Merge "shell_and_utilities_recovery: Fix required dependencies"
diff --git a/adb/Android.bp b/adb/Android.bp
index 8747182..2fc205f 100644
--- a/adb/Android.bp
+++ b/adb/Android.bp
@@ -25,7 +25,6 @@
"-Wthread-safety",
"-Wvla",
"-DADB_HOST=1", // overridden by adbd_defaults
- "-DALLOW_ADBD_ROOT=0", // overridden by adbd_defaults
"-DANDROID_BASE_UNIQUE_FD_DISABLE_IMPLICIT_CONVERSION=1",
],
cpp_std: "experimental",
@@ -81,16 +80,6 @@
defaults: ["adb_defaults"],
cflags: ["-UADB_HOST", "-DADB_HOST=0"],
- product_variables: {
- debuggable: {
- cflags: [
- "-UALLOW_ADBD_ROOT",
- "-DALLOW_ADBD_ROOT=1",
- "-DALLOW_ADBD_DISABLE_VERITY",
- "-DALLOW_ADBD_NO_AUTH",
- ],
- },
- },
}
cc_defaults {
@@ -640,16 +629,14 @@
],
}
},
-
- required: [
- "libadbd_auth",
- "libadbd_fs",
- ],
}
phony {
- name: "adbd_system_binaries",
+ // Interface between adbd in a module and the system.
+ name: "adbd_system_api",
required: [
+ "libadbd_auth",
+ "libadbd_fs",
"abb",
"reboot",
"set-verity-state",
@@ -657,8 +644,10 @@
}
phony {
- name: "adbd_system_binaries_recovery",
+ name: "adbd_system_api_recovery",
required: [
+ "libadbd_auth",
+ "libadbd_fs",
"reboot.recovery",
],
}
diff --git a/adb/daemon/main.cpp b/adb/daemon/main.cpp
index db8f07b..eb28668 100644
--- a/adb/daemon/main.cpp
+++ b/adb/daemon/main.cpp
@@ -62,23 +62,7 @@
#if defined(__ANDROID__)
static const char* root_seclabel = nullptr;
-static inline bool is_device_unlocked() {
- return "orange" == android::base::GetProperty("ro.boot.verifiedbootstate", "");
-}
-
-static bool should_drop_capabilities_bounding_set() {
- if (ALLOW_ADBD_ROOT || is_device_unlocked()) {
- if (__android_log_is_debuggable()) {
- return false;
- }
- }
- return true;
-}
-
static bool should_drop_privileges() {
- // "adb root" not allowed, always drop privileges.
- if (!ALLOW_ADBD_ROOT && !is_device_unlocked()) return true;
-
// The properties that affect `adb root` and `adb unroot` are ro.secure and
// ro.debuggable. In this context the names don't make the expected behavior
// particularly obvious.
@@ -132,7 +116,7 @@
// Don't listen on a port (default 5037) if running in secure mode.
// Don't run as root if running in secure mode.
if (should_drop_privileges()) {
- const bool should_drop_caps = should_drop_capabilities_bounding_set();
+ const bool should_drop_caps = !__android_log_is_debuggable();
if (should_drop_caps) {
minijail_use_caps(jail.get(), CAP_TO_MASK(CAP_SETUID) | CAP_TO_MASK(CAP_SETGID));
@@ -218,15 +202,10 @@
// descriptor will always be open.
adbd_cloexec_auth_socket();
-#if defined(__ANDROID_RECOVERY__)
- if (is_device_unlocked() || __android_log_is_debuggable()) {
- auth_required = false;
- }
-#elif defined(ALLOW_ADBD_NO_AUTH)
- // If ro.adb.secure is unset, default to no authentication required.
- auth_required = android::base::GetBoolProperty("ro.adb.secure", false);
-#elif defined(__ANDROID__)
- if (is_device_unlocked()) { // allows no authentication when the device is unlocked.
+#if defined(__ANDROID__)
+ // If we're on userdebug/eng or the device is unlocked, permit no-authentication.
+ bool device_unlocked = "orange" == android::base::GetProperty("ro.boot.verifiedbootstate", "");
+ if (__android_log_is_debuggable() || device_unlocked) {
auth_required = android::base::GetBoolProperty("ro.adb.secure", false);
}
#endif
diff --git a/fastboot/fastboot.cpp b/fastboot/fastboot.cpp
index 46d1d36..0e9713d 100644
--- a/fastboot/fastboot.cpp
+++ b/fastboot/fastboot.cpp
@@ -200,8 +200,10 @@
double last_start_time;
static void Status(const std::string& message) {
- static constexpr char kStatusFormat[] = "%-50s ";
- fprintf(stderr, kStatusFormat, message.c_str());
+ if (!message.empty()) {
+ static constexpr char kStatusFormat[] = "%-50s ";
+ fprintf(stderr, kStatusFormat, message.c_str());
+ }
last_start_time = now();
}
diff --git a/fs_mgr/fs_mgr.cpp b/fs_mgr/fs_mgr.cpp
index 8c2e001..b2c7a27 100644
--- a/fs_mgr/fs_mgr.cpp
+++ b/fs_mgr/fs_mgr.cpp
@@ -1099,8 +1099,28 @@
}
android::dm::DmTable table;
- if (!table.AddTarget(std::make_unique<android::dm::DmTargetBow>(
- 0, size, entry->blk_device))) {
+ auto bowTarget =
+ std::make_unique<android::dm::DmTargetBow>(0, size, entry->blk_device);
+
+ // dm-bow uses the first block as a log record, and relocates the real first block
+ // elsewhere. For metadata encrypted devices, dm-bow sits below dm-default-key, and
+ // for post Android Q devices dm-default-key uses a block size of 4096 always.
