From f016f256b5c86ddf74705c3d4614c52abe6a5ca6 Mon Sep 17 00:00:00 2001
From: Bowgo Tsai
Date: Wed, 28 Aug 2019 17:56:51 +0800
Subject: [PATCH] Separate system_ext_sepolicy.cil out of system sepolicy

Currently system sepolicy can be extended via:
- BOARD_PLAT_PUBLIC_SEPOLICY_DIR
- BOARD_PLAT_PRIVATE_SEPOLICY_DIR

To support having a single shared core system sepolicy, those customization should be moved to the newly added system_ext partition. System-ext-specific sepolicy files will be installed into /system_ext/etc/selinux/*. system_ext_sepolicy.cil is merged into precompiled_sepolicy at build-time. In case precompiled_sepolicy can't be used (e.g. system-only-ota), the init will merge this file with the rest of the sepolicy at runtime.

Bug: 137712473
Test: boot aosp_crosshatch with system_ext_sepolicy.cil
Test: boot aosp_crosshatch without system_ext_sepolicy.cil
Change-Id: Ib37622271b559d65462de99ff424be831004508a
---
 init/selinux.cpp | 54 +++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 44 insertions(+), 10 deletions(-)

diff --git a/init/selinux.cpp b/init/selinux.cpp
index 4852cd0ac..a15d13649 100644
--- a/init/selinux.cpp
+++ b/init/selinux.cpp
@@ -36,16 +36,18 @@
 // The split SEPolicy is loaded as described below:
 // 1) There is a precompiled SEPolicy located at either /vendor/etc/selinux/precompiled_sepolicy or
 // /odm/etc/selinux/precompiled_sepolicy if odm parition is present. Stored along with this file
-// are the sha256 hashes of the parts of the SEPolicy on /system and /product that were used to
-// compile this precompiled policy. The system partition contains a similar sha256 of the parts
-// of the SEPolicy that it currently contains. Symmetrically, product paritition contains a
-// sha256 of its SEPolicy. System loads this precompiled_sepolicy directly if and only if hashes
-// for system policy match and hashes for product policy match.
-// 2) If these hashes do not match, then either /system or /product (or both) have been updated out
-// of sync with /vendor and the init needs to compile the SEPolicy. /system contains the
-// SEPolicy compiler, secilc, and it is used by the LoadSplitPolicy() function below to compile
-// the SEPolicy to a temp directory and load it. That function contains even more documentation
-// with the specific implementation details of how the SEPolicy is compiled if needed.
+// are the sha256 hashes of the parts of the SEPolicy on /system, /system_ext and /product that
+// were used to compile this precompiled policy. The system partition contains a similar sha256
+// of the parts of the SEPolicy that it currently contains. Symmetrically, system_ext and
+// product paritition contain sha256 hashes of their SEPolicy. The init loads this
+// precompiled_sepolicy directly if and only if the hashes along with the precompiled SEPolicy on
+// /vendor or /odm match the hashes for system, system_ext and product SEPolicy, respectively.
+// 2) If these hashes do not match, then either /system or /system_ext or /product (or some of them)
+// have been updated out of sync with /vendor (or /odm if it is present) and the init needs to
+// compile the SEPolicy. /system contains the SEPolicy compiler, secilc, and it is used by the
+// LoadSplitPolicy() function below to compile the SEPolicy to a temp directory and load it.
+// That function contains even more documentation with the specific implementation details of how
+// the SEPolicy is compiled if needed.
 #include "selinux.h"
@@ -228,6 +230,13 @@ bool FindPrecompiledSplitPolicy(std::string* file) {
 "/system/etc/selinux/plat_sepolicy_and_mapping.sha256";
 return false;
 }
+ std::string actual_system_ext_id;
+ if (!ReadFirstLine("/system_ext/etc/selinux/system_ext_sepolicy_and_mapping.sha256",
+ &actual_system_ext_id)) {
+ PLOG(INFO) << "Failed to read "
+ "/system_ext/etc/selinux/system_ext_sepolicy_and_mapping.sha256";
+ return false;
+ }
 std::string actual_product_id;
 if (!ReadFirstLine("/product/etc/selinux/product_sepolicy_and_mapping.sha256",
 &actual_product_id)) {
@@ -243,6 +252,13 @@ bool FindPrecompiledSplitPolicy(std::string* file) {
 file->clear();
 return false;
 }
+ std::string precompiled_system_ext_id;
+ std::string precompiled_system_ext_sha256 = *file + ".system_ext_sepolicy_and_mapping.sha256";
+ if (!ReadFirstLine(precompiled_system_ext_sha256.c_str(), &precompiled_system_ext_id)) {
+ PLOG(INFO) << "Failed to read " << precompiled_system_ext_sha256;
+ file->clear();
+ return false;
+ }
 std::string precompiled_product_id;
 std::string precompiled_product_sha256 = *file + ".product_sepolicy_and_mapping.sha256";
 if (!ReadFirstLine(precompiled_product_sha256.c_str(), &precompiled_product_id)) {
@@ -251,6 +267,7 @@ bool FindPrecompiledSplitPolicy(std::string* file) {
 return false;
 }
 if (actual_plat_id.empty() || actual_plat_id != precompiled_plat_id ||
+ actual_system_ext_id.empty() || actual_system_ext_id != precompiled_system_ext_id ||
 actual_product_id.empty() || actual_product_id != precompiled_product_id) {
 file->clear();
 return false;
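Review bot: The new ReadFirstLine of /system_ext/etc/selinux/system_ext_sepolicy_and_mapping.sha256 in the @@ -228 hunk makes that file a hard requirement for using precompiled_sepolicy: when it is absent, FindPrecompiledSplitPolicy returns false and init compiles the policy with secilc on every boot. That is the fail-closed direction, since a missing or unreadable hash can never silently select a stale precompiled policy, but the commit message also says boot without system_ext_sepolicy.cil is tested, so the assumption that the build always emits the hash file even when the .cil is empty deserves a comment next to the read, e.g. `// The hash file is expected on every system_ext image, so a missing file means an incomplete or mismatched image rather than an optional feature.` (confirm against the build side before stating it). The same mandatory-read shape is repeated in the @@ -243 hunk, and the @@ -251 hunk correctly treats an empty system_ext hash as a mismatch, consistent with the existing plat and product checks. FindPrecompiledSplitPolicy starts before and ends after these hunks.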
@@ -336,6 +353,17 @@ bool LoadSplitPolicy() {
 plat_compat_cil_file.clear();
 }
+ std::string system_ext_policy_cil_file("/system_ext/etc/selinux/system_ext_sepolicy.cil");
+ if (access(system_ext_policy_cil_file.c_str(), F_OK) == -1) {
+ system_ext_policy_cil_file.clear();
+ }
+
+ std::string system_ext_mapping_file("/system_ext/etc/selinux/mapping/" + vend_plat_vers +
+ ".cil");
+ if (access(system_ext_mapping_file.c_str(), F_OK) == -1) {
+ system_ext_mapping_file.clear();
+ }
+
 std::string product_policy_cil_file("/product/etc/selinux/product_sepolicy.cil");
 if (access(product_policy_cil_file.c_str(), F_OK) == -1) {
 product_policy_cil_file.clear();
@@ -384,6 +412,12 @@ bool LoadSplitPolicy() {
 if (!plat_compat_cil_file.empty()) {
 compile_args.push_back(plat_compat_cil_file.c_str());
 }
+ if (!system_ext_policy_cil_file.empty()) {
+ compile_args.push_back(system_ext_policy_cil_file.c_str());
+ }
+ if (!system_ext_mapping_file.empty()) {
+ compile_args.push_back(system_ext_mapping_file.c_str());
+ }
 if (!product_policy_cil_file.empty()) {
 compile_args.push_back(product_policy_cil_file.c_str());
 }
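Review bot: In the @@ -336 hunk the system_ext mapping file is dropped silently when /system_ext/etc/selinux/mapping/<vend_plat_vers>.cil is absent, while system_ext_sepolicy.cil is still handed to secilc in the @@ -384 hunk, so a system_ext policy that needs a compat mapping for the vendor's platform version would be compiled without one and the problem would only surface as a later secilc error with no hint of the cause. If that combination is meant to be rejected rather than tolerated, a short log at the `clear()` site, e.g. `LOG(INFO) << "No system_ext mapping for " << vend_plat_vers;`, would make it diagnosable; the plat and product files appear to use the same shape, so this may be intentional and is worth a one-line comment either way. The four access()/clear() pairs now in this function differ only in the path and could become a small helper returning the path or an empty string, which would also keep the compile_args ordering in the @@ -384 hunk easy to read. LoadSplitPolicy starts before and ends after both hunks.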