Merge "init selinux.cpp: use a better way to detect if we run in Microdroid"

    visibility: [":__subpackages__"],

}

cc_library_static {

    name: "libinit",

cc_defaults {

    name: "libinit_defaults",

    recovery_available: true,

    defaults: [

        "init_defaults",

            ],

        },

    },

    visibility: [

        "//system/apex/apexd",

        "//frameworks/native/cmds/installd",

    ],

}

cc_library_static {

    name: "libinit",

    defaults: ["libinit_defaults"],

}

cc_library_static {

    name: "libinit.microdroid",

    defaults: ["libinit_defaults"],

    cflags: ["-DMICRODROID=1"],

}

phony {

    recovery_available: true,

    stem: "init",

    defaults: ["init_defaults"],

    static_libs: ["libinit"],

    srcs: ["main.cpp"],

    symlinks: ["ueventd"],

    target: {

cc_binary {

    name: "init_second_stage",

    defaults: ["init_second_stage_defaults"],

    static_libs: ["libinit"],

}

cc_binary {

    name: "init_second_stage.microdroid",

    defaults: ["init_second_stage_defaults"],

    cflags: ["-DMICRODROID"],

    static_libs: ["libinit.microdroid"],

    cflags: ["-DMICRODROID=1"],

    installable: false,

    visibility: ["//packages/modules/Virtualization/microdroid"],

}

cc_binary {

    name: "init_first_stage.microdroid",

    defaults: ["init_first_stage_defaults"],

    cflags: ["-DMICRODROID"],

    cflags: ["-DMICRODROID=1"],

    installable: false,

}

}

cc_defaults {

    name: "libinit_defaults",

    name: "libinit_fuzzer_defaults",

    static_libs: [

        "libc++fs",

        "liblmkd_utils",

    ],

    shared_libs: ["libhidlmetadata",],

    defaults: [

        "libinit_defaults",

        "libinit_fuzzer_defaults",

    ],

}

    srcs: [

        "init_property_fuzzer.cpp",

    ],

    defaults: ["libinit_defaults"],

    defaults: ["libinit_fuzzer_defaults"],

}

cc_fuzz {

        "init_ueventHandler_fuzzer.cpp",

    ],

    defaults: [

        "libinit_defaults",

        "libinit_fuzzer_defaults",

    ],

}

}

constexpr const char plat_policy_cil_file[] = "/system/etc/selinux/plat_sepolicy.cil";

constexpr const char kMicrodroidPrecompiledSepolicy[] =

        "/system/etc/selinux/microdroid_precompiled_sepolicy";

bool IsSplitPolicyDevice() {

    return access(plat_policy_cil_file, R_OK) != -1;

bool OpenMonolithicPolicy(PolicyFile* policy_file) {

    static constexpr char kSepolicyFile[] = "/sepolicy";

    // In Microdroid the precompiled sepolicy is located on /system, since there is no vendor code.

    // TODO(b/287206497): refactor once we start conditionally compiling init for Microdroid.

    std::string monolithic_policy_file = access(kMicrodroidPrecompiledSepolicy, R_OK) == 0

                                                 ? kMicrodroidPrecompiledSepolicy

                                                 : kSepolicyFile;

    LOG(INFO) << "Opening SELinux policy from monolithic file " << monolithic_policy_file;

    policy_file->fd.reset(open(monolithic_policy_file.c_str(), O_RDONLY | O_CLOEXEC | O_NOFOLLOW));

    LOG(INFO) << "Opening SELinux policy from monolithic file " << kSepolicyFile;

    policy_file->fd.reset(open(kSepolicyFile, O_RDONLY | O_CLOEXEC | O_NOFOLLOW));

    if (policy_file->fd < 0) {

        PLOG(ERROR) << "Failed to open monolithic SELinux policy";

        return false;

    }

    policy_file->path = monolithic_policy_file;

    policy_file->path = kSepolicyFile;

    return true;

}

}

int SelinuxGetVendorAndroidVersion() {

    if (IsMicrodroid()) {

        // As of now Microdroid doesn't have any vendor code.

        return __ANDROID_API_FUTURE__;

    }

    static int vendor_android_version = [] {

        if (!IsSplitPolicyDevice()) {

            // If this device does not split sepolicy files, it's not a Treble device and therefore,

    }

}

// Encapsulates steps to load SELinux policy in Microdroid.

