
Commit 724eda55 authored by Jeff Vander Stoep

selinux: use the policy version defined in sepolicy

In the current setup, init uses the highest policy version supported
by the kernel, instead of the policy version defined in policy. This
results in inconsistency between precompiled (version 30) and
on-device compiled policy (version 30 or 31). Make these consistent.

Bug: 124499219
Test: build and boot a device. Try both precompiled and on-device
compiled policy.

Change-Id: I0ce181916f43db17244c4d80f5cf5a91bbb58d3a
parent cd67fa9c
+1 −1
@@ -91,7 +91,7 @@ cc_defaults {
cc_library_static {
    name: "libinit",
    recovery_available: true,
    defaults: ["init_defaults"],
    defaults: ["init_defaults", "selinux_policy_version"],
    srcs: [
        "action.cpp",
        "action_manager.cpp",
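Review bot: Nothing on the changed `defaults:` line records that the `selinux_policy_version` default and the Android.mk change in this same commit must agree; the Soong build presumably gets SEPOLICY_VERSION from that default while the Make build derives it from `$(POLICYVERS)` in policy_version.mk, so a drift between the two would silently produce init binaries that compile policy to different versions. A one-line comment next to the default, `// keep in sync with -DSEPOLICY_VERSION in Android.mk`, would make the coupling visible to the next editor. The enclosing `cc_library_static` block continues outside the hunk.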
+4 −1
@@ -2,6 +2,8 @@

LOCAL_PATH:= $(call my-dir)

include system/sepolicy/policy_version.mk

# --

ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
@@ -28,7 +30,8 @@ init_options += \
    -DSHUTDOWN_ZERO_TIMEOUT=0
endif

init_options += -DLOG_UEVENTS=0
init_options += -DLOG_UEVENTS=0 \
    -DSEPOLICY_VERSION=$(POLICYVERS)

init_cflags += \
    $(init_options) \
+1 −10
@@ -299,14 +299,6 @@ bool LoadSplitPolicy() {

    LOG(INFO) << "Compiling SELinux policy";

    // Determine the highest policy language version supported by the kernel
    set_selinuxmnt("/sys/fs/selinux");
    int max_policy_version = security_policyvers();
    if (max_policy_version == -1) {
        PLOG(ERROR) << "Failed to determine highest policy version supported by kernel";
        return false;
    }

    // We store the output of the compilation on /dev because this is the most convenient tmpfs
    // storage mount available this early in the boot sequence.
    char compiled_sepolicy[] = "/dev/sepolicy.XXXXXX";
@@ -353,14 +345,13 @@ bool LoadSplitPolicy() {
    if (access(odm_policy_cil_file.c_str(), F_OK) == -1) {
        odm_policy_cil_file.clear();
    }
    const std::string version_as_string = std::to_string(max_policy_version);
    const std::string version_as_string = std::to_string(SEPOLICY_VERSION);

    // clang-format off
    std::vector<const char*> compile_args {
        "/system/bin/secilc",
        plat_policy_cil_file,
        "-m", "-M", "true", "-G", "-N",
        // Target the highest policy language version supported by the kernel
        "-c", version_as_string.c_str(),
        plat_mapping_file.c_str(),
        "-o", compiled_sepolicy,
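Review bot: Dropping the `security_policyvers()` probe and its error path removes the only runtime check that the running kernel can accept the version now handed to secilc, so a build whose SEPOLICY_VERSION is newer than the kernel would presumably fail later at policy load rather than with a clear message here. Keeping the probe as a guard preserves that diagnostic without changing the chosen version: `if (security_policyvers() < SEPOLICY_VERSION) { LOG(ERROR) << "Kernel does not support policy version " << SEPOLICY_VERSION; return false; }`. Since `set_selinuxmnt("/sys/fs/selinux")` is removed along with it, it is worth confirming that no later libselinux call in LoadSplitPolicy, whose body starts and continues outside these hunks, still relies on the mount point having been set. If the comment above the `-c` argument survives on the new side it is now stale and should read `// Target the policy language version fixed at build time (SEPOLICY_VERSION)`.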