authorTreehugger Robot2017-09-03 23:45:33 -0500
committerGerrit Code Review2017-09-03 23:45:33 -0500
commitf899548cdb18a56db9ad0c0c5ecd1941a6b23255 (patch)
tree50b92f1a2ab192fbb2b4a29cc57435e344270fbb
parentd97a1710b8efafe2b3a7b3e05e679ee091327fc6 (diff)
parenteef4cd7d08db22a93503936b58f3ed372a383dad (diff)
Merge "Add odm sepolicy support to selinux.cpp"
-rw-r--r--init/selinux.cpp67
1 files changed, 53 insertions, 14 deletions
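diff --git a/init/selinux.cpp b/init/selinux.cpp
index ef59164e3..3f7ad13e8 100644
--- a/init/selinux.cpp
+++ b/init/selinux.cpp
@@ -198,9 +198,18 @@ bool ReadFirstLine(const char* file, std::string* line) {
 
 bool FindPrecompiledSplitPolicy(std::string* file) {
     file->clear();
-
-    static constexpr const char precompiled_sepolicy[] = "/vendor/etc/selinux/precompiled_sepolicy";
-    if (access(precompiled_sepolicy, R_OK) == -1) {
+    // If there is an odm partition, precompiled_sepolicy will be in
+    // odm/etc/selinux. Otherwise it will be in vendor/etc/selinux.
+    static constexpr const char vendor_precompiled_sepolicy[] =
+        "/vendor/etc/selinux/precompiled_sepolicy";
+    static constexpr const char odm_precompiled_sepolicy[] =
+        "/odm/etc/selinux/precompiled_sepolicy";
+    if (access(odm_precompiled_sepolicy, R_OK) == 0) {
+        *file = odm_precompiled_sepolicy;
+    } else if (access(vendor_precompiled_sepolicy, R_OK) == 0) {
+        *file = vendor_precompiled_sepolicy;
+    } else {
+        PLOG(INFO) << "No precompiled sepolicy";
         return false;
     }
     std::string actual_plat_id;
@@ -209,19 +218,18 @@ bool FindPrecompiledSplitPolicy(std::string* file) {
                        "/system/etc/selinux/plat_and_mapping_sepolicy.cil.sha256";
         return false;
     }
+
     std::string precompiled_plat_id;
-    if (!ReadFirstLine("/vendor/etc/selinux/precompiled_sepolicy.plat_and_mapping.sha256",
-                       &precompiled_plat_id)) {
-        PLOG(INFO) << "Failed to read "
-                       "/vendor/etc/selinux/"
-                       "precompiled_sepolicy.plat_and_mapping.sha256";
+    std::string precompiled_sha256 = *file + ".plat_and_mapping.sha256";
+    if (!ReadFirstLine(precompiled_sha256.c_str(), &precompiled_plat_id)) {
+        PLOG(INFO) << "Failed to read " << precompiled_sha256;
+        file->clear();
         return false;
     }
     if ((actual_plat_id.empty()) || (actual_plat_id != precompiled_plat_id)) {
+        file->clear();
         return false;
     }
-
-    *file = precompiled_sepolicy;
     return true;
 }
 
@@ -293,24 +301,55 @@ bool LoadSplitPolicy() {
         return false;
     }
     std::string mapping_file("/system/etc/selinux/mapping/" + vend_plat_vers + ".cil");
+
+    // vendor_sepolicy.cil and nonplat_declaration.cil are the new design to replace
+    // nonplat_sepolicy.cil.
+    std::string nonplat_declaration_cil_file("/vendor/etc/selinux/nonplat_declaration.cil");
+    std::string vendor_policy_cil_file("/vendor/etc/selinux/vendor_sepolicy.cil");
+
+    if (access(vendor_policy_cil_file.c_str(), F_OK) == -1) {
+        // For backward compatibility.
+        // TODO: remove this after no device is using nonplat_sepolicy.cil.
+        vendor_policy_cil_file = "/vendor/etc/selinux/nonplat_sepolicy.cil";
+        nonplat_declaration_cil_file.clear();
+    } else if (access(nonplat_declaration_cil_file.c_str(), F_OK) == -1) {
+        LOG(ERROR) << "Missing " << nonplat_declaration_cil_file;
+        return false;
+    }
+
+    // odm_sepolicy.cil is default but optional.
+    std::string odm_policy_cil_file("/odm/etc/selinux/odm_sepolicy.cil");
+    if (access(odm_policy_cil_file.c_str(), F_OK) == -1) {
+        odm_policy_cil_file.clear();
+    }
     const std::string version_as_string = std::to_string(max_policy_version);
 
     // clang-format off
-    const char* compile_args[] = {
+    std::vector<const char*> compile_args {
         "/system/bin/secilc",
         plat_policy_cil_file,
         "-M", "true", "-G", "-N",
         // Target the highest policy language version supported by the kernel
         "-c", version_as_string.c_str(),
         mapping_file.c_str(),
-        "/vendor/etc/selinux/nonplat_sepolicy.cil",
         "-o", compiled_sepolicy,
         // We don't care about file_contexts output by the compiler
         "-f", "/sys/fs/selinux/null", // /dev/null is not yet available
-        nullptr};
+    };
     // clang-format on
 
-    if (!ForkExecveAndWaitForCompletion(compile_args[0], (char**)compile_args)) {
+    if (!nonplat_declaration_cil_file.empty()) {
+        compile_args.push_back(nonplat_declaration_cil_file.c_str());
+    }
+    if (!vendor_policy_cil_file.empty()) {
+        compile_args.push_back(vendor_policy_cil_file.c_str());
+    }
+    if (!odm_policy_cil_file.empty()) {
+        compile_args.push_back(odm_policy_cil_file.c_str());
+    }
+    compile_args.push_back(nullptr);
+
+    if (!ForkExecveAndWaitForCompletion(compile_args[0], (char**)compile_args.data())) {
         unlink(compiled_sepolicy);
         return false;
     }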
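Review bot: The backward-compatibility fallback in the third hunk assigns `/vendor/etc/selinux/nonplat_sepolicy.cil` to vendor_policy_cil_file without checking that it exists, so a vendor image carrying neither vendor_sepolicy.cil nor nonplat_sepolicy.cil only fails later inside the secilc exec, with a less specific error than the `Missing` path already used for nonplat_declaration.cil. An access() check after the fallback with `LOG(ERROR) << "Missing " << vendor_policy_cil_file; return false;` would fail the policy load at the same point and with the same diagnostic as the other missing-file case. The existence probes in this hunk also use F_OK while the precompiled_sepolicy probes in the first hunk use R_OK, so an odm_sepolicy.cil that exists but is unreadable stays in compile_args instead of being dropped; that may be the intent (fail the compile rather than silently load less policy than the partition ships), but a comment stating it would help. LoadSplitPolicy begins before this hunk and its remaining lines are outside it.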