Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0b58e6a1 authored by Stephen Smalley's avatar Stephen Smalley
Browse files

Modify installd to set the SELinux security context on package directories. 

installd already sets the UID/GID/mode for package directories.
Extend it to also call libselinux to set the SELinux security context.

Change-Id: I22d38e3e7facdfcee20a34bf30f1412dbb87761f
parent d80cbb8c

cmds/installd/Android.mk

+6 −0
Original line number Original line Diff line number Diff line
@@ -34,6 +34,12 @@ LOCAL_SHARED_LIBRARIES := \ 
LOCAL_STATIC_LIBRARIES := \

LOCAL_STATIC_LIBRARIES := \

    libdiskusage

    libdiskusage





ifeq ($(HAVE_SELINUX),true)

LOCAL_C_INCLUDES += external/libselinux/include

LOCAL_SHARED_LIBRARIES += libselinux

LOCAL_CFLAGS := -DHAVE_SELINUX

endif # HAVE_SELINUX



LOCAL_MODULE := installd

LOCAL_MODULE := installd





LOCAL_MODULE_TAGS := optional

LOCAL_MODULE_TAGS := optional

cmds/installd/commands.c

+39 −1
Original line number Original line Diff line number Diff line
@@ -17,6 +17,10 @@ 
#include "installd.h"

#include "installd.h"

#include <diskusage/dirsize.h>

#include <diskusage/dirsize.h>





#ifdef HAVE_SELINUX

#include <selinux/android.h>

#endif



/* Directory records that are used in execution of commands. */

/* Directory records that are used in execution of commands. */

dir_rec_t android_data_dir;

dir_rec_t android_data_dir;

dir_rec_t android_asec_dir;

dir_rec_t android_asec_dir;
@@ -58,6 +62,15 @@ int install(const char *pkgname, uid_t uid, gid_t gid) 
        unlink(pkgdir);

        unlink(pkgdir);

        return -errno;

        return -errno;

    }

    }



#ifdef HAVE_SELINUX

    if (selinux_android_setfilecon(pkgdir, pkgname, uid) < 0) {

        LOGE("cannot setfilecon dir '%s': %s\n", pkgdir, strerror(errno));

        unlink(pkgdir);

        return -errno;

    }

#endif



    if (mkdir(libdir, 0755) < 0) {

    if (mkdir(libdir, 0755) < 0) {

        ALOGE("cannot create dir '%s': %s\n", libdir, strerror(errno));

        ALOGE("cannot create dir '%s': %s\n", libdir, strerror(errno));

        unlink(pkgdir);

        unlink(pkgdir);
@@ -75,6 +88,16 @@ int install(const char *pkgname, uid_t uid, gid_t gid) 
        unlink(pkgdir);

        unlink(pkgdir);

        return -errno;

        return -errno;

    }

    }



#ifdef HAVE_SELINUX

    if (selinux_android_setfilecon(libdir, pkgname, AID_SYSTEM) < 0) {

        LOGE("cannot setfilecon dir '%s': %s\n", libdir, strerror(errno));

        unlink(libdir);

        unlink(pkgdir);

        return -errno;

    }

#endif



    return 0;

    return 0;

}

}
@@ -135,6 +158,15 @@ int make_user_data(const char *pkgname, uid_t uid, uid_t persona) 
        unlink(pkgdir);

        unlink(pkgdir);

        return -errno;

        return -errno;

    }

    }



#ifdef HAVE_SELINUX

    if (selinux_android_setfilecon(pkgdir, pkgname, uid) < 0) {

        LOGE("cannot setfilecon dir '%s': %s\n", pkgdir, strerror(errno));

        unlink(pkgdir);

        return -errno;

    }

#endif



    return 0;

    return 0;

}

}
@@ -284,12 +316,18 @@ int protect(char *pkgname, gid_t gid) 
        ALOGE("failed to chgrp '%s': %s\n", pkgpath, strerror(errno));

        ALOGE("failed to chgrp '%s': %s\n", pkgpath, strerror(errno));

        return -1;

        return -1;

    }

    }



    if (chmod(pkgpath, S_IRUSR|S_IWUSR|S_IRGRP) < 0) {

    if (chmod(pkgpath, S_IRUSR|S_IWUSR|S_IRGRP) < 0) {

        ALOGE("failed to chmod '%s': %s\n", pkgpath, strerror(errno));

        ALOGE("failed to chmod '%s': %s\n", pkgpath, strerror(errno));

        return -1;

        return -1;

    }

    }





#ifdef HAVE_SELINUX

    if (selinux_android_setfilecon(pkgpath, pkgname, s.st_uid) < 0) {

        LOGE("cannot setfilecon dir '%s': %s\n", pkgpath, strerror(errno));

        return -1;

    }

#endif



    return 0;

    return 0;

}

}