std::vector<std::string>& args) { 198 Timer t; 199 200 LOG(VERBOSE) << "Waiting for " COLDBOOT_DONE "..."; 201 202 // Historically we had a 1s timeout here because we weren't otherwise 203 // tracking boot time, and many OEMs made their sepolicy regular 204 // expressions too expensive (http://b/19899875). 205 206 // Now we're tracking boot time, just log the time taken to a system 207 // property. We still panic if it takes more than a minute though, 208 // because any build that slow isn't likely to boot at all, and we'd 209 // rather any test lab devices fail back to the bootloader. 210 if (wait_for_file(COLDBOOT_DONE, 60s) < 0) { 211 LOG(ERROR) << "Timed out waiting for " COLDBOOT_DONE; 212 panic(); 213 } 214 215 property_set("ro.boottime.init.cold_boot_wait", std::to_string(t.duration_ms()).c_str()); 216 return 0; 217} 218 219/* 220 * Writes 512 bytes of output from Hardware RNG (/dev/hw_random, backed 221 * by Linux kernel's hw_random framework) into Linux RNG's via /dev/urandom. 222 * Does nothing if Hardware RNG is not present. 223 * 224 * Since we don't yet trust the quality of Hardware RNG, these bytes are not 225 * mixed into the primary pool of Linux RNG and the entropy estimate is left 226 * unmodified. 227 * 228 * If the HW RNG device /dev/hw_random is present, we require that at least 229 * 512 bytes read from it are written into Linux RNG. QA is expected to catch 230 * devices/configurations where these I/O operations are blocking for a long 231 * time. We do not reboot or halt on failures, as this is a best-effort 232 * attempt. 233 */ 234static int mix_hwrng_into_linux_rng_action(const std::vector<std::string>& args) 235{ 236 int result = -1; 237 int hwrandom_fd = -1; 238 int urandom_fd = -1; 239 char buf[512]; 240 ssize_t chunk_size; 241 size_t total_bytes_written = 0; 242 243 hwrandom_fd = TEMP_FAILURE_RETRY( 244 open("/dev/hw_random", O_RDONLY | O_NOFOLLOW | O_CLOEXEC)); 245 if (hwrandom_fd == -1) { 246 if (errno == ENOENT) { 247 LOG(ERROR) << "/dev/hw_random not found"; 248 // It's not an error to not have a Hardware RNG. 249 result = 0; 250 } else { 251 PLOG(ERROR) << "Failed to open /dev/hw_random"; 252 } 253 goto ret; 254 } 255 256 urandom_fd = TEMP_FAILURE_RETRY( 257 open("/dev/urandom", O_WRONLY | O_NOFOLLOW | O_CLOEXEC)); 258 if (urandom_fd == -1) { 259 PLOG(ERROR) << "Failed to open /dev/urandom"; 260 goto ret; 261 } 262 263 while (total_bytes_written < sizeof(buf)) { 264 chunk_size = TEMP_FAILURE_RETRY( 265 read(hwrandom_fd, buf, sizeof(buf) - total_bytes_written)); 266 if (chunk_size == -1) { 267 PLOG(ERROR) << "Failed to read from /dev/hw_random"; 268 goto ret; 269 } else if (chunk_size == 0) { 270 LOG(ERROR) << "Failed to read from /dev/hw_random: EOF"; 271 goto ret; 272 } 273 274 chunk_size = TEMP_FAILURE_RETRY(write(urandom_fd, buf, chunk_size)); 275 if (chunk_size == -1) { 276 PLOG(ERROR) << "Failed to write to /dev/urandom"; 277 goto ret; 278 } 279 total_bytes_written += chunk_size; 280 } 281 282 LOG(INFO) << "Mixed " << total_bytes_written << " bytes from /dev/hw_random into /dev/urandom"; 283 result = 0; 284 285ret: 286 if (hwrandom_fd != -1) { 287 close(hwrandom_fd); 288 } 289 if (urandom_fd != -1) { 290 close(urandom_fd); 291 } 292 return result; 293} 294 295static void security_failure() { 296 LOG(ERROR) << "Security failure..."; 297 panic(); 298} 299 300static bool set_highest_available_option_value(std::string path, int min, int max) 301{ 302 std::ifstream inf(path, std::fstream::in); 303 if (!inf) { 304 LOG(ERROR) << "Cannot open for reading: " << path; 305 return false; 306 } 307 308 int current = max; 309 while (current >= min) { 310 // try to write out new value 311 std::string str_val = std::to_string(current); 312 std::ofstream of(path, std::fstream::out); 313 if (!of) { 314 LOG(ERROR) << "Cannot open for writing: " << path; 315 return false; 316 } 317 of << str_val << std::endl; 318 of.close(); 319 320 // check to make sure it was recorded 321 inf.seekg(0); 322 std::string str_rec; 323 inf >> str_rec; 324 if (str_val.compare(str_rec) == 0) { 325 break; 326 } 327 current--; 328 } 329 inf.close(); 330 331 if (current < min) { 332 LOG(ERROR) << "Unable to set minimum option value " << min << " in " << path; 333 return false; 334 } 335 return true; 336} 337 338#define MMAP_RND_PATH "/proc/sys/vm/mmap_rnd_bits" 339#define MMAP_RND_COMPAT_PATH "/proc/sys/vm/mmap_rnd_compat_bits" 340 341/* __attribute__((unused)) due to lack of mips support: see mips block 342 * in set_mmap_rnd_bits_action */ 343static bool __attribute__((unused)) set_mmap_rnd_bits_min(int start, int min, bool compat) { 344 std::string path; 345 if (compat) { 346 path = MMAP_RND_COMPAT_PATH; 347 } else { 348 path = MMAP_RND_PATH; 349 } 350 351 return set_highest_available_option_value(path, min, start); 352} 353 354/* 355 * Set /proc/sys/vm/mmap_rnd_bits and potentially 356 * /proc/sys/vm/mmap_rnd_compat_bits to the maximum supported values. 357 * Returns -1 if unable to set these to an acceptable value. 358 * 359 * To support this sysctl, the following upstream commits are needed: 360 * 361 * d07e22597d1d mm: mmap: add new /proc tunable for mmap_base ASLR 362 * e0c25d958f78 arm: mm: support ARCH_MMAP_RND_BITS 363 * 8f0d3aa9de57 arm64: mm: support ARCH_MMAP_RND_BITS 364 * 9e08f57d684a x86: mm: support ARCH_MMAP_RND_BITS 365 * ec9ee4acd97c drivers: char: random: add get_random_long() 366 * 5ef11c35ce86 mm: ASLR: use get_random_long() 367 */ 368static int set_mmap_rnd_bits_action(const std::vector<std::string>& args) 369{ 370 int ret = -1; 371 372 /* values are arch-dependent */ 373#if defined(__aarch64__) 374 /* arm64 supports 18 - 33 bits depending on pagesize and VA_SIZE */ 375 if (set_mmap_rnd_bits_min(33, 24, false) 376 && set_mmap_rnd_bits_min(16, 16, true)) { 377 ret = 0; 378 } 379#elif defined(__x86_64__) 380 /* x86_64 supports 28 - 32 bits */ 381 if (set_mmap_rnd_bits_min(32, 32, false) 382 && set_mmap_rnd_bits_min(16, 16, true)) { 383 ret = 0; 384 } 385#elif defined(__arm__) || defined(__i386__) 386 /* check to see if we're running on 64-bit kernel */ 387 bool h64 = !access(MMAP_RND_COMPAT_PATH, F_OK); 388 /* supported 32-bit architecture must have 16 bits set */ 389 if (set_mmap_rnd_bits_min(16, 16, h64)) { 390 ret = 0; 391 } 392#elif defined(__mips__) || defined(__mips64__) 393 // TODO: add mips support b/27788820 394 ret = 0; 395#else 396 LOG(ERROR) << "Unknown architecture"; 397#endif 398 399 if (ret == -1) { 400 LOG(ERROR) << "Unable to set adequate mmap entropy value!"; 401 security_failure(); 402 } 403 return ret; 404} 405 406#define KPTR_RESTRICT_PATH "/proc/sys/kernel/kptr_restrict" 407#define KPTR_RESTRICT_MINVALUE 2 408#define KPTR_RESTRICT_MAXVALUE 4 409 410/* Set kptr_restrict to the highest available level. 411 * 412 * Aborts if unable to set this to an acceptable value. 413 */ 414static int set_kptr_restrict_action(const std::vector<std::string>& args) 415{ 416 std::string path = KPTR_RESTRICT_PATH; 417 418 if (!set_highest_available_option_value(path, KPTR_RESTRICT_MINVALUE, KPTR_RESTRICT_MAXVALUE)) { 419 LOG(ERROR) << "Unable to set adequate kptr_restrict value!"; 420 security_failure(); 421 } 422 return 0; 423} 424 425static int keychord_init_action(const std::vector<std::string>& args) 426{ 427 keychord_init(); 428 return 0; 429} 430 431static int console_init_action(const std::vector<std::string>& args) 432{ 433 std::string console = GetProperty("ro.boot.console", ""); 434 if (!console.empty()) { 435 default_console = "/dev/" + console; 436 } 437 return 0; 438} 439 440static void import_kernel_nv(const std::string& key, const std::string& value, bool for_emulator) { 441 if (key.empty()) return; 442 443 if (for_emulator) { 444 // In the emulator, export any kernel option with the "ro.kernel." prefix. 445 property_set(StringPrintf("ro.kernel.%s", key.c_str()).c_str(), value.c_str()); 446 return; 447 } 448 449 if (key == "qemu") { 450 strlcpy(qemu, value.c_str(), sizeof(qemu)); 451 } else if (android::base::StartsWith(key, "androidboot.")) { 452 property_set(StringPrintf("ro.boot.