Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ebe015d7 authored by Santiago Seifert's avatar Santiago Seifert Committed by Automerger Merge Worker
Browse files

Merge "Revert "Add /system_ext/etc/selinux/ to the debug policy search ...""... 

Merge "Revert "Add /system_ext/etc/selinux/ to the debug policy search ..."" am: 2b324f56 am: f60946a2 am: e67f2961

Original change: https://android-review.googlesource.com/c/platform/system/core/+/1834618

Change-Id: Ia8e73a2889156c0004fa9edda6ff22344d08e948
parents a477e2bf e67f2961

init/Android.bp

+1 −22
Original line number Original line Diff line number Diff line
@@ -89,19 +89,7 @@ init_host_sources = [ 
    "host_init_verifier.cpp",

    "host_init_verifier.cpp",

]

]





soong_config_module_type {

cc_defaults {

    name: "libinit_cc_defaults",

    module_type: "cc_defaults",

    config_namespace: "ANDROID",

    bool_variables: [

        "PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT",

    ],

    properties: [

        "cflags",

    ],

}



libinit_cc_defaults {

    name: "init_defaults",

    name: "init_defaults",

    sanitize: {

    sanitize: {

        misc_undefined: ["signed-integer-overflow"],

        misc_undefined: ["signed-integer-overflow"],
@@ -121,7 +109,6 @@ libinit_cc_defaults { 
        "-DDUMP_ON_UMOUNT_FAILURE=0",

        "-DDUMP_ON_UMOUNT_FAILURE=0",

        "-DSHUTDOWN_ZERO_TIMEOUT=0",

        "-DSHUTDOWN_ZERO_TIMEOUT=0",

        "-DINIT_FULL_SOURCES",

        "-DINIT_FULL_SOURCES",

        "-DINSTALL_DEBUG_POLICY_TO_SYSTEM_EXT=0",

    ],

    ],

    product_variables: {

    product_variables: {

        debuggable: {

        debuggable: {
@@ -150,14 +137,6 @@ libinit_cc_defaults { 
            cppflags: ["-DUSER_MODE_LINUX"],

            cppflags: ["-DUSER_MODE_LINUX"],

        },

        },

    },

    },

    soong_config_variables: {

        PRODUCT_INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT: {

            cflags: [

                "-UINSTALL_DEBUG_POLICY_TO_SYSTEM_EXT",

                "-DINSTALL_DEBUG_POLICY_TO_SYSTEM_EXT=1",

            ],

        },

    },

    static_libs: [

    static_libs: [

        "libavb",

        "libavb",

        "libc++fs",

        "libc++fs",

init/first_stage_init.cpp

+6 −13
Original line number Original line Diff line number Diff line
@@ -330,22 +330,15 @@ int FirstStageMain(int argc, char** argv) { 
    // If "/force_debuggable" is present, the second-stage init will use a userdebug

    // If "/force_debuggable" is present, the second-stage init will use a userdebug

    // sepolicy and load adb_debug.prop to allow adb root, if the device is unlocked.

    // sepolicy and load adb_debug.prop to allow adb root, if the device is unlocked.

    if (access("/force_debuggable", F_OK) == 0) {

    if (access("/force_debuggable", F_OK) == 0) {

        constexpr const char adb_debug_prop_src[] = "/adb_debug.prop";

        constexpr const char userdebug_plat_sepolicy_cil_src[] = "/userdebug_plat_sepolicy.cil";

        std::error_code ec;  // to invoke the overloaded copy_file() that won't throw.

        std::error_code ec;  // to invoke the overloaded copy_file() that won't throw.

        if (access(adb_debug_prop_src, F_OK) == 0 &&

        if (!fs::copy_file("/adb_debug.prop", kDebugRamdiskProp, ec) ||

            !fs::copy_file(adb_debug_prop_src, kDebugRamdiskProp, ec)) {

            !fs::copy_file("/userdebug_plat_sepolicy.cil", kDebugRamdiskSEPolicy, ec)) {

            LOG(WARNING) << "Can't copy " << adb_debug_prop_src << " to " << kDebugRamdiskProp

            LOG(ERROR) << "Failed to setup debug ramdisk";

                         << ": " << ec.message();

        } else {

        }

        if (access(userdebug_plat_sepolicy_cil_src, F_OK) == 0 &&

            !fs::copy_file(userdebug_plat_sepolicy_cil_src, kDebugRamdiskSEPolicy, ec)) {

            LOG(WARNING) << "Can't copy " << userdebug_plat_sepolicy_cil_src << " to "

                         << kDebugRamdiskSEPolicy << ": " << ec.message();

        }

            // setenv for second-stage init to read above kDebugRamdisk* files.

