ACPR/android_system_core
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

init: explicitly label all selinux files in rootfs

Browse source 
With system and vendor split, the files under them get labelled
differently as part of b/36527360. These files also include selinux
policy files if the policy is split. In order to consistently label
them, all sepolicy files on rootfs also are labelled with labels
matching to that of the ones in system and vendor. So, this now requires
init to explicitly label *all* selinux files in rootfs after
initializing selinux.

Test: Boot angler and ensure servicemananger continues to work (uses
      /{plat,nonplat}_service_contexts).
Test: Sideloaded OTA to angler to ensure recovery continues to work.
Test: Launch and load a website in Chrome.
Test: Launch camera and take picture, record video.

Change-Id: I4134eae80b5b51f381b549eb18e604cf271f9eb5
Signed-off-by: Sandeep Patil <sspatil@google.com>
This commit is contained in:
Sandeep Patil 2017-03-29 10:33:41 -07:00
parent 74df5bab16
commit f5b99d4fe2
1 changed files with 10 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
init/init.cpp
View file

@ -907,8 +907,18 @@ static void selinux_restore_context() {
restorecon("/dev/random");
restorecon("/dev/urandom");
restorecon("/dev/__properties__");
restorecon("/file_contexts.bin");
restorecon("/plat_file_contexts");
restorecon("/nonplat_file_contexts");
restorecon("/plat_property_contexts");
restorecon("/nonplat_property_contexts");
restorecon("/plat_seapp_contexts");
restorecon("/nonplat_seapp_contexts");
restorecon("/plat_service_contexts");
restorecon("/nonplat_service_contexts");
restorecon("/sepolicy");
restorecon("/sys", SELINUX_ANDROID_RESTORECON_RECURSE);
restorecon("/dev/block", SELINUX_ANDROID_RESTORECON_RECURSE);
restorecon("/dev/device-mapper");