From 2fae5d65d503a9487438a107caa01265c61d23c5 Mon Sep 17 00:00:00 2001 From: dcashman Date: Wed, 30 Nov 2016 15:29:20 -0800 Subject: [PATCH] Compile sepolicy on-device at early boot. Compile policy from disparate sources at beginning of init and use to load rather than relying on prebuilt policy. Bug: 31363362 Test: Policy builds on-device and boots. Change-Id: I681ec3f7da351d0b24d1f1e81e8a6b00c9c9d20c --- init/Android.mk | 1 + init/init.cpp | 22 +++++++++++++++++++++- 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/init/Android.mk b/init/Android.mk index ecdf5db70..4999e581b 100644 --- a/init/Android.mk +++ b/init/Android.mk @@ -95,6 +95,7 @@ LOCAL_STATIC_LIBRARIES := \ libext4_utils_static \ libbase \ libc \ + libsepol \ libselinux \ liblog \ libcrypto_utils \ diff --git a/init/init.cpp b/init/init.cpp index 2d474c730..5bf806938 100644 --- a/init/init.cpp +++ b/init/init.cpp @@ -36,6 +36,8 @@ #include #include +#include +#include #include #include #include @@ -517,6 +519,13 @@ static int audit_callback(void *data, security_class_t /*cls*/, char *buf, size_ return 0; } +/* policy is a combination of platform, non-platform and mapping policy files */ +static constexpr const char* pol_files[] = { + "/plat_sepolicy.cil", + "/mapping_sepolicy.cil", + "/nonplat_sepolicy.cil" // TODO, switch to different partition when final. +}; + static void selinux_initialize(bool in_kernel_domain) { Timer t; 
@@ -525,13 +534,24 @@ static void selinux_initialize(bool in_kernel_domain) { selinux_set_callback(SELINUX_CB_LOG, cb); cb.func_audit = audit_callback; selinux_set_callback(SELINUX_CB_AUDIT, cb); + cil_set_log_handler((void (*)(int, char*))selinux_klog_callback); if (in_kernel_domain) { + void* pol_data = NULL; + size_t pol_len = 0; + + LOG(INFO) << "Compiling SELinux policy..."; + if (cil_android_compile_policy(&pol_data, &pol_len, pol_files, + arraysize(pol_files)) < 0) { + LOG(ERROR) << "failed to compile policy"; + security_failure(); + } LOG(INFO) << "Loading SELinux policy..."; - if (selinux_android_load_policy() < 0) { + if (selinux_android_load_policy(pol_data, pol_len) < 0) { PLOG(ERROR) << "failed to load policy"; security_failure(); } + free(pol_data); bool kernel_enforcing = (security_getenforce() == 1); bool is_enforcing = selinux_is_enforcing();
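Review bot: The cast `(void (*)(int, char*))selinux_klog_callback` handed to cil_set_log_handler papers over a signature mismatch: libselinux declares selinux_klog_callback as `int selinux_klog_callback(int type, const char *fmt, ...)`, so calling it through the cast pointer is undefined behavior, and on typical ABIs the CIL message text lands in the `fmt` slot and is interpreted as a printf-style format string rather than logged verbatim. A CIL diagnostic that echoes a token from one of the pol_files (a `%`-bearing identifier from a policy source, for instance) would then be parsed as format directives. A small adapter avoids both issues: `static void cil_log_handler(int lvl, char* msg) { selinux_klog_callback(lvl, "%s", msg); }` registered via `cil_set_log_handler(cil_log_handler);`, with the mapping between CIL log levels and libselinux's SELINUX_* constants checked against the two headers rather than passed through blindly. The `free(pol_data)` after a successful load also presumes cil_android_compile_policy returns a malloc'd buffer; if its header does not say so, a one-line ownership comment at the `void* pol_data = NULL;` declaration would make that explicit. selinux_initialize begins before this hunk and continues past it.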