+ // So if dm-bow's block size, which by default is the block size of the underlying
+ // hardware, is less than dm-default-key's, blocks will get broken up and I/O will
+ // fail as it won't be data_unit_size aligned.
+ // However, since it is possible there is an already shipping non
+ // metadata-encrypted device with smaller blocks, we must not change this for
+ // devices shipped with Q or earlier unless they explicitly selected dm-default-key
+ // v2
+ constexpr unsigned int pre_gki_level = __ANDROID_API_Q__;
+ unsigned int options_format_version = android::base::GetUintProperty<unsigned int>(
+ "ro.crypto.dm_default_key.options_format.version",
+ (android::fscrypt::GetFirstApiLevel() <= pre_gki_level ? 1 : 2));
+ if (options_format_version > 1) {
+ bowTarget->SetBlockSize(4096);
+ }
+
+ if (!table.AddTarget(std::move(bowTarget))) {
LERROR << "Failed to add bow target";
return false;
}
@@ -1736,6 +1756,11 @@
// wrapper to __mount() and expects a fully prepared fstab_rec,
// unlike fs_mgr_do_mount which does more things with avb / verity etc.
int fs_mgr_do_mount_one(const FstabEntry& entry, const std::string& mount_point) {
+ // First check the filesystem if requested.
+ if (entry.fs_mgr_flags.wait && !WaitForFile(entry.blk_device, 20s)) {
+ LERROR << "Skipping mounting '" << entry.blk_device << "'";
+ }
+
// Run fsck if needed
prepare_fs_for_mount(entry.blk_device, entry);
diff --git a/fs_mgr/libdm/dm_target.cpp b/fs_mgr/libdm/dm_target.cpp
index a594198..250cb82 100644
--- a/fs_mgr/libdm/dm_target.cpp
+++ b/fs_mgr/libdm/dm_target.cpp
@@ -120,6 +120,11 @@
return keyid_ + " " + block_device_;
}
+std::string DmTargetBow::GetParameterString() const {
+ if (!block_size_) return target_string_;
+ return target_string_ + " 1 block_size:" + std::to_string(block_size_);
+}
+
std::string DmTargetSnapshot::name() const {
if (mode_ == SnapshotStorageMode::Merge) {
return "snapshot-merge";
diff --git a/fs_mgr/libdm/include/libdm/dm_target.h b/fs_mgr/libdm/include/libdm/dm_target.h
index 57096ce..f986cfe 100644
--- a/fs_mgr/libdm/include/libdm/dm_target.h
+++ b/fs_mgr/libdm/include/libdm/dm_target.h
@@ -175,11 +175,14 @@
DmTargetBow(uint64_t start, uint64_t length, const std::string& target_string)
: DmTarget(start, length), target_string_(target_string) {}
+ void SetBlockSize(uint32_t block_size) { block_size_ = block_size; }
+
std::string name() const override { return "bow"; }
- std::string GetParameterString() const override { return target_string_; }
+ std::string GetParameterString() const override;
private:
std::string target_string_;
+ uint32_t block_size_ = 0;
};
enum class SnapshotStorageMode {
diff --git a/init/README.md b/init/README.md
index 0dd1490..188f19b 100644
--- a/init/README.md
+++ b/init/README.md
@@ -564,9 +564,11 @@
_options_ include "barrier=1", "noauto\_da\_alloc", "discard", ... as
a comma separated string, e.g. barrier=1,noauto\_da\_alloc
-`parse_apex_configs`
-> Parses config file(s) from the mounted APEXes. Intended to be used only once
- when apexd notifies the mount event by setting apexd.status to ready.
+`perform_apex_config`
+> Performs tasks after APEXes are mounted. For example, creates data directories
+ for the mounted APEXes, parses config file(s) from them, and updates linker
+ configurations. Intended to be used only once when apexd notifies the mount
+ event by setting `apexd.status` to ready.
`restart <service>`
> Stops and restarts a running service, does nothing if the service is currently
@@ -623,8 +625,11 @@
`stop <service>`
> Stop a service from running if it is currently running.
-`swapon_all <fstab>`
+`swapon_all [ <fstab> ]`
> Calls fs\_mgr\_swapon\_all on the given fstab file.
+ If the fstab parameter is not specified, fstab.${ro.boot.fstab_suffix},
+ fstab.${ro.hardware} or fstab.${ro.hardware.platform} will be scanned for
+ under /odm/etc, /vendor/etc, or / at runtime, in that order.
`symlink <target> <path>`
> Create a symbolic link at _path_ with the value _target_
@@ -639,6 +644,12 @@
`umount <path>`
> Unmount the filesystem mounted at that path.
+`umount_all [ <fstab> ]`
+> Calls fs\_mgr\_umount\_all on the given fstab file.
+ If the fstab parameter is not specified, fstab.${ro.boot.fstab_suffix},
+ fstab.${ro.hardware} or fstab.${ro.hardware.platform} will be scanned for
+ under /odm/etc, /vendor/etc, or / at runtime, in that order.
