From 4ba548d845c0306a46d7cc8cf483caac5756159c Mon Sep 17 00:00:00 2001
From: Jiyong Park <jiyong@google.com>
Date: Fri, 22 Feb 2019 16:04:35 +0900
Subject: [PATCH] mount /apex during first_stage init

/apex is not mounted via init.rc but directly by the first_stage init
before the mount namespaces are configured.

This allows us to change the propagation type for /apex mount point to
private to isolate APEX activatesions across post- and pre-apexd
processes.

Bug: 125549215
Test: m; device boots to the UI

Change-Id: I10e056cd30d64cb702b6c237acd8dab326162884
---
 init/first_stage_init.cpp | 4 ++++
 init/selinux.cpp          | 2 ++
 rootdir/init.rc           | 6 ------
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/init/first_stage_init.cpp b/init/first_stage_init.cpp
index e11d89768..7cf4c3fbd 100644
--- a/init/first_stage_init.cpp
+++ b/init/first_stage_init.cpp
@@ -155,6 +155,10 @@ int FirstStageMain(int argc, char** argv) {
     // part of the product partition, e.g. because they are mounted read-write.
     CHECKCALL(mkdir("/mnt/product", 0755));
 
+    // /apex is used to mount APEXes
+    CHECKCALL(mount("tmpfs", "/apex", "tmpfs", MS_NOEXEC | MS_NOSUID | MS_NODEV,
+                    "mode=0755,uid=0,gid=0"));
+
 #undef CHECKCALL
 
     // Now that tmpfs is mounted on /dev and we have /dev/kmsg, we can actually
diff --git a/init/selinux.cpp b/init/selinux.cpp
index ee302c168..3fadfedbe 100644
--- a/init/selinux.cpp
+++ b/init/selinux.cpp
@@ -459,6 +459,8 @@ void SelinuxRestoreContext() {
 
     selinux_android_restorecon("/dev/block", SELINUX_ANDROID_RESTORECON_RECURSE);
     selinux_android_restorecon("/dev/device-mapper", 0);
+
+    selinux_android_restorecon("/apex", 0);
 }
 
 int SelinuxKlogCallback(int type, const char* fmt, ...) {
diff --git a/rootdir/init.rc b/rootdir/init.rc
index ce4b380f2..52afec95a 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -278,12 +278,6 @@ on init
     write /dev/cpu_variant:${ro.bionic.2nd_arch} ${ro.bionic.2nd_cpu_variant}
     chmod 0444 /dev/cpu_variant:${ro.bionic.2nd_arch}
 
-    # Setup APEX mount point and its security context
-    mount tmpfs tmpfs /apex nodev noexec nosuid
-    chmod 0755 /apex
-    chown root root /apex
-    restorecon /apex
-
     # Start logd before any other services run to ensure we capture all of their logs.
     start logd