Loading init/devices.c +5 −6 Original line number Original line Diff line number Diff line Loading @@ -33,6 +33,7 @@ #ifdef HAVE_SELINUX #ifdef HAVE_SELINUX #include <selinux/selinux.h> #include <selinux/selinux.h> #include <selinux/label.h> #include <selinux/label.h> #include <selinux/android.h> #endif #endif #include <private/android_filesystem_config.h> #include <private/android_filesystem_config.h> Loading Loading @@ -879,12 +880,10 @@ void device_init(void) struct stat info; struct stat info; int fd; int fd; #ifdef HAVE_SELINUX #ifdef HAVE_SELINUX struct selinux_opt seopts[] = { sehandle = NULL; { SELABEL_OPT_PATH, "/file_contexts" } if (is_selinux_enabled() > 0) { }; sehandle = selinux_android_file_context_handle(); } if (is_selinux_enabled() > 0) sehandle = selabel_open(SELABEL_CTX_FILE, seopts, 1); #endif #endif /* is 64K enough? udev uses 16MB! */ /* is 64K enough? udev uses 16MB! */ device_fd = uevent_open_socket(64*1024, true); device_fd = uevent_open_socket(64*1024, true); Loading init/init.c +26 −85 Original line number Original line Diff line number Diff line Loading @@ -33,9 +33,9 @@ #include <sys/un.h> #include <sys/un.h> #ifdef HAVE_SELINUX #ifdef HAVE_SELINUX #include <sys/mman.h> #include <selinux/selinux.h> #include <selinux/selinux.h> #include <selinux/label.h> #include <selinux/label.h> #include <selinux/android.h> #endif #endif #include <libgen.h> #include <libgen.h> Loading Loading @@ -78,7 +78,6 @@ static char qemu[32]; #ifdef HAVE_SELINUX #ifdef HAVE_SELINUX static int selinux_enabled = 1; static int selinux_enabled = 1; static int selinux_enforcing = 0; #endif #endif static struct action *cur_action = NULL; static struct action *cur_action = NULL; Loading Loading 
@@ -605,9 +604,7 @@ static void import_kernel_nv(char *name, int for_emulator) if (name_len == 0) return; if (name_len == 0) return; #ifdef HAVE_SELINUX #ifdef HAVE_SELINUX if (!strcmp(name,"enforcing")) { if (!strcmp(name,"selinux")) { selinux_enforcing = atoi(value); } else if (!strcmp(name,"selinux")) { selinux_enabled = atoi(value); selinux_enabled = atoi(value); } } #endif #endif Loading Loading 
@@ -759,93 +756,28 @@ static int bootchart_init_action(int nargs, char **args) #endif #endif #ifdef HAVE_SELINUX #ifdef HAVE_SELINUX void selinux_load_policy(void) void selinux_init_all_handles(void) { { const char path_prefix[] = "/sepolicy"; sehandle = selinux_android_file_context_handle(); struct selinux_opt seopts[] = { { SELABEL_OPT_PATH, "/file_contexts" } }; char path[PATH_MAX]; int fd, rc, vers; struct stat sb; void *map; sehandle = NULL; if (!selinux_enabled) { INFO("SELinux: Disabled by command line option\n"); return; } mkdir(SELINUXMNT, 0755); if (mount("selinuxfs", SELINUXMNT, "selinuxfs", 0, NULL)) { if (errno == ENODEV) { /* SELinux not enabled in kernel */ return; } ERROR("SELinux: Could not mount selinuxfs: %s\n", strerror(errno)); return; } } set_selinuxmnt(SELINUXMNT); vers = security_policyvers(); int selinux_reload_policy(void) if (vers <= 0) { { ERROR("SELinux: Unable to read policy version\n"); if (!selinux_enabled) { return; return -1; } INFO("SELinux: Maximum supported policy version: %d\n", vers); snprintf(path, sizeof(path), "%s.%d", path_prefix, vers); fd = open(path, O_RDONLY); while (fd < 0 && errno == ENOENT && --vers) { snprintf(path, sizeof(path), "%s.%d", path_prefix, vers); fd = open(path, O_RDONLY); } if (fd < 0) { ERROR("SELinux: Could not open %s: %s\n", path, strerror(errno)); return; } if (fstat(fd, &sb) < 0) { ERROR("SELinux: Could not stat %s: %s\n", path, strerror(errno)); return; } map = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0); if (map == MAP_FAILED) { ERROR("SELinux: Could not map %s: %s\n", path, strerror(errno)); return; } } rc = security_load_policy(map, sb.st_size); INFO("SELinux: Attempting to reload policy files\n"); if (rc < 0) { ERROR("SELinux: Could not load policy: %s\n", strerror(errno)); return; } rc = security_setenforce(selinux_enforcing); if (selinux_android_reload_policy() == -1) { if (rc < 0) { return -1; ERROR("SELinux: Could not set enforcing mode to %s: %s\n", selinux_enforcing ? 
"enforcing" : "permissive", strerror(errno)); return; } } munmap(map, sb.st_size); if (sehandle) close(fd); selabel_close(sehandle); INFO("SELinux: Loaded policy from %s\n", path); sehandle = selabel_open(SELABEL_CTX_FILE, seopts, 1); selinux_init_all_handles(); if (!sehandle) { return 0; ERROR("SELinux: Could not load file_contexts: %s\n", strerror(errno)); return; } INFO("SELinux: Loaded file contexts from %s\n", seopts[0].value); return; } } #endif #endif Loading Loading @@ -904,8 +836,17 @@ int main(int argc, char **argv) #ifdef HAVE_SELINUX #ifdef HAVE_SELINUX INFO("loading selinux policy\n"); INFO("loading selinux policy\n"); selinux_load_policy(); if (selinux_enabled) { /* These directories were necessarily created before policy load if (selinux_android_load_policy() < 0) { selinux_enabled = 0; INFO("SELinux: Disabled due to failed policy load\n"); } else { selinux_init_all_handles(); } } else { INFO("SELinux: Disabled by command line option\n"); } /* These directories were necessarily created before initial policy load * and therefore need their security context restored to the proper value. * and therefore need their security context restored to the proper value. * This must happen before /dev is populated by ueventd. * This must happen before /dev is populated by ueventd. */ */ Loading init/init.h +1 −0 Original line number Original line Diff line number Diff line Loading @@ -138,6 +138,7 @@ int load_565rle_image( char *file_name ); #ifdef HAVE_SELINUX #ifdef HAVE_SELINUX extern struct selabel_handle *sehandle; extern struct selabel_handle *sehandle; extern int selinux_reload_policy(void); #endif #endif #endif /* _INIT_INIT_H */ #endif /* _INIT_INIT_H */ init/property_service.c +6 −0 Original line number Original line Diff line number Diff line Loading 
@@ -88,6 +88,7 @@ struct { { "persist.service.", AID_SYSTEM, 0 }, { "persist.service.", AID_SYSTEM, 0 }, { "persist.security.", AID_SYSTEM, 0 }, { "persist.security.", AID_SYSTEM, 0 }, { "persist.service.bdroid.", AID_BLUETOOTH, 0 }, { "persist.service.bdroid.", AID_BLUETOOTH, 0 }, { "selinux." , AID_SYSTEM, 0 }, { NULL, 0, 0 } { NULL, 0, 0 } }; }; Loading Loading @@ -336,6 +337,11 @@ int property_set(const char *name, const char *value) * to prevent them from being overwritten by default values. * to prevent them from being overwritten by default values. */ */ write_persistent_property(name, value); write_persistent_property(name, value); #ifdef HAVE_SELINUX } else if (strcmp("selinux.reload_policy", name) == 0 && strcmp("1", value) == 0) { selinux_reload_policy(); #endif } } property_changed(name, value); property_changed(name, value); return 0; return 0; Loading rootdir/init.rc +4 −0 Original line number Original line Diff line number Diff line Loading @@ -359,6 +359,10 @@ service ueventd /sbin/ueventd critical critical seclabel u:r:ueventd:s0 seclabel u:r:ueventd:s0 on property:selinux.reload_policy=1 restart ueventd restart installd service console /system/bin/sh service console /system/bin/sh class core class core console console Loading Loading
init/devices.c +5 −6 @@ -33,6 +33,7 @@ #ifdef HAVE_SELINUX #ifdef HAVE_SELINUX #include <selinux/selinux.h> #include <selinux/selinux.h> #include <selinux/label.h> #include <selinux/label.h> #include <selinux/android.h> #endif #endif #include <private/android_filesystem_config.h> #include <private/android_filesystem_config.h> @@ -879,12 +880,10 @@ void device_init(void) struct stat info; struct stat info; int fd; int fd; #ifdef HAVE_SELINUX #ifdef HAVE_SELINUX struct selinux_opt seopts[] = { sehandle = NULL; { SELABEL_OPT_PATH, "/file_contexts" } if (is_selinux_enabled() > 0) { }; sehandle = selinux_android_file_context_handle(); } if (is_selinux_enabled() > 0) sehandle = selabel_open(SELABEL_CTX_FILE, seopts, 1); #endif #endif /* is 64K enough? udev uses 16MB! */ /* is 64K enough? udev uses 16MB! */ device_fd = uevent_open_socket(64*1024, true); device_fd = uevent_open_socket(64*1024, true);
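Review bot: The result of `selinux_android_file_context_handle()` in device_init is stored in `sehandle` without a NULL check, so when SELinux is enabled but the file-contexts handle cannot be opened, nothing in this hunk reports it before device handling continues. The same applies to `selinux_init_all_handles()` in init/init.c, where the removed loader used to log "Could not load file_contexts" on that path. Assuming the ERROR macro is available in this file, I would add `if (!sehandle) ERROR("SELinux: could not open file_contexts handle\n");` right after the assignment. device_init's body continues outside the hunk, so how a NULL handle is treated later is not visible here.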
init/init.c +26 −85 @@ -33,9 +33,9 @@ #include <sys/un.h> #include <sys/un.h> #ifdef HAVE_SELINUX #ifdef HAVE_SELINUX #include <sys/mman.h> #include <selinux/selinux.h> #include <selinux/selinux.h> #include <selinux/label.h> #include <selinux/label.h> #include <selinux/android.h> #endif #endif #include <libgen.h> #include <libgen.h> @@ -78,7 +78,6 @@ static char qemu[32]; #ifdef HAVE_SELINUX #ifdef HAVE_SELINUX static int selinux_enabled = 1; static int selinux_enabled = 1; static int selinux_enforcing = 0; #endif #endif static struct action *cur_action = NULL; static struct action *cur_action = NULL; @@ -605,9 +604,7 @@ static void import_kernel_nv(char *name, int for_emulator) if (name_len == 0) return; if (name_len == 0) return; #ifdef HAVE_SELINUX #ifdef HAVE_SELINUX if (!strcmp(name,"enforcing")) { if (!strcmp(name,"selinux")) { selinux_enforcing = atoi(value); } else if (!strcmp(name,"selinux")) { selinux_enabled = atoi(value); selinux_enabled = atoi(value); } } #endif #endif
@@ -759,93 +756,28 @@ static int bootchart_init_action(int nargs, char **args) #endif #endif #ifdef HAVE_SELINUX #ifdef HAVE_SELINUX void selinux_load_policy(void) void selinux_init_all_handles(void) { { const char path_prefix[] = "/sepolicy"; sehandle = selinux_android_file_context_handle(); struct selinux_opt seopts[] = { { SELABEL_OPT_PATH, "/file_contexts" } }; char path[PATH_MAX]; int fd, rc, vers; struct stat sb; void *map; sehandle = NULL; if (!selinux_enabled) { INFO("SELinux: Disabled by command line option\n"); return; } mkdir(SELINUXMNT, 0755); if (mount("selinuxfs", SELINUXMNT, "selinuxfs", 0, NULL)) { if (errno == ENODEV) { /* SELinux not enabled in kernel */ return; } ERROR("SELinux: Could not mount selinuxfs: %s\n", strerror(errno)); return; } } set_selinuxmnt(SELINUXMNT); vers = security_policyvers(); int selinux_reload_policy(void) if (vers <= 0) { { ERROR("SELinux: Unable to read policy version\n"); if (!selinux_enabled) { return; return -1; } INFO("SELinux: Maximum supported policy version: %d\n", vers); snprintf(path, sizeof(path), "%s.%d", path_prefix, vers); fd = open(path, O_RDONLY); while (fd < 0 && errno == ENOENT && --vers) { snprintf(path, sizeof(path), "%s.%d", path_prefix, vers); fd = open(path, O_RDONLY); } if (fd < 0) { ERROR("SELinux: Could not open %s: %s\n", path, strerror(errno)); return; } if (fstat(fd, &sb) < 0) { ERROR("SELinux: Could not stat %s: %s\n", path, strerror(errno)); return; } map = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0); if (map == MAP_FAILED) { ERROR("SELinux: Could not map %s: %s\n", path, strerror(errno)); return; } } rc = security_load_policy(map, sb.st_size); INFO("SELinux: Attempting to reload policy files\n"); if (rc < 0) { ERROR("SELinux: Could not load policy: %s\n", strerror(errno)); return; } rc = security_setenforce(selinux_enforcing); if (selinux_android_reload_policy() == -1) { if (rc < 0) { return -1; ERROR("SELinux: Could not set enforcing mode to %s: %s\n", selinux_enforcing ? 
"enforcing" : "permissive", strerror(errno)); return; } } munmap(map, sb.st_size); if (sehandle) close(fd); selabel_close(sehandle); INFO("SELinux: Loaded policy from %s\n", path); sehandle = selabel_open(SELABEL_CTX_FILE, seopts, 1); selinux_init_all_handles(); if (!sehandle) { return 0; ERROR("SELinux: Could not load file_contexts: %s\n", strerror(errno)); return; } INFO("SELinux: Loaded file contexts from %s\n", seopts[0].value); return; } } #endif #endif Loading Loading @@ -904,8 +836,17 @@ int main(int argc, char **argv) #ifdef HAVE_SELINUX #ifdef HAVE_SELINUX INFO("loading selinux policy\n"); INFO("loading selinux policy\n"); selinux_load_policy(); if (selinux_enabled) { /* These directories were necessarily created before policy load if (selinux_android_load_policy() < 0) { selinux_enabled = 0; INFO("SELinux: Disabled due to failed policy load\n"); } else { selinux_init_all_handles(); } } else { INFO("SELinux: Disabled by command line option\n"); } /* These directories were necessarily created before initial policy load * and therefore need their security context restored to the proper value. * and therefore need their security context restored to the proper value. * This must happen before /dev is populated by ueventd. * This must happen before /dev is populated by ueventd. */ */ Loading
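Review bot: In main, a failed `selinux_android_load_policy()` clears `selinux_enabled` and boot continues with only an INFO-level message, so a missing or unreadable policy leaves the device running without a loaded policy and the only trace is a low-priority log line. The removed loader reported its failures with ERROR; I would keep that level here, `ERROR("SELinux: Disabled due to failed policy load\n");`, and decide explicitly whether continuing to boot is the intended behaviour on production builds. Separately, the `enforcing` command-line option and the `security_setenforce()` call are removed, so the enforcing mode is presumably now chosen inside libselinux; a short comment above the load call saying where that mode comes from would help the next reader. main's body starts and ends outside the hunk.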
init/init.h +1 −0 @@ -138,6 +138,7 @@ int load_565rle_image( char *file_name ); #ifdef HAVE_SELINUX #ifdef HAVE_SELINUX extern struct selabel_handle *sehandle; extern struct selabel_handle *sehandle; extern int selinux_reload_policy(void); #endif #endif #endif /* _INIT_INIT_H */ #endif /* _INIT_INIT_H */
init/property_service.c +6 −0 @@ -88,6 +88,7 @@ struct { { "persist.service.", AID_SYSTEM, 0 }, { "persist.service.", AID_SYSTEM, 0 }, { "persist.security.", AID_SYSTEM, 0 }, { "persist.security.", AID_SYSTEM, 0 }, { "persist.service.bdroid.", AID_BLUETOOTH, 0 }, { "persist.service.bdroid.", AID_BLUETOOTH, 0 }, { "selinux." , AID_SYSTEM, 0 }, { NULL, 0, 0 } { NULL, 0, 0 } }; }; @@ -336,6 +337,11 @@ int property_set(const char *name, const char *value) * to prevent them from being overwritten by default values. * to prevent them from being overwritten by default values. */ */ write_persistent_property(name, value); write_persistent_property(name, value); #ifdef HAVE_SELINUX } else if (strcmp("selinux.reload_policy", name) == 0 && strcmp("1", value) == 0) { selinux_reload_policy(); #endif } } property_changed(name, value); property_changed(name, value); return 0; return 0;
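Review bot: The new branch in property_set discards the return value of `selinux_reload_policy()`, which returns -1 when SELinux is disabled or the reload fails, and execution still reaches `property_changed(name, value)`. The `on property:selinux.reload_policy=1` trigger added in rootdir/init.rc would therefore restart ueventd and installd even though no new policy was loaded. I would at least log the failure, `if (selinux_reload_policy() < 0) ERROR("SELinux: policy reload failed\n");`. Also, judging by the neighbouring entries, `{ "selinux." , AID_SYSTEM, 0 }` looks like a prefix match, so it opens the whole `selinux.` namespace to AID_SYSTEM rather than this one property; a comment above it stating that setting `selinux.reload_policy` makes init reload policy would make that privilege visible. property_set's body starts outside the hunk.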
rootdir/init.rc +4 −0 @@ -359,6 +359,10 @@ service ueventd /sbin/ueventd critical critical seclabel u:r:ueventd:s0 seclabel u:r:ueventd:s0 on property:selinux.reload_policy=1 restart ueventd restart installd service console /system/bin/sh service console /system/bin/sh class core class core console console