+
`verity_update_state <mount-point>`
> Internal implementation detail used to update dm-verity state and
set the partition._mount-point_.verified properties used by adb remount
@@ -753,7 +764,7 @@
These are equivalent to using the `start`, `restart`, and `stop` commands on the service specified
by the _value_ of the property.
-`oneshot_one` and `oneshot_off` will turn on or off the _oneshot_
+`oneshot_on` and `oneshot_off` will turn on or off the _oneshot_
flag for the service specified by the _value_ of the property. This is
particularly intended for services that are conditionally lazy HALs. When
they are lazy HALs, oneshot must be on, otherwise oneshot should be off.
diff --git a/init/builtins.cpp b/init/builtins.cpp
index e918e12..0ac66f2 100644
--- a/init/builtins.cpp
+++ b/init/builtins.cpp
@@ -708,10 +708,20 @@
return {};
}
+/* swapon_all [ <fstab> ] */
static Result<void> do_swapon_all(const BuiltinArguments& args) {
+ auto swapon_all = ParseSwaponAll(args.args);
+ if (!swapon_all.ok()) return swapon_all.error();
+
Fstab fstab;
- if (!ReadFstabFromFile(args[1], &fstab)) {
- return Error() << "Could not read fstab '" << args[1] << "'";
+ if (swapon_all->empty()) {
+ if (!ReadDefaultFstab(&fstab)) {
+ return Error() << "Could not read default fstab";
+ }
+ } else {
+ if (!ReadFstabFromFile(*swapon_all, &fstab)) {
+ return Error() << "Could not read fstab '" << *swapon_all << "'";
+ }
}
if (!fs_mgr_swapon_all(fstab)) {
@@ -1371,7 +1381,7 @@
{"setrlimit", {3, 3, {false, do_setrlimit}}},
{"start", {1, 1, {false, do_start}}},
{"stop", {1, 1, {false, do_stop}}},
- {"swapon_all", {1, 1, {false, do_swapon_all}}},
+ {"swapon_all", {0, 1, {false, do_swapon_all}}},
{"enter_default_mount_ns", {0, 0, {false, do_enter_default_mount_ns}}},
{"symlink", {2, 2, {true, do_symlink}}},
{"sysclktz", {1, 1, {false, do_sysclktz}}},
diff --git a/init/check_builtins.cpp b/init/check_builtins.cpp
index 450c079..481fa31 100644
--- a/init/check_builtins.cpp
+++ b/init/check_builtins.cpp
@@ -202,6 +202,14 @@
return {};
}
+Result<void> check_swapon_all(const BuiltinArguments& args) {
+ auto options = ParseSwaponAll(args.args);
+ if (!options.ok()) {
+ return options.error();
+ }
+ return {};
+}
+
Result<void> check_sysclktz(const BuiltinArguments& args) {
ReturnIfAnyArgsEmpty();
diff --git a/init/check_builtins.h b/init/check_builtins.h
index 725a6fd..dc1b752 100644
--- a/init/check_builtins.h
+++ b/init/check_builtins.h
@@ -37,6 +37,7 @@
Result<void> check_restorecon_recursive(const BuiltinArguments& args);
Result<void> check_setprop(const BuiltinArguments& args);
Result<void> check_setrlimit(const BuiltinArguments& args);
+Result<void> check_swapon_all(const BuiltinArguments& args);
Result<void> check_sysclktz(const BuiltinArguments& args);
Result<void> check_umount_all(const BuiltinArguments& args);
Result<void> check_wait(const BuiltinArguments& args);
diff --git a/init/util.cpp b/init/util.cpp
index 40f24b1..aec3173 100644
--- a/init/util.cpp
+++ b/init/util.cpp
@@ -654,11 +654,22 @@
return std::pair(flag, paths);
}
+Result<std::string> ParseSwaponAll(const std::vector<std::string>& args) {
+ if (args.size() <= 1) {
+ if (SelinuxGetVendorAndroidVersion() <= __ANDROID_API_Q__) {
+ return Error() << "swapon_all requires at least 1 argument";
+ }
+ return {};
+ }
+ return args[1];
+}
+
Result<std::string> ParseUmountAll(const std::vector<std::string>& args) {
- if (SelinuxGetVendorAndroidVersion() <= __ANDROID_API_Q__) {
- if (args.size() <= 1) {
+ if (args.size() <= 1) {
+ if (SelinuxGetVendorAndroidVersion() <= __ANDROID_API_Q__) {
return Error() << "umount_all requires at least 1 argument";
}
+ return {};
}
return args[1];
}
diff --git a/init/util.h b/init/util.h
index 28f6b18..8a6aa60 100644
--- a/init/util.h
+++ b/init/util.h
@@ -92,6 +92,8 @@
Result<std::pair<int, std::vector<std::string>>> ParseRestorecon(
const std::vector<std::string>& args);
+Result<std::string> ParseSwaponAll(const std::vector<std::string>& args);
+
Result<std::string> ParseUmountAll(const std::vector<std::string>& args);
void SetStdioToDevNull(char** argv);
diff --git a/libbacktrace/Android.bp b/libbacktrace/Android.bp
index c4cfa6f..f75e8df 100644
--- a/libbacktrace/Android.bp
+++ b/libbacktrace/Android.bp
@@ -126,7 +126,10 @@
// Static library without DEX support to avoid dependencies on the ART APEX.
