From d1d3bdd16fbaae87e0cfdb8d412f226e4aa390cf Mon Sep 17 00:00:00 2001
From: Jeff Sharkey
Date: Fri, 15 Jul 2016 16:21:34 -0600
Subject: [PATCH] Only restorecon CE storage after unlocked.
On FBE devices, the filenames inside credential-encrypted directories are mangled until the key is installed. This means the initial restorecon at boot needs to skip these directories until the keys are installed. This CL changes the implementation of the "restorecon_recursive" built-in command to use the new SKIPCE flag to avoid labeling files in CE directories. vold will request a restorecon when the keys are actually installed.
(cherrypicked from commit 1635afe83d1ebd6b5f1fac1e9c6c6b5cd1c93204)
Bug: 30126557
Test: Cherry-picked from master
Change-Id: I320584574a4d712c493b5bbd8a79b56c0c04aa58
---
 init/builtins.cpp | 6 +++++-
 init/util.cpp | 6 ++++++
 init/util.h | 1 +
 3 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/init/builtins.cpp b/init/builtins.cpp
index ebdc8c993..08b591b5c 100644
--- a/init/builtins.cpp
+++ b/init/builtins.cpp
@@ -915,8 +915,12 @@ static int do_restorecon_recursive(const std::vector& args) {
 int ret = 0;
 for (auto it = std::next(args.begin()); it != args.end(); ++it) {
- if (restorecon_recursive(it->c_str()) < 0)
+ /* The contents of CE paths are encrypted on FBE devices until user
+ * credentials are presented (filenames inside are mangled), so we need
+ * to delay restorecon of those until vold explicitly requests it. */
+ if (restorecon_recursive_skipce(it->c_str()) < 0) {
 ret = -errno;
+ }
 }
 return ret;
 }
diff --git a/init/util.cpp b/init/util.cpp
index cb5a094e3..65b238b29 100644
--- a/init/util.cpp
+++ b/init/util.cpp
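Review bot: Switching the call inside the loop to `restorecon_recursive_skipce()` changes the `restorecon_recursive` built-in for every .rc script that uses it, and the new comment does not say which paths count as CE or where the later relabel is requested. Until vold issues that request, files under the skipped directories keep whatever SELinux label they already had, and as far as this hunk shows init records nothing about the skip, so a missed or failed follow-up would leave them mislabeled without a trace. I would extend the comment to name the vold-side caller and add a line to the built-in's documentation along the lines of `restorecon_recursive skips credential-encrypted directories; vold relabels them after unlock`. The function's signature appears only in the hunk header, so its start is outside the hunk.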
@@ -379,6 +379,12 @@ int restorecon_recursive(const char* pathname)
 return selinux_android_restorecon(pathname, SELINUX_ANDROID_RESTORECON_RECURSE);
 }
+int restorecon_recursive_skipce(const char* pathname)
+{
+ return selinux_android_restorecon(pathname,
+ SELINUX_ANDROID_RESTORECON_RECURSE | SELINUX_ANDROID_RESTORECON_SKIPCE);
+}
+
 /*
 * Writes hex_len hex characters (1/2 byte) to hex from bytes.
 */
diff --git a/init/util.h b/init/util.h
index dccec0438..ef40748cb 100644
--- a/init/util.h
+++ b/init/util.h
@@ -70,6 +70,7 @@ void import_kernel_cmdline(bool in_qemu,
 int make_dir(const char *path, mode_t mode);
 int restorecon(const char *pathname);
 int restorecon_recursive(const char *pathname);
+int restorecon_recursive_skipce(const char *pathname);
 std::string bytes_to_hex(const uint8_t *bytes, size_t bytes_len);
 bool is_dir(const char* pathname);
 bool expand_props(const std::string& src, std::string* dst);
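Review bot: `restorecon_recursive_skipce()` is added without a comment, although it deliberately leaves part of the tree unlabeled and so puts an obligation on its caller. A short header comment would make that contract explicit, for example `/* Like restorecon_recursive(), but leaves credential-encrypted directories untouched; the caller must ensure they are relabeled once the keys are installed. */`. The same description would fit on the declaration added to init/util.h. What SKIPCE treats as a CE directory is presumably decided inside `selinux_android_restorecon()` rather than in init, so the comment should point there instead of restating it.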