%s", key.c_str() + 12).c_str(), value.c_str()); 453 } 454} 455 456static void export_oem_lock_status() { 457 if (!android::base::GetBoolProperty("ro.oem_unlock_supported", false)) { 458 return; 459 } 460 461 std::string value = GetProperty("ro.boot.verifiedbootstate", ""); 462 463 if (!value.empty()) { 464 property_set("ro.boot.flash.locked", value == "orange" ? "0" : "1"); 465 } 466} 467 468static void export_kernel_boot_props() { 469 struct { 470 const char *src_prop; 471 const char *dst_prop; 472 const char *default_value; 473 } prop_map[] = { 474 { "ro.boot.serialno", "ro.serialno", "", }, 475 { "ro.boot.mode", "ro.bootmode", "unknown", }, 476 { "ro.boot.baseband", "ro.baseband", "unknown", }, 477 { "ro.boot.bootloader", "ro.bootloader", "unknown", }, 478 { "ro.boot.hardware", "ro.hardware", "unknown", }, 479 { "ro.boot.revision", "ro.revision", "0", }, 480 }; 481 for (size_t i = 0; i < arraysize(prop_map); i++) { 482 std::string value = GetProperty(prop_map[i].src_prop, ""); 483 property_set(prop_map[i].dst_prop, (!value.empty()) ? value.c_str() : prop_map[i].default_value); 484 } 485} 486 487static void process_kernel_dt() { 488 if (!is_android_dt_value_expected("compatible", "android,firmware")) { 489 return; 490 } 491 492 std::unique_ptr<DIR, int (*)(DIR*)> dir(opendir(kAndroidDtDir.c_str()), closedir); 493 if (!dir) return; 494 495 std::string dt_file; 496 struct dirent *dp; 497 while ((dp = readdir(dir.get())) != NULL) { 498 if (dp->d_type != DT_REG || !strcmp(dp->d_name, "compatible") || !strcmp(dp->d_name, "name")) { 499 continue; 500 } 501 502 std::string file_name = kAndroidDtDir + dp->d_name; 503 504 android::base::ReadFileToString(file_name, &dt_file); 505 std::replace(dt_file.begin(), dt_file.end(), ',', '.'); 506 507 std::string property_name = StringPrintf("ro.boot.%s", dp->d_name); 508 property_set(property_name.c_str(), dt_file.c_str()); 509 } 510} 511 512static void process_kernel_cmdline() { 513 // The first pass does the common stuff, and finds if we are in qemu. 514 // The second pass is only necessary for qemu to export all kernel params 515 // as properties. 516 import_kernel_cmdline(false, import_kernel_nv); 517 if (qemu[0]) import_kernel_cmdline(true, import_kernel_nv); 518} 519 520static int property_enable_triggers_action(const std::vector<std::string>& args) 521{ 522 /* Enable property triggers. */ 523 property_triggers_enabled = 1; 524 return 0; 525} 526 527static int queue_property_triggers_action(const std::vector<std::string>& args) 528{ 529 ActionManager::GetInstance().QueueBuiltinAction(property_enable_triggers_action, "enable_property_trigger"); 530 ActionManager::GetInstance().QueueAllPropertyTriggers(); 531 return 0; 532} 533 534static void selinux_init_all_handles(void) 535{ 536 sehandle = selinux_android_file_context_handle(); 537 selinux_android_set_sehandle(sehandle); 538 sehandle_prop = selinux_android_prop_context_handle(); 539} 540 541enum selinux_enforcing_status { SELINUX_PERMISSIVE, SELINUX_ENFORCING }; 542 543static selinux_enforcing_status selinux_status_from_cmdline() { 544 selinux_enforcing_status status = SELINUX_ENFORCING; 545 546 import_kernel_cmdline(false, [&](const std::string& key, const std::string& value, bool in_qemu) { 547 if (key == "androidboot.selinux" && value == "permissive") { 548 status = SELINUX_PERMISSIVE; 549 } 550 }); 551 552 return status; 553} 554 555static bool selinux_is_enforcing(void) 556{ 557 if (ALLOW_PERMISSIVE_SELINUX) { 558 return selinux_status_from_cmdline() == SELINUX_ENFORCING; 559 } 560 return true; 561} 562 563static int audit_callback(void *data, security_class_t /*cls*/, char *buf, size_t len) { 564 565 property_audit_data *d = reinterpret_cast<property_audit_data*>(data); 566 567 if (!d || !d->name || !d->cr) { 568 LOG(ERROR) << "audit_callback invoked with null data arguments!"; 569 return 0; 570 } 571 572 snprintf(buf, len, "property=%s pid=%d uid=%d gid=%d", d->name, 573 d->cr->pid, d->cr->uid, d->cr->gid); 574 return 0; 575} 576 577/* 578 * Forks, executes the provided program in the child, and waits for the completion in the parent. 579 * Child's stderr is captured and logged using LOG(ERROR). 580 * 581 * Returns true if the child exited with status code 0, returns false otherwise. 582 */ 583static bool fork_execve_and_wait_for_completion(const char* filename, char* const argv[], 584 char* const envp[]) { 585 // Create a pipe used for redirecting child process's output. 586 // * pipe_fds[0] is the FD the parent will use for reading. 587 // * pipe_fds[1] is the FD the child will use for writing. 