1 /* 2 * Copyright (C) 2008 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #define LOG_TAG "Zygote" 18 19 // sys/mount.h has to come before linux/fs.h due to redefinition of MS_RDONLY, MS_BIND, etc 20 #include <sys/mount.h> 21 #include <linux/fs.h> 22 23 #include <list> 24 #include <sstream> 25 #include <string> 26 27 #include <fcntl.h> 28 #include <grp.h> 29 #include <inttypes.h> 30 #include <malloc.h> 31 #include <mntent.h> 32 #include <paths.h> 33 #include <signal.h> 34 #include <stdlib.h> 35 #include <sys/capability.h> 36 #include <sys/cdefs.h> 37 #include <sys/personality.h> 38 #include <sys/prctl.h> 39 #include <sys/resource.h> 40 #include <sys/stat.h> 41 #include <sys/time.h> 42 #include <sys/types.h> 43 #include <sys/utsname.h> 44 #include <sys/wait.h> 45 #include <unistd.h> 46 47 #include "android-base/logging.h" 48 #include <android-base/file.h> 49 #include <android-base/stringprintf.h> 50 #include <cutils/fs.h> 51 #include <cutils/multiuser.h> 52 #include <cutils/sched_policy.h> 53 #include <private/android_filesystem_config.h> 54 #include <utils/String8.h> 55 #include <selinux/android.h> 56 #include <processgroup/processgroup.h> 57 58 #include "core_jni_helpers.h" 59 #include <nativehelper/JNIHelp.h> 60 #include <nativehelper/ScopedLocalRef.h> 61 #include <nativehelper/ScopedPrimitiveArray.h> 62 #include <nativehelper/ScopedUtfChars.h> 63 #include "fd_utils.h" 64 65 #include "nativebridge/native_bridge.h" 66 67 namespace { 68 69 using android::String8; 70 using android::base::StringPrintf; 71 using android::base::WriteStringToFile; 72 73 static pid_t gSystemServerPid = 0; 74 75 static const char kZygoteClassName[] = "com/android/internal/os/Zygote"; 76 static jclass gZygoteClass; 77 static jmethodID gCallPostForkChildHooks; 78 79 // Must match values in com.android.internal.os.Zygote. 80 enum MountExternalKind { 81 MOUNT_EXTERNAL_NONE = 0, 82 MOUNT_EXTERNAL_DEFAULT = 1, 83 MOUNT_EXTERNAL_READ = 2, 84 MOUNT_EXTERNAL_WRITE = 3, 85 }; 86 87 static void RuntimeAbort(JNIEnv* env, int line, const char* msg) { 88 std::ostringstream oss; 89 oss << __FILE__ << ":" << line << ": " << msg; 90 env->FatalError(oss.str().c_str()); 91 } 92 93 // This signal handler is for zygote mode, since the zygote must reap its children 94 static void SigChldHandler(int /*signal_number*/) { 95 pid_t pid; 96 int status; 97 98 // It's necessary to save and restore the errno during this function. 99 // Since errno is stored per thread, changing it here modifies the errno 100 // on the thread on which this signal handler executes. If a signal occurs 101 // between a call and an errno check, it's possible to get the errno set 102 // here. 103 // See b/23572286 for extra information. 104 int saved_errno = errno; 105 106 while ((pid = waitpid(-1, &status, WNOHANG)) > 0) { 107 // Log process-death status that we care about. In general it is 108 // not safe to call LOG(...) from a signal handler because of 109 // possible reentrancy. However, we know a priori that the 110 // current implementation of LOG() is safe to call from a SIGCHLD 111 // handler in the zygote process. If the LOG() implementation 112 // changes its locking strategy or its use of syscalls within the 113 // lazy-init critical section, its use here may become unsafe. 114 if (WIFEXITED(status)) { 115 if (WEXITSTATUS(status)) { 116 ALOGI("Process %d exited cleanly (%d)", pid, WEXITSTATUS(status)); 117 } 118 } else if (WIFSIGNALED(status)) { 119 if (WTERMSIG(status) != SIGKILL) { 120 ALOGI("Process %d exited due to signal (%d)", pid, WTERMSIG(status)); 121 } 122 if (WCOREDUMP(status)) { 123 ALOGI("Process %d dumped core.", pid); 124 } 125 } 126 127 // If the just-crashed process is the system_server, bring down zygote 128 // so that it is restarted by init and system server will be restarted 129 // from there. 