From 692c3e4d38b338bfac3d1b81fc0c6db4dcb789f0 Mon Sep 17 00:00:00 2001
From: Dan Cashman
Date: Mon, 10 Apr 2017 12:20:01 -0700
Subject: [PATCH] init: use platform sepolicy version indicated by /vendor.

It's possible, in the event of a platform update, for the platform SELinux policy to change from the policy on which the vendor SELinux policy was originally based. In this case, a different mapping file to bridge the differences between the new policy and the old needs to be selected.

Make init choose which mapping policy file to use based on the version reported in /vendor/etc/selinux/plat_sepolicy_vers.txt.

Bug: 36783775
Test: Force compilation of sepolicy on-device with mapping file changed to new location and name, using the value reported on /vendor.
Change-Id: I63c883ccb79dd31c92dabe44a55c4ab50a3735e6
---
 init/init.cpp | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/init/init.cpp b/init/init.cpp
index 94bf37aa4..e6932d930 100644
--- a/init/init.cpp
+++ b/init/init.cpp
@@ -736,6 +736,18 @@ static bool selinux_find_precompiled_split_policy(std::string* file) {
     return true;
 }
 
+static bool selinux_get_vendor_mapping_version(std::string* plat_vers) {
+    if (!read_first_line("/vendor/etc/selinux/plat_sepolicy_vers.txt", plat_vers)) {
+        PLOG(ERROR) << "Failed to read /vendor/etc/selinux/plat_sepolicy_vers.txt";
+        return false;
+    }
+    if (plat_vers->empty()) {
+        LOG(ERROR) << "No version present in plat_sepolicy_vers.txt";
+        return false;
+    }
+    return true;
+}
+
 static constexpr const char plat_policy_cil_file[] = "/system/etc/selinux/plat_sepolicy.cil";
 static bool selinux_is_split_policy_device() { return access(plat_policy_cil_file, R_OK) != -1; }
 
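Review bot: selinux_get_vendor_mapping_version hands the first line of plat_sepolicy_vers.txt back to the caller unchecked beyond emptiness, and the caller splices that value into a path under /system/etc/selinux/mapping/, so the function should also reject anything that is not a plain version token (a '/', '..' or whitespace in the value) and fail closed. /vendor sits inside the verified-boot chain, so this is defensive hardening rather than a trust-boundary crossing, but it turns a malformed or wrongly provisioned file into one clear log line instead of a later secilc failure on an unexpected path. I cannot see whether read_first_line strips a trailing '\r' or spaces, so the check below assumes it does not; if the version is expected to be numeric like `26.0`, the allowed character set can be narrowed to match. The file path is also spelled out twice in this function; a `static constexpr const char` next to plat_policy_cil_file would keep the read and the PLOG message in step.
```cpp
static bool selinux_get_vendor_mapping_version(std::string* plat_vers) {
    // … unchanged: read_first_line call and empty-value check …
    // Fail closed on anything that is not a plain version token: the caller
    // builds a filesystem path from this value, so separators and whitespace
    // must never reach it.
    if (plat_vers->find_first_not_of("0123456789.") != std::string::npos) {
        LOG(ERROR) << "Unexpected version string in plat_sepolicy_vers.txt: " << *plat_vers;
        return false;
    }
    return true;
}
```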
@@ -790,6 +802,12 @@ static bool selinux_load_split_policy() {
         return false;
     }
 
+    // Determine which mapping file to include
+    std::string vend_plat_vers;
+    if (!selinux_get_vendor_mapping_version(&vend_plat_vers)) {
+        return false;
+    }
+    std::string mapping_file("/system/etc/selinux/mapping/" + vend_plat_vers + ".cil");
     // clang-format off
     const char* compile_args[] = {
         "/system/bin/secilc",
@@ -797,7 +815,7 @@ static bool selinux_load_split_policy() {
         "-M", "true",
         // Target the highest policy language version supported by the kernel
         "-c", std::to_string(max_policy_version).c_str(),
-        "/system/etc/selinux/mapping_sepolicy.cil",
+        mapping_file.c_str(),
         "/vendor/etc/selinux/nonplat_sepolicy.cil",
         "-o", compiled_sepolicy,
         // We don't care about file_contexts output by the compiler
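Review bot: mapping_file is built from the vendor-reported version but never checked before it is handed to secilc, so a platform image that ships no mapping for that version shows up only as a generic compiler failure later in the function rather than as the actual cause. A check before compile_args is assembled, `if (access(mapping_file.c_str(), R_OK) == -1) { PLOG(ERROR) << "Cannot read mapping file " << mapping_file; return false; }`, names the missing file and the version it was derived from. The comment on the first added line says what the block does but not why the version comes from /vendor; `// The vendor policy was built against some platform policy version; pick the mapping file that bridges that version to the current platform policy.` would carry the reasoning from the commit message into the code. selinux_load_split_policy starts and ends outside this hunk.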
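Review bot: mapping_file.c_str() is valid here only because mapping_file is a named local that outlives compile_args, and that is worth a short comment on the new line, because the neighbouring context line `"-c", std::to_string(max_policy_version).c_str(),` does the opposite: it takes c_str() of a temporary that is destroyed at the end of the array initializer, so compile_args appears to hold a dangling pointer by the time the array is used (pre-existing, not introduced by this change, and the use site is outside the hunk so I cannot confirm how it is consumed). The same fix that makes mapping_file safe applies there: `std::string version_str = std::to_string(max_policy_version);` before the array and `"-c", version_str.c_str(),` in it. selinux_load_split_policy starts and ends outside this hunk.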