authorAlex Vakulenko2017-05-01 19:54:24 -0500
committerAlex Vakulenko2017-05-10 10:59:01 -0500
commit4a7762afb4fa8495e711fcc2da322fc388e700bc (patch)
tree3c96a98be5d7f8a511aa9a291b2d611caf8913df
parent5aab4176932de5e899c03876f64cb6f09a999337 (diff)
downloadframeworks-native-4a7762afb4fa8495e711fcc2da322fc388e700bc.tar.gz
frameworks-native-4a7762afb4fa8495e711fcc2da322fc388e700bc.tar.xz
frameworks-native-4a7762afb4fa8495e711fcc2da322fc388e700bc.zip
Apply correct SELinux labels to PDX endpoint and channel sockets.
Bug: 37646189 Test: Compiled for sailfish-eng Device booted, normal 2D UI works as before Was able to run Daydream app and CubeSea (before O1 VR rendering path was disabled by recent change in HW composer). Change-Id: I1f7040324992d3c784f072ea6b64a65fa7ed0589
-rw-r--r--libs/vr/libpdx_uds/Android.bp3
-rw-r--r--libs/vr/libpdx_uds/service_endpoint.cpp33
-rw-r--r--services/surfaceflinger/surfaceflinger.rc6
-rw-r--r--services/vr/bufferhubd/bufferhubd.rc2
-rw-r--r--services/vr/performanced/performanced.rc2
5 files changed, 41 insertions, 5 deletions
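diff --git a/libs/vr/libpdx_uds/Android.bp b/libs/vr/libpdx_uds/Android.bp
index cfc202222..82a5ea752 100644
--- a/libs/vr/libpdx_uds/Android.bp
+++ b/libs/vr/libpdx_uds/Android.bp
@@ -24,6 +24,9 @@ cc_library_static {
  "libbase",
  "libpdx",
  ],
+ whole_static_libs: [
+ "libselinux",
+ ],
 }
 
 cc_test {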
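diff --git a/libs/vr/libpdx_uds/service_endpoint.cpp b/libs/vr/libpdx_uds/service_endpoint.cpp
index d96eeff23..27a56f9fe 100644
--- a/libs/vr/libpdx_uds/service_endpoint.cpp
+++ b/libs/vr/libpdx_uds/service_endpoint.cpp
@@ -11,6 +11,7 @@
 #include <android-base/strings.h>
 #include <cutils/sockets.h>
 #include <pdx/service.h>
+#include <selinux/selinux.h>
 #include <uds/channel_manager.h>
 #include <uds/client_channel_factory.h>
 #include <uds/ipc_helper.h>
@@ -364,6 +365,36 @@ Status<void> Endpoint::ModifyChannelEvents(int channel_id, int clear_mask,
 Status<void> Endpoint::CreateChannelSocketPair(LocalHandle* local_socket,
  LocalHandle* remote_socket) {
  Status<void> status;
+ char* endpoint_context = nullptr;
+ // Make sure the channel socket has the correct SELinux label applied.
+ // Here we get the label from the endpoint file descriptor, which should be
+ // something like "u:object_r:pdx_service_endpoint_socket:s0" and replace
+ // "endpoint" with "channel" to produce the channel label such as this:
+ // "u:object_r:pdx_service_channel_socket:s0".
+ if (fgetfilecon_raw(socket_fd_.Get(), &endpoint_context) > 0) {
+ std::string channel_context = endpoint_context;
+ freecon(endpoint_context);
+ const std::string suffix = "_endpoint_socket";
+ auto pos = channel_context.find(suffix);
+ if (pos != std::string::npos) {
+ channel_context.replace(pos, suffix.size(), "_channel_socket");
+ } else {
+ ALOGW(
+ "Endpoint::CreateChannelSocketPair: Endpoint security context '%s' "
+ "does not contain expected substring '%s'",
+ channel_context.c_str(), suffix.c_str());
+ }
+ ALOGE_IF(setsockcreatecon_raw(channel_context.c_str()) == -1,
+ "Endpoint::CreateChannelSocketPair: Failed to set channel socket "
+ "security context: %s",
+ strerror(errno));
+ } else {
+ ALOGE(
+ "Endpoint::CreateChannelSocketPair: Failed to obtain the endpoint "
+ "socket's security context: %s",
+ strerror(errno));
+ }
+
  int channel_pair[2] = {};
  if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, channel_pair) == -1) {
  ALOGE("Endpoint::CreateChannelSocketPair: Failed to create socket pair: %s",
@@ -372,6 +403,8 @@ Status<void> Endpoint::CreateChannelSocketPair(LocalHandle* local_socket,
  return status;
  }
 
+ setsockcreatecon_raw(nullptr);
+
  local_socket->Reset(channel_pair[0]);
  remote_socket->Reset(channel_pair[1]);
 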
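Review bot: The `return status;` in the `socketpair()` failure branch (context lines at the top of the last hunk) runs before the added `setsockcreatecon_raw(nullptr)`, so on that path the calling thread keeps the channel label as its socket-creation context and any socket it creates afterwards would inherit it. The reset should happen right after the call and before the error check, with errno saved for the log message: `const int ret = socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, channel_pair);`, `const int saved_errno = errno;`, `setsockcreatecon_raw(nullptr);`, then test `ret == -1` and log `strerror(saved_errno)`. The labelling is also fail-open: when `fgetfilecon_raw` or `setsockcreatecon_raw` fails, or the `_endpoint_socket` suffix is missing, the code only logs and still creates the pair with the default or the endpoint label. If the policy relies on the channel type, returning an error status from those branches would be the safer behaviour. The lines between the second and third hunks and the end of the function are outside the visible diff, so this is based only on the context shown.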
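diff --git a/services/surfaceflinger/surfaceflinger.rc b/services/surfaceflinger/surfaceflinger.rc
index ff6be81e4..aea602bba 100644
--- a/services/surfaceflinger/surfaceflinger.rc
+++ b/services/surfaceflinger/surfaceflinger.rc
@@ -4,6 +4,6 @@ service surfaceflinger /system/bin/surfaceflinger
  group graphics drmrpc readproc
  onrestart restart zygote
  writepid /dev/stune/foreground/tasks
- socket pdx/system/vr/display/client stream 0666 system graphics
- socket pdx/system/vr/display/manager stream 0666 system graphics
- socket pdx/system/vr/display/vsync stream 0666 system graphics
+ socket pdx/system/vr/display/client stream 0666 system graphics u:object_r:pdx_display_client_endpoint_socket:s0
+ socket pdx/system/vr/display/manager stream 0666 system graphics u:object_r:pdx_display_manager_endpoint_socket:s0
+ socket pdx/system/vr/display/vsync stream 0666 system graphics u:object_r:pdx_display_vsync_endpoint_socket:s0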
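diff --git a/services/vr/bufferhubd/bufferhubd.rc b/services/vr/bufferhubd/bufferhubd.rc
index 8d5772399..46fe5f95c 100644
--- a/services/vr/bufferhubd/bufferhubd.rc
+++ b/services/vr/bufferhubd/bufferhubd.rc
@@ -3,4 +3,4 @@ service bufferhubd /system/bin/bufferhubd
  user system
  group system
  writepid /dev/cpuset/tasks
- socket pdx/system/buffer_hub/client stream 0660 system system
+ socket pdx/system/buffer_hub/client stream 0660 system system u:object_r:pdx_bufferhub_client_endpoint_socket:s0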
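diff --git a/services/vr/performanced/performanced.rc b/services/vr/performanced/performanced.rc
index 6283f3717..2605a4758 100644
--- a/services/vr/performanced/performanced.rc
+++ b/services/vr/performanced/performanced.rc
@@ -3,4 +3,4 @@ service performanced /system/bin/performanced
  user root
  group system readproc
  writepid /dev/cpuset/tasks
- socket pdx/system/performance/client stream 0666 system system
+ socket pdx/system/performance/client stream 0666 system system u:object_r:pdx_performance_client_endpoint_socket:s0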