588 int pipe_fds[2]; 589 if (pipe(pipe_fds) == -1) { 590 PLOG(ERROR) << "Failed to create pipe"; 591 return false; 592 } 593 594 pid_t child_pid = fork(); 595 if (child_pid == -1) { 596 PLOG(ERROR) << "Failed to fork for " << filename; 597 return false; 598 } 599 600 if (child_pid == 0) { 601 // fork succeeded -- this is executing in the child process 602 603 // Close the pipe FD not used by this process 604 TEMP_FAILURE_RETRY(close(pipe_fds[0])); 605 606 // Redirect stderr to the pipe FD provided by the parent 607 if (TEMP_FAILURE_RETRY(dup2(pipe_fds[1], STDERR_FILENO)) == -1) { 608 PLOG(ERROR) << "Failed to redirect stderr of " << filename; 609 _exit(127); 610 return false; 611 } 612 TEMP_FAILURE_RETRY(close(pipe_fds[1])); 613 614 if (execve(filename, argv, envp) == -1) { 615 PLOG(ERROR) << "Failed to execve " << filename; 616 return false; 617 } 618 // Unreachable because execve will have succeeded and replaced this code 619 // with child process's code. 620 _exit(127); 621 return false; 622 } else { 623 // fork succeeded -- this is executing in the original/parent process 624 625 // Close the pipe FD not used by this process 626 TEMP_FAILURE_RETRY(close(pipe_fds[1])); 627 628 // Log the redirected output of the child process. 629 // It's unfortunate that there's no standard way to obtain an istream for a file descriptor. 630 // As a result, we're buffering all output and logging it in one go at the end of the 631 // invocation, instead of logging it as it comes in. 632 const int child_out_fd = pipe_fds[0]; 633 std::string child_output; 634 if (!android::base::ReadFdToString(child_out_fd, &child_output)) { 635 PLOG(ERROR) << "Failed to capture full output of " << filename; 636 } 637 TEMP_FAILURE_RETRY(close(child_out_fd)); 638 if (!child_output.empty()) { 639 // Log captured output, line by line, because LOG expects to be invoked for each line 640 std::istringstream in(child_output); 641 std::string line; 642 while (std::getline(in, line)) { 643 LOG(ERROR) << filename << ": " << line; 644 } 645 } 646 647 // Wait for child to terminate 648 int status; 649 if (TEMP_FAILURE_RETRY(waitpid(child_pid, &status, 0)) != child_pid) { 650 PLOG(ERROR) << "Failed to wait for " << filename; 651 return false; 652 } 653 654 if (WIFEXITED(status)) { 655 int status_code = WEXITSTATUS(status); 656 if (status_code == 0) { 657 return true; 658 } else { 659 LOG(ERROR) << filename << " exited with status " << status_code; 660 } 661 } else if (WIFSIGNALED(status)) { 662 LOG(ERROR) << filename << " killed by signal " << WTERMSIG(status); 663 } else if (WIFSTOPPED(status)) { 664 LOG(ERROR) << filename << " stopped by signal " << WSTOPSIG(status); 665 } else { 666 LOG(ERROR) << "waitpid for " << filename << " returned unexpected status: " << status; 667 } 668 669 return false; 670 } 671} 672 673static bool read_first_line(const char* file, std::string* line) { 674 line->clear(); 675 676 std::string contents; 677 if (!android::base::ReadFileToString(file, &contents, true /* follow symlinks */)) { 678 return false; 679 } 680 std::istringstream in(contents); 681 std::getline(in, *line); 682 return true; 683} 684 685static bool selinux_find_precompiled_split_policy(std::string* file) { 686 file->clear(); 687 688 static constexpr const char precompiled_sepolicy[] = "/vendor/etc/selinux/precompiled_sepolicy"; 689 if (access(precompiled_sepolicy, R_OK) == -1) { 690 return false; 691 } 692 std::string actual_plat_id; 693 if (!read_first_line("/system/etc/selinux/plat_and_mapping_sepolicy.cil.sha256", 694 &actual_plat_id)) { 695 PLOG(INFO) << "Failed to read " 696 "/system/etc/selinux/plat_and_mapping_sepolicy.cil.sha256"; 697 return false; 698 } 699 std::string precompiled_plat_id; 700 if (!read_first_line("/vendor/etc/selinux/precompiled_sepolicy.plat_and_mapping.sha256", 701 &precompiled_plat_id)) { 702 PLOG(INFO) << "Failed to read " 703 "/vendor/etc/selinux/" 704 "precompiled_sepolicy.plat_and_mapping.sha256"; 705 return false; 706 } 707 if ((actual_plat_id.empty()) || (actual_plat_id != precompiled_plat_id)) { 708 return false; 709 } 710 711 *file = precompiled_sepolicy; 712 return true; 713} 714 715static bool selinux_get_vendor_mapping_version(std::string* plat_vers) { 716 if (!read_first_line("/vendor/etc/selinux/plat_sepolicy_vers.txt", plat_vers)) { 717 PLOG(ERROR) << "Failed to read /vendor/etc/selinux/plat_sepolicy_vers.txt"; 718 return false; 719 } 720 if (plat_vers->empty()) { 721 LOG(ERROR) << "No version present in plat_sepolicy_vers.txt"; 722 return false; 723 } 724 return true; 725} 726 727static constexpr const char plat_policy_cil_file[] = "/system/etc/selinux/plat_sepolicy.cil"; 728 729static bool selinux_is_split_policy_device() { return access(plat_policy_cil_file, R_OK) != -1; } 730 731/* 732 * Loads SELinux policy split across platform/system and non-platform/vendor files. 