Add a restorecon_recursive built-in command to init.

Functionally equivalent to the restorecon -R toolbox command. A use case is given by: I48eaa2b9901ac8c978192c14493ba1058a089423 Also, fix error handling and documentation for restorecon command. Change-Id: Ia7fbcc82645baf52c6bff0490d3492f458881cbb Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-09 16:02:09 -04:00 · 2013-10-09 16:02:09 -04:00 · 726e8f7a8f
commit 726e8f7a8f
parent 7dbe96602c
4 changed files with 24 additions and 3 deletions
--- a/init/builtins.c
+++ b/init/builtins.c
@ -747,12 +747,24 @@ int do_chmod(int nargs, char **args) {

 int do_restorecon(int nargs, char **args) {
    int i;
+    int ret = 0;

    for (i = 1; i < nargs; i++) {
        if (restorecon(args[i]) < 0)
-            return -errno;
+            ret = -errno;
    }
-    return 0;
+    return ret;
+}
+
+int do_restorecon_recursive(int nargs, char **args) {
+    int i;
+    int ret = 0;
+
+    for (i = 1; i < nargs; i++) {
+        if (restorecon_recursive(args[i]) < 0)
+            ret = -errno;
+    }
+    return ret;
 }

 int do_setsebool(int nargs, char **args) {
--- a/init/init_parser.c
+++ b/init/init_parser.c
@ -133,6 +133,7 @@ int lookup_keyword(const char *s)
    case 'r':
        if (!strcmp(s, "estart")) return K_restart;
        if (!strcmp(s, "estorecon")) return K_restorecon;
+        if (!strcmp(s, "estorecon_recursive")) return K_restorecon_recursive;
        if (!strcmp(s, "mdir")) return K_rmdir;
        if (!strcmp(s, "m")) return K_rm;
        break;
--- a/init/keywords.h
+++ b/init/keywords.h
@ -16,6 +16,7 @@ int do_mount_all(int nargs, char **args);
 int do_mount(int nargs, char **args);
 int do_restart(int nargs, char **args);
 int do_restorecon(int nargs, char **args);
+int do_restorecon_recursive(int nargs, char **args);
 int do_rm(int nargs, char **args);
 int do_rmdir(int nargs, char **args);
 int do_setcon(int nargs, char **args);
@ -68,6 +69,7 @@ enum {
    KEYWORD(onrestart,   OPTION,  0, 0)
    KEYWORD(restart,     COMMAND, 1, do_restart)
    KEYWORD(restorecon,  COMMAND, 1, do_restorecon)
+    KEYWORD(restorecon_recursive,  COMMAND, 1, do_restorecon_recursive)
    KEYWORD(rm,          COMMAND, 1, do_rm)
    KEYWORD(rmdir,       COMMAND, 1, do_rmdir)
    KEYWORD(seclabel,    OPTION,  0, 0)
--- a/init/readme.txt
+++ b/init/readme.txt
@ -192,12 +192,18 @@ mount <type> <device> <dir> [ <mountoption> ]*
   device by name.
   <mountoption>s include "ro", "rw", "remount", "noatime", ...

-restorecon <path>
+restorecon <path> [ <path> ]*
   Restore the file named by <path> to the security context specified
   in the file_contexts configuration.
   Not required for directories created by the init.rc as these are
   automatically labeled correctly by init.

+restorecon_recursive <path> [ <path> ]*
+   Recursively restore the directory tree named by <path> to the
+   security contexts specified in the file_contexts configuration.
+   Do NOT use this with paths leading to shell-writable or app-writable
+   directories, e.g. /data/local/tmp, /data/data or any prefix thereof.
+
 setcon <securitycontext>
   Set the current process security context to the specified string.
   This is typically only used from early-init to set the init context