ACPR/android_system_core
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge "Add odm sepolicy support to selinux.cpp"

Browse source
This commit is contained in:
Treehugger Robot 2017-09-04 04:45:33 +00:00 committed by Gerrit Code Review
commit f899548cdb
1 changed files with 53 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

67
init/selinux.cpp
View file

@ -198,9 +198,18 @@ bool ReadFirstLine(const char* file, std::string* line) {
bool FindPrecompiledSplitPolicy(std::string* file) { bool FindPrecompiledSplitPolicy(std::string* file) {
file->clear(); file->clear();
// If there is an odm partition, precompiled_sepolicy will be in
static constexpr const char precompiled_sepolicy[] = "/vendor/etc/selinux/precompiled_sepolicy"; // odm/etc/selinux. Otherwise it will be in vendor/etc/selinux.
if (access(precompiled_sepolicy, R_OK) == -1) { static constexpr const char vendor_precompiled_sepolicy[] =
"/vendor/etc/selinux/precompiled_sepolicy";
static constexpr const char odm_precompiled_sepolicy[] =
"/odm/etc/selinux/precompiled_sepolicy";
if (access(odm_precompiled_sepolicy, R_OK) == 0) {
*file = odm_precompiled_sepolicy;
} else if (access(vendor_precompiled_sepolicy, R_OK) == 0) {
*file = vendor_precompiled_sepolicy;
} else {
PLOG(INFO) << "No precompiled sepolicy";
return false; return false;
} }
std::string actual_plat_id; std::string actual_plat_id;
@ -209,19 +218,18 @@ bool FindPrecompiledSplitPolicy(std::string* file) {
"/system/etc/selinux/plat_and_mapping_sepolicy.cil.sha256"; "/system/etc/selinux/plat_and_mapping_sepolicy.cil.sha256";
return false; return false;
} }
std::string precompiled_plat_id; std::string precompiled_plat_id;
if (!ReadFirstLine("/vendor/etc/selinux/precompiled_sepolicy.plat_and_mapping.sha256", std::string precompiled_sha256 = *file + ".plat_and_mapping.sha256";
&precompiled_plat_id)) { if (!ReadFirstLine(precompiled_sha256.c_str(), &precompiled_plat_id)) {
PLOG(INFO) << "Failed to read " PLOG(INFO) << "Failed to read " << precompiled_sha256;
"/vendor/etc/selinux/" file->clear();
"precompiled_sepolicy.plat_and_mapping.sha256";
return false; return false;
} }
if ((actual_plat_id.empty()) || (actual_plat_id != precompiled_plat_id)) { if ((actual_plat_id.empty()) || (actual_plat_id != precompiled_plat_id)) {
file->clear();
return false; return false;
} }
*file = precompiled_sepolicy;
return true; return true;
} }
@ -293,24 +301,55 @@ bool LoadSplitPolicy() {
return false; return false;
} }
std::string mapping_file("/system/etc/selinux/mapping/" + vend_plat_vers + ".cil"); std::string mapping_file("/system/etc/selinux/mapping/" + vend_plat_vers + ".cil");
// vendor_sepolicy.cil and nonplat_declaration.cil are the new design to replace
// nonplat_sepolicy.cil.
std::string nonplat_declaration_cil_file("/vendor/etc/selinux/nonplat_declaration.cil");
std::string vendor_policy_cil_file("/vendor/etc/selinux/vendor_sepolicy.cil");
if (access(vendor_policy_cil_file.c_str(), F_OK) == -1) {
// For backward compatibility.
// TODO: remove this after no device is using nonplat_sepolicy.cil.
vendor_policy_cil_file = "/vendor/etc/selinux/nonplat_sepolicy.cil";
nonplat_declaration_cil_file.clear();
} else if (access(nonplat_declaration_cil_file.c_str(), F_OK) == -1) {
LOG(ERROR) << "Missing " << nonplat_declaration_cil_file;
return false;
}
// odm_sepolicy.cil is default but optional.
std::string odm_policy_cil_file("/odm/etc/selinux/odm_sepolicy.cil");
if (access(odm_policy_cil_file.c_str(), F_OK) == -1) {
odm_policy_cil_file.clear();
}
const std::string version_as_string = std::to_string(max_policy_version); const std::string version_as_string = std::to_string(max_policy_version);
// clang-format off // clang-format off
const char* compile_args[] = { std::vector<const char*> compile_args {
"/system/bin/secilc", "/system/bin/secilc",
plat_policy_cil_file, plat_policy_cil_file,
"-M", "true", "-G", "-N", "-M", "true", "-G", "-N",
// Target the highest policy language version supported by the kernel // Target the highest policy language version supported by the kernel
"-c", version_as_string.c_str(), "-c", version_as_string.c_str(),
mapping_file.c_str(), mapping_file.c_str(),
"/vendor/etc/selinux/nonplat_sepolicy.cil",
"-o", compiled_sepolicy, "-o", compiled_sepolicy,
// We don't care about file_contexts output by the compiler // We don't care about file_contexts output by the compiler
"-f", "/sys/fs/selinux/null", // /dev/null is not yet available "-f", "/sys/fs/selinux/null", // /dev/null is not yet available
nullptr}; };
// clang-format on // clang-format on
if (!ForkExecveAndWaitForCompletion(compile_args[0], (char**)compile_args)) { if (!nonplat_declaration_cil_file.empty()) {
compile_args.push_back(nonplat_declaration_cil_file.c_str());
}
if (!vendor_policy_cil_file.empty()) {
compile_args.push_back(vendor_policy_cil_file.c_str());
}
if (!odm_policy_cil_file.empty()) {
compile_args.push_back(odm_policy_cil_file.c_str());
}
compile_args.push_back(nullptr);
if (!ForkExecveAndWaitForCompletion(compile_args[0], (char**)compile_args.data())) {
unlink(compiled_sepolicy); unlink(compiled_sepolicy);
return false; return false;
} }