cc_library_static {
name: "libbacktrace_no_dex",
- visibility: ["//system/core/debuggerd"],
+ visibility: [
+ "//system/core/debuggerd",
+ "//system/core/init",
+ ],
defaults: ["libbacktrace_defaults"],
cflags: ["-DNO_LIBDEXFILE_SUPPORT"],
target: {
diff --git a/libkeyutils/keyutils.cpp b/libkeyutils/keyutils.cpp
index 8f63f70..1c5acc9 100644
--- a/libkeyutils/keyutils.cpp
+++ b/libkeyutils/keyutils.cpp
@@ -32,17 +32,7 @@
#include <sys/syscall.h>
#include <unistd.h>
-// Deliberately not exposed. Callers should use the typed APIs instead.
-static long keyctl(int cmd, ...) {
- va_list va;
- va_start(va, cmd);
- unsigned long arg2 = va_arg(va, unsigned long);
- unsigned long arg3 = va_arg(va, unsigned long);
- unsigned long arg4 = va_arg(va, unsigned long);
- unsigned long arg5 = va_arg(va, unsigned long);
- va_end(va);
- return syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5);
-}
+// keyctl(2) is deliberately not exposed. Callers should use the typed APIs instead.
key_serial_t add_key(const char* type, const char* description, const void* payload,
size_t payload_length, key_serial_t ring_id) {
@@ -50,30 +40,30 @@
}
key_serial_t keyctl_get_keyring_ID(key_serial_t id, int create) {
- return keyctl(KEYCTL_GET_KEYRING_ID, id, create);
+ return syscall(__NR_keyctl, KEYCTL_GET_KEYRING_ID, id, create);
}
long keyctl_revoke(key_serial_t id) {
- return keyctl(KEYCTL_REVOKE, id);
+ return syscall(__NR_keyctl, KEYCTL_REVOKE, id);
}
long keyctl_search(key_serial_t ring_id, const char* type, const char* description,
key_serial_t dest_ring_id) {
- return keyctl(KEYCTL_SEARCH, ring_id, type, description, dest_ring_id);
+ return syscall(__NR_keyctl, KEYCTL_SEARCH, ring_id, type, description, dest_ring_id);
}
long keyctl_setperm(key_serial_t id, int permissions) {
- return keyctl(KEYCTL_SETPERM, id, permissions);
+ return syscall(__NR_keyctl, KEYCTL_SETPERM, id, permissions);
}
long keyctl_unlink(key_serial_t key, key_serial_t keyring) {
- return keyctl(KEYCTL_UNLINK, key, keyring);
+ return syscall(__NR_keyctl, KEYCTL_UNLINK, key, keyring);
}
long keyctl_restrict_keyring(key_serial_t keyring, const char* type, const char* restriction) {
- return keyctl(KEYCTL_RESTRICT_KEYRING, keyring, type, restriction);
+ return syscall(__NR_keyctl, KEYCTL_RESTRICT_KEYRING, keyring, type, restriction);
}
long keyctl_get_security(key_serial_t id, char* buffer, size_t buflen) {
- return keyctl(KEYCTL_GET_SECURITY, id, buffer, buflen);
+ return syscall(__NR_keyctl, KEYCTL_GET_SECURITY, id, buffer, buflen);
}
diff --git a/libprocessgroup/cgroup_map.cpp b/libprocessgroup/cgroup_map.cpp
index 2fc920b..b82b0ab 100644
--- a/libprocessgroup/cgroup_map.cpp
+++ b/libprocessgroup/cgroup_map.cpp
@@ -115,7 +115,13 @@
return true;
}
- std::string cg_tag = StringPrintf(":%s:", name());
+ std::string cg_tag;
+
+ if (version() == 2) {
+ cg_tag = "0::";
+ } else {
+ cg_tag = StringPrintf(":%s:", name());
+ }
size_t start_pos = content.find(cg_tag);
if (start_pos == std::string::npos) {
return false;
diff --git a/libprocessgroup/cgrouprc/include/android/cgrouprc.h b/libprocessgroup/cgrouprc/include/android/cgrouprc.h
index 0ce5123..7e74432 100644
--- a/libprocessgroup/cgrouprc/include/android/cgrouprc.h
+++ b/libprocessgroup/cgrouprc/include/android/cgrouprc.h
@@ -69,6 +69,7 @@
* Flag bitmask used in ACgroupController_getFlags
*/
#define CGROUPRC_CONTROLLER_FLAG_MOUNTED 0x1
+#define CGROUPRC_CONTROLLER_FLAG_NEEDS_ACTIVATION 0x2
#if __ANDROID_API__ >= __ANDROID_API_R__
diff --git a/libprocessgroup/setup/cgroup_descriptor.h b/libprocessgroup/setup/cgroup_descriptor.h
index f029c4f..699c03c 100644
--- a/libprocessgroup/setup/cgroup_descriptor.h
+++ b/libprocessgroup/setup/cgroup_descriptor.h
@@ -25,7 +25,7 @@
class CgroupDescriptor {
public:
CgroupDescriptor(uint32_t version, const std::string& name, const std::string& path,
- mode_t mode, const std::string& uid, const std::string& gid);
+ mode_t mode, const std::string& uid, const std::string& gid, uint32_t flags);
const format::CgroupController* controller() const { return &controller_; }
mode_t mode() const { return mode_; }
