ACPR/android_system_core
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge "Add flags to restorecon_recursive to traverse filesystems" am: 5fbd1cfd34

Browse source 
am: ffa3689107

Change-Id: Ib56202ae76ea431f60aba8135ec9c2762e79097e
This commit is contained in:
Paul Lawrence 2016-11-17 18:03:05 +00:00 committed by android-build-merger
commit a99490c813
7 changed files with 50 additions and 40 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

53
init/builtins.cpp
View file

@ -40,6 +40,7 @@
#include <thread> #include <thread>
#include <selinux/android.h>
#include <selinux/selinux.h> #include <selinux/selinux.h>
#include <selinux/label.h> #include <selinux/label.h>
@ -909,25 +910,49 @@ static int do_chmod(const std::vector<std::string>& args) {
static int do_restorecon(const std::vector<std::string>& args) { static int do_restorecon(const std::vector<std::string>& args) {
int ret = 0; int ret = 0;
for (auto it = std::next(args.begin()); it != args.end(); ++it) { struct flag_type {const char* name; int value;};
if (restorecon(it->c_str()) < 0) static const flag_type flags[] = {
ret = -errno; {"--recursive", SELINUX_ANDROID_RESTORECON_RECURSE},
{"--skip-ce", SELINUX_ANDROID_RESTORECON_SKIPCE},
{"--cross-filesystems", SELINUX_ANDROID_RESTORECON_CROSS_FILESYSTEMS},
{0, 0}
};
int flag = 0;
bool in_flags = true;
for (size_t i = 1; i < args.size(); ++i) {
if (android::base::StartsWith(args[i], "--")) {
if (!in_flags) {
LOG(ERROR) << "restorecon - flags must precede paths";
return -1;
}
bool found = false;
for (size_t j = 0; flags[j].name; ++j) {
if (args[i] == flags[j].name) {
flag |= flags[j].value;
found = true;
break;
}
}
if (!found) {
LOG(ERROR) << "restorecon - bad flag " << args[i];
return -1;
}
} else {
in_flags = false;
if (restorecon(args[i].c_str(), flag) < 0) {
ret = -errno;
}
}
} }
return ret; return ret;
} }
static int do_restorecon_recursive(const std::vector<std::string>& args) { static int do_restorecon_recursive(const std::vector<std::string>& args) {
int ret = 0; std::vector<std::string> non_const_args(args);
non_const_args.insert(std::next(non_const_args.begin()), "--recursive");
for (auto it = std::next(args.begin()); it != args.end(); ++it) { return do_restorecon(non_const_args);
/* The contents of CE paths are encrypted on FBE devices until user
* credentials are presented (filenames inside are mangled), so we need
* to delay restorecon of those until vold explicitly requests it. */
if (restorecon_recursive_skipce(it->c_str()) < 0) {
ret = -errno;
}
}
return ret;
} }
static int do_loglevel(const std::vector<std::string>& args) { static int do_loglevel(const std::vector<std::string>& args) {

2
init/devices.cpp
View file

@ -190,7 +190,7 @@ static void fixup_sys_perms(const char* upath, const char* subsystem) {
if (access(path.c_str(), F_OK) == 0) { if (access(path.c_str(), F_OK) == 0) {
LOG(VERBOSE) << "restorecon_recursive: " << path; LOG(VERBOSE) << "restorecon_recursive: " << path;
restorecon_recursive(path.c_str()); restorecon(path.c_str(), SELINUX_ANDROID_RESTORECON_RECURSE);
} }
} }

4
init/init.cpp
View file

@ -657,8 +657,8 @@ int main(int argc, char** argv) {
restorecon("/dev/socket"); restorecon("/dev/socket");
restorecon("/dev/__properties__"); restorecon("/dev/__properties__");
restorecon("/property_contexts"); restorecon("/property_contexts");
restorecon_recursive("/sys"); restorecon("/sys", SELINUX_ANDROID_RESTORECON_RECURSE);
restorecon_recursive("/dev/block"); restorecon("/dev/block", SELINUX_ANDROID_RESTORECON_RECURSE);
restorecon("/dev/device-mapper"); restorecon("/dev/device-mapper");
epoll_fd = epoll_create1(EPOLL_CLOEXEC); epoll_fd = epoll_create1(EPOLL_CLOEXEC);