733 * 734 * Returns true upon success, false otherwise (failure cause is logged). 735 */ 736static bool selinux_load_split_policy() { 737 // IMPLEMENTATION NOTE: Split policy consists of three CIL files: 738 // * platform -- policy needed due to logic contained in the system image, 739 // * non-platform -- policy needed due to logic contained in the vendor image, 740 // * mapping -- mapping policy which helps preserve forward-compatibility of non-platform policy 741 // with newer versions of platform policy. 742 // 743 // secilc is invoked to compile the above three policy files into a single monolithic policy 744 // file. This file is then loaded into the kernel. 745 746 // Load precompiled policy from vendor image, if a matching policy is found there. The policy 747 // must match the platform policy on the system image. 748 std::string precompiled_sepolicy_file; 749 if (selinux_find_precompiled_split_policy(&precompiled_sepolicy_file)) { 750 android::base::unique_fd fd( 751 open(precompiled_sepolicy_file.c_str(), O_RDONLY | O_CLOEXEC | O_BINARY)); 752 if (fd != -1) { 753 if (selinux_android_load_policy_from_fd(fd, precompiled_sepolicy_file.c_str()) < 0) { 754 LOG(ERROR) << "Failed to load SELinux policy from " << precompiled_sepolicy_file; 755 return false; 756 } 757 return true; 758 } 759 } 760 // No suitable precompiled policy could be loaded 761 762 LOG(INFO) << "Compiling SELinux policy"; 763 764 // Determine the highest policy language version supported by the kernel 765 set_selinuxmnt("/sys/fs/selinux"); 766 int max_policy_version = security_policyvers(); 767 if (max_policy_version == -1) { 768 PLOG(ERROR) << "Failed to determine highest policy version supported by kernel"; 769 return false; 770 } 771 772 // We store the output of the compilation on /dev because this is the most convenient tmpfs 773 // storage mount available this early in the boot sequence. 774 char compiled_sepolicy[] = "/dev/sepolicy.XXXXXX"; 775 android::base::unique_fd compiled_sepolicy_fd(mkostemp(compiled_sepolicy, O_CLOEXEC)); 776 if (compiled_sepolicy_fd < 0) { 777 PLOG(ERROR) << "Failed to create temporary file " << compiled_sepolicy; 778 return false; 779 } 780 781 // Determine which mapping file to include 782 std::string vend_plat_vers; 783 if (!selinux_get_vendor_mapping_version(&vend_plat_vers)) { 784 return false; 785 } 786 std::string mapping_file("/system/etc/selinux/mapping/" + vend_plat_vers + ".cil"); 787 // clang-format off 788 const char* compile_args[] = { 789 "/system/bin/secilc", 790 plat_policy_cil_file, 791 "-M", "true", "-G", "-N", 792 // Target the highest policy language version supported by the kernel 793 "-c", std::to_string(max_policy_version).c_str(), 794 mapping_file.c_str(), 795 "/vendor/etc/selinux/nonplat_sepolicy.cil", 796 "-o", compiled_sepolicy, 797 // We don't care about file_contexts output by the compiler 798 "-f", "/sys/fs/selinux/null", // /dev/null is not yet available 799 nullptr}; 800 // clang-format on 801 802 if (!fork_execve_and_wait_for_completion(compile_args[0], (char**)compile_args, (char**)ENV)) { 803 unlink(compiled_sepolicy); 804 return false; 805 } 806 unlink(compiled_sepolicy); 807 808 LOG(INFO) << "Loading compiled SELinux policy"; 809 if (selinux_android_load_policy_from_fd(compiled_sepolicy_fd, compiled_sepolicy) < 0) { 810 LOG(ERROR) << "Failed to load SELinux policy from " << compiled_sepolicy; 811 return false; 812 } 813 814 return true; 815} 816 817/* 818 * Loads SELinux policy from a monolithic file. 819 * 820 * Returns true upon success, false otherwise (failure cause is logged). 