static jclass gZygoteInitClass;
static jmethodID gCreateSystemServerClassLoader;
-static bool g_is_security_enforced = true;
+static bool gIsSecurityEnforced = true;
/**
* The maximum number of characters (not including a null terminator) that a
}
static void SetUpSeccompFilter(uid_t uid, bool is_child_zygote) {
- if (!g_is_security_enforced) {
+ if (!gIsSecurityEnforced) {
ALOGI("seccomp disabled by setenforce 0");
return;
}
return fd_vec;
}
-} // anonymous namespace
+static void UnmountStorageOnInit(JNIEnv* env) {
+ // Zygote process unmount root storage space initially before every child processes are forked.
+ // Every forked child processes (include SystemServer) only mount their own root storage space
+ // and no need unmount storage operation in MountEmulatedStorage method.
+ // Zygote process does not utilize root storage spaces and unshares its mount namespace below.
-namespace android {
+ // See storage config details at http://source.android.com/tech/storage/
+ // Create private mount namespace shared by all children
+ if (unshare(CLONE_NEWNS) == -1) {
+ RuntimeAbort(env, __LINE__, "Failed to unshare()");
+ return;
+ }
-static void com_android_internal_os_Zygote_nativeSecurityInit(JNIEnv*, jclass) {
- // security_getenforce is not allowed on app process. Initialize and cache
- // the value before zygote forks.
- g_is_security_enforced = security_getenforce();
+ // Mark rootfs as being a slave so that changes from default
+ // namespace only flow into our children.
+ if (mount("rootfs", "/", nullptr, (MS_SLAVE | MS_REC), nullptr) == -1) {
+ RuntimeAbort(env, __LINE__, "Failed to mount() rootfs as MS_SLAVE");
+ return;
+ }
- selinux_android_seapp_context_init();
+ // Create a staging tmpfs that is shared by our children; they will
+ // bind mount storage into their respective private namespaces, which
+ // are isolated from each other.
+ const char* target_base = getenv("EMULATED_STORAGE_TARGET");
+ if (target_base != nullptr) {
+#define STRINGIFY_UID(x) __STRING(x)
+ if (mount("tmpfs", target_base, "tmpfs", MS_NOSUID | MS_NODEV,
+ "uid=0,gid=" STRINGIFY_UID(AID_SDCARD_R) ",mode=0751") == -1) {
+ ALOGE("Failed to mount tmpfs to %s", target_base);
+ RuntimeAbort(env, __LINE__, "Failed to mount tmpfs");
+ return;
+ }
+#undef STRINGIFY_UID
+ }
+
+ UnmountTree("/storage");
}
+} // anonymous namespace
+
+namespace android {
+
static void com_android_internal_os_Zygote_nativePreApplicationInit(JNIEnv*, jclass) {
PreApplicationInit();
}
FileDescriptorWhitelist::Get()->Allow(path_cstr);
}
-static void com_android_internal_os_Zygote_nativeUnmountStorageOnInit(JNIEnv* env, jclass) {
- // Zygote process unmount root storage space initially before every child processes are forked.
- // Every forked child processes (include SystemServer) only mount their own root storage space
- // and no need unmount storage operation in MountEmulatedStorage method.
- // Zygote process does not utilize root storage spaces and unshares its mount namespace below.
-
- // See storage config details at http://source.android.com/tech/storage/
- // Create private mount namespace shared by all children
- if (unshare(CLONE_NEWNS) == -1) {
- RuntimeAbort(env, __LINE__, "Failed to unshare()");
- return;
- }
-
- // Mark rootfs as being a slave so that changes from default
- // namespace only flow into our children.
- if (mount("rootfs", "/", nullptr, (MS_SLAVE | MS_REC), nullptr) == -1) {
- RuntimeAbort(env, __LINE__, "Failed to mount() rootfs as MS_SLAVE");
- return;
- }
-
- // Create a staging tmpfs that is shared by our children; they will
- // bind mount storage into their respective private namespaces, which
- // are isolated from each other.
