From ec18f508f9934fc9548fff6b0532452200defdbe Mon Sep 17 00:00:00 2001 From: Adam Langley Date: Wed, 11 May 2022 22:32:47 +0000 Subject: init: Add option to listen on sockets before starting service. Review note: Original change was a p-o-c by agl in https://r.android.com/2094350 which I think is actually production quality. I'm just taking it over so that he doesn't get spammed by any review comments as that's not a good use of his time. Needed for the hardware entropy daemon (see bug). Original commit message: If one needs to create a service that synchronously starts listening on a socket then there are currently no good options. The traditional UNIX solution is to have the service create the socket and then daemonise. In this situation, init could start the service with `exec_start` and yet not block forever because the service forks and exits. However, when the initial child process exits, init kills the daemon process: > init: Killed 1 additional processes from a oneshot process group for > service 'foo'. This is new behavior, previously child processes > would not be killed in this case. Next, there is a `socket` option for services and (although the documentation didn't nail this down), the socket is created synchronously by `start`. However, init doesn't call `listen` on the socket so, until the service starts listening on the socket itself, clients will get ECONNREFUSED. This this change adds a `+listen` option, similar to `+passcred` which allows a socket service to reliably handle connections. Bug: 243933553 Test: Started prng_seeder from init using the new listen flag Change-Id: I91b3b2b1fd38cc3d96e19e92b76c8e95788191d5 Merged-In: I91b3b2b1fd38cc3d96e19e92b76c8e95788191d5 (cherry picked from commit ecc14a595809846cd09760d2c59b1fdfa9660ce8) (cherry picked from commit 56a658874be2e8f5bdda288cb4fc37353c07ca37) Merged-In: I91b3b2b1fd38cc3d96e19e92b76c8e95788191d5 --- init/README.md | 7 ++++--- init/property_service.cpp | 3 ++- init/service_parser.cpp | 9 ++++++--- init/service_utils.cpp | 3 ++- init/service_utils.h | 1 + init/util.cpp | 7 +++++-- init/util.h | 4 ++-- 7 files changed, 22 insertions(+), 12 deletions(-) diff --git a/init/README.md b/init/README.md index 13c6ebdfa..aaafe7887 100644 --- a/init/README.md +++ b/init/README.md @@ -352,9 +352,10 @@ runs the service. `socket [ [ [ ] ] ]` > Create a UNIX domain socket named /dev/socket/_name_ and pass its fd to the - launched process. _type_ must be "dgram", "stream" or "seqpacket". _type_ - may end with "+passcred" to enable SO_PASSCRED on the socket. User and - group default to 0. 'seclabel' is the SELinux security context for the + launched process. The socket is created synchronously when the service starts. + _type_ must be "dgram", "stream" or "seqpacket". _type_ may end with "+passcred" + to enable SO_PASSCRED on the socket or "+listen" to synchronously make it a listening socket. + User and group default to 0. 'seclabel' is the SELinux security context for the socket. It defaults to the service security context, as specified by seclabel or computed based on the service executable file security context. For native executables see libcutils android\_get\_control\_socket(). diff --git a/init/property_service.cpp b/init/property_service.cpp index 9f7c21543..26341b196 100644 --- a/init/property_service.cpp +++ b/init/property_service.cpp @@ -1379,7 +1379,8 @@ void StartPropertyService(int* epoll_socket) { StartSendingMessages(); if (auto result = CreateSocket(PROP_SERVICE_NAME, SOCK_STREAM | SOCK_CLOEXEC | SOCK_NONBLOCK, - false, 0666, 0, 0, {}); + /*passcred=*/false, /*should_listen=*/false, 0666, /*uid=*/0, + /*gid=*/0, /*socketcon=*/{}); result.ok()) { property_set_fd = *result; } else { diff --git a/init/service_parser.cpp b/init/service_parser.cpp index 9e914ee7c..1ee309d98 100644 --- a/init/service_parser.cpp +++ b/init/service_parser.cpp @@ -434,11 +434,14 @@ Result ServiceParser::ParseSocket(std::vector&& args) { << "' instead."; } - if (types.size() > 1) { - if (types.size() == 2 && types[1] == "passcred") { + for (size_t i = 1; i < types.size(); i++) { + if (types[i] == "passcred") { socket.passcred = true; + } else if (types[i] == "listen") { + socket.listen = true; } else { - return Error() << "Only 'passcred' may be used to modify the socket type"; + return Error() << "Unknown socket type decoration '" << types[i] + << "'. Known values are ['passcred', 'listen']"; } } diff --git a/init/service_utils.cpp b/init/service_utils.cpp index eed5c65db..d19f5eef5 100644 --- a/init/service_utils.cpp +++ b/init/service_utils.cpp @@ -168,7 +168,8 @@ void Descriptor::Publish() const { Result SocketDescriptor::Create(const std::string& global_context) const { const auto& socket_context = context.empty() ? global_context : context; - auto result = CreateSocket(name, type | SOCK_CLOEXEC, passcred, perm, uid, gid, socket_context); + auto