130 if (pid == gSystemServerPid) { 131 ALOGE("Exit zygote because system server (%d) has terminated", pid); 132 kill(getpid(), SIGKILL); 133 } 134 } 135 136 // Note that we shouldn't consider ECHILD an error because 137 // the secondary zygote might have no children left to wait for. 138 if (pid < 0 && errno != ECHILD) { 139 ALOGW("Zygote SIGCHLD error in waitpid: %s", strerror(errno)); 140 } 141 142 errno = saved_errno; 143 } 144 145 // Configures the SIGCHLD handler for the zygote process. This is configured 146 // very late, because earlier in the runtime we may fork() and exec() 147 // other processes, and we want to waitpid() for those rather than 148 // have them be harvested immediately. 149 // 150 // This ends up being called repeatedly before each fork(), but there's 151 // no real harm in that. 152 static void SetSigChldHandler() { 153 struct sigaction sa; 154 memset(&sa, 0, sizeof(sa)); 155 sa.sa_handler = SigChldHandler; 156 157 int err = sigaction(SIGCHLD, &sa, NULL); 158 if (err < 0) { 159 ALOGW("Error setting SIGCHLD handler: %s", strerror(errno)); 160 } 161 } 162 163 // Sets the SIGCHLD handler back to default behavior in zygote children. 164 static void UnsetSigChldHandler() { 165 struct sigaction sa; 166 memset(&sa, 0, sizeof(sa)); 167 sa.sa_handler = SIG_DFL; 168 169 int err = sigaction(SIGCHLD, &sa, NULL); 170 if (err < 0) { 171 ALOGW("Error unsetting SIGCHLD handler: %s", strerror(errno)); 172 } 173 } 174 175 // Calls POSIX setgroups() using the int[] object as an argument. 176 // A NULL argument is tolerated. 177 static void SetGids(JNIEnv* env, jintArray javaGids) { 178 if (javaGids == NULL) { 179 return; 180 } 181 182 ScopedIntArrayRO gids(env, javaGids); 183 if (gids.get() == NULL) { 184 RuntimeAbort(env, __LINE__, "Getting gids int array failed"); 185 } 186 int rc = setgroups(gids.size(), reinterpret_cast<const gid_t*>(&gids[0])); 187 if (rc == -1) { 188 std::ostringstream oss; 189 oss << "setgroups failed: " << strerror(errno) << ", gids.size=" << gids.size(); 190 RuntimeAbort(env, __LINE__, oss.str().c_str()); 191 } 192 } 193 194 // Sets the resource limits via setrlimit(2) for the values in the 195 // two-dimensional array of integers that's passed in. The second dimension 196 // contains a tuple of length 3: (resource, rlim_cur, rlim_max). NULL is 197 // treated as an empty array. 198 static void SetRLimits(JNIEnv* env, jobjectArray javaRlimits) { 199 if (javaRlimits == NULL) { 200 return; 201 } 202 203 rlimit rlim; 204 memset(&rlim, 0, sizeof(rlim)); 205 206 for (int i = 0; i < env->GetArrayLength(javaRlimits); ++i) { 207 ScopedLocalRef<jobject> javaRlimitObject(env, env->GetObjectArrayElement(javaRlimits, i)); 208 ScopedIntArrayRO javaRlimit(env, reinterpret_cast<jintArray>(javaRlimitObject.get())); 209 if (javaRlimit.size() != 3) { 210 RuntimeAbort(env, __LINE__, "rlimits array must have a second dimension of size 3"); 211 } 212 213 rlim.rlim_cur = javaRlimit[1]; 214 rlim.rlim_max = javaRlimit[2]; 215 216 int rc = setrlimit(javaRlimit[0], &rlim); 217 if (rc == -1) { 218 ALOGE("setrlimit(%d, {%ld, %ld}) failed", javaRlimit[0], rlim.rlim_cur, 219 rlim.rlim_max); 220 RuntimeAbort(env, __LINE__, "setrlimit failed"); 221 } 222 } 223 } 224 225 // The debug malloc library needs to know whether it's the zygote or a child. 226 extern "C" int gMallocLeakZygoteChild; 227 228 static void PreApplicationInit() { 229 // The child process sets this to indicate it's not the zygote. 230 gMallocLeakZygoteChild = 1; 231 232 // Set the jemalloc decay time to 1. 