From 28fdb6794cbee7bbfa1f261466acb7c3f6689904 Mon Sep 17 00:00:00 2001
From: Inseob Kim
Date: Thu, 29 Apr 2021 19:48:27 +0900
Subject: [PATCH] Fix precompiled sepolicy logic

If precompiled vendor policy has system_ext hash, system_ext also has to have its hash, to use precompiled sepolicy.

Bug: 186727553
Test: remove system_ext's hash and see sepolicy compiled in runtime
Change-Id: I4af3418d614156b5e9cd0b0116c2814ba994ee81
---
 init/selinux.cpp | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/init/selinux.cpp b/init/selinux.cpp
index 35a96f9f4..42d302324 100644
--- a/init/selinux.cpp
+++ b/init/selinux.cpp
@@ -240,25 +240,25 @@ Result FindPrecompiledSplitPolicy() {
     }
 
     // Use precompiled sepolicy only when all corresponding hashes are equal.
-    // plat_sepolicy is always checked, while system_ext and product are checked only when they
-    // exist.
     std::vector> sepolicy_hashes{
             {"/system/etc/selinux/plat_sepolicy_and_mapping.sha256",
              precompiled_sepolicy + ".plat_sepolicy_and_mapping.sha256"},
+            {"/system_ext/etc/selinux/system_ext_sepolicy_and_mapping.sha256",
+             precompiled_sepolicy + ".system_ext_sepolicy_and_mapping.sha256"},
+            {"/product/etc/selinux/product_sepolicy_and_mapping.sha256",
+             precompiled_sepolicy + ".product_sepolicy_and_mapping.sha256"},
     };
 
-    if (access("/system_ext/etc/selinux/system_ext_sepolicy.cil", F_OK) == 0) {
-        sepolicy_hashes.emplace_back(
-                "/system_ext/etc/selinux/system_ext_sepolicy_and_mapping.sha256",
-                precompiled_sepolicy + ".system_ext_sepolicy_and_mapping.sha256");
-    }
-
-    if (access("/product/etc/selinux/product_sepolicy.cil", F_OK) == 0) {
-        sepolicy_hashes.emplace_back("/product/etc/selinux/product_sepolicy_and_mapping.sha256",
-                                     precompiled_sepolicy + ".product_sepolicy_and_mapping.sha256");
-    }
-
     for (const auto& [actual_id_path, precompiled_id_path] : sepolicy_hashes) {
+        // Both of them should exist or both of them shouldn't exist.
+        if (access(actual_id_path.c_str(), R_OK) != 0) {
+            if (access(precompiled_id_path.c_str(), R_OK) == 0) {
+                return Error() << precompiled_id_path << " exists but " << actual_id_path
+                               << " doesn't";
+            }
+            continue;
+        }
+
         std::string actual_id;
         if (!ReadFirstLine(actual_id_path.c_str(), &actual_id)) {
             return ErrnoError() << "Failed to read " << actual_id_path;
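Review bot: The new `if (access(actual_id_path.c_str(), R_OK) != 0)` branch makes the plat hash optional: when neither `/system/etc/selinux/plat_sepolicy_and_mapping.sha256` nor the precompiled `.plat_sepolicy_and_mapping.sha256` is readable, the loop hits `continue` and the precompiled policy is accepted with no hash compared at all, whereas the deleted comment says plat is always checked and the old code would have failed in `ReadFirstLine` on the missing file. The removed `F_OK` probes of `system_ext_sepolicy.cil` / `product_sepolicy.cil` have a similar effect for the optional partitions: a partition that ships its policy but not its `.sha256` now passes silently instead of forcing the runtime compile, which is presumably rare but is the same verification gap. I would carry a per-entry `required` flag so the plat entry can never be skipped, as sketched below. `FindPrecompiledSplitPolicy` starts and ends outside this hunk, so what the caller does with the returned `Error` (falling back to compiling at boot, per the Test line) is inferred rather than visible here.
```cpp
    // {actual hash, precompiled hash, required}: the plat hash must always be present and
    // match; system_ext and product hashes are compared only when the partition ships one.
    std::vector<std::tuple<std::string, std::string, bool>> sepolicy_hashes{
            {"/system/etc/selinux/plat_sepolicy_and_mapping.sha256",
             precompiled_sepolicy + ".plat_sepolicy_and_mapping.sha256", true},
            {"/system_ext/etc/selinux/system_ext_sepolicy_and_mapping.sha256",
             precompiled_sepolicy + ".system_ext_sepolicy_and_mapping.sha256", false},
            {"/product/etc/selinux/product_sepolicy_and_mapping.sha256",
             precompiled_sepolicy + ".product_sepolicy_and_mapping.sha256", false},
    };

    for (const auto& [actual_id_path, precompiled_id_path, required] : sepolicy_hashes) {
        if (access(actual_id_path.c_str(), R_OK) != 0) {
            if (required) {
                return Error() << "Required hash " << actual_id_path << " is missing";
            }
            // Optional partitions: both hash files must exist, or neither.
            if (access(precompiled_id_path.c_str(), R_OK) == 0) {
                return Error() << precompiled_id_path << " exists but " << actual_id_path
                               << " doesn't";
            }
            continue;
        }
        // … unchanged: read and compare actual_id / precompiled_id …
```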