821 */ 822static bool selinux_load_monolithic_policy() { 823 LOG(VERBOSE) << "Loading SELinux policy from monolithic file"; 824 if (selinux_android_load_policy() < 0) { 825 PLOG(ERROR) << "Failed to load monolithic SELinux policy"; 826 return false; 827 } 828 return true; 829} 830 831/* 832 * Loads SELinux policy into the kernel. 833 * 834 * Returns true upon success, false otherwise (failure cause is logged). 835 */ 836static bool selinux_load_policy() { 837 return selinux_is_split_policy_device() ? selinux_load_split_policy() 838 : selinux_load_monolithic_policy(); 839} 840 841static void selinux_initialize(bool in_kernel_domain) { 842 Timer t; 843 844 selinux_callback cb; 845 cb.func_log = selinux_klog_callback; 846 selinux_set_callback(SELINUX_CB_LOG, cb); 847 cb.func_audit = audit_callback; 848 selinux_set_callback(SELINUX_CB_AUDIT, cb); 849 850 if (in_kernel_domain) { 851 LOG(INFO) << "Loading SELinux policy"; 852 if (!selinux_load_policy()) { 853 panic(); 854 } 855 856 bool kernel_enforcing = (security_getenforce() == 1); 857 bool is_enforcing = selinux_is_enforcing(); 858 if (kernel_enforcing != is_enforcing) { 859 if (security_setenforce(is_enforcing)) { 860 PLOG(ERROR) << "security_setenforce(%s) failed" << (is_enforcing ? "true" : "false"); 861 security_failure(); 862 } 863 } 864 865 if (!write_file("/sys/fs/selinux/checkreqprot", "0")) { 866 security_failure(); 867 } 868 869 // init's first stage can't set properties, so pass the time to the second stage. 870 setenv("INIT_SELINUX_TOOK", std::to_string(t.duration_ms()).c_str(), 1); 871 } else { 872 selinux_init_all_handles(); 873 } 874} 875 876// The files and directories that were created before initial sepolicy load 877// need to have their security context restored to the proper value. 878// This must happen before /dev is populated by ueventd. 879static void selinux_restore_context() { 880 LOG(INFO) << "Running restorecon..."; 881 restorecon("/dev"); 882 restorecon("/dev/kmsg"); 883 restorecon("/dev/socket"); 884 restorecon("/dev/random"); 885 restorecon("/dev/urandom"); 886 restorecon("/dev/__properties__"); 887 888 restorecon("/file_contexts.bin"); 889 restorecon("/plat_file_contexts"); 890 restorecon("/nonplat_file_contexts"); 891 restorecon("/plat_property_contexts"); 892 restorecon("/nonplat_property_contexts"); 893 restorecon("/plat_seapp_contexts"); 894 restorecon("/nonplat_seapp_contexts"); 895 restorecon("/plat_service_contexts"); 896 restorecon("/nonplat_service_contexts"); 897 restorecon("/plat_hwservice_contexts"); 898 restorecon("/nonplat_hwservice_contexts"); 899 restorecon("/sepolicy"); 900 restorecon("/vndservice_contexts"); 901 902 restorecon("/sys", SELINUX_ANDROID_RESTORECON_RECURSE); 903 restorecon("/dev/block", SELINUX_ANDROID_RESTORECON_RECURSE); 904 restorecon("/dev/device-mapper"); 905} 906 907// Set the UDC controller for the ConfigFS USB Gadgets. 908// Read the UDC controller in use from "/sys/class/udc". 909// In case of multiple UDC controllers select the first one. 910static void set_usb_controller() { 911 std::unique_ptr<DIR, decltype(&closedir)>dir(opendir("/sys/class/udc"), closedir); 912 if (!dir) return; 913 914 dirent* dp; 915 while ((dp = readdir(dir.get())) != nullptr) { 916 if (dp->d_name[0] == '.') continue; 917 918 property_set("sys.usb.controller", dp->d_name); 919 break; 920 } 921} 922 923static void install_reboot_signal_handlers() { 924 // Instead of panic'ing the kernel as is the default behavior when init crashes, 925 // we prefer to reboot to bootloader on development builds, as this will prevent 926 // boot looping bad configurations and allow both developers and test farms to easily 927 // recover. 