233 mallopt(M_DECAY_TIME, 1); 234 } 235 236 static void EnableKeepCapabilities(JNIEnv* env) { 237 int rc = prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0); 238 if (rc == -1) { 239 RuntimeAbort(env, __LINE__, "prctl(PR_SET_KEEPCAPS) failed"); 240 } 241 } 242 243 static void DropCapabilitiesBoundingSet(JNIEnv* env) { 244 for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) { 245 int rc = prctl(PR_CAPBSET_DROP, i, 0, 0, 0); 246 if (rc == -1) { 247 if (errno == EINVAL) { 248 ALOGE("prctl(PR_CAPBSET_DROP) failed with EINVAL. Please verify " 249 "your kernel is compiled with file capabilities support"); 250 } else { 251 ALOGE("prctl(PR_CAPBSET_DROP, %d) failed: %s", i, strerror(errno)); 252 RuntimeAbort(env, __LINE__, "prctl(PR_CAPBSET_DROP) failed"); 253 } 254 } 255 } 256 } 257 258 static void SetInheritable(JNIEnv* env, uint64_t inheritable) { 259 __user_cap_header_struct capheader; 260 memset(&capheader, 0, sizeof(capheader)); 261 capheader.version = _LINUX_CAPABILITY_VERSION_3; 262 capheader.pid = 0; 263 264 __user_cap_data_struct capdata[2]; 265 if (capget(&capheader, &capdata[0]) == -1) { 266 ALOGE("capget failed: %s", strerror(errno)); 267 RuntimeAbort(env, __LINE__, "capget failed"); 268 } 269 270 capdata[0].inheritable = inheritable; 271 capdata[1].inheritable = inheritable >> 32; 272 273 if (capset(&capheader, &capdata[0]) == -1) { 274 ALOGE("capset(inh=%" PRIx64 ") failed: %s", inheritable, strerror(errno)); 275 RuntimeAbort(env, __LINE__, "capset failed"); 276 } 277 } 278 279 static void SetCapabilities(JNIEnv* env, uint64_t permitted, uint64_t effective, 280 uint64_t inheritable) { 281 __user_cap_header_struct capheader; 282 memset(&capheader, 0, sizeof(capheader)); 283 capheader.version = _LINUX_CAPABILITY_VERSION_3; 284 capheader.pid = 0; 285 286 __user_cap_data_struct capdata[2]; 287 memset(&capdata, 0, sizeof(capdata)); 288 capdata[0].effective = effective; 289 capdata[1].effective = effective >> 32; 290 capdata[0].permitted = permitted; 291 capdata[1].permitted = permitted >> 32; 292 capdata[0].inheritable = inheritable; 293 capdata[1].inheritable = inheritable >> 32; 294 295 if (capset(&capheader, &capdata[0]) == -1) { 296 ALOGE("capset(perm=%" PRIx64 ", eff=%" PRIx64 ", inh=%" PRIx64 ") failed: %s", permitted, 297 effective, inheritable, strerror(errno)); 298 RuntimeAbort(env, __LINE__, "capset failed"); 299 } 300 } 301 302 static void SetSchedulerPolicy(JNIEnv* env) { 303 errno = -set_sched_policy(0, SP_DEFAULT); 304 if (errno != 0) { 305 ALOGE("set_sched_policy(0, SP_DEFAULT) failed"); 306 RuntimeAbort(env, __LINE__, "set_sched_policy(0, SP_DEFAULT) failed"); 307 } 308 } 309 310 static int UnmountTree(const char* path) { 311 size_t path_len = strlen(path); 312 313 FILE* fp = setmntent("/proc/mounts", "r"); 314 if (fp == NULL) { 315 ALOGE("Error opening /proc/mounts: %s", strerror(errno)); 316 return -errno; 317 } 318 319 // Some volumes can be stacked on each other, so force unmount in 320 // reverse order to give us the best chance of success. 321 std::list<std::string> toUnmount; 322 mntent* mentry; 323 while ((mentry = getmntent(fp)) != NULL) { 324 if (strncmp(mentry->mnt_dir, path, path_len) == 0) { 325 toUnmount.push_front(std::string(mentry->mnt_dir)); 326 } 327 } 328 endmntent(fp); 329 330 for (auto path : toUnmount) { 331 if (umount2(path.c_str(), MNT_DETACH)) { 332 ALOGW("Failed to unmount %s: %s", path.c_str(), strerror(errno)); 333 } 334 } 335 return 0; 336 } 337 338 // Create a private mount namespace and bind mount appropriate emulated 339 // storage for the given user. 340 static bool MountEmulatedStorage(uid_t uid, jint mount_mode, 