Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 8d276818 authored by Roland Levillain's avatar Roland Levillain
Browse files

Restore security context of `/postinstall/apex` earlier in otapreopt_chroot. 

Invoke `selinux_android_restorecon` on `/postinstall/apex` just after
mounting a tmpfs filesystem in it, so that this directory is correctly
labeled (with type `postinstall_apex_mnt_dir`) and may be manipulated
in following operations (`chmod`, `chown`, etc.) following updated
policies restricted to `postinstall_apex_mnt_dir` (instead of
`tmpfs`).

Test: m otapreopt_chroot
Test: A/B OTA update test (asit/dexoptota/self_full).
Bug: 113373927
Bug: 120796514
Change-Id: I0b243a00e0443e439afda055d3b12aa9eefe0503
parent 50ef7e0d

cmds/installd/otapreopt_chroot.cpp

+15 −4
Original line number Diff line number Diff line
@@ -151,11 +151,26 @@ static int otapreopt_chroot(const int argc, char **arg) { 
    //   chown root root /apex

    //   restorecon /apex

    //

    // except we perform the `restorecon` step just after mounting the tmpfs

    // filesystem in /postinstall/apex, so that this directory is correctly

    // labeled (with type `postinstall_apex_mnt_dir`) and may be manipulated in

    // following operations (`chmod`, `chown`, etc.) following policies

    // restricted to `postinstall_apex_mnt_dir`:

    //

    //   mount tmpfs tmpfs /postinstall/apex nodev noexec nosuid

    //   restorecon /postinstall/apex

    //   chmod 0755 /postinstall/apex

    //   chown root root /postinstall/apex

    //

    if (mount("tmpfs", kPostinstallApexDir, "tmpfs", MS_NODEV | MS_NOEXEC | MS_NOSUID, nullptr)

        != 0) {

        PLOG(ERROR) << "Failed to mount tmpfs in " << kPostinstallApexDir;

        exit(209);

    }

    if (selinux_android_restorecon(kPostinstallApexDir, 0) < 0) {

        PLOG(ERROR) << "Failed to restorecon " << kPostinstallApexDir;

        exit(214);

    }

    if (chmod(kPostinstallApexDir, 0755) != 0) {

        PLOG(ERROR) << "Failed to chmod " << kPostinstallApexDir << " to 0755";

        exit(210);
@@ -164,10 +179,6 @@ static int otapreopt_chroot(const int argc, char **arg) { 
        PLOG(ERROR) << "Failed to chown " << kPostinstallApexDir << " to root:root";

        exit(211);

    }

    if (selinux_android_restorecon(kPostinstallApexDir, 0) < 0) {

        PLOG(ERROR) << "Failed to restorecon " << kPostinstallApexDir;

        exit(212);

    }



    // Chdir into /postinstall.

    if (chdir("/postinstall") != 0) {