928 struct sigaction action; 929 memset(&action, 0, sizeof(action)); 930 sigfillset(&action.sa_mask); 931 action.sa_handler = [](int) { 932 // panic() reboots to bootloader 933 panic(); 934 }; 935 action.sa_flags = SA_RESTART; 936 sigaction(SIGABRT, &action, nullptr); 937 sigaction(SIGBUS, &action, nullptr); 938 sigaction(SIGFPE, &action, nullptr); 939 sigaction(SIGILL, &action, nullptr); 940 sigaction(SIGSEGV, &action, nullptr); 941#if defined(SIGSTKFLT) 942 sigaction(SIGSTKFLT, &action, nullptr); 943#endif 944 sigaction(SIGSYS, &action, nullptr); 945 sigaction(SIGTRAP, &action, nullptr); 946} 947 948int main(int argc, char** argv) { 949 if (!strcmp(basename(argv[0]), "ueventd")) { 950 return ueventd_main(argc, argv); 951 } 952 953 if (!strcmp(basename(argv[0]), "watchdogd")) { 954 return watchdogd_main(argc, argv); 955 } 956 957 if (REBOOT_BOOTLOADER_ON_PANIC) { 958 install_reboot_signal_handlers(); 959 } 960 961 add_environment("PATH", _PATH_DEFPATH); 962 963 bool is_first_stage = (getenv("INIT_SECOND_STAGE") == nullptr); 964 965 if (is_first_stage) { 966 boot_clock::time_point start_time = boot_clock::now(); 967 968 // Clear the umask. 969 umask(0); 970 971 // Get the basic filesystem setup we need put together in the initramdisk 972 // on / and then we'll let the rc file figure out the rest. 973 mount("tmpfs", "/dev", "tmpfs", MS_NOSUID, "mode=0755"); 974 mkdir("/dev/pts", 0755); 975 mkdir("/dev/socket", 0755); 976 mount("devpts", "/dev/pts", "devpts", 0, NULL); 977 #define MAKE_STR(x) __STRING(x) 978 mount("proc", "/proc", "proc", 0, "hidepid=2,gid=" MAKE_STR(AID_READPROC)); 979 // Don't expose the raw commandline to unprivileged processes. 980 chmod("/proc/cmdline", 0440); 981 gid_t groups[] = { AID_READPROC }; 982 setgroups(arraysize(groups), groups); 983 mount("sysfs", "/sys", "sysfs", 0, NULL); 984 mount("selinuxfs", "/sys/fs/selinux", "selinuxfs", 0, NULL); 985 mknod("/dev/kmsg", S_IFCHR | 0600, makedev(1, 11)); 986 mknod("/dev/random", S_IFCHR | 0666, makedev(1, 8)); 987 mknod("/dev/urandom", S_IFCHR | 0666, makedev(1, 9)); 988 989 // Now that tmpfs is mounted on /dev and we have /dev/kmsg, we can actually 990 // talk to the outside world... 991 InitKernelLogging(argv); 992 993 LOG(INFO) << "init first stage started!"; 994 995 if (!DoFirstStageMount()) { 996 LOG(ERROR) << "Failed to mount required partitions early ..."; 997 panic(); 998 } 999 1000 SetInitAvbVersionInRecovery(); 1001 1002 // Set up SELinux, loading the SELinux policy. 1003 selinux_initialize(true); 1004 1005 // We're in the kernel domain, so re-exec init to transition to the init domain now 1006 // that the SELinux policy has been loaded. 1007 if (restorecon("/init") == -1) { 1008 PLOG(ERROR) << "restorecon failed"; 1009 security_failure(); 1010 } 1011 1012 setenv("INIT_SECOND_STAGE", "true", 1); 1013 1014 static constexpr uint32_t kNanosecondsPerMillisecond = 1e6; 1015 uint64_t start_ms = start_time.time_since_epoch().count() / kNanosecondsPerMillisecond; 1016 setenv("INIT_STARTED_AT", StringPrintf("%" PRIu64, start_ms).c_str(), 1); 1017 1018 char* path = argv[0]; 1019 char* args[] = { path, nullptr }; 1020 execv(path, args); 1021 1022 // execv() only returns if an error happened, in which case we 1023 // panic and never fall through this conditional. 1024 PLOG(ERROR) << "execv(\"" << path << "\") failed"; 1025 security_failure(); 1026 } 1027 1028 // At this point we're in the second stage of init. 1029 InitKernelLogging(argv); 1030 LOG(INFO) << "init second stage started!"; 1031 1032 // Set up a session keyring that all processes will have access to. It 1033 // will hold things like FBE encryption keys. No process should override 1034 // its session keyring. 1035 keyctl(KEYCTL_GET_KEYRING_ID, KEY_SPEC_SESSION_KEYRING, 1); 1036 1037 // Indicate that booting is in progress to background fw loaders, etc. 1038 close(open("/dev/.booting", O_WRONLY | O_CREAT | O_CLOEXEC, 0000)); 1039 1040 property_init(); 1041 1042 // If arguments are passed both on the command line and in DT, 1043 // properties set in DT always have priority over the command-line ones. 1044 process_kernel_dt(); 1045 process_kernel_cmdline(); 1046 1047 // Propagate the kernel variables to internal variables 1048 // used by init as well as the current required properties. 1049 export_kernel_boot_props(); 1050 1051 // Make the time that init started available for bootstat to log. 1052 property_set("ro.boottime.init", getenv("INIT_STARTED_AT")); 1053 property_set("ro.boottime.init.selinux", getenv("INIT_SELINUX_TOOK")); 1054 1055 // Set libavb version for Framework-only OTA match in Treble build. 1056 const char* avb_version = getenv("INIT_AVB_VERSION"); 1057 if (avb_version) property_set("ro.boot.avb_version", avb_version); 1058 1059 // Clean up our environment. 