From 1635afe83d1ebd6b5f1fac1e9c6c6b5cd1c93204 Mon Sep 17 00:00:00 2001 From: Jeff Sharkey Date: Fri, 15 Jul 2016 16:21:34 -0600 Subject: [PATCH] Only restorecon CE storage after unlocked. On FBE devices, the filenames inside credential-encrypted directories are mangled until the key is installed. This means the initial restorecon at boot needs to skip these directories until the keys are installed. This CL changes the implementation of the "restorecon_recursive" built-in command to use the new SKIPCE flag to avoid labeling files in CE directories. vold will request a restorecon when the keys are actually installed. Bug: 30126557 Change-Id: I320584574a4d712c493b5bbd8a79b56c0c04aa58 --- init/builtins.cpp | 6 +++++- init/util.cpp | 6 ++++++ init/util.h | 1 + 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/init/builtins.cpp b/init/builtins.cpp index 56318771f..70f919401 100644 --- a/init/builtins.cpp +++ b/init/builtins.cpp @@ -875,8 +875,12 @@ static int do_restorecon_recursive(const std::vector& args) { int ret = 0; for (auto it = std::next(args.begin()); it != args.end(); ++it) { - if (restorecon_recursive(it->c_str()) < 0) + /* The contents of CE paths are encrypted on FBE devices until user + * credentials are presented (filenames inside are mangled), so we need + * to delay restorecon of those until vold explicitly requests it. */ + if (restorecon_recursive_skipce(it->c_str()) < 0) { ret = -errno; + } } return ret; } diff --git a/init/util.cpp b/init/util.cpp index 683f6d88a..89d3276b8 100644 --- a/init/util.cpp +++ b/init/util.cpp @@ -471,6 +471,12 @@ int restorecon_recursive(const char* pathname) return selinux_android_restorecon(pathname, SELINUX_ANDROID_RESTORECON_RECURSE); } +int restorecon_recursive_skipce(const char* pathname) +{ + return selinux_android_restorecon(pathname, + SELINUX_ANDROID_RESTORECON_RECURSE | SELINUX_ANDROID_RESTORECON_SKIPCE); +} + /* * Writes hex_len hex characters (1/2 byte) to hex from bytes. */ diff --git a/init/util.h b/init/util.h index c2efb0145..af4b0981a 100644 --- a/init/util.h +++ b/init/util.h @@ -63,6 +63,7 @@ void import_kernel_cmdline(bool in_qemu, int make_dir(const char *path, mode_t mode); int restorecon(const char *pathname); int restorecon_recursive(const char *pathname); +int restorecon_recursive_skipce(const char *pathname); std::string bytes_to_hex(const uint8_t *bytes, size_t bytes_len); bool is_dir(const char* pathname); bool expand_props(const std::string& src, std::string* dst);