tequilaOS/platform_system_core
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

init: use platform sepolicy version indicated by /vendor.

Browse source 
It's possible, in the event of a platform update, for the platform
SELinux policy to change from the policy on which the vendor SELinux
policy was originally based.  In this case, a different mapping file
to bridge the differences between the new policy and the old needs to
be selected.

Make init choose which mapping policy file to use based on the version
reported in /vendor/etc/selinux/plat_sepolicy_vers.txt.

Bug: 36783775
Test: Force compilation of sepolicy on-device with mapping file changed
to new location and name, using the value reported on /vendor.

Change-Id: I63c883ccb79dd31c92dabe44a55c4ab50a3735e6
This commit is contained in:
Dan Cashman 2017-04-10 12:20:01 -07:00
parent 585e6a89d7
commit 692c3e4d38
1 changed files with 19 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
init/init.cpp
View file

@ -736,6 +736,18 @@ static bool selinux_find_precompiled_split_policy(std::string* file) {
return true;
}
static bool selinux_get_vendor_mapping_version(std::string* plat_vers) {
if (!read_first_line("/vendor/etc/selinux/plat_sepolicy_vers.txt", plat_vers)) {
PLOG(ERROR) << "Failed to read /vendor/etc/selinux/plat_sepolicy_vers.txt";
return false;
}
if (plat_vers->empty()) {
LOG(ERROR) << "No version present in plat_sepolicy_vers.txt";
return false;
}
return true;
}
static constexpr const char plat_policy_cil_file[] = "/system/etc/selinux/plat_sepolicy.cil";
static bool selinux_is_split_policy_device() { return access(plat_policy_cil_file, R_OK) != -1; }
@ -790,6 +802,12 @@ static bool selinux_load_split_policy() {
return false;
}
// Determine which mapping file to include
std::string vend_plat_vers;
if (!selinux_get_vendor_mapping_version(&vend_plat_vers)) {
return false;
}
std::string mapping_file("/system/etc/selinux/mapping/" + vend_plat_vers + ".cil");
// clang-format off
const char* compile_args[] = {
"/system/bin/secilc",
@ -797,7 +815,7 @@ static bool selinux_load_split_policy() {
"-M", "true",
// Target the highest policy language version supported by the kernel
"-c", std::to_string(max_policy_version).c_str(),
"/system/etc/selinux/mapping_sepolicy.cil",
mapping_file.c_str(),
"/vendor/etc/selinux/nonplat_sepolicy.cil",
"-o", compiled_sepolicy,
// We don't care about file_contexts output by the compiler