3
init/property_service.cpp
View file

@ -42,6 +42,7 @@
#include <netinet/in.h> #include <netinet/in.h>
#include <sys/mman.h> #include <sys/mman.h>
#include <selinux/android.h>
#include <selinux/selinux.h> #include <selinux/selinux.h>
#include <selinux/label.h> #include <selinux/label.h>
@ -175,7 +176,7 @@ static int property_set_impl(const char* name, const char* value) {
if (valuelen >= PROP_VALUE_MAX) return -1; if (valuelen >= PROP_VALUE_MAX) return -1;
if (strcmp("selinux.restorecon_recursive", name) == 0 && valuelen > 0) { if (strcmp("selinux.restorecon_recursive", name) == 0 && valuelen > 0) {
if (restorecon_recursive(value) != 0) { if (restorecon(value, SELINUX_ANDROID_RESTORECON_RECURSE) != 0) {
LOG(ERROR) << "Failed to restorecon_recursive " << value; LOG(ERROR) << "Failed to restorecon_recursive " << value;
} }
} }

15
init/util.cpp
View file

@ -369,20 +369,9 @@ int make_dir(const char *path, mode_t mode)
return rc; return rc;
} }
int restorecon(const char* pathname) int restorecon(const char* pathname, int flags)
{ {
return selinux_android_restorecon(pathname, 0); return selinux_android_restorecon(pathname, flags);
}
int restorecon_recursive(const char* pathname)
{
return selinux_android_restorecon(pathname, SELINUX_ANDROID_RESTORECON_RECURSE);
}
int restorecon_recursive_skipce(const char* pathname)
{
return selinux_android_restorecon(pathname,
SELINUX_ANDROID_RESTORECON_RECURSE | SELINUX_ANDROID_RESTORECON_SKIPCE);
} }
/* /*

4
init/util.h
View file

@ -68,9 +68,7 @@ int wait_for_file(const char *filename, std::chrono::nanoseconds timeout);
void import_kernel_cmdline(bool in_qemu, void import_kernel_cmdline(bool in_qemu,
const std::function<void(const std::string&, const std::string&, bool)>&); const std::function<void(const std::string&, const std::string&, bool)>&);
int make_dir(const char *path, mode_t mode); int make_dir(const char *path, mode_t mode);
int restorecon(const char *pathname); int restorecon(const char *pathname, int flags = 0);
int restorecon_recursive(const char *pathname);
int restorecon_recursive_skipce(const char *pathname);
std::string bytes_to_hex(const uint8_t *bytes, size_t bytes_len); std::string bytes_to_hex(const uint8_t *bytes, size_t bytes_len);
bool is_dir(const char* pathname); bool is_dir(const char* pathname);
bool expand_props(const std::string& src, std::string* dst); bool expand_props(const std::string& src, std::string* dst);

9
rootdir/init.rc
View file

@ -305,11 +305,8 @@ on post-fs
mount none /mnt/runtime/default /storage slave bind rec mount none /mnt/runtime/default /storage slave bind rec
# Make sure /sys/kernel/debug (if present) is labeled properly # Make sure /sys/kernel/debug (if present) is labeled properly
restorecon_recursive /sys/kernel/debug # Note that tracefs may be mounted under debug, so we need to cross filesystems
restorecon --recursive --cross-filesystems /sys/kernel/debug
# On systems with tracefs, tracing is a separate mount, so make sure
# it too is correctly labeled
restorecon_recursive /sys/kernel/debug/tracing
# We chown/chmod /cache again so because mount is run as root + defaults # We chown/chmod /cache again so because mount is run as root + defaults
chown system cache /cache chown system cache /cache
@ -483,7 +480,7 @@ on post-fs-data
init_user0 init_user0
# Set SELinux security contexts on upgrade or policy update. # Set SELinux security contexts on upgrade or policy update.
restorecon_recursive /data restorecon --recursive --skip-ce /data
# Check any timezone data in /data is newer than the copy in /system, delete if not. # Check any timezone data in /data is newer than the copy in /system, delete if not.
exec - system system -- /system/bin/tzdatacheck /system/usr/share/zoneinfo /data/misc/zoneinfo exec - system system -- /system/bin/tzdatacheck /system/usr/share/zoneinfo /data/misc/zoneinfo