From fa33f85f522352be0b8766d88d1ff0abb76fd378 Mon Sep 17 00:00:00 2001
From: Nikita Ioffe
Date: Wed, 14 Jun 2023 20:29:37 +0000
Subject: [PATCH] Reland "Treat Microdroid as OS with monolithic sepolicy"

Bug: 285855150
Test: presubmit
Change-Id: I477e1ef7268ac8e7d0fdae7ffcc611a69bb9d4fe
---
 init/selinux.cpp | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/init/selinux.cpp b/init/selinux.cpp
index 907eb80e3..a93653233 100644
--- a/init/selinux.cpp
+++ b/init/selinux.cpp
@@ -300,6 +300,8 @@ bool GetVendorMappingVersion(std::string* plat_vers) {
 }
 
 constexpr const char plat_policy_cil_file[] = "/system/etc/selinux/plat_sepolicy.cil";
+constexpr const char kMicrodroidPrecompiledSepolicy[] =
+        "/system/etc/selinux/microdroid_precompiled_sepolicy";
 
 bool IsSplitPolicyDevice() {
     return access(plat_policy_cil_file, R_OK) != -1;
@@ -497,14 +499,19 @@ bool OpenSplitPolicy(PolicyFile* policy_file) {
 
 bool OpenMonolithicPolicy(PolicyFile* policy_file) {
     static constexpr char kSepolicyFile[] = "/sepolicy";
+    // In Microdroid the precompiled sepolicy is located on /system, since there is no vendor code.
+    // TODO(b/287206497): refactor once we start conditionally compiling init for Microdroid.
+    std::string monolithic_policy_file = access(kMicrodroidPrecompiledSepolicy, R_OK) == 0
+                                                 ? kMicrodroidPrecompiledSepolicy
+                                                 : kSepolicyFile;
 
-    LOG(VERBOSE) << "Opening SELinux policy from monolithic file";
-    policy_file->fd.reset(open(kSepolicyFile, O_RDONLY | O_CLOEXEC | O_NOFOLLOW));
+    LOG(INFO) << "Opening SELinux policy from monolithic file " << monolithic_policy_file;
+    policy_file->fd.reset(open(monolithic_policy_file.c_str(), O_RDONLY | O_CLOEXEC | O_NOFOLLOW));
     if (policy_file->fd < 0) {
         PLOG(ERROR) << "Failed to open monolithic SELinux policy";
         return false;
     }
-    policy_file->path = kSepolicyFile;
+    policy_file->path = monolithic_policy_file;
     return true;
 }
 
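Review bot: The `access(kMicrodroidPrecompiledSepolicy, R_OK) == 0` probe in the OpenMonolithicPolicy hunk, followed by a separate `open()` of the chosen path, is a check-then-use pattern: any failure of `access()` other than ENOENT (for example EACCES on a file that is present) is silently turned into a fallback to `/sepolicy`, so a misconfigured Microdroid image would be reported as "Failed to open monolithic SELinux policy" for the wrong path instead of the real error. Opening the Microdroid path first and falling back to `kSepolicyFile` only when `errno == ENOENT` removes the double lookup and keeps the existing PLOG meaningful; both files presumably sit on the read-only system image, so the race window itself is likely theoretical, but the masked error is not. The commit's TODO already notes that selecting the policy by file presence is a stopgap, and the open-first form does not change that. `monolithic_policy_file` also does not need to be a `std::string`; a `const char*` avoids the copy and the `.c_str()` call, and `policy_file->path` still accepts it. OpenMonolithicPolicy lies entirely within this hunk.
```cpp
bool OpenMonolithicPolicy(PolicyFile* policy_file) {
    static constexpr char kSepolicyFile[] = "/sepolicy";
    // … unchanged: Microdroid / TODO(b/287206497) comment …
    const char* monolithic_policy_file = kMicrodroidPrecompiledSepolicy;
    policy_file->fd.reset(open(monolithic_policy_file, O_RDONLY | O_CLOEXEC | O_NOFOLLOW));
    if (policy_file->fd < 0 && errno == ENOENT) {
        // Not a Microdroid image: use the classic monolithic policy location.
        monolithic_policy_file = kSepolicyFile;
        policy_file->fd.reset(open(monolithic_policy_file, O_RDONLY | O_CLOEXEC | O_NOFOLLOW));
    }
    LOG(INFO) << "Opening SELinux policy from monolithic file " << monolithic_policy_file;
    // … unchanged: fd < 0 → PLOG(ERROR) and return false …
    policy_file->path = monolithic_policy_file;
    // … unchanged: return true …
}
```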