Before this change, seccomp filter setup happens as early as in zygote's main
function. To make it possible to split the app and system server filters,
this postpones the setup to after fork. It also starts to call the
app-specific and system-server-specific setup functions.
In terms of performance, since this happens at fork, the measurement shows
the overhead is negligible. Assuming 130 instructions in the BPF, on
walleye, even when running on a little core with fixed low frequency, each
setup took about 60.9us on average. When it runs on a big core with
higher frequency, it took about 39.3us.
Test: (cts) -m CtsSecurityTestCases -t android.security.cts.SeccompTest
Bug: 63944145
Change-Id: I748735b478405098beac1e200d911c13ea60e380
Merged-In: I748735b478405098beac1e200d911c13ea60e380

Add a method to compute the size of a ProxyMap without cleared
references. Use it in the crash decision. Report both counts, as
well as the count after a forced GC before actually crashing.
Rename the histogram generating function after a small refactoring
to make that easier.
When we crash, we now generate a message like the following
(generated here with reduced thresholds):
01-03 01:40:52.273 4793 4947 E JavaBinder: java.lang.AssertionError:
Binder ProxyMap has too many entries: 277 (total), 275 (uncleared),
257 (after GC). BinderProxy leak?
after the histogram. Unfortunately, the intervening GC may take some
time, and other intervening messages may sneak into the log between
them.
Experiments so far suggest that none of this greatly affects the
decision when to die. But this eliminates uncertainty as to whether
there was really a problem.
Bug: 71353150
Test: Tested with reduced thresholds, and then booted AOSP.
Change-Id: I53f24bae23eedcdb78a1c32296c65692b7bb2c42

In general, using Mutable inside of structures
or as API arguments is a code smell. However, it
is the most syntactically clean way of fetching
something out of a lambda or inner class.
Using this, one can do:
    Mutable<Result> res = new Mutable<>();
    hidlObject.foo((...) -> {
        res.value = ...;
    });
There is an alternative:
    Result a[] = new Result[1];
    hidlObject.foo((...) -> {
        a[0] = ...;
    });
However, this alternative syntax is relatively messy.
Bug: N/A
Test: boot, use w/ wifi
Change-Id: Ibff13c653cc17bd25ddbb0534ba21ef485bff7aa

To help investigate potential BinderProxy leaks, attempt to log a
histogram of BinderProxy descriptors to the logcat before asserting.
Bug: 71353150
Test: m
Change-Id: I47313814160678369b15e7dc5851d8096c286b9d

The Settings application shows the internal storage size using the API getTotalBytes in StorageStatsManager.
This API calls getPrimaryStorageSize() in StorageManager.
getPrimaryStorageSize() returns the /data partition size calculated by the API roundStorageSize() in FileUtils.
Using this API, the total primary storage size is returned as 8GB if a device with a 16GB eMMC has a /data partition size below 8GB.
So we should make the primary storage size we get close to the real eMMC size.
getPrimaryStorageSize() will be calculated as the sum of the /data and /system partition sizes.
Test: Check primary storage size in Settings application
Change-Id: I3ad33534b1c55d09afbb0e9be1c408c02c442842
Signed-off-by: hj.seo <hj.seo@lge.com>

GSI disables AVB by overriding vbmeta partition.
When a device can run runtime vintf checking, it should already
pass AVB, so we don't need to check AVB in runtime vintf.
We cannot change the original VintfObject.verify() because AVB check is
still needed for android.os.RecoverySystem to verify a newly downloaded
OTA package.
Bug: 68016134
Test: Boot with GSI and there is no Android System dialog
Change-Id: Ie1efa6f1abd8fa8f495aededd145c0ab2c0c1fae
Merged-In: Ie1efa6f1abd8fa8f495aededd145c0ab2c0c1fae

This fails when trying to run the AOSP mailer with CRASH_AT_SIZE = 500,
when the check interval is reduced sufficiently so that the test is
actually executed. System server has been observed to use more than
1000 BinderProxies. Thus 5000 seems like roughly the lowest safe limit.
Note that the test is executed somewhat rarely, so we may exceed
this number by quite a few before we actually crash.
Bug: 65760710
Test: Builds, AOSP boots & works for a few tasks. Fails as expected
with reduced limit.
Change-Id: I1c999b85e1ba1bd1d166a9ffba4f0b3992ffee45

Added note within getSerial() in android.os.Build class. Device
identifiers, such as hardware serial numbers, can be modified if a
device is rooted. Others can use key attestation to discover these
changes. Added a note to this effect within this method.
Test: make ds-docs -j8
Bug: 38312326
Change-Id: I76e3f6a15b9a8673ca3304218653e8cd26da38d7
Original-Change-Id: Ibd2dab621c14683e12a213957b567ee49b8d00fd

... that returns PID of the process for debuggable builds.
This calls into the C++ equivalent of the function.
Test: lshal
Bug: 68992575
Change-Id: Ia177c709c6930510035cff33dc2389441a76351d

For fresh installs the PM does not set the app uid before invoking
dexopt; so we would always get a bogus GID.
This is a temporary workaround which fixes the GID of newly
installed apps to an arbitrary UNKNOWN gid.
Test: adb install
Bug: 64548938
Bug: 69331247
(cherry picked from commit a73e165c2e)
Change-Id: I6438ec8cfca88df813e166f9ef5821e62faf524a

Bluetooth service needs to natively access id of parent profile. Add
method exposing it.
Test: cts-tradefed run cts-dev -m DevicePolicyManager --test
com.android.cts.devicepolicy.ManagedProfileTest#testBluetooth
Bug: 69284968
Change-Id: I697906f2959b0736c1d3cc6af7560c27d77ce11b

AID_SHARED_GID is a GID shared by a specific app across all users on
the same device. Bring the UserHandle and multiuser.c implementations
into agreement, and copy/paste the unit tests that verify that both
behave identically.
Since we might now return "-1" when a GID is invalid, have
ActivityManager handle these cases by quickly swapping in the
always-valid getUserGid().
Test: bit FrameworksCoreTests:android.os.UserHandleTest
Bug: 34151068, 64548938
Change-Id: I0463aba923ae5ce1942666359a394ae6cdb7c1f8

Symptom:
Global reference table overflow happens on system_server.
Root cause:
If a process repeatedly creates a context and gets AutofillManager
from the context, each BinderProxy of AutofillManagerClient is
registered to AutofillManagerServiceImpl. They aren't removed until
the process has died. BinderProxy consumes global references and finally
causes a crash on system_server.
Solution:
Remove AutofillManagerClient from AutofillManagerServiceImpl after
AutofillManager is finalized.
Test: cts-tradefed run commandAndExit cts-dev -m CtsAutoFillServiceTestCases
Bug: 68747744
Change-Id: I8b76c5368b54317b8696cac470cc390b36e910e7

IFoo.Proxy.equals() -> HidlSupport.equals() ->
IHwInterface.asBinder().equals() -> HwRemoteBinder.equals().
IFoo.Stub.equals() -> default Object.equals()
Notice that IHwInterface.asBinder() returns mRemote (of type
HwRemoteBinder) for proxies and itself (of type HwBinder) for stubs.
If IFoo.Stub.asBinder() had not returned "this", its equals()
should also be overridden.
Bug: 68727931
Test: hidl_test_java
Change-Id: I916983d7bc739747145e2ebb6830226310fd4980

Support for instruction counting has been removed from ART
and the VMDebug APIs in question throw UnsupportedOperationException
unconditionally.
Test: make
Change-Id: Ibcaa160f755a5708bc6fbef3a783acfc26f0ba90

The javadoc of TokenWatcher promised to implement repeated calls to
acquire() with the same token as a no-op, but this wasn't the case.
When acquire() is called repeatedly with the same token, its associated
DeathRecipient object is replaced by a new one. The old DeathRecipient
can therefore be destroyed. This is problematic because the finalizer of
this DeathRecipient implementation calls release() on the same token,
resulting in the token being released unexpectedly.
In this CL we properly implement the documented no-op behavior.
Bug: 68368071
Test: (First, cherry-pick to internal master)
Test: cts-tradefed run cts-dev -m OsTest -t android.os.cts.TokenWatcherTest
Test: CTS verifier > Managed provisioning > Device owner tests
> LockTask UI
Change-Id: Idfad7c88075a510ea1f8527b5a8620121a5dd7bb
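
The failure mode described in the commit message above, as an added Java example that is not the framework's TokenWatcher code: a simplified model in which a hypothetical `Watcher` keeps one `Death` record per token, and `onCollected()` stands in for the finalizer the garbage collector would eventually run. All class and method names here are assumptions for illustration.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of the bug described in the commit message; not the
// framework's TokenWatcher. Watcher, Death and onCollected are hypothetical.
public class TokenWatcherModel {
    static class Watcher {
        private final Map<Object, Death> tokens = new HashMap<>();
        private final boolean idempotent;

        Watcher(boolean idempotent) { this.idempotent = idempotent; }

        // Per-token record; per the commit message, the real record's
        // finalizer calls release() on its token.
        class Death {
            final Object token;
            Death(Object token) { this.token = token; }
            // Stand-in for finalize(): called once the record is garbage.
            void onCollected() { release(token); }
        }

        /** Returns the record displaced by this call, or null if none was. */
        Death acquire(Object token) {
            if (idempotent && tokens.containsKey(token)) {
                return null;                        // documented no-op
            }
            return tokens.put(token, new Death(token)); // old record dropped
        }

        void release(Object token) { tokens.remove(token); }
        boolean isAcquired() { return !tokens.isEmpty(); }
    }

    // Acquire the same token twice, then "collect" any displaced record.
    static boolean heldAfterDoubleAcquire(boolean idempotent) {
        Watcher w = new Watcher(idempotent);
        Object token = new Object();
        w.acquire(token);
        Watcher.Death displaced = w.acquire(token);
        if (displaced != null) {
            displaced.onCollected();  // what the GC would eventually trigger
        }
        return w.isAcquired();
    }

    public static void main(String[] args) {
        System.out.println("replace-on-acquire held=" + heldAfterDoubleAcquire(false));
        System.out.println("no-op-on-acquire held=" + heldAfterDoubleAcquire(true));
    }
}
```

In the replace-on-acquire variant the token ends up released although the caller never called `release()`; with the no-op behaviour it stays held.
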
This removes all GlobalRef allocation as part of building BinderProxys.
Previously these were used to map IBinders to the corresponding
Java object, so the Java objects could be reused. We now keep
that mapping at the Java level.
This means we often need to call into Java to look up or allocate
a BinderProxy. But this replaces a prior call to Java to dereference
a WeakReference. The custom Java map-to-WeakReference data
structure is probably not terribly efficient, but the original
attachment mechanism did not seem to be either. And this
avoids potentially even more catastrophic issues when the number
of GlobalRefs approaches its limit.
We decrease GC triggering frequency from 200 to 1000 allocated
references. This now only applies to other kinds of JNI References
allocated by Binder.
I saw a maximum bucket size of 16 for the ProxyMap data structure
while briefly exercising a freshly booted device. That occurred
in system_server.
Bug: 65760710
Test: Built and booted master with some debugging output. Looks sane.
Change-Id: I322c4d8e9c8e198586d591580c2cdbb094906677

Change the Java BinderProxy to only contain a single native pointer,
so that we can get by with a single NativeAllocationRegistry
registration. This adds some indirections and a new allocation. But it
marginally reduces the number of (expensive) JNI field lookups from
native code, and the extra allocation involves significantly less
overhead than registering each object twice. This also cleans up the
code a little by avoiding some explicit reference count adjustments.
Change BinderProxy Binder to use NativeAllocationRegistry instead of
finalize().
Change the mObject field in Binder to hold a non-reference-counted
but owning pointer to JavaBBinderHolder. Have JavaBBinderHolder no
longer inherit from RefBase.
Make it clear that neither Binder.mObject, nor BinderProxy.mNativeData
can be null. Remove null checks.
Avoid checking for null returns from C++ new. It would throw
anyway, which would cause the process to abort.
Test: Booted master.
Bug: 65760710
Change-Id: I323d4bdc7e25f8c27b847b6fe2c073eac3f2efe5

Also add appropriate @NonNull and @Nullable annotations.
Test: built
Change-Id: I22de48105ef685baf594cfc004dd3e27e2ba09e9
Merged-In: I22de48105ef685baf594cfc004dd3e27e2ba09e9
(cherry picked from commit 4cd650c008)