author | Treehugger Robot | 2017-09-03 23:45:33 -0500 |
---|---|---|
committer | Gerrit Code Review | 2017-09-03 23:45:33 -0500 |
commit | f899548cdb18a56db9ad0c0c5ecd1941a6b23255 (patch) | |
tree | 50b92f1a2ab192fbb2b4a29cc57435e344270fbb | |
parent | d97a1710b8efafe2b3a7b3e05e679ee091327fc6 (diff) | |
parent | eef4cd7d08db22a93503936b58f3ed372a383dad (diff) | |
Merge "Add odm sepolicy support to selinux.cpp"
-rw-r--r-- | init/selinux.cpp | 67 |
1 files changed, 53 insertions, 14 deletions
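diff --git a/init/selinux.cpp b/init/selinux.cpp
index ef59164e3..3f7ad13e8 100644
--- a/init/selinux.cpp
+++ b/init/selinux.cpp
@@ -198,9 +198,18 @@ bool ReadFirstLine(const char* file, std::string* line) {
 
 bool FindPrecompiledSplitPolicy(std::string* file) {
 file->clear();
-
-static constexpr const char precompiled_sepolicy[] = "/vendor/etc/selinux/precompiled_sepolicy";
-if (access(precompiled_sepolicy, R_OK) == -1) {
+// If there is an odm partition, precompiled_sepolicy will be in
+// odm/etc/selinux. Otherwise it will be in vendor/etc/selinux.
+static constexpr const char vendor_precompiled_sepolicy[] =
+"/vendor/etc/selinux/precompiled_sepolicy";
+static constexpr const char odm_precompiled_sepolicy[] =
+"/odm/etc/selinux/precompiled_sepolicy";
+if (access(odm_precompiled_sepolicy, R_OK) == 0) {
+*file = odm_precompiled_sepolicy;
+} else if (access(vendor_precompiled_sepolicy, R_OK) == 0) {
+*file = vendor_precompiled_sepolicy;
+} else {
+PLOG(INFO) << "No precompiled sepolicy";
 return false;
 }
 std::string actual_plat_id;
@@ -209,19 +218,18 @@ bool FindPrecompiledSplitPolicy(std::string* file) {
 "/system/etc/selinux/plat_and_mapping_sepolicy.cil.sha256";
 return false;
 }
+
 std::string precompiled_plat_id;
-if (!ReadFirstLine("/vendor/etc/selinux/precompiled_sepolicy.plat_and_mapping.sha256",
-&precompiled_plat_id)) {
-PLOG(INFO) << "Failed to read "
-"/vendor/etc/selinux/"
-"precompiled_sepolicy.plat_and_mapping.sha256";
+std::string precompiled_sha256 = *file + ".plat_and_mapping.sha256";
+if (!ReadFirstLine(precompiled_sha256.c_str(), &precompiled_plat_id)) {
+PLOG(INFO) << "Failed to read " << precompiled_sha256;
+file->clear();
 return false;
 }
 if ((actual_plat_id.empty()) || (actual_plat_id != precompiled_plat_id)) {
+file->clear();
 return false;
 }
-
-*file = precompiled_sepolicy;
 return true;
 }
 
@@ -293,24 +301,55 @@ bool LoadSplitPolicy() {
 return false;
 }
 std::string mapping_file("/system/etc/selinux/mapping/" + vend_plat_vers + ".cil");
+
+// vendor_sepolicy.cil and nonplat_declaration.cil are the new design to replace
+// nonplat_sepolicy.cil.
+std::string nonplat_declaration_cil_file("/vendor/etc/selinux/nonplat_declaration.cil");
+std::string vendor_policy_cil_file("/vendor/etc/selinux/vendor_sepolicy.cil");
+
+if (access(vendor_policy_cil_file.c_str(), F_OK) == -1) {
+// For backward compatibility.
+// TODO: remove this after no device is using nonplat_sepolicy.cil.
+vendor_policy_cil_file = "/vendor/etc/selinux/nonplat_sepolicy.cil";
+nonplat_declaration_cil_file.clear();
+} else if (access(nonplat_declaration_cil_file.c_str(), F_OK) == -1) {
+LOG(ERROR) << "Missing " << nonplat_declaration_cil_file;
+return false;
+}
+
+// odm_sepolicy.cil is default but optional.
+std::string odm_policy_cil_file("/odm/etc/selinux/odm_sepolicy.cil");
+if (access(odm_policy_cil_file.c_str(), F_OK) == -1) {
+odm_policy_cil_file.clear();
+}
 const std::string version_as_string = std::to_string(max_policy_version);
 
 // clang-format off
-const char* compile_args[] = {
+std::vector<const char*> compile_args {
 "/system/bin/secilc",
 plat_policy_cil_file,
 "-M", "true", "-G", "-N",
 // Target the highest policy language version supported by the kernel
 "-c", version_as_string.c_str(),
 mapping_file.c_str(),
-"/vendor/etc/selinux/nonplat_sepolicy.cil",
 "-o", compiled_sepolicy,
 // We don't care about file_contexts output by the compiler
 "-f", "/sys/fs/selinux/null", // /dev/null is not yet available
-nullptr};
+};
 // clang-format on
 
-if (!ForkExecveAndWaitForCompletion(compile_args[0], (char**)compile_args)) {
+if (!nonplat_declaration_cil_file.empty()) {
+compile_args.push_back(nonplat_declaration_cil_file.c_str());
+}
+if (!vendor_policy_cil_file.empty()) {
+compile_args.push_back(vendor_policy_cil_file.c_str());
+}
+if (!odm_policy_cil_file.empty()) {
+compile_args.push_back(odm_policy_cil_file.c_str());
+}
+compile_args.push_back(nullptr);
+
+if (!ForkExecveAndWaitForCompletion(compile_args[0], (char**)compile_args.data())) {
 unlink(compiled_sepolicy);
 return false;
 }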
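Review bot: A precompiled_sepolicy picked up from /odm is validated only against the platform side — the `.plat_and_mapping.sha256` comparison on new lines 222-231 of FindPrecompiledSplitPolicy proves it was built against the current /system policy, but nothing checks that it matches the vendor_sepolicy.cil / nonplat_declaration.cil now on /vendor, so if /odm and /vendor can ever be updated independently a stale odm precompiled policy is loaded silently where the compile-from-source path in LoadSplitPolicy (new lines 305-324) would have picked up the current vendor policy. If the build guarantees that odm and vendor always ship together, that assumption should be stated next to the odm/vendor selection, e.g. `// An odm precompiled_sepolicy is assumed to match the vendor policy shipped with it; only its platform side is verified below.`; otherwise a second hash file next to it (e.g. `precompiled_sepolicy.vendor_sepolicy.sha256`) compared the same way would close the gap. The middle of FindPrecompiledSplitPolicy (the read of actual_plat_id) lies between the first two hunks and is not shown, and LoadSplitPolicy starts before and ends after the third hunk.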