341 bool force_mount_namespace) { 342 // See storage config details at http://source.android.com/tech/storage/ 343 344 String8 storageSource; 345 if (mount_mode == MOUNT_EXTERNAL_DEFAULT) { 346 storageSource = "/mnt/runtime/default"; 347 } else if (mount_mode == MOUNT_EXTERNAL_READ) { 348 storageSource = "/mnt/runtime/read"; 349 } else if (mount_mode == MOUNT_EXTERNAL_WRITE) { 350 storageSource = "/mnt/runtime/write"; 351 } else if (!force_mount_namespace) { 352 // Sane default of no storage visible 353 return true; 354 } 355 356 // Create a second private mount namespace for our process 357 if (unshare(CLONE_NEWNS) == -1) { 358 ALOGW("Failed to unshare(): %s", strerror(errno)); 359 return false; 360 } 361 362 // Handle force_mount_namespace with MOUNT_EXTERNAL_NONE. 363 if (mount_mode == MOUNT_EXTERNAL_NONE) { 364 return true; 365 } 366 367 if (TEMP_FAILURE_RETRY(mount(storageSource.string(), "/storage", 368 NULL, MS_BIND | MS_REC | MS_SLAVE, NULL)) == -1) { 369 ALOGW("Failed to mount %s to /storage: %s", storageSource.string(), strerror(errno)); 370 return false; 371 } 372 373 // Mount user-specific symlink helper into place 374 userid_t user_id = multiuser_get_user_id(uid); 375 const String8 userSource(String8::format("/mnt/user/%d", user_id)); 376 if (fs_prepare_dir(userSource.string(), 0751, 0, 0) == -1) { 377 return false; 378 } 379 if (TEMP_FAILURE_RETRY(mount(userSource.string(), "/storage/self", 380 NULL, MS_BIND, NULL)) == -1) { 381 ALOGW("Failed to mount %s to /storage/self: %s", userSource.string(), strerror(errno)); 382 return false; 383 } 384 385 return true; 386 } 387 388 static bool NeedsNoRandomizeWorkaround() { 389 #if !defined(__arm__) 390 return false; 391 #else 392 int major; 393 int minor; 394 struct utsname uts; 395 if (uname(&uts) == -1) { 396 return false; 397 } 398 399 if (sscanf(uts.release, "%d.%d", &major, &minor) != 2) { 400 return false; 401 } 402 403 // Kernels before 3.4.* need the workaround. 404 return (major < 3) || ((major == 3) && (minor < 4)); 405 #endif 406 } 407 408 // Utility to close down the Zygote socket file descriptors while 409 // the child is still running as root with Zygote's privileges. Each 410 // descriptor (if any) is closed via dup2(), replacing it with a valid 411 // (open) descriptor to /dev/null. 412 413 static void DetachDescriptors(JNIEnv* env, jintArray fdsToClose) { 414 if (!fdsToClose) { 415 return; 416 } 417 jsize count = env->GetArrayLength(fdsToClose); 418 ScopedIntArrayRO ar(env, fdsToClose); 419 if (ar.get() == NULL) { 420 RuntimeAbort(env, __LINE__, "Bad fd array"); 421 } 422 jsize i; 423 int devnull; 424 for (i = 0; i < count; i++) { 425 devnull = open("/dev/null", O_RDWR); 426 if (devnull < 0) { 427 ALOGE("Failed to open /dev/null: %s", strerror(errno)); 428 RuntimeAbort(env, __LINE__, "Failed to open /dev/null"); 429 continue; 430 } 431 ALOGV("Switching descriptor %d to /dev/null: %s", ar[i], strerror(errno)); 432 if (dup2(devnull, ar[i]) < 0) { 433 ALOGE("Failed dup2() on descriptor %d: %s", ar[i], strerror(errno)); 434 RuntimeAbort(env, __LINE__, "Failed dup2()"); 435 } 436 close(devnull); 437 } 438 } 439 440 void SetThreadName(const char* thread_name) { 441 bool hasAt = false; 442 bool hasDot = false; 443 const char* s = thread_name; 444 while (*s) { 445 if (*s == '.') { 446 hasDot = true; 447 } else if (*s == '@') { 448 hasAt = true; 449 } 450 s++; 451 } 452 const int len = s - thread_name; 453 if (len < 15 || hasAt || !hasDot) { 454 s = thread_name; 455 } else { 456 s = thread_name + len - 15; 457 } 458 // pthread_setname_np fails rather than truncating long strings. 