From f5b99d4fe27bbb1f89888637203c1bf033bf6351 Mon Sep 17 00:00:00 2001
From: Sandeep Patil
Date: Wed, 29 Mar 2017 10:33:41 -0700
Subject: [PATCH] init: explicitly label all selinux files in rootfs

With system and vendor split, the files under them get labelled differently as part of b/36527360. These files also include selinux policy files if the policy is split. In order to consistently label them, all sepolicy files on rootfs also are labelled with labels matching to that of the ones in system and vendor. So, this now requires init to explicitly label *all* selinux files in rootfs after initializing selinux.
Test: Boot angler and ensure servicemananger continues to work (uses /{plat,nonplat}_service_contexts).
Test: Sideloaded OTA to angler to ensure recovery continues to work.
Test: Launch and load a website in Chrome.
Test: Launch camera and take picture, record video.
Change-Id: I4134eae80b5b51f381b549eb18e604cf271f9eb5
Signed-off-by: Sandeep Patil
---
 init/init.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/init/init.cpp b/init/init.cpp
index 79be97152..34de279d3 100644
--- a/init/init.cpp
+++ b/init/init.cpp
@@ -907,8 +907,18 @@ static void selinux_restore_context() {
 restorecon("/dev/random");
 restorecon("/dev/urandom");
 restorecon("/dev/__properties__");
+
+ restorecon("/file_contexts.bin");
+ restorecon("/plat_file_contexts");
+ restorecon("/nonplat_file_contexts");
 restorecon("/plat_property_contexts");
 restorecon("/nonplat_property_contexts");
+ restorecon("/plat_seapp_contexts");
+ restorecon("/nonplat_seapp_contexts");
+ restorecon("/plat_service_contexts");
+ restorecon("/nonplat_service_contexts");
+ restorecon("/sepolicy");
+
 restorecon("/sys", SELINUX_ANDROID_RESTORECON_RECURSE);
 restorecon("/dev/block", SELINUX_ANDROID_RESTORECON_RECURSE);
 restorecon("/dev/device-mapper");
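Review bot: The added `restorecon()` calls in `selinux_restore_context()` discard their results, so a policy file left with its default rootfs label cannot be told apart from one that is simply absent on this build (the commit message implies the `plat_*`/`nonplat_*` files are present only when the policy is split). Because consumers such as servicemanager read these files under the new labels, a silent relabel failure would only surface later as access denials that are hard to trace back to early init. Consider checking the result and logging anything other than a missing file, e.g. `if (restorecon(path) != 0 && errno != ENOENT) PLOG(ERROR) << "restorecon failed: " << path;`, assuming `restorecon` returns the libselinux status and sets errno, which is not visible in this hunk. A one-line comment above the group, such as `// Relabel every sepolicy file on rootfs to match its /system and /vendor counterpart.`, would also record why the list has to stay complete. The function body starts before and continues after this hunk.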