2 * Copyright (C) 2008 The Android Open Source Project
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 #define LOG_TAG "Zygote"
21 // sys/mount.h has to come before linux/fs.h due to redefinition of MS_RDONLY, MS_BIND, etc
22 #include <sys/mount.h>
35 #include <sys/capability.h>
36 #include <sys/personality.h>
37 #include <sys/prctl.h>
38 #include <sys/resource.h>
40 #include <sys/types.h>
41 #include <sys/utsname.h>
45 #include <cutils/fs.h>
46 #include <cutils/multiuser.h>
47 #include <cutils/sched_policy.h>
48 #include <private/android_filesystem_config.h>
49 #include <utils/String8.h>
50 #include <selinux/android.h>
51 #include <processgroup/processgroup.h>
53 #include "core_jni_helpers.h"
55 #include "ScopedLocalRef.h"
56 #include "ScopedPrimitiveArray.h"
57 #include "ScopedUtfChars.h"
58 #include "fd_utils-inl.h"
60 #include "nativebridge/native_bridge.h"
64 using android::String8;
66 static pid_t gSystemServerPid = 0;
68 static const char kZygoteClassName[] = "com/android/internal/os/Zygote";
69 static jclass gZygoteClass;
70 static jmethodID gCallPostForkChildHooks;
72 // Must match values in com.android.internal.os.Zygote.
73 enum MountExternalKind {
74 MOUNT_EXTERNAL_NONE = 0,
75 MOUNT_EXTERNAL_DEFAULT = 1,
76 MOUNT_EXTERNAL_READ = 2,
77 MOUNT_EXTERNAL_WRITE = 3,
80 static void RuntimeAbort(JNIEnv* env) {
81 env->FatalError("RuntimeAbort");
84 static void RuntimeAbort(JNIEnv* env, int line, const char* msg) {
85 std::ostringstream oss;
86 oss << __FILE__ << ":" << line << ": " << msg;
87 env->FatalError(oss.str().c_str());
90 // This signal handler is for zygote mode, since the zygote must reap its children
91 static void SigChldHandler(int /*signal_number*/) {
95 // It's necessary to save and restore the errno during this function.
96 // Since errno is stored per thread, changing it here modifies the errno
97 // on the thread on which this signal handler executes. If a signal occurs
98 // between a call and an errno check, it's possible to get the errno set
100 // See b/23572286 for extra information.
101 int saved_errno = errno;
103 while ((pid = waitpid(-1, &status, WNOHANG)) > 0) {
104 // Log process-death status that we care about. In general it is
105 // not safe to call LOG(...) from a signal handler because of
106 // possible reentrancy. However, we know a priori that the
107 // current implementation of LOG() is safe to call from a SIGCHLD
108 // handler in the zygote process. If the LOG() implementation
109 // changes its locking strategy or its use of syscalls within the
110 // lazy-init critical section, its use here may become unsafe.
111 if (WIFEXITED(status)) {
112 if (WEXITSTATUS(status)) {
113 ALOGI("Process %d exited cleanly (%d)", pid, WEXITSTATUS(status));
115 } else if (WIFSIGNALED(status)) {
116 if (WTERMSIG(status) != SIGKILL) {
117 ALOGI("Process %d exited due to signal (%d)", pid, WTERMSIG(status));
119 if (WCOREDUMP(status)) {
120 ALOGI("Process %d dumped core.", pid);
124 // If the just-crashed process is the system_server, bring down zygote
125 // so that it is restarted by init and system server will be restarted
127 if (pid == gSystemServerPid) {
128 ALOGE("Exit zygote because system server (%d) has terminated", pid);
129 kill(getpid(), SIGKILL);
133 // Note that we shouldn't consider ECHILD an error because
134 // the secondary zygote might have no children left to wait for.
135 if (pid < 0 && errno != ECHILD) {
136 ALOGW("Zygote SIGCHLD error in waitpid: %s", strerror(errno));
142 // Configures the SIGCHLD handler for the zygote process. This is configured
143 // very late, because earlier in the runtime we may fork() and exec()
144 // other processes, and we want to waitpid() for those rather than
145 // have them be harvested immediately.
147 // This ends up being called repeatedly before each fork(), but there's
148 // no real harm in that.
149 static void SetSigChldHandler() {
151 memset(&sa, 0, sizeof(sa));
152 sa.sa_handler = SigChldHandler;
154 int err = sigaction(SIGCHLD, &sa, NULL);
156 ALOGW("Error setting SIGCHLD handler: %s", strerror(errno));
160 // Sets the SIGCHLD handler back to default behavior in zygote children.
