tequilaOS/platform_system_core
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge "Add flags to restorecon_recursive to traverse filesystems" am: 5fbd1cfd34 am: ffa3689107 am: a99490c813

Browse source 
am: e799e3317a

Change-Id: Icd4b867d450c7b84f86f9d91b39faf6792544cb1
This commit is contained in:
Paul Lawrence 2016-11-17 18:30:22 +00:00 committed by android-build-merger
commit 0705fcb2f4
7 changed files with 50 additions and 40 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

53
init/builtins.cpp
View file

@ -40,6 +40,7 @@
#include <thread>
#include <selinux/android.h>
#include <selinux/selinux.h>
#include <selinux/label.h>
@ -909,25 +910,49 @@ static int do_chmod(const std::vector<std::string>& args) {
static int do_restorecon(const std::vector<std::string>& args) {
int ret = 0;
for (auto it = std::next(args.begin()); it != args.end(); ++it) {
if (restorecon(it->c_str()) < 0)
ret = -errno;
struct flag_type {const char* name; int value;};
static const flag_type flags[] = {
{"--recursive", SELINUX_ANDROID_RESTORECON_RECURSE},
{"--skip-ce", SELINUX_ANDROID_RESTORECON_SKIPCE},
{"--cross-filesystems", SELINUX_ANDROID_RESTORECON_CROSS_FILESYSTEMS},
{0, 0}
};
int flag = 0;
bool in_flags = true;
for (size_t i = 1; i < args.size(); ++i) {
if (android::base::StartsWith(args[i], "--")) {
if (!in_flags) {
LOG(ERROR) << "restorecon - flags must precede paths";
return -1;
}
bool found = false;
for (size_t j = 0; flags[j].name; ++j) {
if (args[i] == flags[j].name) {
flag |= flags[j].value;
found = true;
break;
}
}
if (!found) {
LOG(ERROR) << "restorecon - bad flag " << args[i];
return -1;
}
} else {
in_flags = false;
if (restorecon(args[i].c_str(), flag) < 0) {
ret = -errno;
}
}
}
return ret;
}
static int do_restorecon_recursive(const std::vector<std::string>& args) {
int ret = 0;
for (auto it = std::next(args.begin()); it != args.end(); ++it) {
/* The contents of CE paths are encrypted on FBE devices until user
* credentials are presented (filenames inside are mangled), so we need
* to delay restorecon of those until vold explicitly requests it. */
if (restorecon_recursive_skipce(it->c_str()) < 0) {
ret = -errno;
}
}
return ret;
std::vector<std::string> non_const_args(args);
non_const_args.insert(std::next(non_const_args.begin()), "--recursive");
return do_restorecon(non_const_args);
}
static int do_loglevel(const std::vector<std::string>& args) {

2
init/devices.cpp
View file

@ -190,7 +190,7 @@ static void fixup_sys_perms(const char* upath, const char* subsystem) {
if (access(path.c_str(), F_OK) == 0) {
LOG(VERBOSE) << "restorecon_recursive: " << path;
restorecon_recursive(path.c_str());
restorecon(path.c_str(), SELINUX_ANDROID_RESTORECON_RECURSE);
}
}

4
init/init.cpp
View file

@ -759,8 +759,8 @@ int main(int argc, char** argv) {
restorecon("/dev/socket");
restorecon("/dev/__properties__");
restorecon("/property_contexts");
restorecon_recursive("/sys");
restorecon_recursive("/dev/block");
restorecon("/sys", SELINUX_ANDROID_RESTORECON_RECURSE);
restorecon("/dev/block", SELINUX_ANDROID_RESTORECON_RECURSE);
restorecon("/dev/device-mapper");
epoll_fd = epoll_create1(EPOLL_CLOEXEC);

3
init/property_service.cpp
View file

@ -42,6 +42,7 @@
#include <netinet/in.h>
#include <sys/mman.h>
#include <selinux/android.h>
#include <selinux/selinux.h>
#include <selinux/label.h>
@ -175,7 +176,7 @@ static int property_set_impl(const char* name, const char* value) {
if (valuelen >= PROP_VALUE_MAX) return -1;
if (strcmp("selinux.restorecon_recursive", name) == 0 && valuelen > 0) {
if (restorecon_recursive(value) != 0) {
if (restorecon(value, SELINUX_ANDROID_RESTORECON_RECURSE) != 0) {
LOG(ERROR) << "Failed to restorecon_recursive " << value;
}
}

15
init/util.cpp
View file

@ -369,20 +369,9 @@ int make_dir(const char *path, mode_t mode)
return rc;
}
int restorecon(const char* pathname)
int restorecon(const char* pathname, int flags)
{
return selinux_android_restorecon(pathname, 0);
}
int restorecon_recursive(const char* pathname)
{
return selinux_android_restorecon(pathname, SELINUX_ANDROID_RESTORECON_RECURSE);
}
int restorecon_recursive_skipce(const char* pathname)
{
return selinux_android_restorecon(pathname,
SELINUX_ANDROID_RESTORECON_RECURSE | SELINUX_ANDROID_RESTORECON_SKIPCE);
return selinux_android_restorecon(pathname, flags);
}
/*

4
init/util.h
View file

@ -68,9 +68,7 @@ int wait_for_file(const char *filename, std::chrono::nanoseconds timeout);
void import_kernel_cmdline(bool in_qemu,
const std::function<void(const std::string&, const std::string&, bool)>&);
int make_dir(const char *path, mode_t mode);
int restorecon(const char *pathname);
int restorecon_recursive(const char *pathname);
int restorecon_recursive_skipce(const char *pathname);
int restorecon(const char *pathname, int flags = 0);
std::string bytes_to_hex(const uint8_t *bytes, size_t bytes_len);
bool is_dir(const char* pathname);
bool expand_props(const std::string& src, std::string* dst);

9
rootdir/init.rc
View file

@ -306,11 +306,8 @@ on post-fs
mount none none /storage slave rec
# Make sure /sys/kernel/debug (if present) is labeled properly
restorecon_recursive /sys/kernel/debug
# On systems with tracefs, tracing is a separate mount, so make sure
# it too is correctly labeled
restorecon_recursive /sys/kernel/debug/tracing
# Note that tracefs may be mounted under debug, so we need to cross filesystems
restorecon --recursive --cross-filesystems /sys/kernel/debug
# We chown/chmod /cache again so because mount is run as root + defaults
chown system cache /cache
@ -484,7 +481,7 @@ on post-fs-data
init_user0
# Set SELinux security contexts on upgrade or policy update.
restorecon_recursive /data
restorecon --recursive --skip-ce /data
# Check any timezone data in /data is newer than the copy in /system, delete if not.
exec - system system -- /system/bin/tzdatacheck /system/usr/share/zoneinfo /data/misc/zoneinfo