result = CreateSocket(name, type | SOCK_CLOEXEC, passcred, listen, perm, uid, gid, + socket_context); if (!result.ok()) { return result.error(); } diff --git a/init/service_utils.h b/init/service_utils.h index 9b65dca74..65a2012ff 100644 --- a/init/service_utils.h +++ b/init/service_utils.h @@ -54,6 +54,7 @@ struct SocketDescriptor { int perm = 0; std::string context; bool passcred = false; + bool listen = false; bool persist = false; // Create() creates the named unix domain socket in /dev/socket and returns a Descriptor object. diff --git a/init/util.cpp b/init/util.cpp index d1e518b57..5b3a73c0d 100644 --- a/init/util.cpp +++ b/init/util.cpp @@ -86,8 +86,8 @@ Result DecodeUid(const std::string& name) { * daemon. We communicate the file descriptor's value via the environment * variable ANDROID_SOCKET_ENV_PREFIX ("ANDROID_SOCKET_foo"). */ -Result CreateSocket(const std::string& name, int type, bool passcred, mode_t perm, uid_t uid, - gid_t gid, const std::string& socketcon) { +Result CreateSocket(const std::string& name, int type, bool passcred, bool should_listen, + mode_t perm, uid_t uid, gid_t gid, const std::string& socketcon) { if (!socketcon.empty()) { if (setsockcreatecon(socketcon.c_str()) == -1) { return ErrnoError() << "setsockcreatecon(\"" << socketcon << "\") failed"; @@ -142,6 +142,9 @@ Result CreateSocket(const std::string& name, int type, bool passcred, mode_ if (fchmodat(AT_FDCWD, addr.sun_path, perm, AT_SYMLINK_NOFOLLOW)) { return ErrnoError() << "Failed to fchmodat socket '" << addr.sun_path << "'"; } + if (should_listen && listen(fd, /* use OS maximum */ 1 << 30)) { + return ErrnoError() << "Failed to listen on socket '" << addr.sun_path << "'"; + } LOG(INFO) << "Created socket '" << addr.sun_path << "'" << ", mode " << std::oct << perm << std::dec diff --git a/init/util.h b/init/util.h index bf5367531..1e2eef090 100644 --- a/init/util.h +++ b/init/util.h @@ -44,8 +44,8 @@ static const char kColdBootDoneProp[] = "ro.cold_boot_done"; extern void (*trigger_shutdown)(const std::string& command); -Result CreateSocket(const std::string& name, int type, bool passcred, mode_t perm, uid_t uid, - gid_t gid, const std::string& socketcon); +Result CreateSocket(const std::string& name, int type, bool passcred, bool should_listen, + mode_t perm, uid_t uid, gid_t gid, const std::string& socketcon); Result ReadFile(const std::string& path); Result WriteFile(const std::string& path, const std::string& content); -- cgit v1.2.3 From 841946be56adc4efb5f3ffa59ecd720a2f1de83a Mon Sep 17 00:00:00 2001 From: Pete Bentley Date: Fri, 23 Sep 2022 12:09:32 +0100 Subject: Add AID for PRNG seeder daemon. Also adjust permissions on /dev/hw_random to allow prng_seeder group read access. Manual testing protocol: * Verify prng_seeder daemon is running and has the correct label and uid/gid. * Verify prng_seeder socket present and has correct label and permissions * Verify no SELinux denials * strace a libcrypto process and verify it reads seeding data from prng_seeder (e.g. strace bssl rand -hex 1024) * strace seeder daemon to observe incoming connections (e.g. strace -f -p `pgrep prng_seeder`) * Kill daemon, observe that init restarts it * strace again and observe clients now seed from new instance Bug: 243933553 Test: Manual - see above Change-Id: I4d526844b232fc2a1fa5ffd701ca5bc5c09e7e96 Merged-In: I4d526844b232fc2a1fa5ffd701ca5bc5c09e7e96 (cherry picked from commit 6cb61610e619e31bd22c12895ec0ca623f793127) (cherry picked from commit 046a809a90814bcea76aec1ec26d464db3b686dd) Merged-In: I4d526844b232fc2a1fa5ffd701ca5bc5c09e7e96 --- libcutils/include/private/android_filesystem_config.h | 1 + rootdir/ueventd.rc | 2 ++ 2 files changed, 3 insertions(+) diff --git a/libcutils/include/private/android_filesystem_config.h b/libcutils/include/private/android_filesystem_config.h index bdb807538..0030887a1 100644 --- a/libcutils/include/private/android_filesystem_config.h +++ b/libcutils/include/private/android_filesystem_config.h @@ -138,6 +138,7 @@ #define AID_JC_IDENTITYCRED 1089 /* Javacard Identity Cred HAL - to manage omapi ARA rules */ #define AID_SDK_SANDBOX 1090 /* SDK sandbox virtual UID */ #define AID_SECURITY_LOG_WRITER 1091 /* write to security log */ +#define AID_PRNG_SEEDER 1092 /* PRNG seeder daemon */ /* Changes to this file must be made in AOSP, *not* in internal branches. */ #define AID_SHELL 2000 /* adb and debug shell user */ diff --git a/rootdir/ueventd.rc b/rootdir/ueventd.rc index a140c8c51..4ec59afe9 100644 --- a/rootdir/ueventd.rc +++ b/rootdir/ueventd.rc @@ -37,6 +37,8 @@ subsystem dma_heap /dev/tty 0666 root root /dev/random 0666 root root /dev/urandom 0666 root root +# Aside from kernel threads, only prng_seeder needs access to HW RNG +/dev/hw_random 0400 prng_seeder prng_seeder /dev/ashmem* 0666 root root /dev/binder 0666 root root /dev/hwbinder 0666 root root -- cgit v1.2.3