            // setenv for second-stage init to read above kDebugRamdisk* files.

            setenv("INIT_FORCE_DEBUGGABLE", "true", 1);

            setenv("INIT_FORCE_DEBUGGABLE", "true", 1);

        }

        }

    }





    if (ForceNormalBoot(cmdline, bootconfig)) {

    if (ForceNormalBoot(cmdline, bootconfig)) {

        mkdir("/first_stage_ramdisk", 0755);

        mkdir("/first_stage_ramdisk", 0755);

init/selinux.cpp

+7 −23
Original line number Original line Diff line number Diff line
@@ -295,25 +295,6 @@ bool IsSplitPolicyDevice() { 
    return access(plat_policy_cil_file, R_OK) != -1;

    return access(plat_policy_cil_file, R_OK) != -1;

}

}





std::optional<const char*> GetUserdebugPlatformPolicyFile() {

    // See if we need to load userdebug_plat_sepolicy.cil instead of plat_sepolicy.cil.

    const char* force_debuggable_env = getenv("INIT_FORCE_DEBUGGABLE");

    if (force_debuggable_env && "true"s == force_debuggable_env && AvbHandle::IsDeviceUnlocked()) {

        const std::vector<const char*> debug_policy_candidates = {

#if INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT == 1

            "/system_ext/etc/selinux/userdebug_plat_sepolicy.cil",

#endif

            kDebugRamdiskSEPolicy,

        };

        for (const char* debug_policy : debug_policy_candidates) {

            if (access(debug_policy, F_OK) == 0) {

                return debug_policy;

            }

        }

    }

    return std::nullopt;

}



struct PolicyFile {

struct PolicyFile {

    unique_fd fd;

    unique_fd fd;

    std::string path;

    std::string path;
@@ -329,10 +310,13 @@ bool OpenSplitPolicy(PolicyFile* policy_file) { 
    // secilc is invoked to compile the above three policy files into a single monolithic policy

    // secilc is invoked to compile the above three policy files into a single monolithic policy

    // file. This file is then loaded into the kernel.

    // file. This file is then loaded into the kernel.





    const auto userdebug_plat_sepolicy = GetUserdebugPlatformPolicyFile();

    // See if we need to load userdebug_plat_sepolicy.cil instead of plat_sepolicy.cil.

    const bool use_userdebug_policy = userdebug_plat_sepolicy.has_value();

    const char* force_debuggable_env = getenv("INIT_FORCE_DEBUGGABLE");

    bool use_userdebug_policy =

            ((force_debuggable_env && "true"s == force_debuggable_env) &&

             AvbHandle::IsDeviceUnlocked() && access(kDebugRamdiskSEPolicy, F_OK) == 0);

    if (use_userdebug_policy) {

    if (use_userdebug_policy) {

        LOG(INFO) << "Using userdebug system sepolicy " << *userdebug_plat_sepolicy;

        LOG(WARNING) << "Using userdebug system sepolicy";

    }

    }





    // Load precompiled policy from vendor image, if a matching policy is found there. The policy

    // Load precompiled policy from vendor image, if a matching policy is found there. The policy
@@ -429,7 +413,7 @@ bool OpenSplitPolicy(PolicyFile* policy_file) { 
    // clang-format off

    // clang-format off

    std::vector<const char*> compile_args {

    std::vector<const char*> compile_args {

        "/system/bin/secilc",

        "/system/bin/secilc",

        use_userdebug_policy ? *userdebug_plat_sepolicy : plat_policy_cil_file,

        use_userdebug_policy ? kDebugRamdiskSEPolicy: plat_policy_cil_file,

        "-m", "-M", "true", "-G", "-N",

        "-m", "-M", "true", "-G", "-N",

        "-c", version_as_string.c_str(),

        "-c", version_as_string.c_str(),

        plat_mapping_file.c_str(),

        plat_mapping_file.c_str(),