161 static void UnsetSigChldHandler() {
163 memset(&sa, 0, sizeof(sa));
164 sa.sa_handler = SIG_DFL;
166 int err = sigaction(SIGCHLD, &sa, NULL);
168 ALOGW("Error unsetting SIGCHLD handler: %s", strerror(errno));
172 // Calls POSIX setgroups() using the int[] object as an argument.
173 // A NULL argument is tolerated.
174 static void SetGids(JNIEnv* env, jintArray javaGids) {
175 if (javaGids == NULL) {
179 ScopedIntArrayRO gids(env, javaGids);
180 if (gids.get() == NULL) {
183 int rc = setgroups(gids.size(), reinterpret_cast<const gid_t*>(&gids[0]));
185 ALOGE("setgroups failed");
190 // Sets the resource limits via setrlimit(2) for the values in the
191 // two-dimensional array of integers that's passed in. The second dimension
192 // contains a tuple of length 3: (resource, rlim_cur, rlim_max). NULL is
193 // treated as an empty array.
194 static void SetRLimits(JNIEnv* env, jobjectArray javaRlimits) {
195 if (javaRlimits == NULL) {
200 memset(&rlim, 0, sizeof(rlim));
202 for (int i = 0; i < env->GetArrayLength(javaRlimits); ++i) {
203 ScopedLocalRef<jobject> javaRlimitObject(env, env->GetObjectArrayElement(javaRlimits, i));
204 ScopedIntArrayRO javaRlimit(env, reinterpret_cast<jintArray>(javaRlimitObject.get()));
205 if (javaRlimit.size() != 3) {
206 ALOGE("rlimits array must have a second dimension of size 3");
210 rlim.rlim_cur = javaRlimit[1];
211 rlim.rlim_max = javaRlimit[2];
213 int rc = setrlimit(javaRlimit[0], &rlim);
215 ALOGE("setrlimit(%d, {%ld, %ld}) failed", javaRlimit[0], rlim.rlim_cur,
222 // The debug malloc library needs to know whether it's the zygote or a child.
223 extern "C" int gMallocLeakZygoteChild;
225 static void EnableKeepCapabilities(JNIEnv* env) {
226 int rc = prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0);
228 ALOGE("prctl(PR_SET_KEEPCAPS) failed");
233 static void DropCapabilitiesBoundingSet(JNIEnv* env) {
234 for (int i = 0; prctl(PR_CAPBSET_READ, i, 0, 0, 0) >= 0; i++) {
235 int rc = prctl(PR_CAPBSET_DROP, i, 0, 0, 0);
237 if (errno == EINVAL) {
238 ALOGE("prctl(PR_CAPBSET_DROP) failed with EINVAL. Please verify "
239 "your kernel is compiled with file capabilities support");
241 ALOGE("prctl(PR_CAPBSET_DROP) failed");
248 static void SetCapabilities(JNIEnv* env, int64_t permitted, int64_t effective) {
249 __user_cap_header_struct capheader;
250 memset(&capheader, 0, sizeof(capheader));
251 capheader.version = _LINUX_CAPABILITY_VERSION_3;
254 __user_cap_data_struct capdata[2];
255 memset(&capdata, 0, sizeof(capdata));
256 capdata[0].effective = effective;
257 capdata[1].effective = effective >> 32;
258 capdata[0].permitted = permitted;
259 capdata[1].permitted = permitted >> 32;
261 if (capset(&capheader, &capdata[0]) == -1) {
262 ALOGE("capset(%" PRId64 ", %" PRId64 ") failed", permitted, effective);
267 static void SetSchedulerPolicy(JNIEnv* env) {
268 errno = -set_sched_policy(0, SP_DEFAULT);
270 ALOGE("set_sched_policy(0, SP_DEFAULT) failed");
275 static int UnmountTree(const char* path) {
276 size_t path_len = strlen(path);
278 FILE* fp = setmntent("/proc/mounts", "r");
280 ALOGE("Error opening /proc/mounts: %s", strerror(errno));
284 // Some volumes can be stacked on each other, so force unmount in
285 // reverse order to give us the best chance of success.
286 std::list<std::string> toUnmount;
288 while ((mentry = getmntent(fp)) != NULL) {
289 if (strncmp(mentry->mnt_dir, path, path_len) == 0) {
290 toUnmount.push_front(std::string(mentry->mnt_dir));
295 for (auto path : toUnmount) {
296 if (umount2(path.c_str(), MNT_DETACH)) {
297 ALOGW("Failed to unmount %s: %s", path.c_str(), strerror(errno));
303 // Create a private mount namespace and bind mount appropriate emulated
304 // storage for the given user.
