
Commit 1eee419e authored by Stephen Smalley's avatar Stephen Smalley

Modify init.rc and init.goldfish.rc for SE Android.



Set the security context for the init process.
Restore the security contexts of /cache and /data in case they were reset.
Specify the security context for services launched from the rootfs since
we cannot label their executables.
If on the emulator, set a policy boolean and restore the context of
/sys/qemu_trace to allow accesses not normally permitted on a device.

Change-Id: I166ffc267e8e0543732e7118eb0fd4b031efac3b
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
parent ff856a2b
+4 −0
@@ -5,6 +5,10 @@ on early-init
    symlink /mnt/sdcard /sdcard

on boot
    setsebool in_qemu=1
    restorecon /sys/qemu_trace/process_name
    restorecon /sys/qemu_trace/state
    restorecon /sys/qemu_trace/symbol
    setprop ARGH ARGH
    setprop net.eth0.gw 10.0.2.2
    setprop net.eth0.dns1 10.0.2.3
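Review bot: The four lines added under `on boot` carry no comment, although `setsebool in_qemu=1` relaxes policy, so a reader of this file cannot tell that the boolean must stay emulator-only. I would add `# Emulator only: in_qemu permits /sys/qemu_trace accesses that device policy denies.` above the `setsebool` line. Only three nodes under /sys/qemu_trace are relabeled; if the emulator kernel exposes others (not visible here), they keep their default context and accesses to them would presumably still be denied. The `on boot` block continues outside the hunk.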
+12 −0
@@ -4,6 +4,10 @@ on early-init
    # Set init and its forked children's oom_adj.
    write /proc/1/oom_adj -16

    # Set the security context for the init process.
    # This should occur before anything else (e.g. ueventd) is started.
    setcon u:r:init:s0

    start ueventd

# create mountpoints
@@ -109,10 +113,14 @@ on post-fs
    # We chown/chmod /cache again so because mount is run as root + defaults
    chown system cache /cache
    chmod 0770 /cache
    # We restorecon /cache in case the cache partition has been reset.
    restorecon /cache

    # This may have been created by the recovery system with odd permissions
    chown system cache /cache/recovery
    chmod 0770 /cache/recovery
    # This may have been created by the recovery system with the wrong context.
    restorecon /cache/recovery

    #change permissions on vmallocinfo so we can grab it from bugreports
    chown root log /proc/vmallocinfo
@@ -131,6 +139,8 @@ on post-fs-data
    # We chown/chmod /data again so because mount is run as root + defaults
    chown system system /data
    chmod 0771 /data
    # We restorecon /data in case the userdata partition has been reset.
    restorecon /data

    # Create dump dir and collect dumps.
    # Do this before we mount cache so eventually we can use cache for
@@ -344,6 +354,7 @@ on property:persist.sys.usb.config=*
service ueventd /sbin/ueventd
    class core
    critical
    seclabel u:r:ueventd:s0

service console /system/bin/sh
    class core
@@ -359,6 +370,7 @@ on property:ro.debuggable=1
service adbd /sbin/adbd
    class core
    disabled
    seclabel u:r:adbd:s0

# adbd on at boot in emulator
on property:ro.kernel.qemu=1
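Review bot: `restorecon /cache/recovery` in the post-fs hunk relabels the directory, but its comment says recovery may have created it with the wrong context, and any files recovery wrote inside would presumably carry that wrong context too. If init's `restorecon` is non-recursive (its implementation is not part of this commit view), those files stay mislabeled, and access to them is then decided by a label the policy author did not intend. The same applies to `restorecon /cache` and `restorecon /data` after a partition reset. I would either relabel the known children explicitly or state the limit in the comment: `# Relabels the directory only; files created by recovery keep their old context.` The `on post-fs` and `on post-fs-data` blocks start and end outside these hunks.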