diff --git a/libprocessgroup/setup/cgroup_map_write.cpp b/libprocessgroup/setup/cgroup_map_write.cpp
index 17ea06e..25f16a6 100644
--- a/libprocessgroup/setup/cgroup_map_write.cpp
+++ b/libprocessgroup/setup/cgroup_map_write.cpp
@@ -17,6 +17,7 @@
//#define LOG_NDEBUG 0
#define LOG_TAG "libprocessgroup"
+#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
@@ -54,58 +55,53 @@
static constexpr const char* CGROUPS_DESC_FILE = "/etc/cgroups.json";
static constexpr const char* CGROUPS_DESC_VENDOR_FILE = "/vendor/etc/cgroups.json";
-static bool Mkdir(const std::string& path, mode_t mode, const std::string& uid,
- const std::string& gid) {
- if (mode == 0) {
- mode = 0755;
- }
-
- if (mkdir(path.c_str(), mode) != 0) {
- /* chmod in case the directory already exists */
- if (errno == EEXIST) {
- if (fchmodat(AT_FDCWD, path.c_str(), mode, AT_SYMLINK_NOFOLLOW) != 0) {
- // /acct is a special case when the directory already exists
- // TODO: check if file mode is already what we want instead of using EROFS
- if (errno != EROFS) {
- PLOG(ERROR) << "fchmodat() failed for " << path;
- return false;
- }
- }
- } else {
- PLOG(ERROR) << "mkdir() failed for " << path;
- return false;
- }
- }
-
- if (uid.empty()) {
- return true;
- }
-
- passwd* uid_pwd = getpwnam(uid.c_str());
- if (!uid_pwd) {
- PLOG(ERROR) << "Unable to decode UID for '" << uid << "'";
- return false;
- }
-
- uid_t pw_uid = uid_pwd->pw_uid;
+static bool ChangeDirModeAndOwner(const std::string& path, mode_t mode, const std::string& uid,
+ const std::string& gid, bool permissive_mode = false) {
+ uid_t pw_uid = -1;
gid_t gr_gid = -1;
- if (!gid.empty()) {
- group* gid_pwd = getgrnam(gid.c_str());
- if (!gid_pwd) {
- PLOG(ERROR) << "Unable to decode GID for '" << gid << "'";
+
+ if (!uid.empty()) {
+ passwd* uid_pwd = getpwnam(uid.c_str());
+ if (!uid_pwd) {
+ PLOG(ERROR) << "Unable to decode UID for '" << uid << "'";
return false;
}
- gr_gid = gid_pwd->gr_gid;
+
+ pw_uid = uid_pwd->pw_uid;
+ gr_gid = -1;
+
+ if (!gid.empty()) {
+ group* gid_pwd = getgrnam(gid.c_str());
+ if (!gid_pwd) {
+ PLOG(ERROR) << "Unable to decode GID for '" << gid << "'";
+ return false;
+ }
+ gr_gid = gid_pwd->gr_gid;
+ }
}
- if (lchown(path.c_str(), pw_uid, gr_gid) < 0) {
- PLOG(ERROR) << "lchown() failed for " << path;
+ auto dir = std::unique_ptr<DIR, decltype(&closedir)>(opendir(path.c_str()), closedir);
+
+ if (dir == NULL) {
+ PLOG(ERROR) << "opendir failed for " << path;
return false;
}
- /* chown may have cleared S_ISUID and S_ISGID, chmod again */
- if (mode & (S_ISUID | S_ISGID)) {
- if (fchmodat(AT_FDCWD, path.c_str(), mode, AT_SYMLINK_NOFOLLOW) != 0) {
+ struct dirent* dir_entry;
+ while ((dir_entry = readdir(dir.get()))) {
+ if (!strcmp("..", dir_entry->d_name)) {
+ continue;
+ }
+
+ std::string file_path = path + "/" + dir_entry->d_name;
+
+ if (pw_uid != -1 && lchown(file_path.c_str(), pw_uid, gr_gid) < 0) {
+ PLOG(ERROR) << "lchown() failed for " << file_path;
+ return false;
+ }
+
+ if (fchmodat(AT_FDCWD, file_path.c_str(), mode, AT_SYMLINK_NOFOLLOW) != 0 &&
+ (errno != EROFS || !permissive_mode)) {
PLOG(ERROR) << "fchmodat() failed for " << path;
return false;
}
@@ -114,6 +110,67 @@
return true;
}
+static bool Mkdir(const std::string& path, mode_t mode, const std::string& uid,
+ const std::string& gid) {
+ bool permissive_mode = false;
+
+ if (mode == 0) {
+ /* Allow chmod to fail */
+ permissive_mode = true;
+ mode = 0755;
+ }
+
+ if (mkdir(path.c_str(), mode) != 0) {
+ // /acct is a special case when the directory already exists
+ if (errno != EEXIST) {
+ PLOG(ERROR) << "mkdir() failed for " << path;
+ return false;
+ } else {
+ permissive_mode = true;
+ }
+ }
+
+ if (uid.empty() && permissive_mode) {
+ return true;
+ }
+
+ if (!ChangeDirModeAndOwner(path, mode, uid, gid, permissive_mode)) {
+ PLOG(ERROR) << "change of ownership or mode failed for " << path;
+ return false;
+ }
+
+ return true;
+}
+
+static void MergeCgroupToDescriptors(std::map<std::string, CgroupDescriptor>* descriptors,
+ const Json::Value& cgroup, const std::string& name,
+ const std::string& root_path, int cgroups_version) {
+ std::string path;
+
+ if (!root_path.empty()) {