305 static bool MountEmulatedStorage(uid_t uid, jint mount_mode,
306 bool force_mount_namespace) {
307 // See storage config details at http://source.android.com/tech/storage/
309 // Create a second private mount namespace for our process
310 if (unshare(CLONE_NEWNS) == -1) {
311 ALOGW("Failed to unshare(): %s", strerror(errno));
315 // Unmount storage provided by root namespace and mount requested view
316 UnmountTree("/storage");
318 String8 storageSource;
319 if (mount_mode == MOUNT_EXTERNAL_DEFAULT) {
320 storageSource = "/mnt/runtime/default";
321 } else if (mount_mode == MOUNT_EXTERNAL_READ) {
322 storageSource = "/mnt/runtime/read";
323 } else if (mount_mode == MOUNT_EXTERNAL_WRITE) {
324 storageSource = "/mnt/runtime/write";
326 // Sane default of no storage visible
329 if (TEMP_FAILURE_RETRY(mount(storageSource.string(), "/storage",
330 NULL, MS_BIND | MS_REC | MS_SLAVE, NULL)) == -1) {
331 ALOGW("Failed to mount %s to /storage: %s", storageSource.string(), strerror(errno));
335 // Mount user-specific symlink helper into place
336 userid_t user_id = multiuser_get_user_id(uid);
337 const String8 userSource(String8::format("/mnt/user/%d", user_id));
338 if (fs_prepare_dir(userSource.string(), 0751, 0, 0) == -1) {
341 if (TEMP_FAILURE_RETRY(mount(userSource.string(), "/storage/self",
342 NULL, MS_BIND, NULL)) == -1) {
343 ALOGW("Failed to mount %s to /storage/self: %s", userSource.string(), strerror(errno));
350 static bool NeedsNoRandomizeWorkaround() {
351 #if !defined(__arm__)
357 if (uname(&uts) == -1) {
361 if (sscanf(uts.release, "%d.%d", &major, &minor) != 2) {
365 // Kernels before 3.4.* need the workaround.
366 return (major < 3) || ((major == 3) && (minor < 4));
370 // Utility to close down the Zygote socket file descriptors while
371 // the child is still running as root with Zygote's privileges. Each
372 // descriptor (if any) is closed via dup2(), replacing it with a valid
373 // (open) descriptor to /dev/null.
375 static void DetachDescriptors(JNIEnv* env, jintArray fdsToClose) {
379 jsize count = env->GetArrayLength(fdsToClose);
380 jint *ar = env->GetIntArrayElements(fdsToClose, 0);
382 ALOGE("Bad fd array");
387 for (i = 0; i < count; i++) {
388 devnull = open("/dev/null", O_RDWR);
390 ALOGE("Failed to open /dev/null: %s", strerror(errno));
394 ALOGV("Switching descriptor %d to /dev/null: %s", ar[i], strerror(errno));
395 if (dup2(devnull, ar[i]) < 0) {
396 ALOGE("Failed dup2() on descriptor %d: %s", ar[i], strerror(errno));
403 void SetThreadName(const char* thread_name) {
406 const char* s = thread_name;
410 } else if (*s == '@') {
415 const int len = s - thread_name;
416 if (len < 15 || hasAt || !hasDot) {
419 s = thread_name + len - 15;
421 // pthread_setname_np fails rather than truncating long strings.
422 char buf[16]; // MAX_TASK_COMM_LEN=16 is hard-coded into bionic
423 strlcpy(buf, s, sizeof(buf)-1);
424 errno = pthread_setname_np(pthread_self(), buf);
426 ALOGW("Unable to set the name of current thread to '%s': %s", buf, strerror(errno));
430 #ifdef ENABLE_SCHED_BOOST
431 static void SetForkLoad(bool boost) {
432 // set scheduler knob to boost forked processes
433 pid_t currentPid = getpid();
434 // fits at most "/proc/XXXXXXX/sched_init_task_load\0"
436 snprintf(schedPath, sizeof(schedPath), "/proc/%u/sched_init_task_load", currentPid);
437 int schedBoostFile = open(schedPath, O_WRONLY);
438 if (schedBoostFile < 0) {
439 ALOGW("Unable to set zygote scheduler boost");
443 write(schedBoostFile, "100\0", 4);
445 write(schedBoostFile, "0\0", 2);
447 close(schedBoostFile);
451 // The list of open zygote file descriptors.
