Add minimized init.rc and services to microdroid

This adds a minimized init.rc and services to microdroid, so microdroid
can boot and adb can work.

Bug: 179340780
Test: boot with manually added selinux stuffs and apexd session patch
Change-Id: I42ae13f3f2ac9ca22ed646564867da3931824682
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index 35a4156..fc26f89 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -2,6 +2,13 @@
     default_applicable_licenses: ["Android-Apache-2.0"],
 }
 
+microdroid_shell_and_utilities = [
+    "reboot",
+    "sh",
+    "toolbox",
+    "toybox",
+]
+
 microdroid_rootdirs = [
     "dev",
     "proc",
@@ -38,13 +45,42 @@
     avb_algorithm: "SHA256_RSA4096",
     deps: [
         "init_second_stage",
-    ],
+        "microdroid_init_rc",
+        "libbinder",
+        "libstdc++",
+        "logcat",
+        "logd",
+        "run-as",
+        "secilc",
+        "adbd",
+        "apexd",
+        "debuggerd",
+        "linker",
+        "servicemanager",
+        "tombstoned",
+        "cgroups.json",
+    ] + microdroid_shell_and_utilities,
+    multilib: {
+        common: {
+            deps: [
+                "com.android.runtime",
+            ],
+        },
+    },
     base_dir: "system",
     dirs: microdroid_rootdirs,
     symlinks: microdroid_symlinks,
     file_contexts: "microdroid_file_contexts",
 }
 
+prebuilt_etc {
+    name: "microdroid_init_rc",
+    filename: "init.rc",
+    src: "init.rc",
+    relative_install_path: "init/hw",
+    installable: false, // avoid collision with system partition's init.rc
+}
+
 bootimg {
     name: "microdroid_vendor_boot-5.10",
     ramdisk_module: "microdroid_ramdisk-5.10",
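Review bot: `adbd`, `run-as`, `debuggerd`, `tombstoned` and `logcat` are added to the image's `deps` unconditionally, so every build of this image carries the debug tooling. The new init.rc has the same issue: `start adbd` runs in `on post-fs` with no property condition, and the service is declared with `--root_seclabel=u:r:su:s0`. If this image is ever built for non-debuggable targets, I would move the debug-only modules into their own list that is appended only for debuggable builds. The start would then go under a property trigger such as `on property:ro.debuggable=1`, assuming that property is populated this early in microdroid. The module definition starts above the hunk, so its name and type are not visible here.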
diff --git a/microdroid/init.rc b/microdroid/init.rc
new file mode 100644
index 0000000..3ad22f8
--- /dev/null
+++ b/microdroid/init.rc
@@ -0,0 +1,172 @@
+# Copyright (C) 2021 The Android Open Source Project
+#
+# init.rc for microdroid. This contains a minimal script plus basic service definitions (e.g. apexd)
+# needed for microdroid to run.
+# TODO(b/179340780): support APEX init scripts
+#
+# IMPORTANT: Do not create world writable files or directories.
+# This is a common source of Android security bugs.
+#
+
+import /init.environ.rc
+
+# Cgroups are mounted right before early-init using list from /etc/cgroups.json
+on early-init
+    start ueventd
+
+    # Run apexd-bootstrap so that APEXes that provide critical libraries
+    # become available. Note that this is executed as exec_start to ensure that
+    # the libraries are available to the processes started after this statement.
+    exec_start apexd-bootstrap
+
+on init
+    # Mount binderfs
+    mkdir /dev/binderfs
+    mount binder binder /dev/binderfs stats=global
+    chmod 0755 /dev/binderfs
+
+    symlink /dev/binderfs/binder /dev/binder
+    symlink /dev/binderfs/hwbinder /dev/hwbinder
+    symlink /dev/binderfs/vndbinder /dev/vndbinder
+
+    chmod 0666 /dev/binderfs/hwbinder
+    chmod 0666 /dev/binderfs/binder
+    chmod 0666 /dev/binderfs/vndbinder
+
+    # Start logd before any other services run to ensure we capture all of their logs.
+    start logd
+
+    start servicemanager
+
+on load_persist_props_action
+    start logd
+    start logd-reinit
+
+# Mount filesystems and start core system services.
+on late-init
+    trigger early-fs
+
+    # Mount fstab in init.{$device}.rc by mount_all command. Optional parameter
+    # '--early' can be specified to skip entries with 'latemount'.
+    # /system and /vendor must be mounted by the end of the fs stage,
+    # while /data is optional.
+    trigger fs
+    trigger post-fs
+
+    # Mount fstab in init.{$device}.rc by mount_all with '--late' parameter
+    # to only mount entries with 'latemount'. This is needed if '--early' is
+    # specified in the previous mount_all command on the fs stage.
+    # With /system mounted and properties form /system + /factory available,
+    # some services can be started.
+    trigger late-fs
+
+    # Load persist properties and override properties (if enabled) from /data.
+    trigger load_persist_props_action
+
+    # Should be before netd, but after apex, properties and logging is available.
+    trigger load_bpf_programs
+
+    # Now we can start zygote for devices with file based encryption
+    trigger zygote-start
+
+    # Remove a file to wake up anything waiting for firmware.
+    trigger firmware_mounts_complete
+
+    trigger early-boot
+    trigger boot
+
+on post-fs
+    # Once everything is setup, no need to modify /.
+    # The bind+remount combination allows this to work in containers.
+    mount rootfs rootfs / remount bind ro nodev
+
+    # Currently, exec_start apexd-bootstrap is enough to run adb.
+    # TODO(b/179342589): uncomment after turning off APEX session on microdroid
+    # start apexd
+    # Wait for apexd to finish activating APEXes before starting more processes.
+    # wait_for_prop apexd.status activated
+
+    start adbd
+
+service ueventd /system/bin/ueventd
+    class core
+    critical
+    seclabel u:r:ueventd:s0
+    shutdown critical
+
+service console /system/bin/sh
+    class core
+    console
+    disabled
+    user shell
+    group shell log readproc
+    seclabel u:r:shell:s0
+    setenv HOSTNAME console
+
+service servicemanager /system/bin/servicemanager
+    class core animation
+    user system
+    group system readproc
+    critical
+    # TODO(b/179342589): uncomment after turning off APEX session on microdroid
+    # onrestart restart apexd
+    onrestart class_restart main
+    shutdown critical
+
+service logd /system/bin/logd
+    socket logd stream 0666 logd logd
+    socket logdr seqpacket 0666 logd logd
+    socket logdw dgram+passcred 0222 logd logd
+    file /proc/kmsg r
+    file /dev/kmsg w
+    user logd
+    group logd system package_info readproc
+    capabilities SYSLOG AUDIT_CONTROL
+    priority 10
+
+service logd-reinit /system/bin/logd --reinit
+    oneshot
+    disabled
+    user logd
+    group logd
+
+# Limit SELinux denial generation to 5/second
+service logd-auditctl /system/bin/auditctl -r 5
+    oneshot
+    disabled
+    user logd
+    group logd
+    capabilities AUDIT_CONTROL
+
+on fs
+    write /dev/event-log-tags "# content owned by logd
+"
+    chown logd logd /dev/event-log-tags
+    chmod 0644 /dev/event-log-tags
+
+on property:sys.boot_completed=1
+    start logd-auditctl
+
+service adbd /system/bin/adbd --root_seclabel=u:r:su:s0
+    class core
+    socket adbd seqpacket 660 system system
+    disabled
+    seclabel u:r:adbd:s0
+
+#TODO(b/179342589): uncomment after turning off APEX session on microdroid
+#service apexd /system/bin/apexd
+#    interface aidl apexservice
+#    class core
+#    user root
+#    group system
+#    oneshot
+#    disabled # does not start with the core class
+#    reboot_on_failure reboot,apexd-failed
+
+service apexd-bootstrap /system/bin/apexd --bootstrap
+    user root
+    group system
+    oneshot
+    disabled
+    reboot_on_failure reboot,bootloader,bootstrap-apexd-failed
+
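Review bot: The header warns against world-writable files, yet `on init` sets the three binderfs nodes to 0666 and the `logd` and `logdr` sockets are declared 0666, with no comment explaining why that is acceptable here. These modes only make sense when SELinux policy restricts who may open the nodes, and the Test: line suggests the policy was added by hand rather than in this change. I would add a comment above the chmod lines, e.g. `# 0666 is intentional: access is restricted by SELinux policy, which must be in place before this image ships`, so the dependency is visible to whoever lands the policy.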