459 char buf[16]; // MAX_TASK_COMM_LEN=16 is hard-coded into bionic 460 strlcpy(buf, s, sizeof(buf)-1); 461 errno = pthread_setname_np(pthread_self(), buf); 462 if (errno != 0) { 463 ALOGW("Unable to set the name of current thread to '%s': %s", buf, strerror(errno)); 464 } 465 } 466 467 // The list of open zygote file descriptors. 468 static FileDescriptorTable* gOpenFdTable = NULL; 469 470 static void FillFileDescriptorVector(JNIEnv* env, 471 jintArray java_fds, 472 std::vector<int>* fds) { 473 CHECK(fds != nullptr); 474 if (java_fds != nullptr) { 475 ScopedIntArrayRO ar(env, java_fds); 476 if (ar.get() == nullptr) { 477 RuntimeAbort(env, __LINE__, "Bad fd array"); 478 } 479 fds->reserve(ar.size()); 480 for (size_t i = 0; i < ar.size(); ++i) { 481 fds->push_back(ar[i]); 482 } 483 } 484 } 485 486 // Utility routine to fork zygote and specialize the child process. 487 static pid_t ForkAndSpecializeCommon(JNIEnv* env, uid_t uid, gid_t gid, jintArray javaGids, 488 jint debug_flags, jobjectArray javaRlimits, 489 jlong permittedCapabilities, jlong effectiveCapabilities, 490 jint mount_external, 491 jstring java_se_info, jstring java_se_name, 492 bool is_system_server, jintArray fdsToClose, 493 jintArray fdsToIgnore, 494 jstring instructionSet, jstring dataDir) { 495 SetSigChldHandler(); 496 497 sigset_t sigchld; 498 sigemptyset(&sigchld); 499 sigaddset(&sigchld, SIGCHLD); 500 501 // Temporarily block SIGCHLD during forks. The SIGCHLD handler might 502 // log, which would result in the logging FDs we close being reopened. 503 // This would cause failures because the FDs are not whitelisted. 504 // 505 // Note that the zygote process is single threaded at this point. 506 if (sigprocmask(SIG_BLOCK, &sigchld, nullptr) == -1) { 507 ALOGE("sigprocmask(SIG_SETMASK, { SIGCHLD }) failed: %s", strerror(errno)); 508 RuntimeAbort(env, __LINE__, "Call to sigprocmask(SIG_BLOCK, { SIGCHLD }) failed."); 509 } 510 511 // Close any logging related FDs before we start evaluating the list of 512 // file descriptors. 513 __android_log_close(); 514 515 // If this is the first fork for this zygote, create the open FD table. 516 // If it isn't, we just need to check whether the list of open files has 517 // changed (and it shouldn't in the normal case). 518 std::vector<int> fds_to_ignore; 519 FillFileDescriptorVector(env, fdsToIgnore, &fds_to_ignore); 520 if (gOpenFdTable == NULL) { 521 gOpenFdTable = FileDescriptorTable::Create(fds_to_ignore); 522 if (gOpenFdTable == NULL) { 523 RuntimeAbort(env, __LINE__, "Unable to construct file descriptor table."); 524 } 525 } else if (!gOpenFdTable->Restat(fds_to_ignore)) { 526 RuntimeAbort(env, __LINE__, "Unable to restat file descriptor table."); 527 } 528 529 pid_t pid = fork(); 530 531 if (pid == 0) { 532 PreApplicationInit(); 533 534 // Clean up any descriptors which must be closed immediately 535 DetachDescriptors(env, fdsToClose); 536 537 // Re-open all remaining open file descriptors so that they aren't shared 538 // with the zygote across a fork. 539 if (!gOpenFdTable->ReopenOrDetach()) { 540 RuntimeAbort(env, __LINE__, "Unable to reopen whitelisted descriptors."); 541 } 542 543 if (sigprocmask(SIG_UNBLOCK, &sigchld, nullptr) == -1) { 544 ALOGE("sigprocmask(SIG_SETMASK, { SIGCHLD }) failed: %s", strerror(errno)); 545 RuntimeAbort(env, __LINE__, "Call to sigprocmask(SIG_UNBLOCK, { SIGCHLD }) failed."); 546 } 547 548 // Keep capabilities across UID change, unless we're staying root. 549 if (uid != 0) { 550 EnableKeepCapabilities(env); 551 } 552 553 SetInheritable(env, permittedCapabilities); 554 DropCapabilitiesBoundingSet(env); 555 556 bool use_native_bridge = !is_system_server && (instructionSet != NULL) 557 && android::NativeBridgeAvailable(); 558 if (use_native_bridge) { 559 ScopedUtfChars isa_string(env, instructionSet); 560 use_native_bridge = android::NeedsNativeBridge(isa_string.c_str()); 561 } 562 if (use_native_bridge && dataDir == NULL) { 563 // dataDir should never be null if we need to use a native bridge. 