Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a477e2bf authored by Yi-Yo Chiang's avatar Yi-Yo Chiang Committed by Automerger Merge Worker
Browse files

Merge "Add /system_ext/etc/selinux/ to the debug policy search path for GSI"... 

Merge "Add /system_ext/etc/selinux/ to the debug policy search path for GSI" am: d7f8cf48 am: 1e27e4b5 am: 4b15636b

Original change: https://android-review.googlesource.com/c/platform/system/core/+/1824634

Change-Id: Ib55a2a7a79c7a2103fb89232e334c2c6dfddf30b
parents f712d8ad 4b15636b

init/Android.bp

+22 −1
Original line number Diff line number Diff line
@@ -89,7 +89,19 @@ init_host_sources = [ 
    "host_init_verifier.cpp",

]



cc_defaults {

soong_config_module_type {

    name: "libinit_cc_defaults",

    module_type: "cc_defaults",

    config_namespace: "ANDROID",

    bool_variables: [

        "PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT",

    ],

    properties: [

        "cflags",

    ],

}



libinit_cc_defaults {

    name: "init_defaults",

    sanitize: {

        misc_undefined: ["signed-integer-overflow"],
@@ -109,6 +121,7 @@ cc_defaults { 
        "-DDUMP_ON_UMOUNT_FAILURE=0",

        "-DSHUTDOWN_ZERO_TIMEOUT=0",

        "-DINIT_FULL_SOURCES",

        "-DINSTALL_DEBUG_POLICY_TO_SYSTEM_EXT=0",

    ],

    product_variables: {

        debuggable: {
@@ -137,6 +150,14 @@ cc_defaults { 
            cppflags: ["-DUSER_MODE_LINUX"],

        },

    },

    soong_config_variables: {

        PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT: {

            cflags: [

                "-UINSTALL_DEBUG_POLICY_TO_SYSTEM_EXT",

                "-DINSTALL_DEBUG_POLICY_TO_SYSTEM_EXT=1",

            ],

        },

    },

    static_libs: [

        "libavb",

        "libc++fs",

init/first_stage_init.cpp

+13 −6
Original line number Diff line number Diff line
@@ -330,15 +330,22 @@ int FirstStageMain(int argc, char** argv) { 
    // If "/force_debuggable" is present, the second-stage init will use a userdebug

    // sepolicy and load adb_debug.prop to allow adb root, if the device is unlocked.

    if (access("/force_debuggable", F_OK) == 0) {

        constexpr const char adb_debug_prop_src[] = "/adb_debug.prop";

        constexpr const char userdebug_plat_sepolicy_cil_src[] = "/userdebug_plat_sepolicy.cil";

        std::error_code ec;  // to invoke the overloaded copy_file() that won't throw.

        if (!fs::copy_file("/adb_debug.prop", kDebugRamdiskProp, ec) ||

            !fs::copy_file("/userdebug_plat_sepolicy.cil", kDebugRamdiskSEPolicy, ec)) {

            LOG(ERROR) << "Failed to setup debug ramdisk";

        } else {

        if (access(adb_debug_prop_src, F_OK) == 0 &&

            !fs::copy_file(adb_debug_prop_src, kDebugRamdiskProp, ec)) {

            LOG(WARNING) << "Can't copy " << adb_debug_prop_src << " to " << kDebugRamdiskProp

                         << ": " << ec.message();

        }

        if (access(userdebug_plat_sepolicy_cil_src, F_OK) == 0 &&

            !fs::copy_file(userdebug_plat_sepolicy_cil_src, kDebugRamdiskSEPolicy, ec)) {

            LOG(WARNING) << "Can't copy " << userdebug_plat_sepolicy_cil_src << " to "

                         << kDebugRamdiskSEPolicy << ": " << ec.message();

        }

        // setenv for second-stage init to read above kDebugRamdisk* files.

        setenv("INIT_FORCE_DEBUGGABLE", "true", 1);

    }

    }



    if (ForceNormalBoot(cmdline, bootconfig)) {

        mkdir("/first_stage_ramdisk", 0755);

init/selinux.cpp

+23 −7
Original line number Diff line number Diff line
@@ -295,6 +295,25 @@ bool IsSplitPolicyDevice() { 
    return access(plat_policy_cil_file, R_OK) != -1;

}



std::optional<const char*> GetUserdebugPlatformPolicyFile() {

    // See if we need to load userdebug_plat_sepolicy.cil instead of plat_sepolicy.cil.

    const char* force_debuggable_env = getenv("INIT_FORCE_DEBUGGABLE");

    if (force_debuggable_env && "true"s == force_debuggable_env && AvbHandle::IsDeviceUnlocked()) {

        const std::vector<const char*> debug_policy_candidates = {

#if INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT == 1

            "/system_ext/etc/selinux/userdebug_plat_sepolicy.cil",

#endif

            kDebugRamdiskSEPolicy,

        };

        for (const char* debug_policy : debug_policy_candidates) {

            if (access(debug_policy, F_OK) == 0) {

                return debug_policy;

            }

        }

    }

    return std::nullopt;

}



struct PolicyFile {

    unique_fd fd;

    std::string path;
@@ -310,13 +329,10 @@ bool OpenSplitPolicy(PolicyFile* policy_file) { 
    // secilc is invoked to compile the above three policy files into a single monolithic policy

    // file. This file is then loaded into the kernel.



    // See if we need to load userdebug_plat_sepolicy.cil instead of plat_sepolicy.cil.

    const char* force_debuggable_env = getenv("INIT_FORCE_DEBUGGABLE");

    bool use_userdebug_policy =

            ((force_debuggable_env && "true"s == force_debuggable_env) &&

             AvbHandle::IsDeviceUnlocked() && access(kDebugRamdiskSEPolicy, F_OK) == 0);

    const auto userdebug_plat_sepolicy = GetUserdebugPlatformPolicyFile();

    const bool use_userdebug_policy = userdebug_plat_sepolicy.has_value();

    if (use_userdebug_policy) {

        LOG(WARNING) << "Using userdebug system sepolicy";

        LOG(INFO) << "Using userdebug system sepolicy " << *userdebug_plat_sepolicy;

    }



    // Load precompiled policy from vendor image, if a matching policy is found there. The policy
@@ -413,7 +429,7 @@ bool OpenSplitPolicy(PolicyFile* policy_file) { 
    // clang-format off

    std::vector<const char*> compile_args {

        "/system/bin/secilc",

        use_userdebug_policy ? kDebugRamdiskSEPolicy: plat_policy_cil_file,

        use_userdebug_policy ? *userdebug_plat_sepolicy : plat_policy_cil_file,

        "-m", "-M", "true", "-G", "-N",

        "-c", version_as_string.c_str(),

        plat_mapping_file.c_str(),