+ path = root_path + "/" + cgroup["Path"].asString();
+ } else {
+ path = cgroup["Path"].asString();
+ }
+
+ uint32_t controller_flags = 0;
+
+ if (cgroup["NeedsActivation"].isBool() && cgroup["NeedsActivation"].asBool()) {
+ controller_flags |= CGROUPRC_CONTROLLER_FLAG_NEEDS_ACTIVATION;
+ }
+
+ CgroupDescriptor descriptor(
+ cgroups_version, name, path, std::strtoul(cgroup["Mode"].asString().c_str(), 0, 8),
+ cgroup["UID"].asString(), cgroup["GID"].asString(), controller_flags);
+
+ auto iter = descriptors->find(name);
+ if (iter == descriptors->end()) {
+ descriptors->emplace(name, descriptor);
+ } else {
+ iter->second = descriptor;
+ }
+}
+
static bool ReadDescriptorsFromFile(const std::string& file_name,
std::map<std::string, CgroupDescriptor>* descriptors) {
std::vector<CgroupDescriptor> result;
@@ -135,36 +192,19 @@
const Json::Value& cgroups = root["Cgroups"];
for (Json::Value::ArrayIndex i = 0; i < cgroups.size(); ++i) {
std::string name = cgroups[i]["Controller"].asString();
- auto iter = descriptors->find(name);
- if (iter == descriptors->end()) {
- descriptors->emplace(
- name, CgroupDescriptor(
- 1, name, cgroups[i]["Path"].asString(),
- std::strtoul(cgroups[i]["Mode"].asString().c_str(), 0, 8),
- cgroups[i]["UID"].asString(), cgroups[i]["GID"].asString()));
- } else {
- iter->second = CgroupDescriptor(
- 1, name, cgroups[i]["Path"].asString(),
- std::strtoul(cgroups[i]["Mode"].asString().c_str(), 0, 8),
- cgroups[i]["UID"].asString(), cgroups[i]["GID"].asString());
- }
+ MergeCgroupToDescriptors(descriptors, cgroups[i], name, "", 1);
}
}
if (root.isMember("Cgroups2")) {
const Json::Value& cgroups2 = root["Cgroups2"];
- auto iter = descriptors->find(CGROUPV2_CONTROLLER_NAME);
- if (iter == descriptors->end()) {
- descriptors->emplace(
- CGROUPV2_CONTROLLER_NAME,
- CgroupDescriptor(2, CGROUPV2_CONTROLLER_NAME, cgroups2["Path"].asString(),
- std::strtoul(cgroups2["Mode"].asString().c_str(), 0, 8),
- cgroups2["UID"].asString(), cgroups2["GID"].asString()));
- } else {
- iter->second =
- CgroupDescriptor(2, CGROUPV2_CONTROLLER_NAME, cgroups2["Path"].asString(),
- std::strtoul(cgroups2["Mode"].asString().c_str(), 0, 8),
- cgroups2["UID"].asString(), cgroups2["GID"].asString());
+ std::string root_path = cgroups2["Path"].asString();
+ MergeCgroupToDescriptors(descriptors, cgroups2, CGROUPV2_CONTROLLER_NAME, "", 2);
+
+ const Json::Value& childGroups = cgroups2["Controllers"];
+ for (Json::Value::ArrayIndex i = 0; i < childGroups.size(); ++i) {
+ std::string name = childGroups[i]["Controller"].asString();
+ MergeCgroupToDescriptors(descriptors, childGroups[i], name, root_path, 2);
}
}
@@ -192,17 +232,51 @@
static bool SetupCgroup(const CgroupDescriptor& descriptor) {
const format::CgroupController* controller = descriptor.controller();
- // mkdir <path> [mode] [owner] [group]
- if (!Mkdir(controller->path(), descriptor.mode(), descriptor.uid(), descriptor.gid())) {
- LOG(ERROR) << "Failed to create directory for " << controller->name() << " cgroup";
- return false;
- }
-
int result;
if (controller->version() == 2) {
- result = mount("none", controller->path(), "cgroup2", MS_NODEV | MS_NOEXEC | MS_NOSUID,
- nullptr);
+ result = 0;
+ if (!strcmp(controller->name(), CGROUPV2_CONTROLLER_NAME)) {
+ // /sys/fs/cgroup is created by cgroup2 with specific selinux permissions,
+ // try to create again in case the mount point is changed
+ if (!Mkdir(controller->path(), 0, "", "")) {
+ LOG(ERROR) << "Failed to create directory for " << controller->name() << " cgroup";
+ return false;
+ }
+
+ result = mount("none", controller->path(), "cgroup2", MS_NODEV | MS_NOEXEC | MS_NOSUID,
+ nullptr);
+
+ // selinux permissions change after mounting, so it's ok to change mode and owner now
+ if (!ChangeDirModeAndOwner(controller->path(), descriptor.mode(), descriptor.uid(),
+ descriptor.gid())) {
+ LOG(ERROR) << "Failed to create directory for " << controller->name() << " cgroup";
+ result = -1;
+ } else {
+ LOG(ERROR) << "restored ownership for " << controller->name() << " cgroup";
+ }
+ } else {
+ if (!Mkdir(controller->path(), descriptor.mode(), descriptor.uid(), descriptor.gid())) {