564 // In general, dataDir will never be null for normal applications. It can only happen in 565 // special cases (for isolated processes which are not associated with any app). These are 566 // launched by the framework and should not be emulated anyway. 567 use_native_bridge = false; 568 ALOGW("Native bridge will not be used because dataDir == NULL."); 569 } 570 571 if (!MountEmulatedStorage(uid, mount_external, use_native_bridge)) { 572 ALOGW("Failed to mount emulated storage: %s", strerror(errno)); 573 if (errno == ENOTCONN || errno == EROFS) { 574 // When device is actively encrypting, we get ENOTCONN here 575 // since FUSE was mounted before the framework restarted. 576 // When encrypted device is booting, we get EROFS since 577 // FUSE hasn't been created yet by init. 578 // In either case, continue without external storage. 579 } else { 580 RuntimeAbort(env, __LINE__, "Cannot continue without emulated storage"); 581 } 582 } 583 584 if (!is_system_server) { 585 int rc = createProcessGroup(uid, getpid()); 586 if (rc != 0) { 587 if (rc == -EROFS) { 588 ALOGW("createProcessGroup failed, kernel missing CONFIG_CGROUP_CPUACCT?"); 589 } else { 590 ALOGE("createProcessGroup(%d, %d) failed: %s", uid, pid, strerror(-rc)); 591 } 592 } 593 } 594 595 SetGids(env, javaGids); 596 597 SetRLimits(env, javaRlimits); 598 599 if (use_native_bridge) { 600 ScopedUtfChars isa_string(env, instructionSet); 601 ScopedUtfChars data_dir(env, dataDir); 602 android::PreInitializeNativeBridge(data_dir.c_str(), isa_string.c_str()); 603 } 604 605 int rc = setresgid(gid, gid, gid); 606 if (rc == -1) { 607 ALOGE("setresgid(%d) failed: %s", gid, strerror(errno)); 608 RuntimeAbort(env, __LINE__, "setresgid failed"); 609 } 610 611 rc = setresuid(uid, uid, uid); 612 if (rc == -1) { 613 ALOGE("setresuid(%d) failed: %s", uid, strerror(errno)); 614 RuntimeAbort(env, __LINE__, "setresuid failed"); 615 } 616 617 if (NeedsNoRandomizeWorkaround()) { 618 // Work around ARM kernel ASLR lossage (http://b/5817320). 619 int old_personality = personality(0xffffffff); 620 int new_personality = personality(old_personality | ADDR_NO_RANDOMIZE); 621 if (new_personality == -1) { 622 ALOGW("personality(%d) failed: %s", new_personality, strerror(errno)); 623 } 624 } 625 626 SetCapabilities(env, permittedCapabilities, effectiveCapabilities, permittedCapabilities); 627 628 SetSchedulerPolicy(env); 629 630 const char* se_info_c_str = NULL; 631 ScopedUtfChars* se_info = NULL; 632 if (java_se_info != NULL) { 633 se_info = new ScopedUtfChars(env, java_se_info); 634 se_info_c_str = se_info->c_str(); 635 if (se_info_c_str == NULL) { 636 RuntimeAbort(env, __LINE__, "se_info_c_str == NULL"); 637 } 638 } 639 const char* se_name_c_str = NULL; 640 ScopedUtfChars* se_name = NULL; 641 if (java_se_name != NULL) { 642 se_name = new ScopedUtfChars(env, java_se_name); 643 se_name_c_str = se_name->c_str(); 644 if (se_name_c_str == NULL) { 645 RuntimeAbort(env, __LINE__, "se_name_c_str == NULL"); 646 } 647 } 648 rc = selinux_android_setcontext(uid, is_system_server, se_info_c_str, se_name_c_str); 649 if (rc == -1) { 650 ALOGE("selinux_android_setcontext(%d, %d, \"%s\", \"%s\") failed", uid, 651 is_system_server, se_info_c_str, se_name_c_str); 652 RuntimeAbort(env, __LINE__, "selinux_android_setcontext failed"); 653 } 654 655 // Make it easier to debug audit logs by setting the main thread's name to the 656 // nice name rather than "app_process". 