Zygote: relabel to either system_userdir_file or system_data_file (54543793) · Commits · e / os / android_frameworks_base

core/jni/com_android_internal_os_Zygote.cpp

+25 −16

Original line number	Diff line number	Diff line
		@@ -1153,8 +1153,8 @@ static void relabelDir(const char* path, const char* context, fail_fn_t fail_fn)
		}
		}

		// Relabel all directories under a path non-recursively.
		static void relabelAllDirs(const char* path, const char* context, fail_fn_t fail_fn) {
		// Relabel the subdirectories and symlinks in the given directory, non-recursively.
		static void relabelSubdirs(const char* path, const char* context, fail_fn_t fail_fn) {
		DIR* dir = opendir(path);
		if (dir == nullptr) {
		fail_fn(CREATE_ERROR("Failed to opendir %s", path));
		@@ -1231,11 +1231,19 @@ static void isolateAppData(JNIEnv* env, const std::vector<std::string>& merged_d
		snprintf(internalDePath, PATH_MAX, "/data/user_de");
		snprintf(externalPrivateMountPath, PATH_MAX, "/mnt/expand");

		char* dataDataContext = nullptr;
		if (getfilecon(internalDePath, &dataDataContext) < 0) {
		fail_fn(CREATE_ERROR("Unable to getfilecon on %s %s", internalDePath,
		// Get the "u:object_r:system_userdir_file:s0" security context. This can be
		// gotten from several different places; we use /data/user.
		char* dataUserdirContext = nullptr;
		if (getfilecon(internalCePath, &dataUserdirContext) < 0) {
		fail_fn(CREATE_ERROR("Unable to getfilecon on %s %s", internalCePath,
		strerror(errno)));
		}
		// Get the "u:object_r:system_data_file:s0" security context. This can be
		// gotten from several different places; we use /data/misc.
		char* dataFileContext = nullptr;
		if (getfilecon("/data/misc", &dataFileContext) < 0) {
		fail_fn(CREATE_ERROR("Unable to getfilecon on /data/misc %s", strerror(errno)));
		}

		MountAppDataTmpFs(internalLegacyCePath, fail_fn);
		MountAppDataTmpFs(internalCePath, fail_fn);
		@@ -1330,19 +1338,19 @@ static void isolateAppData(JNIEnv* env, const std::vector<std::string>& merged_d
		// the file operations on tmpfs. If we set the label when we mount
		// tmpfs, SELinux will not happy as we are changing system_data_files.
		// Relabel dir under /data/user, including /data/user/0
		relabelAllDirs(internalCePath, dataDataContext, fail_fn);
		relabelSubdirs(internalCePath, dataFileContext, fail_fn);

		// Relabel /data/user
		relabelDir(internalCePath, dataDataContext, fail_fn);
		relabelDir(internalCePath, dataUserdirContext, fail_fn);

		// Relabel /data/data
		relabelDir(internalLegacyCePath, dataDataContext, fail_fn);
		relabelDir(internalLegacyCePath, dataFileContext, fail_fn);

		// Relabel dir under /data/user_de
		relabelAllDirs(internalDePath, dataDataContext, fail_fn);
		// Relabel subdirectories of /data/user_de
		relabelSubdirs(internalDePath, dataFileContext, fail_fn);

		// Relabel /data/user_de
		relabelDir(internalDePath, dataDataContext, fail_fn);
		relabelDir(internalDePath, dataUserdirContext, fail_fn);

		// Relabel CE and DE dirs under /mnt/expand
		dir = opendir(externalPrivateMountPath);
		@@ -1355,14 +1363,15 @@ static void isolateAppData(JNIEnv* env, const std::vector<std::string>& merged_d
		auto cePath = StringPrintf("%s/user", volPath.c_str());
		auto dePath = StringPrintf("%s/user_de", volPath.c_str());

		relabelAllDirs(cePath.c_str(), dataDataContext, fail_fn);
		relabelDir(cePath.c_str(), dataDataContext, fail_fn);
		relabelAllDirs(dePath.c_str(), dataDataContext, fail_fn);
		relabelDir(dePath.c_str(), dataDataContext, fail_fn);
		relabelSubdirs(cePath.c_str(), dataFileContext, fail_fn);
		relabelDir(cePath.c_str(), dataUserdirContext, fail_fn);
		relabelSubdirs(dePath.c_str(), dataFileContext, fail_fn);
		relabelDir(dePath.c_str(), dataUserdirContext, fail_fn);
		}
		closedir(dir);

		freecon(dataDataContext);
		freecon(dataUserdirContext);
		freecon(dataFileContext);
		}

		static void insertPackagesToMergedList(JNIEnv* env,