+ LOG(ERROR) << "Failed to create directory for " << controller->name() << " cgroup";
+ return false;
+ }
+
+ if (controller->flags() & CGROUPRC_CONTROLLER_FLAG_NEEDS_ACTIVATION) {
+ std::string str = std::string("+") + controller->name();
+ std::string path = std::string(controller->path()) + "/cgroup.subtree_control";
+
+ if (!base::WriteStringToFile(str, path)) {
+ LOG(ERROR) << "Failed to activate controller " << controller->name();
+ return false;
+ }
+ }
+ }
} else {
+ // mkdir <path> [mode] [owner] [group]
+ if (!Mkdir(controller->path(), descriptor.mode(), descriptor.uid(), descriptor.gid())) {
+ LOG(ERROR) << "Failed to create directory for " << controller->name() << " cgroup";
+ return false;
+ }
+
// Unfortunately historically cpuset controller was mounted using a mount command
// different from all other controllers. This results in controller attributes not
// to be prepended with controller name. For example this way instead of
@@ -267,8 +341,8 @@
CgroupDescriptor::CgroupDescriptor(uint32_t version, const std::string& name,
const std::string& path, mode_t mode, const std::string& uid,
- const std::string& gid)
- : controller_(version, 0, name, path), mode_(mode), uid_(uid), gid_(gid) {}
+ const std::string& gid, uint32_t flags = 0)
+ : controller_(version, flags, name, path), mode_(mode), uid_(uid), gid_(gid) {}
void CgroupDescriptor::set_mounted(bool mounted) {
uint32_t flags = controller_.flags();
diff --git a/logcat/event.logtags b/logcat/event.logtags
index 56a670a..93c3d6d 100644
--- a/logcat/event.logtags
+++ b/logcat/event.logtags
@@ -116,6 +116,9 @@
# audio
# 61000 - 61199 reserved for audioserver
+# input
+# 62000 - 62199 reserved for inputflinger
+
# com.android.server.policy
# 70000 - 70199 reserved for PhoneWindowManager and other policies
diff --git a/logcat/logcat.cpp b/logcat/logcat.cpp
index 13023f2..0056c80 100644
--- a/logcat/logcat.cpp
+++ b/logcat/logcat.cpp
@@ -36,6 +36,7 @@
#include <memory>
#include <regex>
+#include <set>
#include <string>
#include <utility>
#include <vector>
@@ -358,6 +359,10 @@
-T '<time>' Print the lines since specified time (not imply -d).
count is pure numerical, time is 'MM-DD hh:mm:ss.mmm...'
'YYYY-MM-DD hh:mm:ss.mmm...' or 'sssss.mmm...' format.
+ --uid=<uids> Only display log messages from UIDs present in the comma separate list
+ <uids>. No name look-up is performed, so UIDs must be provided as
+ numeric values. This option is only useful for the 'root', 'log', and
+ 'system' users since only those users can view logs from other users.
)init");
fprintf(stderr, "\nfilterspecs are a series of \n"
@@ -535,6 +540,7 @@
size_t pid = 0;
bool got_t = false;
unsigned id_mask = 0;
+ std::set<uid_t> uids;
if (argc == 2 && !strcmp(argv[1], "--help")) {
show_help();
@@ -554,6 +560,7 @@
static const char id_str[] = "id";
static const char wrap_str[] = "wrap";
static const char print_str[] = "print";
+ static const char uid_str[] = "uid";
// clang-format off
static const struct option long_options[] = {
{ "binary", no_argument, nullptr, 'B' },
@@ -581,6 +588,7 @@
{ "statistics", no_argument, nullptr, 'S' },
// hidden and undocumented reserved alias for -t
{ "tail", required_argument, nullptr, 't' },
+ { uid_str, required_argument, nullptr, 0 },
// support, but ignore and do not document, the optional argument
{ wrap_str, optional_argument, nullptr, 0 },
{ nullptr, 0, nullptr, 0 }
@@ -631,6 +639,17 @@
if (long_options[option_index].name == id_str) {
setId = (optarg && optarg[0]) ? optarg : nullptr;
}
+ if (long_options[option_index].name == uid_str) {
+ auto uid_strings = Split(optarg, delimiters);
+ for (const auto& uid_string : uid_strings) {
+ uid_t uid;
+ if (!ParseUint(uid_string, &uid)) {
+ error(EXIT_FAILURE, 0, "Unable to parse UID '%s'", uid_string.c_str());
+ }
+ uids.emplace(uid);
+ }
+ break;
+ }
break;
case 's':
@@ -1164,6 +1183,10 @@
LOG_ID_MAX);
}
+ if (!uids.empty() && uids.count(log_msg.entry.uid) == 0) {
+ continue;
+ }
+
PrintDividers(log_msg.id(), printDividers);
if (print_binary_) {
diff --git a/logcat/tests/logcat_test.cpp b/logcat/tests/logcat_test.cpp