452 static FileDescriptorTable* gOpenFdTable = NULL;
454 // Utility routine to fork zygote and specialize the child process.
455 static pid_t ForkAndSpecializeCommon(JNIEnv* env, uid_t uid, gid_t gid, jintArray javaGids,
456 jint debug_flags, jobjectArray javaRlimits,
457 jlong permittedCapabilities, jlong effectiveCapabilities,
459 jstring java_se_info, jstring java_se_name,
460 bool is_system_server, jintArray fdsToClose,
461 jstring instructionSet, jstring dataDir) {
464 #ifdef ENABLE_SCHED_BOOST
468 // Close any logging related FDs before we start evaluating the list of
470 __android_log_close();
472 // If this is the first fork for this zygote, create the open FD table.
473 // If it isn't, we just need to check whether the list of open files has
474 // changed (and it shouldn't in the normal case).
475 if (gOpenFdTable == NULL) {
476 gOpenFdTable = FileDescriptorTable::Create();
477 if (gOpenFdTable == NULL) {
478 RuntimeAbort(env, __LINE__, "Unable to construct file descriptor table.");
480 } else if (!gOpenFdTable->Restat()) {
481 RuntimeAbort(env, __LINE__, "Unable to restat file descriptor table.");
487 // The child process.
488 gMallocLeakZygoteChild = 1;
490 // Clean up any descriptors which must be closed immediately
491 DetachDescriptors(env, fdsToClose);
493 // Re-open all remaining open file descriptors so that they aren't shared
494 // with the zygote across a fork.
495 if (!gOpenFdTable->ReopenOrDetach()) {
496 RuntimeAbort(env, __LINE__, "Unable to reopen whitelisted descriptors.");
499 // Keep capabilities across UID change, unless we're staying root.
501 EnableKeepCapabilities(env);
504 DropCapabilitiesBoundingSet(env);
506 bool use_native_bridge = !is_system_server && (instructionSet != NULL)
507 && android::NativeBridgeAvailable();
508 if (use_native_bridge) {
509 ScopedUtfChars isa_string(env, instructionSet);
510 use_native_bridge = android::NeedsNativeBridge(isa_string.c_str());
512 if (use_native_bridge && dataDir == NULL) {
513 // dataDir should never be null if we need to use a native bridge.
514 // In general, dataDir will never be null for normal applications. It can only happen in
515 // special cases (for isolated processes which are not associated with any app). These are
516 // launched by the framework and should not be emulated anyway.
517 use_native_bridge = false;
518 ALOGW("Native bridge will not be used because dataDir == NULL.");
521 if (!MountEmulatedStorage(uid, mount_external, use_native_bridge)) {
522 ALOGW("Failed to mount emulated storage: %s", strerror(errno));
523 if (errno == ENOTCONN || errno == EROFS) {
524 // When device is actively encrypting, we get ENOTCONN here
525 // since FUSE was mounted before the framework restarted.
526 // When encrypted device is booting, we get EROFS since
527 // FUSE hasn't been created yet by init.
528 // In either case, continue without external storage.
530 ALOGE("Cannot continue without emulated storage");
535 if (!is_system_server) {
536 int rc = createProcessGroup(uid, getpid());
539 ALOGW("createProcessGroup failed, kernel missing CONFIG_CGROUP_CPUACCT?");
541 ALOGE("createProcessGroup(%d, %d) failed: %s", uid, pid, strerror(-rc));
546 SetGids(env, javaGids);
548 SetRLimits(env, javaRlimits);
550 if (use_native_bridge) {
551 ScopedUtfChars isa_string(env, instructionSet);
552 ScopedUtfChars data_dir(env, dataDir);
553 android::PreInitializeNativeBridge(data_dir.c_str(), isa_string.c_str());
556 int rc = setresgid(gid, gid, gid);
558 ALOGE("setresgid(%d) failed: %s", gid, strerror(errno));
562 rc = setresuid(uid, uid, uid);
564 ALOGE("setresuid(%d) failed: %s", uid, strerror(errno));
568 if (NeedsNoRandomizeWorkaround()) {
569 // Work around ARM kernel ASLR lossage (http://b/5817320).
