Loading init/init.cpp +45 −14 Original line number Original line Diff line number Diff line Loading @@ -940,7 +940,13 @@ static int audit_callback(void *data, security_class_t /*cls*/, char *buf, size_ return 0; return 0; } } static void selinux_initialize() { static void security_failure() { ERROR("Security failure; rebooting into recovery mode...\n"); android_reboot(ANDROID_RB_RESTART2, 0, "recovery"); while (true) { pause(); } // never reached } static void selinux_initialize(bool in_kernel_domain) { Timer t; Timer t; selinux_callback cb; selinux_callback cb; Loading @@ -953,19 +959,27 @@ static void selinux_initialize() { return; return; } } if (in_kernel_domain) { if (write_file("/sys/fs/selinux/checkreqprot", "0") == -1) { ERROR("couldn't write to /sys/fs/selinux/checkreqprot: %s\n", strerror(errno)); security_failure(); } INFO("Loading SELinux policy...\n"); INFO("Loading SELinux policy...\n"); if (selinux_android_load_policy() < 0) { if (selinux_android_load_policy() < 0) { ERROR("SELinux: Failed to load policy; rebooting into recovery mode\n"); ERROR("failed to load policy: %s\n", strerror(errno)); android_reboot(ANDROID_RB_RESTART2, 0, "recovery"); security_failure(); while (1) { pause(); } // never reached } } selinux_init_all_handles(); bool is_enforcing = selinux_is_enforcing(); bool is_enforcing = selinux_is_enforcing(); INFO("SELinux: security_setenforce(%d)\n", is_enforcing); security_setenforce(is_enforcing); security_setenforce(is_enforcing); NOTICE("(Initializing SELinux took %.2fs.)\n", t.duration()); NOTICE("(Initializing SELinux %s took %.2fs.)\n", is_enforcing ? "enforcing" : "non-enforcing", t.duration()); } else { selinux_init_all_handles(); } } } int main(int argc, char** argv) { int main(int argc, char** argv) { Loading Loading @@ -1006,7 +1020,8 @@ int main(int argc, char** argv) { klog_init(); klog_init(); klog_set_level(KLOG_NOTICE_LEVEL); klog_set_level(KLOG_NOTICE_LEVEL); NOTICE("init started!\n"); bool is_first_stage = (argc == 1) || (strcmp(argv[1], "--second-stage") != 0); NOTICE("init%s started!\n", is_first_stage ? "" : " second stage"); property_init(); property_init(); Loading @@ -1019,7 +1034,23 @@ int main(int argc, char** argv) { // used by init as well as the current required properties. // used by init as well as the current required properties. export_kernel_boot_props(); export_kernel_boot_props(); selinux_initialize(); // Set up SELinux, including loading the SELinux policy if we're in the kernel domain. selinux_initialize(is_first_stage); // If we're in the kernel domain, re-exec init to transition to the init domain now // that the SELinux policy has been loaded. if (is_first_stage) { if (restorecon("/init") == -1) { ERROR("restorecon failed: %s\n", strerror(errno)); security_failure(); } char* path = argv[0]; char* args[] = { path, const_cast<char*>("--second-stage"), nullptr }; if (execv(path, args) == -1) { ERROR("execv(\"%s\") failed: %s\n", path, strerror(errno)); security_failure(); } } // These directories were necessarily created before initial policy load // These directories were necessarily created before initial policy load // and therefore need their security context restored to the proper value. // and therefore need their security context restored to the proper value. Loading rootdir/init.rc +0 −7 Original line number Original line Diff line number Diff line Loading @@ -14,13 +14,6 @@ on early-init # Set init and its forked children's oom_adj. # Set init and its forked children's oom_adj. write /proc/1/oom_score_adj -1000 write /proc/1/oom_score_adj -1000 # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls. write /sys/fs/selinux/checkreqprot 0 # Set the security context for the init process. # This should occur before anything else (e.g. ueventd) is started. setcon u:r:init:s0 # Set the security context of /adb_keys if present. # Set the security context of /adb_keys if present. restorecon /adb_keys restorecon /adb_keys Loading Loading
init/init.cpp +45 −14 Original line number Original line Diff line number Diff line Loading @@ -940,7 +940,13 @@ static int audit_callback(void *data, security_class_t /*cls*/, char *buf, size_ return 0; return 0; } } static void selinux_initialize() { static void security_failure() { ERROR("Security failure; rebooting into recovery mode...\n"); android_reboot(ANDROID_RB_RESTART2, 0, "recovery"); while (true) { pause(); } // never reached } static void selinux_initialize(bool in_kernel_domain) { Timer t; Timer t; selinux_callback cb; selinux_callback cb; Loading @@ -953,19 +959,27 @@ static void selinux_initialize() { return; return; } } if (in_kernel_domain) { if (write_file("/sys/fs/selinux/checkreqprot", "0") == -1) { ERROR("couldn't write to /sys/fs/selinux/checkreqprot: %s\n", strerror(errno)); security_failure(); } INFO("Loading SELinux policy...\n"); INFO("Loading SELinux policy...\n"); if (selinux_android_load_policy() < 0) { if (selinux_android_load_policy() < 0) { ERROR("SELinux: Failed to load policy; rebooting into recovery mode\n"); ERROR("failed to load policy: %s\n", strerror(errno)); android_reboot(ANDROID_RB_RESTART2, 0, "recovery"); security_failure(); while (1) { pause(); } // never reached } } selinux_init_all_handles(); bool is_enforcing = selinux_is_enforcing(); bool is_enforcing = selinux_is_enforcing(); INFO("SELinux: security_setenforce(%d)\n", is_enforcing); security_setenforce(is_enforcing); security_setenforce(is_enforcing); NOTICE("(Initializing SELinux took %.2fs.)\n", t.duration()); NOTICE("(Initializing SELinux %s took %.2fs.)\n", is_enforcing ? "enforcing" : "non-enforcing", t.duration()); } else { selinux_init_all_handles(); } } } int main(int argc, char** argv) { int main(int argc, char** argv) { Loading Loading @@ -1006,7 +1020,8 @@ int main(int argc, char** argv) { klog_init(); klog_init(); klog_set_level(KLOG_NOTICE_LEVEL); klog_set_level(KLOG_NOTICE_LEVEL); NOTICE("init started!\n"); bool is_first_stage = (argc == 1) || (strcmp(argv[1], "--second-stage") != 0); NOTICE("init%s started!\n", is_first_stage ? "" : " second stage"); property_init(); property_init(); Loading @@ -1019,7 +1034,23 @@ int main(int argc, char** argv) { // used by init as well as the current required properties. // used by init as well as the current required properties. export_kernel_boot_props(); export_kernel_boot_props(); selinux_initialize(); // Set up SELinux, including loading the SELinux policy if we're in the kernel domain. selinux_initialize(is_first_stage); // If we're in the kernel domain, re-exec init to transition to the init domain now // that the SELinux policy has been loaded. if (is_first_stage) { if (restorecon("/init") == -1) { ERROR("restorecon failed: %s\n", strerror(errno)); security_failure(); } char* path = argv[0]; char* args[] = { path, const_cast<char*>("--second-stage"), nullptr }; if (execv(path, args) == -1) { ERROR("execv(\"%s\") failed: %s\n", path, strerror(errno)); security_failure(); } } // These directories were necessarily created before initial policy load // These directories were necessarily created before initial policy load // and therefore need their security context restored to the proper value. // and therefore need their security context restored to the proper value. Loading
rootdir/init.rc +0 −7 Original line number Original line Diff line number Diff line Loading @@ -14,13 +14,6 @@ on early-init # Set init and its forked children's oom_adj. # Set init and its forked children's oom_adj. write /proc/1/oom_score_adj -1000 write /proc/1/oom_score_adj -1000 # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls. write /sys/fs/selinux/checkreqprot 0 # Set the security context for the init process. # This should occur before anything else (e.g. ueventd) is started. setcon u:r:init:s0 # Set the security context of /adb_keys if present. # Set the security context of /adb_keys if present. restorecon /adb_keys restorecon /adb_keys Loading
