Merge "Separate system_ext_sepolicy.cil out of system sepolicy"
This commit is contained in:
Treehugger Robot
Gerrit Code Review
commit
34aba6a690
1 changed files with 44 additions and 10 deletions
|
|
@ -36,16 +36,18 @@
|
|||
// The split SEPolicy is loaded as described below:
|
||||
// 1) There is a precompiled SEPolicy located at either /vendor/etc/selinux/precompiled_sepolicy or
|
||||
// /odm/etc/selinux/precompiled_sepolicy if odm parition is present. Stored along with this file
|
||||
// are the sha256 hashes of the parts of the SEPolicy on /system and /product that were used to
|
||||
// compile this precompiled policy. The system partition contains a similar sha256 of the parts
|
||||
// of the SEPolicy that it currently contains. Symmetrically, product paritition contains a
|
||||
// sha256 of its SEPolicy. System loads this precompiled_sepolicy directly if and only if hashes
|
||||
// for system policy match and hashes for product policy match.
|
||||
// 2) If these hashes do not match, then either /system or /product (or both) have been updated out
|
||||
// of sync with /vendor and the init needs to compile the SEPolicy. /system contains the
|
||||
// SEPolicy compiler, secilc, and it is used by the LoadSplitPolicy() function below to compile
|
||||
// the SEPolicy to a temp directory and load it. That function contains even more documentation
|
||||
// with the specific implementation details of how the SEPolicy is compiled if needed.
|
||||
// are the sha256 hashes of the parts of the SEPolicy on /system, /system_ext and /product that
|
||||
// were used to compile this precompiled policy. The system partition contains a similar sha256
|
||||
// of the parts of the SEPolicy that it currently contains. Symmetrically, system_ext and
|
||||
// product paritition contain sha256 hashes of their SEPolicy. The init loads this
|
||||
// precompiled_sepolicy directly if and only if the hashes along with the precompiled SEPolicy on
|
||||
// /vendor or /odm match the hashes for system, system_ext and product SEPolicy, respectively.
|
||||
// 2) If these hashes do not match, then either /system or /system_ext or /product (or some of them)
|
||||
// have been updated out of sync with /vendor (or /odm if it is present) and the init needs to
|
||||
// compile the SEPolicy. /system contains the SEPolicy compiler, secilc, and it is used by the
|
||||
// LoadSplitPolicy() function below to compile the SEPolicy to a temp directory and load it.
|
||||
// That function contains even more documentation with the specific implementation details of how
|
||||
// the SEPolicy is compiled if needed.
|
||||
|
||||
#include "selinux.h"
|
||||
|
||||
|
|
@ -228,6 +230,13 @@ bool FindPrecompiledSplitPolicy(std::string* file) {
|
|||
"/system/etc/selinux/plat_sepolicy_and_mapping.sha256";
|
||||
return false;
|
||||
}
|
||||
std::string actual_system_ext_id;
|
||||
if (!ReadFirstLine("/system_ext/etc/selinux/system_ext_sepolicy_and_mapping.sha256",
|
||||
&actual_system_ext_id)) {
|
||||
PLOG(INFO) << "Failed to read "
|
||||
"/system_ext/etc/selinux/system_ext_sepolicy_and_mapping.sha256";
|
||||
return false;
|
||||
}
|
||||
std::string actual_product_id;
|
||||
if (!ReadFirstLine("/product/etc/selinux/product_sepolicy_and_mapping.sha256",
|
||||
&actual_product_id)) {
|
||||
|
|
@ -243,6 +252,13 @@ bool FindPrecompiledSplitPolicy(std::string* file) {
|
|||
file->clear();
|
||||
return false;
|
||||
}
|
||||
std::string precompiled_system_ext_id;
|
||||
std::string precompiled_system_ext_sha256 = *file + ".system_ext_sepolicy_and_mapping.sha256";
|
||||
if (!ReadFirstLine(precompiled_system_ext_sha256.c_str(), &precompiled_system_ext_id)) {
|
||||
PLOG(INFO) << "Failed to read " << precompiled_system_ext_sha256;
|
||||
file->clear();
|
||||
return false;
|
||||
}
|
||||
std::string precompiled_product_id;
|
||||
std::string precompiled_product_sha256 = *file + ".product_sepolicy_and_mapping.sha256";
|
||||
if (!ReadFirstLine(precompiled_product_sha256.c_str(), &precompiled_product_id)) {
|
||||
|
|
@ -251,6 +267,7 @@ bool FindPrecompiledSplitPolicy(std::string* file) {
|
|||
return false;
|
||||
}
|
||||
if (actual_plat_id.empty() || actual_plat_id != precompiled_plat_id ||
|
||||
actual_system_ext_id.empty() || actual_system_ext_id != precompiled_system_ext_id ||
|
||||
actual_product_id.empty() || actual_product_id != precompiled_product_id) {
|
||||
file->clear();
|
||||
return false;
|
||||
|
|
@ -336,6 +353,17 @@ bool LoadSplitPolicy() {
|
|||
plat_compat_cil_file.clear();
|
||||
}
|
||||
|
||||
std::string system_ext_policy_cil_file("/system_ext/etc/selinux/system_ext_sepolicy.cil");
|
||||
if (access(system_ext_policy_cil_file.c_str(), F_OK) == -1) {
|
||||
system_ext_policy_cil_file.clear();
|
||||
}
|
||||
|
||||
std::string system_ext_mapping_file("/system_ext/etc/selinux/mapping/" + vend_plat_vers +
|
||||
".cil");
|
||||
if (access(system_ext_mapping_file.c_str(), F_OK) == -1) {
|
||||
system_ext_mapping_file.clear();
|
||||
}
|
||||
|
||||
std::string product_policy_cil_file("/product/etc/selinux/product_sepolicy.cil");
|
||||
if (access(product_policy_cil_file.c_str(), F_OK) == -1) {
|
||||
product_policy_cil_file.clear();
|
||||
|
|
@ -384,6 +412,12 @@ bool LoadSplitPolicy() {
|
|||
if (!plat_compat_cil_file.empty()) {
|
||||
compile_args.push_back(plat_compat_cil_file.c_str());
|
||||
}
|
||||
if (!system_ext_policy_cil_file.empty()) {
|
||||
compile_args.push_back(system_ext_policy_cil_file.c_str());
|
||||
}
|
||||
if (!system_ext_mapping_file.empty()) {
|
||||
compile_args.push_back(system_ext_mapping_file.c_str());
|
||||
}
|
||||
if (!product_policy_cil_file.empty()) {
|
||||
compile_args.push_back(product_policy_cil_file.c_str());
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue