Loading init/Android.bp +2 −0 Original line number Diff line number Diff line Loading @@ -70,6 +70,8 @@ cc_library_static { "log.cpp", "parser.cpp", "property_service.cpp", "security.cpp", "selinux.cpp", "service.cpp", "tokenizer.cpp", "uevent_listener.cpp", Loading init/builtins.cpp +12 −25 Original line number Diff line number Diff line Loading @@ -225,24 +225,23 @@ static int do_insmod(const std::vector<std::string>& args) { return insmod(filename.c_str(), options.c_str(), flags); } // mkdir <path> [mode] [owner] [group] static int do_mkdir(const std::vector<std::string>& args) { mode_t mode = 0755; int ret; /* mkdir <path> [mode] [owner] [group] */ if (args.size() >= 3) { mode = std::strtoul(args[2].c_str(), 0, 8); } ret = make_dir(args[1].c_str(), mode, sehandle); if (!make_dir(args[1], mode)) { /* chmod in case the directory already exists */ if (ret == -1 && errno == EEXIST) { ret = fchmodat(AT_FDCWD, args[1].c_str(), mode, AT_SYMLINK_NOFOLLOW); if (errno == EEXIST) { if (fchmodat(AT_FDCWD, args[1].c_str(), mode, AT_SYMLINK_NOFOLLOW) == -1) { return -errno; } if (ret == -1) { } else { return -errno; } } if (args.size() >= 4) { uid_t uid; Loading @@ -266,8 +265,7 @@ static int do_mkdir(const std::vector<std::string>& args) { /* chown may have cleared S_ISUID and S_ISGID, chmod again */ if (mode & (S_ISUID | S_ISGID)) { ret = fchmodat(AT_FDCWD, args[1].c_str(), mode, AT_SYMLINK_NOFOLLOW); if (ret == -1) { if (fchmodat(AT_FDCWD, args[1].c_str(), mode, AT_SYMLINK_NOFOLLOW) == -1) { return -errno; } } Loading Loading @@ -895,17 +893,6 @@ static int do_wait_for_prop(const std::vector<std::string>& args) { return 0; } /* * Callback to make a directory from the ext4 code */ static int do_installkeys_ensure_dir_exists(const char* dir) { if (make_dir(dir, 0700, sehandle) && errno != EEXIST) { return -1; } return 0; } static bool is_file_crypto() { return android::base::GetProperty("ro.crypto.type", "") == "file"; } Loading 
@@ -915,7 +902,7 @@ static int do_installkey(const std::vector<std::string>& args) { return 0; } auto unencrypted_dir = args[1] + e4crypt_unencrypted_folder; if (do_installkeys_ensure_dir_exists(unencrypted_dir.c_str())) { if (!make_dir(unencrypted_dir, 0700) && errno != EEXIST) { PLOG(ERROR) << "Failed to create " << unencrypted_dir; return -1; } Loading init/descriptors.cpp +1 −2 Original line number Diff line number Diff line Loading @@ -86,8 +86,7 @@ int SocketInfo::Create(const std::string& context) const { int flags = ((types[0] == "stream" ? SOCK_STREAM : (types[0] == "dgram" ? SOCK_DGRAM : SOCK_SEQPACKET))); bool passcred = types.size() > 1 && types[1] == "passcred"; return CreateSocket(name().c_str(), flags, passcred, perm(), uid(), gid(), context.c_str(), sehandle); return CreateSocket(name().c_str(), flags, passcred, perm(), uid(), gid(), context.c_str()); } const std::string SocketInfo::key() const { Loading init/devices.cpp +14 −20 Original line number Diff line number Diff line Loading @@ -30,6 +30,7 @@ #include <selinux/android.h> #include <selinux/selinux.h> #include "selinux.h" #include "ueventd.h" #include "util.h" Loading Loading @@ -224,18 +225,13 @@ void DeviceHandler::MakeDevice(const std::string& path, bool block, int major, i auto[mode, uid, gid] = GetDevicePermissions(path, links); mode |= (block ? S_IFBLK : S_IFCHR); char* secontext = nullptr; if (sehandle_) { std::vector<const char*> c_links; for (const auto& link : links) { c_links.emplace_back(link.c_str()); } c_links.emplace_back(nullptr); if (selabel_lookup_best_match(sehandle_, &secontext, path.c_str(), &c_links[0], mode)) { std::string secontext; if (!SelabelLookupFileContextBestMatch(path, links, mode, &secontext)) { PLOG(ERROR) << "Device '" << path << "' not created; cannot find SELinux label"; return; } setfscreatecon(secontext); if (!secontext.empty()) { setfscreatecon(secontext.c_str()); } dev_t dev = makedev(major, minor); Loading 
@@ -250,7 +246,7 @@ void DeviceHandler::MakeDevice(const std::string& path, bool block, int major, i } /* If the node already exists update its SELinux label to handle cases when * it was created with the wrong context during coldboot procedure. */ if (mknod(path.c_str(), mode, dev) && (errno == EEXIST) && secontext) { if (mknod(path.c_str(), mode, dev) && (errno == EEXIST) && !secontext.empty()) { char* fcon = nullptr; int rc = lgetfilecon(path.c_str(), &fcon); if (rc < 0) { Loading @@ -258,10 +254,10 @@ void DeviceHandler::MakeDevice(const std::string& path, bool block, int major, i goto out; } bool different = strcmp(fcon, secontext) != 0; bool different = fcon != secontext; freecon(fcon); if (different && lsetfilecon(path.c_str(), secontext)) { if (different && lsetfilecon(path.c_str(), secontext.c_str())) { PLOG(ERROR) << "Cannot set '" << secontext << "' SELinux label on '" << path << "' device"; } Loading @@ -273,8 +269,7 @@ out: PLOG(FATAL) << "setegid(AID_ROOT) failed"; } if (secontext) { freecon(secontext); if (!secontext.empty()) { setfscreatecon(nullptr); } } Loading Loading @@ -351,7 +346,7 @@ void DeviceHandler::HandleDevice(const std::string& action, const std::string& d if (action == "add") { MakeDevice(devpath, block, major, minor, links); for (const auto& link : links) { if (mkdir_recursive(Dirname(link), 0755, sehandle_)) { if (!mkdir_recursive(Dirname(link), 0755)) { PLOG(ERROR) << "Failed to create directory " << Dirname(link); } Loading Loading @@ -415,7 +410,7 @@ void DeviceHandler::HandleDeviceEvent(const Uevent& uevent) { devpath = "/dev/" + Basename(uevent.path); } mkdir_recursive(Dirname(devpath), 0755, sehandle_); mkdir_recursive(Dirname(devpath), 0755); HandleDevice(uevent.action, devpath, block, uevent.major, uevent.minor, links); } Loading 
@@ -426,7 +421,6 @@ DeviceHandler::DeviceHandler(std::vector<Permissions> dev_permissions, : dev_permissions_(std::move(dev_permissions)), sysfs_permissions_(std::move(sysfs_permissions)), subsystems_(std::move(subsystems)), sehandle_(selinux_android_file_context_handle()), skip_restorecon_(skip_restorecon), sysfs_mount_point_("/sys") {} Loading init/devices.h +0 −1 Original line number Diff line number Diff line Loading @@ -124,7 +124,6 @@ class DeviceHandler { std::vector<Permissions> dev_permissions_; std::vector<SysfsPermissions> sysfs_permissions_; std::vector<Subsystem> subsystems_; selabel_handle* sehandle_; bool skip_restorecon_; std::string sysfs_mount_point_; }; Loading Loading
init/Android.bp +2 −0 Original line number Diff line number Diff line Loading @@ -70,6 +70,8 @@ cc_library_static { "log.cpp", "parser.cpp", "property_service.cpp", "security.cpp", "selinux.cpp", "service.cpp", "tokenizer.cpp", "uevent_listener.cpp", Loading
init/builtins.cpp +12 −25 Original line number Diff line number Diff line Loading @@ -225,24 +225,23 @@ static int do_insmod(const std::vector<std::string>& args) { return insmod(filename.c_str(), options.c_str(), flags); } // mkdir <path> [mode] [owner] [group] static int do_mkdir(const std::vector<std::string>& args) { mode_t mode = 0755; int ret; /* mkdir <path> [mode] [owner] [group] */ if (args.size() >= 3) { mode = std::strtoul(args[2].c_str(), 0, 8); } ret = make_dir(args[1].c_str(), mode, sehandle); if (!make_dir(args[1], mode)) { /* chmod in case the directory already exists */ if (ret == -1 && errno == EEXIST) { ret = fchmodat(AT_FDCWD, args[1].c_str(), mode, AT_SYMLINK_NOFOLLOW); if (errno == EEXIST) { if (fchmodat(AT_FDCWD, args[1].c_str(), mode, AT_SYMLINK_NOFOLLOW) == -1) { return -errno; } if (ret == -1) { } else { return -errno; } } if (args.size() >= 4) { uid_t uid; Loading @@ -266,8 +265,7 @@ static int do_mkdir(const std::vector<std::string>& args) { /* chown may have cleared S_ISUID and S_ISGID, chmod again */ if (mode & (S_ISUID | S_ISGID)) { ret = fchmodat(AT_FDCWD, args[1].c_str(), mode, AT_SYMLINK_NOFOLLOW); if (ret == -1) { if (fchmodat(AT_FDCWD, args[1].c_str(), mode, AT_SYMLINK_NOFOLLOW) == -1) { return -errno; } } Loading Loading @@ -895,17 +893,6 @@ static int do_wait_for_prop(const std::vector<std::string>& args) { return 0; } /* * Callback to make a directory from the ext4 code */ static int do_installkeys_ensure_dir_exists(const char* dir) { if (make_dir(dir, 0700, sehandle) && errno != EEXIST) { return -1; } return 0; } static bool is_file_crypto() { return android::base::GetProperty("ro.crypto.type", "") == "file"; } Loading 
@@ -915,7 +902,7 @@ static int do_installkey(const std::vector<std::string>& args) { return 0; } auto unencrypted_dir = args[1] + e4crypt_unencrypted_folder; if (do_installkeys_ensure_dir_exists(unencrypted_dir.c_str())) { if (!make_dir(unencrypted_dir, 0700) && errno != EEXIST) { PLOG(ERROR) << "Failed to create " << unencrypted_dir; return -1; } Loading
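Review bot: In do_mkdir the new `if (errno == EEXIST)` branch reads errno after `make_dir()` has already returned false, so it is only correct if make_dir() leaves mkdir()'s errno untouched; the two-argument form presumably does the SELinux label lookup and any creation-context reset internally, and that cleanup could overwrite errno. make_dir() is not shown on this page, so this needs confirming in its definition. If errno is clobbered, an existing directory would make do_mkdir return an error instead of re-applying the mode, and the `errno != EEXIST` test in do_installkey (hunk at -915) depends on the same behaviour. I would state the contract at the call site, e.g. `// make_dir() preserves mkdir()'s errno; the EEXIST handling below relies on it`, and make sure make_dir() saves and restores errno around its cleanup. do_mkdir's body continues outside the hunk.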
init/descriptors.cpp +1 −2 Original line number Diff line number Diff line Loading @@ -86,8 +86,7 @@ int SocketInfo::Create(const std::string& context) const { int flags = ((types[0] == "stream" ? SOCK_STREAM : (types[0] == "dgram" ? SOCK_DGRAM : SOCK_SEQPACKET))); bool passcred = types.size() > 1 && types[1] == "passcred"; return CreateSocket(name().c_str(), flags, passcred, perm(), uid(), gid(), context.c_str(), sehandle); return CreateSocket(name().c_str(), flags, passcred, perm(), uid(), gid(), context.c_str()); } const std::string SocketInfo::key() const { Loading
init/devices.cpp +14 −20 Original line number Diff line number Diff line Loading @@ -30,6 +30,7 @@ #include <selinux/android.h> #include <selinux/selinux.h> #include "selinux.h" #include "ueventd.h" #include "util.h" Loading Loading @@ -224,18 +225,13 @@ void DeviceHandler::MakeDevice(const std::string& path, bool block, int major, i auto[mode, uid, gid] = GetDevicePermissions(path, links); mode |= (block ? S_IFBLK : S_IFCHR); char* secontext = nullptr; if (sehandle_) { std::vector<const char*> c_links; for (const auto& link : links) { c_links.emplace_back(link.c_str()); } c_links.emplace_back(nullptr); if (selabel_lookup_best_match(sehandle_, &secontext, path.c_str(), &c_links[0], mode)) { std::string secontext; if (!SelabelLookupFileContextBestMatch(path, links, mode, &secontext)) { PLOG(ERROR) << "Device '" << path << "' not created; cannot find SELinux label"; return; } setfscreatecon(secontext); if (!secontext.empty()) { setfscreatecon(secontext.c_str()); } dev_t dev = makedev(major, minor); Loading @@ -250,7 +246,7 @@ void DeviceHandler::MakeDevice(const std::string& path, bool block, int major, i } /* If the node already exists update its SELinux label to handle cases when * it was created with the wrong context during coldboot procedure. */ if (mknod(path.c_str(), mode, dev) && (errno == EEXIST) && secontext) { if (mknod(path.c_str(), mode, dev) && (errno == EEXIST) && !secontext.empty()) { char* fcon = nullptr; int rc = lgetfilecon(path.c_str(), &fcon); if (rc < 0) { Loading @@ -258,10 +254,10 @@ void DeviceHandler::MakeDevice(const std::string& path, bool block, int major, i goto out; } bool different = strcmp(fcon, secontext) != 0; bool different = fcon != secontext; freecon(fcon); if (different && lsetfilecon(path.c_str(), secontext)) { if (different && lsetfilecon(path.c_str(), secontext.c_str())) { PLOG(ERROR) << "Cannot set '" << secontext << "' SELinux label on '" << path << "' device"; } Loading 
@@ -273,8 +269,7 @@ out: PLOG(FATAL) << "setegid(AID_ROOT) failed"; } if (secontext) { freecon(secontext); if (!secontext.empty()) { setfscreatecon(nullptr); } } Loading Loading @@ -351,7 +346,7 @@ void DeviceHandler::HandleDevice(const std::string& action, const std::string& d if (action == "add") { MakeDevice(devpath, block, major, minor, links); for (const auto& link : links) { if (mkdir_recursive(Dirname(link), 0755, sehandle_)) { if (!mkdir_recursive(Dirname(link), 0755)) { PLOG(ERROR) << "Failed to create directory " << Dirname(link); } Loading Loading @@ -415,7 +410,7 @@ void DeviceHandler::HandleDeviceEvent(const Uevent& uevent) { devpath = "/dev/" + Basename(uevent.path); } mkdir_recursive(Dirname(devpath), 0755, sehandle_); mkdir_recursive(Dirname(devpath), 0755); HandleDevice(uevent.action, devpath, block, uevent.major, uevent.minor, links); } Loading @@ -426,7 +421,6 @@ DeviceHandler::DeviceHandler(std::vector<Permissions> dev_permissions, : dev_permissions_(std::move(dev_permissions)), sysfs_permissions_(std::move(sysfs_permissions)), subsystems_(std::move(subsystems)), sehandle_(selinux_android_file_context_handle()), skip_restorecon_(skip_restorecon), sysfs_mount_point_("/sys") {} Loading
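Review bot: The return value of `setfscreatecon(secontext.c_str())` in MakeDevice is ignored, so if setting the creation context fails, `mknod()` still creates the device node, presumably with the default label rather than the one just looked up. The EEXIST relabel path further down only covers nodes that already existed, so a freshly created node would keep the wrong label. I would treat this like the lookup failure just above it: `if (!secontext.empty() && setfscreatecon(secontext.c_str()) != 0) { PLOG(ERROR) << "Device '" << path << "' not created; cannot set SELinux creation context"; return; }`. A short comment that an empty `secontext` after a successful lookup means no label is applied would also help; that meaning is inferred from the `!secontext.empty()` guards, since SelabelLookupFileContextBestMatch is not shown on this page. MakeDevice starts and ends outside these hunks.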
init/devices.h +0 −1 Original line number Diff line number Diff line Loading @@ -124,7 +124,6 @@ class DeviceHandler { std::vector<Permissions> dev_permissions_; std::vector<SysfsPermissions> sysfs_permissions_; std::vector<Subsystem> subsystems_; selabel_handle* sehandle_; bool skip_restorecon_; std::string sysfs_mount_point_; }; Loading