657 if (se_info_c_str == NULL && is_system_server) { 658 se_name_c_str = "system_server"; 659 } 660 if (se_info_c_str != NULL) { 661 SetThreadName(se_name_c_str); 662 } 663 664 delete se_info; 665 delete se_name; 666 667 UnsetSigChldHandler(); 668 669 env->CallStaticVoidMethod(gZygoteClass, gCallPostForkChildHooks, debug_flags, 670 is_system_server, instructionSet); 671 if (env->ExceptionCheck()) { 672 RuntimeAbort(env, __LINE__, "Error calling post fork hooks."); 673 } 674 } else if (pid > 0) { 675 // the parent process 676 677 // We blocked SIGCHLD prior to a fork, we unblock it here. 678 if (sigprocmask(SIG_UNBLOCK, &sigchld, nullptr) == -1) { 679 ALOGE("sigprocmask(SIG_SETMASK, { SIGCHLD }) failed: %s", strerror(errno)); 680 RuntimeAbort(env, __LINE__, "Call to sigprocmask(SIG_UNBLOCK, { SIGCHLD }) failed."); 681 } 682 } 683 return pid; 684 } 685 } // anonymous namespace 686 687 namespace android { 688 689 static void com_android_internal_os_Zygote_nativePreApplicationInit(JNIEnv*, jclass) { 690 PreApplicationInit(); 691 } 692 693 static jint com_android_internal_os_Zygote_nativeForkAndSpecialize( 694 JNIEnv* env, jclass, jint uid, jint gid, jintArray gids, 695 jint debug_flags, jobjectArray rlimits, 696 jint mount_external, jstring se_info, jstring se_name, 697 jintArray fdsToClose, 698 jintArray fdsToIgnore, 699 jstring instructionSet, jstring appDataDir) { 700 jlong capabilities = 0; 701 702 // Grant CAP_WAKE_ALARM to the Bluetooth process. 703 // Additionally, allow bluetooth to open packet sockets so it can start the DHCP client. 704 // Grant CAP_SYS_NICE to allow Bluetooth to set RT priority for 705 // audio-related threads. 706 // TODO: consider making such functionality an RPC to netd. 707 if (multiuser_get_app_id(uid) == AID_BLUETOOTH) { 708 capabilities |= (1LL << CAP_WAKE_ALARM); 709 capabilities |= (1LL << CAP_NET_RAW); 710 capabilities |= (1LL << CAP_NET_BIND_SERVICE); 711 capabilities |= (1LL << CAP_SYS_NICE); 712 } 713 714 // Grant CAP_BLOCK_SUSPEND to processes that belong to GID "wakelock" 715 bool gid_wakelock_found = false; 716 if (gid == AID_WAKELOCK) { 717 gid_wakelock_found = true; 718 } else if (gids != NULL) { 719 jsize gids_num = env->GetArrayLength(gids); 720 ScopedIntArrayRO ar(env, gids); 721 if (ar.get() == NULL) { 722 RuntimeAbort(env, __LINE__, "Bad gids array"); 723 } 724 for (int i = 0; i < gids_num; i++) { 725 if (ar[i] == AID_WAKELOCK) { 726 gid_wakelock_found = true; 727 break; 728 } 729 } 730 } 731 if (gid_wakelock_found) { 732 capabilities |= (1LL << CAP_BLOCK_SUSPEND); 733 } 734 735 return ForkAndSpecializeCommon(env, uid, gid, gids, debug_flags, 736 rlimits, capabilities, capabilities, mount_external, se_info, 737 se_name, false, fdsToClose, fdsToIgnore, instructionSet, appDataDir); 738 } 739 740 static jint com_android_internal_os_Zygote_nativeForkSystemServer( 741 JNIEnv* env, jclass, uid_t uid, gid_t gid, jintArray gids, 742 jint debug_flags, jobjectArray rlimits, jlong permittedCapabilities, 743 jlong effectiveCapabilities) { 744 pid_t pid = ForkAndSpecializeCommon(env, uid, gid, gids, 745 debug_flags, rlimits, 746 permittedCapabilities, effectiveCapabilities, 747 MOUNT_EXTERNAL_DEFAULT, NULL, NULL, true, NULL, 748 NULL, NULL, NULL); 749 if (pid > 0) { 750 // The zygote process checks whether the child process has died or not. 751 ALOGI("System server process %d has been created", pid); 752 gSystemServerPid = pid; 753 // There is a slight window that the system server process has crashed 754 // but it went unnoticed because we haven't published its pid yet. So 755 // we recheck here just to make sure that all is well. 756 int status; 757 if (waitpid(pid, &status, WNOHANG) == pid) { 758 ALOGE("System server process %d has died. Restarting Zygote!", pid); 759 RuntimeAbort(env, __LINE__, "System server process has died. Restarting Zygote!"); 760 } 761 762 // Assign system_server to the correct memory cgroup. 