570 int old_personality = personality(0xffffffff);
571 int new_personality = personality(old_personality | ADDR_NO_RANDOMIZE);
572 if (new_personality == -1) {
573 ALOGW("personality(%d) failed: %s", new_personality, strerror(errno));
577 SetCapabilities(env, permittedCapabilities, effectiveCapabilities);
579 SetSchedulerPolicy(env);
581 const char* se_info_c_str = NULL;
582 ScopedUtfChars* se_info = NULL;
583 if (java_se_info != NULL) {
584 se_info = new ScopedUtfChars(env, java_se_info);
585 se_info_c_str = se_info->c_str();
586 if (se_info_c_str == NULL) {
587 ALOGE("se_info_c_str == NULL");
591 const char* se_name_c_str = NULL;
592 ScopedUtfChars* se_name = NULL;
593 if (java_se_name != NULL) {
594 se_name = new ScopedUtfChars(env, java_se_name);
595 se_name_c_str = se_name->c_str();
596 if (se_name_c_str == NULL) {
597 ALOGE("se_name_c_str == NULL");
601 rc = selinux_android_setcontext(uid, is_system_server, se_info_c_str, se_name_c_str);
603 ALOGE("selinux_android_setcontext(%d, %d, \"%s\", \"%s\") failed", uid,
604 is_system_server, se_info_c_str, se_name_c_str);
608 // Make it easier to debug audit logs by setting the main thread's name to the
609 // nice name rather than "app_process".
610 if (se_info_c_str == NULL && is_system_server) {
611 se_name_c_str = "system_server";
613 if (se_info_c_str != NULL) {
614 SetThreadName(se_name_c_str);
620 UnsetSigChldHandler();
622 env->CallStaticVoidMethod(gZygoteClass, gCallPostForkChildHooks, debug_flags,
623 is_system_server ? NULL : instructionSet);
624 if (env->ExceptionCheck()) {
625 ALOGE("Error calling post fork hooks.");
628 } else if (pid > 0) {
629 // the parent process
631 #ifdef ENABLE_SCHED_BOOST
632 // unset scheduler knob
639 } // anonymous namespace
643 static jint com_android_internal_os_Zygote_nativeForkAndSpecialize(
644 JNIEnv* env, jclass, jint uid, jint gid, jintArray gids,
645 jint debug_flags, jobjectArray rlimits,
646 jint mount_external, jstring se_info, jstring se_name,
647 jintArray fdsToClose, jstring instructionSet, jstring appDataDir) {
648 // Grant CAP_WAKE_ALARM to the Bluetooth process.
649 jlong capabilities = 0;
650 if (uid == AID_BLUETOOTH) {
651 capabilities |= (1LL << CAP_WAKE_ALARM);
654 return ForkAndSpecializeCommon(env, uid, gid, gids, debug_flags,
655 rlimits, capabilities, capabilities, mount_external, se_info,
656 se_name, false, fdsToClose, instructionSet, appDataDir);
659 static jint com_android_internal_os_Zygote_nativeForkSystemServer(
660 JNIEnv* env, jclass, uid_t uid, gid_t gid, jintArray gids,
661 jint debug_flags, jobjectArray rlimits, jlong permittedCapabilities,
662 jlong effectiveCapabilities) {
663 pid_t pid = ForkAndSpecializeCommon(env, uid, gid, gids,
664 debug_flags, rlimits,
665 permittedCapabilities, effectiveCapabilities,
666 MOUNT_EXTERNAL_DEFAULT, NULL, NULL, true, NULL,
669 // The zygote process checks whether the child process has died or not.
670 ALOGI("System server process %d has been created", pid);
671 gSystemServerPid = pid;
672 // There is a slight window that the system server process has crashed
673 // but it went unnoticed because we haven't published its pid yet. So
674 // we recheck here just to make sure that all is well.
676 if (waitpid(pid, &status, WNOHANG) == pid) {
677 ALOGE("System server process %d has died. Restarting Zygote!", pid);
684 static JNINativeMethod gMethods[] = {
685 { "nativeForkAndSpecialize",
686 "(II[II[[IILjava/lang/String;Ljava/lang/String;[ILjava/lang/String;Ljava/lang/String;)I",
687 (void *) com_android_internal_os_Zygote_nativeForkAndSpecialize },
688 { "nativeForkSystemServer", "(II[II[[IJJ)I",
689 (void *) com_android_internal_os_Zygote_nativeForkSystemServer }
692 int register_com_android_internal_os_Zygote(JNIEnv* env) {
693 gZygoteClass = MakeGlobalRefOrDie(env, FindClassOrDie(env, kZygoteClassName));
694 gCallPostForkChildHooks = GetStaticMethodIDOrDie(env, gZygoteClass, "callPostForkChildHooks",
695 "(ILjava/lang/String;)V");
697 return RegisterMethodsOrDie(env, "com/android/internal/os/Zygote", gMethods, NELEM(gMethods));
699 } // namespace android