// So far the process is very straightforward - just load the precompiled policy from /system.

void LoadSelinuxPolicyMicrodroid() {

    constexpr const char kMicrodroidPrecompiledSepolicy[] =

            "/system/etc/selinux/microdroid_precompiled_sepolicy";

    LOG(INFO) << "Opening SELinux policy from " << kMicrodroidPrecompiledSepolicy;

    unique_fd policy_fd(open(kMicrodroidPrecompiledSepolicy, O_RDONLY | O_CLOEXEC | O_NOFOLLOW));

    if (policy_fd < 0) {

        PLOG(FATAL) << "Failed to open " << kMicrodroidPrecompiledSepolicy;

    }

    std::string policy;

    if (!android::base::ReadFdToString(policy_fd, &policy)) {

        PLOG(FATAL) << "Failed to read policy file: " << kMicrodroidPrecompiledSepolicy;

    }

    LoadSelinuxPolicy(policy);

}

// The SELinux setup process is carefully orchestrated around snapuserd. Policy

// must be loaded off dynamic partitions, and during an OTA, those partitions

// cannot be read without snapuserd. But, with kernel-privileged snapuserd

//  (5) Re-launch snapuserd and attach it to the dm-user devices from step (2).

//

// After this sequence, it is safe to enable enforcing mode and continue booting.

int SetupSelinux(char** argv) {

    SetStdioToDevNull(argv);

    InitKernelLogging(argv);

    if (REBOOT_BOOTLOADER_ON_PANIC) {

        InstallRebootSignalHandlers();

    }

    boot_clock::time_point start_time = boot_clock::now();

void LoadSelinuxPolicyAndroid() {

    MountMissingSystemPartitions();

    SelinuxSetupKernelLogging();

    LOG(INFO) << "Opening SELinux policy";

    PrepareApexSepolicy();

    auto snapuserd_helper = SnapuserdSelinuxHelper::CreateIfNeeded();

    if (snapuserd_helper) {

        // Kill the old snapused to avoid audit messages. After this we cannot

        // read from /system (or other dynamic partitions) until we call

        // FinishTransition().

        // Kill the old snapused to avoid audit messages. After this we cannot read from /system

        // (or other dynamic partitions) until we call FinishTransition().

        snapuserd_helper->StartTransition();

    }

    if (selinux_android_restorecon("/dev/selinux/", SELINUX_ANDROID_RESTORECON_RECURSE) == -1) {

        PLOG(FATAL) << "restorecon failed of /dev/selinux failed";

    }

}

int SetupSelinux(char** argv) {

    SetStdioToDevNull(argv);

    InitKernelLogging(argv);

    if (REBOOT_BOOTLOADER_ON_PANIC) {

        InstallRebootSignalHandlers();

    }

    boot_clock::time_point start_time = boot_clock::now();

    SelinuxSetupKernelLogging();

    // TODO(b/287206497): refactor into different headers to only include what we need.

    if (IsMicrodroid()) {

        LoadSelinuxPolicyMicrodroid();

    } else {

        LoadSelinuxPolicyAndroid();

    }

    SelinuxSetEnforcement();

    is_default_mount_namespace_ready = true;

}

bool IsMicrodroid() {

    static bool is_microdroid = android::base::GetProperty("ro.hardware", "") == "microdroid";

    return is_microdroid;

}

bool Has32BitAbi() {

    static bool has = !android::base::GetProperty("ro.product.cpu.abilist32", "").empty();

    return has;

bool IsDefaultMountNamespaceReady();

void SetDefaultMountNamespaceReady();

bool IsMicrodroid();

inline constexpr bool IsMicrodroid() {

#ifdef MICRODROID

    return MICRODROID;

#else

    return false;

#endif

}

bool Has32BitAbi();

std::string GetApexNameFromFileName(const std::string& path);