1060 unsetenv("INIT_SECOND_STAGE"); 1061 unsetenv("INIT_STARTED_AT"); 1062 unsetenv("INIT_SELINUX_TOOK"); 1063 unsetenv("INIT_AVB_VERSION"); 1064 1065 // Now set up SELinux for second stage. 1066 selinux_initialize(false); 1067 selinux_restore_context(); 1068 1069 epoll_fd = epoll_create1(EPOLL_CLOEXEC); 1070 if (epoll_fd == -1) { 1071 PLOG(ERROR) << "epoll_create1 failed"; 1072 exit(1); 1073 } 1074 1075 signal_handler_init(); 1076 1077 property_load_boot_defaults(); 1078 export_oem_lock_status(); 1079 start_property_service(); 1080 set_usb_controller(); 1081 1082 const BuiltinFunctionMap function_map; 1083 Action::set_function_map(&function_map); 1084 1085 Parser& parser = Parser::GetInstance(); 1086 parser.AddSectionParser("service",std::make_unique<ServiceParser>()); 1087 parser.AddSectionParser("on", std::make_unique<ActionParser>()); 1088 parser.AddSectionParser("import", std::make_unique<ImportParser>()); 1089 std::string bootscript = GetProperty("ro.boot.init_rc", ""); 1090 if (bootscript.empty()) { 1091 parser.ParseConfig("/init.rc"); 1092 parser.set_is_system_etc_init_loaded( 1093 parser.ParseConfig("/system/etc/init")); 1094 parser.set_is_vendor_etc_init_loaded( 1095 parser.ParseConfig("/vendor/etc/init")); 1096 parser.set_is_odm_etc_init_loaded(parser.ParseConfig("/odm/etc/init")); 1097 } else { 1098 parser.ParseConfig(bootscript); 1099 parser.set_is_system_etc_init_loaded(true); 1100 parser.set_is_vendor_etc_init_loaded(true); 1101 parser.set_is_odm_etc_init_loaded(true); 1102 } 1103 1104 // Turning this on and letting the INFO logging be discarded adds 0.2s to 1105 // Nexus 9 boot time, so it's disabled by default. 1106 if (false) parser.DumpState(); 1107 1108 ActionManager& am = ActionManager::GetInstance(); 1109 1110 am.QueueEventTrigger("early-init"); 1111 1112 // Queue an action that waits for coldboot done so we know ueventd has set up all of /dev... 1113 am.QueueBuiltinAction(wait_for_coldboot_done_action, "wait_for_coldboot_done"); 1114 // ... so that we can start queuing up actions that require stuff from /dev. 1115 am.QueueBuiltinAction(mix_hwrng_into_linux_rng_action, "mix_hwrng_into_linux_rng"); 1116 am.QueueBuiltinAction(set_mmap_rnd_bits_action, "set_mmap_rnd_bits"); 1117 am.QueueBuiltinAction(set_kptr_restrict_action, "set_kptr_restrict"); 1118 am.QueueBuiltinAction(keychord_init_action, "keychord_init"); 1119 am.QueueBuiltinAction(console_init_action, "console_init"); 1120 1121 // Trigger all the boot actions to get us started. 1122 am.QueueEventTrigger("init"); 1123 1124 // Repeat mix_hwrng_into_linux_rng in case /dev/hw_random or /dev/random 1125 // wasn't ready immediately after wait_for_coldboot_done 1126 am.QueueBuiltinAction(mix_hwrng_into_linux_rng_action, "mix_hwrng_into_linux_rng"); 1127 1128 // Don't mount filesystems or start core system services in charger mode. 1129 std::string bootmode = GetProperty("ro.bootmode", ""); 1130 if (bootmode == "charger") { 1131 am.QueueEventTrigger("charger"); 1132 } else { 1133 am.QueueEventTrigger("late-init"); 1134 } 1135 1136 // Run all property triggers based on current state of the properties. 1137 am.QueueBuiltinAction(queue_property_triggers_action, "queue_property_triggers"); 1138 1139 while (true) { 1140 // By default, sleep until something happens. 1141 int epoll_timeout_ms = -1; 1142 1143 if (!(waiting_for_prop || ServiceManager::GetInstance().IsWaitingForExec())) { 1144 am.ExecuteOneCommand(); 1145 } 1146 if (!(waiting_for_prop || ServiceManager::GetInstance().IsWaitingForExec())) { 1147 restart_processes(); 1148 1149 // If there's a process that needs restarting, wake up in time for that. 1150 if (process_needs_restart_at != 0) { 1151 epoll_timeout_ms = (process_needs_restart_at - time(nullptr)) * 1000; 1152 if (epoll_timeout_ms < 0) epoll_timeout_ms = 0; 1153 } 1154 1155 // If there's more work to do, wake up again immediately. 1156 if (am.HasMoreCommands()) epoll_timeout_ms = 0; 1157 } 1158 1159 epoll_event ev; 1160 int nr = TEMP_FAILURE_RETRY(epoll_wait(epoll_fd, &ev, 1, epoll_timeout_ms)); 1161 if (nr == -1) { 1162 PLOG(ERROR) << "epoll_wait failed"; 1163 } else if (nr == 1) { 1164 ((void (*)()) ev.data.ptr)(); 1165 } 1166 } 1167 1168 return 0; 1169} 1170