From be09a1e643d27833c2a49a2523e4f8ec35dc9382 Mon Sep 17 00:00:00 2001
From: Santiago Seifert
Date: Thu, 23 Sep 2021 13:07:25 +0000
Subject: [PATCH] Revert "Add /system_ext/etc/selinux/ to the debug policy search ..."
Revert "Add a copy of debug policy to GSI system image"
Revert "Add PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT"
Revert "Add system_ext_userdebug_plat_sepolicy.cil for GSI"
Revert submission 1824717-gsi_debug_policy
Reason for revert: Breaks the build (see b/200933187).
Reverted Changes:
I37ef02628:Add a copy of debug policy to GSI system image
I9c3dad8bb:Add PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT
I43adc6ada:Add system_ext_userdebug_plat_sepolicy.cil for GSI...
I4d6235c73:Add /system_ext/etc/selinux/ to the debug policy s...
Change-Id: I2eb3b00abb981c25514b75b2e7b4b7b203653390
---
 init/Android.bp | 23 +---------------------
 init/first_stage_init.cpp | 19 ++++++------------
 init/selinux.cpp | 30 +++++++----------------------
 3 files changed, 14 insertions(+), 58 deletions(-)
diff --git a/init/Android.bp b/init/Android.bp
index a0fe01742..5d0968717 100644
--- a/init/Android.bp
+++ b/init/Android.bp
@@ -89,19 +89,7 @@ init_host_sources = [
 "host_init_verifier.cpp",
 ]
 
-soong_config_module_type {
- name: "libinit_cc_defaults",
- module_type: "cc_defaults",
- config_namespace: "ANDROID",
- bool_variables: [
- "PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT",
- ],
- properties: [
- "cflags",
- ],
-}
-
-libinit_cc_defaults {
+cc_defaults {
 name: "init_defaults",
 sanitize: {
 misc_undefined: ["signed-integer-overflow"],
@@ -121,7 +109,6 @@ libinit_cc_defaults {
 "-DDUMP_ON_UMOUNT_FAILURE=0",
 "-DSHUTDOWN_ZERO_TIMEOUT=0",
 "-DINIT_FULL_SOURCES",
- "-DINSTALL_DEBUG_POLICY_TO_SYSTEM_EXT=0",
 ],
 product_variables: {
 debuggable: {
@@ -150,14 +137,6 @@ libinit_cc_defaults {
 cppflags: ["-DUSER_MODE_LINUX"],
 },
 },
- soong_config_variables: {
- PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT: {
- cflags: [
- "-UINSTALL_DEBUG_POLICY_TO_SYSTEM_EXT",
- "-DINSTALL_DEBUG_POLICY_TO_SYSTEM_EXT=1",
- ],
- },
- },
 static_libs: [
 "libavb",
 "libc++fs",
diff --git a/init/first_stage_init.cpp b/init/first_stage_init.cpp
index c7b7b0c13..78e5b60a1 100644
--- a/init/first_stage_init.cpp
+++ b/init/first_stage_init.cpp
@@ -330,21 +330,14 @@ int FirstStageMain(int argc, char** argv) {
 // If "/force_debuggable" is present, the second-stage init will use a userdebug
 // sepolicy and load adb_debug.prop to allow adb root, if the device is unlocked.
 if (access("/force_debuggable", F_OK) == 0) {
- constexpr const char adb_debug_prop_src[] = "/adb_debug.prop";
- constexpr const char userdebug_plat_sepolicy_cil_src[] = "/userdebug_plat_sepolicy.cil";
 std::error_code ec; // to invoke the overloaded copy_file() that won't throw.
- if (access(adb_debug_prop_src, F_OK) == 0 &&
- !fs::copy_file(adb_debug_prop_src, kDebugRamdiskProp, ec)) {
- LOG(WARNING) << "Can't copy " << adb_debug_prop_src << " to " << kDebugRamdiskProp
- << ": " << ec.message();
+ if (!fs::copy_file("/adb_debug.prop", kDebugRamdiskProp, ec) ||
+ !fs::copy_file("/userdebug_plat_sepolicy.cil", kDebugRamdiskSEPolicy, ec)) {
+ LOG(ERROR) << "Failed to setup debug ramdisk";
+ } else {
+ // setenv for second-stage init to read above kDebugRamdisk* files.
+ setenv("INIT_FORCE_DEBUGGABLE", "true", 1);
 }
- if (access(userdebug_plat_sepolicy_cil_src, F_OK) == 0 &&
- !fs::copy_file(userdebug_plat_sepolicy_cil_src, kDebugRamdiskSEPolicy, ec)) {
- LOG(WARNING) << "Can't copy " << userdebug_plat_sepolicy_cil_src << " to "
- << kDebugRamdiskSEPolicy << ": " << ec.message();
- }
- // setenv for second-stage init to read above kDebugRamdisk* files.
- setenv("INIT_FORCE_DEBUGGABLE", "true", 1);
 }
 
 if (ForceNormalBoot(cmdline, bootconfig)) {
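Review bot: The restored failure branch `LOG(ERROR) << "Failed to setup debug ramdisk";` discards `ec`, so the log no longer says which of the two copies failed or why; because the `||` short-circuits, `ec` still holds the error of whichever `copy_file` call failed, and `LOG(ERROR) << "Failed to setup debug ramdisk: " << ec.message();` would keep that diagnostic. The restored code also exports `INIT_FORCE_DEBUGGABLE` only when both `/adb_debug.prop` and `/userdebug_plat_sepolicy.cil` copied successfully, so a debug ramdisk that carries only one of them presumably boots with the normal policy and this single log line as the only trace — worth stating in the comment above the `if` so the all-or-nothing behaviour is not mistaken for a bug later. FirstStageMain continues outside the hunk.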
diff --git a/init/selinux.cpp b/init/selinux.cpp
index 29c0ff3ba..42d302324 100644
--- a/init/selinux.cpp
+++ b/init/selinux.cpp
@@ -295,25 +295,6 @@ bool IsSplitPolicyDevice() {
 return access(plat_policy_cil_file, R_OK) != -1;
 }
 
-std::optional GetUserdebugPlatformPolicyFile() {
- // See if we need to load userdebug_plat_sepolicy.cil instead of plat_sepolicy.cil.
- const char* force_debuggable_env = getenv("INIT_FORCE_DEBUGGABLE");
- if (force_debuggable_env && "true"s == force_debuggable_env && AvbHandle::IsDeviceUnlocked()) {
- const std::vector debug_policy_candidates = {
-#if INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT == 1
- "/system_ext/etc/selinux/userdebug_plat_sepolicy.cil",
-#endif
- kDebugRamdiskSEPolicy,
- };
- for (const char* debug_policy : debug_policy_candidates) {
- if (access(debug_policy, F_OK) == 0) {
- return debug_policy;
- }
- }
- }
- return std::nullopt;
-}
-
 struct PolicyFile {
 unique_fd fd;
 std::string path;
@@ -329,10 +310,13 @@ bool OpenSplitPolicy(PolicyFile* policy_file) {
 // secilc is invoked to compile the above three policy files into a single monolithic policy
 // file. This file is then loaded into the kernel.
 
- const auto userdebug_plat_sepolicy = GetUserdebugPlatformPolicyFile();
- const bool use_userdebug_policy = userdebug_plat_sepolicy.has_value();
+ // See if we need to load userdebug_plat_sepolicy.cil instead of plat_sepolicy.cil.
+ const char* force_debuggable_env = getenv("INIT_FORCE_DEBUGGABLE");
+ bool use_userdebug_policy =
+ ((force_debuggable_env && "true"s == force_debuggable_env) &&
+ AvbHandle::IsDeviceUnlocked() && access(kDebugRamdiskSEPolicy, F_OK) == 0);
 if (use_userdebug_policy) {
- LOG(INFO) << "Using userdebug system sepolicy " << *userdebug_plat_sepolicy;
+ LOG(WARNING) << "Using userdebug system sepolicy";
 }
 
 // Load precompiled policy from vendor image, if a matching policy is found there. The policy
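Review bot: `bool use_userdebug_policy` in the restored block of OpenSplitPolicy is assigned once and only read afterwards, so it should stay `const bool` as the line it replaces was. The restored `LOG(WARNING) << "Using userdebug system sepolicy";` also drops the path that the removed `LOG(INFO)` line printed; `LOG(WARNING) << "Using userdebug system sepolicy " << kDebugRamdiskSEPolicy;` keeps a record of exactly which policy file was compiled, which matters since this branch swaps the platform policy on an unlocked device. The gate `access(kDebugRamdiskSEPolicy, F_OK) == 0` only tests existence, not readability, so an unreadable file would pass the check and the failure would surface later in secilc; `R_OK` would match the `IsSplitPolicyDevice` check visible in the previous hunk's context. OpenSplitPolicy continues outside the hunk.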
@@ -429,7 +413,7 @@ bool OpenSplitPolicy(PolicyFile* policy_file) {
 // clang-format off
 std::vector compile_args {
 "/system/bin/secilc",
- use_userdebug_policy ? *userdebug_plat_sepolicy : plat_policy_cil_file,
+ use_userdebug_policy ? kDebugRamdiskSEPolicy: plat_policy_cil_file,
 "-m", "-M", "true", "-G", "-N",
 "-c", version_as_string.c_str(),
 plat_mapping_file.c_str(),
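Review bot: The restored ternary `use_userdebug_policy ? kDebugRamdiskSEPolicy: plat_policy_cil_file,` is missing the space before `:`, and because this initializer sits under `// clang-format off` the formatter will not repair it; the line should read `use_userdebug_policy ? kDebugRamdiskSEPolicy : plat_policy_cil_file,`. OpenSplitPolicy begins and ends outside the hunk.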