- const char* target_base = getenv("EMULATED_STORAGE_TARGET");
- if (target_base != nullptr) {
-#define STRINGIFY_UID(x) __STRING(x)
- if (mount("tmpfs", target_base, "tmpfs", MS_NOSUID | MS_NODEV,
- "uid=0,gid=" STRINGIFY_UID(AID_SDCARD_R) ",mode=0751") == -1) {
- ALOGE("Failed to mount tmpfs to %s", target_base);
- RuntimeAbort(env, __LINE__, "Failed to mount tmpfs");
- return;
- }
-#undef STRINGIFY_UID
- }
-
- UnmountTree("/storage");
-}
-
static void com_android_internal_os_Zygote_nativeInstallSeccompUidGidFilter(
JNIEnv* env, jclass, jint uidGidMin, jint uidGidMax) {
- if (!g_is_security_enforced) {
+ if (!gIsSecurityEnforced) {
ALOGI("seccomp disabled by setenforce 0");
return;
}
* @param is_primary If this process is the primary or secondary Zygote; used to compute the name
* of the environment variable storing the file descriptors.
*/
-static void com_android_internal_os_Zygote_nativeGetSocketFDs(JNIEnv* env, jclass,
- jboolean is_primary) {
+static void com_android_internal_os_Zygote_nativeInitNativeState(JNIEnv* env, jclass,
+ jboolean is_primary) {
+ /*
+ * Obtain file descriptors created by init from the environment.
+ */
+
std::string android_socket_prefix(ANDROID_SOCKET_PREFIX);
std::string env_var_name = android_socket_prefix + (is_primary ? "zygote" : "zygote_secondary");
char* env_var_val = getenv(env_var_name.c_str());
} else {
ALOGE("Unable to fetch USAP pool socket file descriptor");
}
+
+ /*
+ * Security Initialization
+ */
+
+ // security_getenforce is not allowed on app process. Initialize and cache
+ // the value before zygote forks.
+ gIsSecurityEnforced = security_getenforce();
+
+ selinux_android_seapp_context_init();
+
+ /*
+ * Storage Initialization
+ */
+
+ UnmountStorageOnInit(env);
+
+ /*
+ * Performance Initialization
+ */
+
+ if (!SetTaskProfiles(0, {})) {
+ ZygoteFailure(env, "zygote", nullptr, "Zygote SetTaskProfiles failed");
+ }
}
/**
}
static const JNINativeMethod gMethods[] = {
- { "nativeSecurityInit", "()V",
- (void *) com_android_internal_os_Zygote_nativeSecurityInit },
{ "nativeForkAndSpecialize",
"(II[II[[IILjava/lang/String;Ljava/lang/String;[I[IZLjava/lang/String;Ljava/lang/String;Ljava/lang/String;[Ljava/lang/String;Ljava/lang/String;)I",
(void *) com_android_internal_os_Zygote_nativeForkAndSpecialize },
(void *) com_android_internal_os_Zygote_nativeForkSystemServer },
{ "nativeAllowFileAcrossFork", "(Ljava/lang/String;)V",
(void *) com_android_internal_os_Zygote_nativeAllowFileAcrossFork },
- { "nativeUnmountStorageOnInit", "()V",
- (void *) com_android_internal_os_Zygote_nativeUnmountStorageOnInit },
{ "nativePreApplicationInit", "()V",
(void *) com_android_internal_os_Zygote_nativePreApplicationInit },
{ "nativeInstallSeccompUidGidFilter", "(II)V",
{ "nativeSpecializeAppProcess",
"(II[II[[IILjava/lang/String;Ljava/lang/String;ZLjava/lang/String;Ljava/lang/String;Ljava/lang/String;[Ljava/lang/String;Ljava/lang/String;)V",
(void *) com_android_internal_os_Zygote_nativeSpecializeAppProcess },
- { "nativeGetSocketFDs", "(Z)V",
- (void *) com_android_internal_os_Zygote_nativeGetSocketFDs },
+ { "nativeInitNativeState", "(Z)V",
+ (void *) com_android_internal_os_Zygote_nativeInitNativeState },
{ "nativeGetUsapPipeFDs", "()[I",
(void *) com_android_internal_os_Zygote_nativeGetUsapPipeFDs },
{ "nativeRemoveUsapTableEntry", "(I)Z",