-rw-r--r-- | fs_mgr/fs_mgr.cpp | 12 | ||||
-rw-r--r-- | init/Android.mk | 1 | ||||
-rw-r--r-- | init/init.cpp | 13 | ||||
-rw-r--r-- | init/service.cpp | 22 |
4 files changed, 24 insertions, 24 deletions
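--- a/fs_mgr/fs_mgr.cpp
+++ b/fs_mgr/fs_mgr.cpp
@@ -249,6 +249,13 @@ static ext4_fsblk_t ext4_r_blocks_count(const struct ext4_super_block* es) {
 le32_to_cpu(es->s_r_blocks_count_lo);
 }
 
+static bool is_ext4_superblock_valid(const struct ext4_super_block* es) {
+if (es->s_magic != EXT4_SUPER_MAGIC) return false;
+if (es->s_rev_level != EXT4_DYNAMIC_REV && es->s_rev_level != EXT4_GOOD_OLD_REV) return false;
+if (EXT4_INODES_PER_GROUP(es) == 0) return false;
+return true;
+}
+
 // Read the primary superblock from an ext4 filesystem. On failure return
 // false. If it's not an ext4 filesystem, also set FS_STAT_EXT4_INVALID_MAGIC.
 static bool read_ext4_superblock(const char* blk_device, struct ext4_super_block* sb, int* fs_stat) {
@@ -264,9 +271,8 @@ static bool read_ext4_superblock(const char* blk_device, struct ext4_super_block
 return false;
 }
 
-if (sb->s_magic != EXT4_SUPER_MAGIC) {
-LINFO << "Invalid ext4 magic:0x" << std::hex << sb->s_magic << " "
-<< "on '" << blk_device << "'";
+if (!is_ext4_superblock_valid(sb)) {
+LINFO << "Invalid ext4 superblock on '" << blk_device << "'";
 // not a valid fs, tune2fs, fsck, and mount will all fail.
 *fs_stat |= FS_STAT_EXT4_INVALID_MAGIC;
 return false;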
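Review bot: The rejection path at `if (!is_ext4_superblock_valid(sb))` no longer reports which field failed, yet it still sets `FS_STAT_EXT4_INVALID_MAGIC` when the revision level or the inodes-per-group count is the cause. The old message carried the magic value, which is the quickest way to tell a non-ext4 partition from a damaged ext4 one in a boot log. Consider keeping it, e.g. `LINFO << "Invalid ext4 superblock on '" << blk_device << "': magic 0x" << std::hex << sb->s_magic;`. The comment above `read_ext4_superblock` should also be updated to say the flag now covers any failed superblock check, and the new helper deserves a one-line comment on why a zero `EXT4_INODES_PER_GROUP` is rejected. The body of `read_ext4_superblock` continues outside the hunk.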
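--- a/init/Android.mk
+++ b/init/Android.mk
@@ -75,6 +75,7 @@ LOCAL_STATIC_LIBRARIES := \
 libcutils \
 libbase \
 libc \
+libseccomp_policy \
 libselinux \
 liblog \
 libcrypto_utils \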
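--- a/init/init.cpp
+++ b/init/init.cpp
@@ -23,6 +23,7 @@
 #include <inttypes.h>
 #include <libgen.h>
 #include <paths.h>
+#include <seccomp_policy.h>
 #include <signal.h>
 #include <stdarg.h>
 #include <stdio.h>
@@ -554,6 +555,15 @@ static int queue_property_triggers_action(const std::vector<std::string>& args)
 return 0;
 }
 
+static void global_seccomp() {
+import_kernel_cmdline(false, [](const std::string& key, const std::string& value, bool in_qemu) {
+if (key == "androidboot.seccomp" && value == "global" && !set_global_seccomp_filter()) {
+LOG(ERROR) << "Failed to globally enable seccomp!";
+panic();
+}
+});
+}
+
 static void selinux_init_all_handles(void)
 {
 sehandle = selinux_android_file_context_handle();
@@ -1025,6 +1035,9 @@ int main(int argc, char** argv) {
 
 SetInitAvbVersionInRecovery();
 
+// Enable seccomp if global boot option was passed (otherwise it is enabled in zygote).
+global_seccomp();
+
 // Set up SELinux, loading the SELinux policy.
 selinux_initialize(true);
 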
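Review bot: In `global_seccomp()` any `androidboot.seccomp` value other than the exact string `global` is dropped without a log line. A misspelled or differently cased boot option therefore leaves init and its children without the global filter, and nothing in the boot log records it. Splitting the single condition lets an unrecognised value be logged while the failure path still panics; if other values are legitimate, they should be listed there explicitly. The lambda's `in_qemu` parameter is unused and can be left unnamed.

```cpp
static void global_seccomp() {
    import_kernel_cmdline(false, [](const std::string& key, const std::string& value, bool /*in_qemu*/) {
        if (key != "androidboot.seccomp") return;
        if (value != "global") {
            LOG(WARNING) << "Ignoring unrecognized androidboot.seccomp value '" << value << "'";
            return;
        }
        if (!set_global_seccomp_filter()) {
            LOG(ERROR) << "Failed to globally enable seccomp!";
            panic();
        }
    });
}
```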
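--- a/init/service.cpp
+++ b/init/service.cpp
@@ -156,27 +156,7 @@ ServiceEnvironmentInfo::ServiceEnvironmentInfo(const std::string& name,
 }
 
 Service::Service(const std::string& name, const std::vector<std::string>& args)
-: name_(name),
-classnames_({"default"}),
-flags_(0),
-pid_(0),
-crash_count_(0),
-uid_(0),
-gid_(0),
-namespace_flags_(0),
-seclabel_(""),
-onrestart_(false, "<Service '" + name + "' onrestart>", 0),
-keychord_id_(0),
-ioprio_class_(IoSchedClass_NONE),
-ioprio_pri_(0),
-priority_(0),
-oom_score_adjust_(-1000),
-swappiness_(-1),
-soft_limit_in_bytes_(-1),
-limit_in_bytes_(-1),
-args_(args) {
-onrestart_.InitSingleTrigger("onrestart");
-}
+: Service(name, 0, 0, 0, {}, 0, 0, "", args) {}
 
 Service::Service(const std::string& name, unsigned flags, uid_t uid, gid_t gid,
 const std::vector<gid_t>& supp_gids, const CapSet& capabilities,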