763 if (!WriteStringToFile(StringPrintf("%d", pid), "/dev/memcg/system/tasks")) { 764 ALOGE("couldn't write %d to /dev/memcg/system/tasks", pid); 765 } 766 } 767 return pid; 768 } 769 770 static void com_android_internal_os_Zygote_nativeAllowFileAcrossFork( 771 JNIEnv* env, jclass, jstring path) { 772 ScopedUtfChars path_native(env, path); 773 const char* path_cstr = path_native.c_str(); 774 if (!path_cstr) { 775 RuntimeAbort(env, __LINE__, "path_cstr == NULL"); 776 } 777 FileDescriptorWhitelist::Get()->Allow(path_cstr); 778 } 779 780 static void com_android_internal_os_Zygote_nativeUnmountStorageOnInit(JNIEnv* env, jclass) { 781 // Zygote process unmount root storage space initially before every child processes are forked. 782 // Every forked child processes (include SystemServer) only mount their own root storage space 783 // and no need unmount storage operation in MountEmulatedStorage method. 784 // Zygote process does not utilize root storage spaces and unshares its mount namespace below. 785 786 // See storage config details at http://source.android.com/tech/storage/ 787 // Create private mount namespace shared by all children 788 if (unshare(CLONE_NEWNS) == -1) { 789 RuntimeAbort(env, __LINE__, "Failed to unshare()"); 790 return; 791 } 792 793 // Mark rootfs as being a slave so that changes from default 794 // namespace only flow into our children. 795 if (mount("rootfs", "/", nullptr, (MS_SLAVE | MS_REC), nullptr) == -1) { 796 RuntimeAbort(env, __LINE__, "Failed to mount() rootfs as MS_SLAVE"); 797 return; 798 } 799 800 // Create a staging tmpfs that is shared by our children; they will 801 // bind mount storage into their respective private namespaces, which 802 // are isolated from each other. 803 const char* target_base = getenv("EMULATED_STORAGE_TARGET"); 804 if (target_base != nullptr) { 805 #define STRINGIFY_UID(x) __STRING(x) 806 if (mount("tmpfs", target_base, "tmpfs", MS_NOSUID | MS_NODEV, 807 "uid=0,gid=" STRINGIFY_UID(AID_SDCARD_R) ",mode=0751") == -1) { 808 ALOGE("Failed to mount tmpfs to %s", target_base); 809 RuntimeAbort(env, __LINE__, "Failed to mount tmpfs"); 810 return; 811 } 812 #undef STRINGIFY_UID 813 } 814 815 UnmountTree("/storage"); 816 } 817 818 static const JNINativeMethod gMethods[] = { 819 { "nativeForkAndSpecialize", 820 "(II[II[[IILjava/lang/String;Ljava/lang/String;[I[ILjava/lang/String;Ljava/lang/String;)I", 821 (void *) com_android_internal_os_Zygote_nativeForkAndSpecialize }, 822 { "nativeForkSystemServer", "(II[II[[IJJ)I", 823 (void *) com_android_internal_os_Zygote_nativeForkSystemServer }, 824 { "nativeAllowFileAcrossFork", "(Ljava/lang/String;)V", 825 (void *) com_android_internal_os_Zygote_nativeAllowFileAcrossFork }, 826 { "nativeUnmountStorageOnInit", "()V", 827 (void *) com_android_internal_os_Zygote_nativeUnmountStorageOnInit }, 828 { "nativePreApplicationInit", "()V", 829 (void *) com_android_internal_os_Zygote_nativePreApplicationInit } 830 }; 831 832 int register_com_android_internal_os_Zygote(JNIEnv* env) { 833 gZygoteClass = MakeGlobalRefOrDie(env, FindClassOrDie(env, kZygoteClassName)); 834 gCallPostForkChildHooks = GetStaticMethodIDOrDie(env, gZygoteClass, "callPostForkChildHooks", 835 "(IZLjava/lang/String;)V"); 836 837 return RegisterMethodsOrDie(env, "com/android/internal/os/Zygote", gMethods, NELEM(gMethods)); 838 } 839 } // namespace android 840