index f3fdfd7..a2daeb0 100644
--- a/logcat/tests/logcat_test.cpp
+++ b/logcat/tests/logcat_test.cpp
@@ -16,6 +16,7 @@
#include <ctype.h>
#include <dirent.h>
+#include <pwd.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
@@ -28,10 +29,12 @@
#include <unistd.h>
#include <memory>
+#include <regex>
#include <string>
#include <android-base/file.h>
#include <android-base/macros.h>
+#include <android-base/parseint.h>
#include <android-base/stringprintf.h>
#include <android-base/strings.h>
#include <gtest/gtest.h>
@@ -1748,3 +1751,83 @@
ASSERT_TRUE(android::base::StartsWith(output, "unknown buffer foo\n"));
}
+
+static void SniffUid(const std::string& line, uid_t& uid) {
+ auto uid_regex = std::regex{"\\S+\\s+\\S+\\s+(\\S+).*"};
+
+ auto trimmed_line = android::base::Trim(line);
+
+ std::smatch match_results;
+ ASSERT_TRUE(std::regex_match(trimmed_line, match_results, uid_regex))
+ << "Unable to find UID in line '" << trimmed_line << "'";
+ auto uid_string = match_results[1];
+ if (!android::base::ParseUint(uid_string, &uid)) {
+ auto pwd = getpwnam(uid_string.str().c_str());
+ ASSERT_NE(nullptr, pwd) << "uid '" << uid_string << "' in line '" << trimmed_line << "'";
+ uid = pwd->pw_uid;
+ }
+}
+
+static void UidsInLog(std::optional<std::vector<uid_t>> filter_uid, std::map<uid_t, size_t>& uids) {
+ std::string command;
+ if (filter_uid) {
+ std::vector<std::string> uid_strings;
+ for (const auto& uid : *filter_uid) {
+ uid_strings.emplace_back(std::to_string(uid));
+ }
+ command = android::base::StringPrintf(logcat_executable
+ " -v uid -b all -d 2>/dev/null --uid=%s",
+ android::base::Join(uid_strings, ",").c_str());
+ } else {
+ command = logcat_executable " -v uid -b all -d 2>/dev/null";
+ }
+ auto fp = std::unique_ptr<FILE, decltype(&pclose)>(popen(command.c_str(), "r"), pclose);
+ ASSERT_NE(nullptr, fp);
+
+ char buffer[BIG_BUFFER];
+ while (fgets(buffer, sizeof(buffer), fp.get())) {
+ // Ignore dividers, e.g. '--------- beginning of radio'
+ if (android::base::StartsWith(buffer, "---------")) {
+ continue;
+ }
+ uid_t uid;
+ SniffUid(buffer, uid);
+ uids[uid]++;
+ }
+}
+
+static std::vector<uid_t> TopTwoInMap(const std::map<uid_t, size_t>& uids) {
+ std::pair<uid_t, size_t> top = {0, 0};
+ std::pair<uid_t, size_t> second = {0, 0};
+ for (const auto& [uid, count] : uids) {
+ if (count > top.second) {
+ top = second;
+ top = {uid, count};
+ } else if (count > second.second) {
+ second = {uid, count};
+ }
+ }
+ return {top.first, second.first};
+}
+
+TEST(logcat, uid_filter) {
+ std::map<uid_t, size_t> uids;
+ UidsInLog({}, uids);
+
+ ASSERT_GT(uids.size(), 2U);
+ auto top_uids = TopTwoInMap(uids);
+
+ // Test filtering with --uid=<top uid>
+ std::map<uid_t, size_t> uids_only_top;
+ std::vector<uid_t> top_uid = {top_uids[0]};
+ UidsInLog(top_uid, uids_only_top);
+
+ EXPECT_EQ(1U, uids_only_top.size());
+
+ // Test filtering with --uid=<top uid>,<2nd top uid>
+ std::map<uid_t, size_t> uids_only_top2;
+ std::vector<uid_t> top2_uids = {top_uids[0], top_uids[1]};
+ UidsInLog(top2_uids, uids_only_top2);
+
+ EXPECT_EQ(2U, uids_only_top2.size());
+}
diff --git a/rootdir/init.zygote32_64.rc b/rootdir/init.zygote32_64.rc
deleted file mode 100644
index f6149c9..0000000
--- a/rootdir/init.zygote32_64.rc
+++ /dev/null
@@ -1,24 +0,0 @@
-service zygote /system/bin/app_process32 -Xzygote /system/bin --zygote --start-system-server --socket-name=zygote
- class main
- priority -20
- user root
- group root readproc reserved_disk
- socket zygote stream 660 root system
- socket usap_pool_primary stream 660 root system
- onrestart write /sys/power/state on
- onrestart restart audioserver
- onrestart restart cameraserver
- onrestart restart media
- onrestart restart netd
- onrestart restart wificond
- writepid /dev/cpuset/foreground/tasks
-
-service zygote_secondary /system/bin/app_process64 -Xzygote /system/bin --zygote --socket-name=zygote_secondary
- class main
- priority -20
- user root
- group root readproc reserved_disk
- socket zygote_secondary stream 660 root system
- socket usap_pool_secondary stream 660 root system
- onrestart restart zygote
- writepid /dev/cpuset/foreground/tasks