diff options
author | Sandeep Patil <sspatil@google.com> | 2017-02-02 18:38:23 -0800 |
---|---|---|
committer | Jeffrey Vander Stoep <jeffv@google.com> | 2017-02-24 23:49:38 +0000 |
commit | 1443ec54072a24ef83770e908435a57a8b7d85b4 (patch) | |
tree | b90016fb11325f74e3540e3be7dfb69f235ca8ce | |
parent | 9a7e29fe91a6d3870ea64d381a6a909096f3ed15 (diff) | |
download | selinux-1443ec54072a24ef83770e908435a57a8b7d85b4.tar.gz |
libselinux: android: use new platform & non-platform file contexts
The file context digest is now made up of new files as well.
b/33746608
Test: Test full boot on angler with no new denialsi.
Test: Test sideloaded ota on angler to go from the build before the
changes to the build with the changes on master.
Todo: recovery / updater continue to use the file_contexts.bin since
they don't go through the API.
Change-Id: Ic88a9e9195297bea174d812bfa0943744c804a81
Signed-off-by: Sandeep Patil <sspatil@google.com>
-rw-r--r-- | libselinux/src/android/android.c | 98 |
1 files changed, 64 insertions, 34 deletions
diff --git a/libselinux/src/android/android.c b/libselinux/src/android/android.c index a5c5a6f0..78eab0e1 100644 --- a/libselinux/src/android/android.c +++ b/libselinux/src/android/android.c @@ -37,6 +37,8 @@ #define _REALLY_INCLUDE_SYS__SYSTEM_PROPERTIES_H_ #include <sys/_system_properties.h> +#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0])) + /* * XXX Where should this configuration file be located? * Needs to be accessible by zygote and installd when @@ -48,8 +50,10 @@ static char const * const seapp_contexts_files[] = { "/nonplat_seapp_contexts" // TODO, switch to diff partition when final }; -static const struct selinux_opt seopts = - { SELABEL_OPT_PATH, "/file_contexts.bin" }; +static const struct selinux_opt seopts_file[] = { + { SELABEL_OPT_PATH, "/plat_file_contexts" }, + { SELABEL_OPT_PATH, "/nonplat_file_contexts" } +}; static const char *const sepolicy_file = "/sepolicy"; @@ -1013,34 +1017,63 @@ static uint8_t fc_digest[FC_DIGEST_SIZE]; static bool compute_file_contexts_hash(uint8_t c_digest[]) { - int fd; + int fd = -1; + void *map = MAP_FAILED; + bool ret = false; + uint8_t *fc_data = NULL; + size_t total_size = 0; struct stat sb; - void *map; + size_t i; - fd = open(seopts.value, O_CLOEXEC | O_RDONLY | O_NOFOLLOW); - if (fd < 0) { - selinux_log(SELINUX_ERROR, "SELinux: Could not open %s: %s\n", - seopts.value, strerror(errno)); - return false; - } - if (fstat(fd, &sb) < 0) { - selinux_log(SELINUX_ERROR, "SELinux: Could not stat %s: %s\n", - seopts.value, strerror(errno)); + for (i = 0; i < ARRAY_SIZE(seopts_file); i++) { + fd = open(seopts_file[i].value, O_CLOEXEC | O_RDONLY | O_NOFOLLOW); + if (fd < 0) { + selinux_log(SELINUX_ERROR, "SELinux: Could not open %s: %s\n", + seopts_file[i].value, strerror(errno)); + goto cleanup; + } + + if (fstat(fd, &sb) < 0) { + selinux_log(SELINUX_ERROR, "SELinux: Could not stat %s: %s\n", + seopts_file[i].value, strerror(errno)); + goto cleanup; + } + + map = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0); + if (map == MAP_FAILED) { + selinux_log(SELINUX_ERROR, "SELinux: Could not map %s: %s\n", + seopts_file[i].value, strerror(errno)); + goto cleanup; + } + + fc_data = realloc(fc_data, total_size + sb.st_size); + if (!fc_data) { + selinux_log(SELINUX_ERROR, "SELinux: Count not re-alloc for %s: %s\n", + seopts_file[i].value, strerror(errno)); + goto cleanup; + } + + memcpy(fc_data + total_size, map, sb.st_size); + total_size += sb.st_size; + + /* reset everything for next file */ + munmap(map, sb.st_size); close(fd); - return false; + map = MAP_FAILED; + fd = -1; } - map = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0); - if (map == MAP_FAILED) { - selinux_log(SELINUX_ERROR, "SELinux: Could not map %s: %s\n", - seopts.value, strerror(errno)); + + SHA1(fc_data, total_size, c_digest); + ret = true; + +cleanup: + if (map != MAP_FAILED) + munmap(map, sb.st_size); + if (fd >= 0) close(fd); - return false; - } - SHA1(map, sb.st_size, c_digest); - munmap(map, sb.st_size); - close(fd); + free(fc_data); - return true; + return ret; } static void file_context_init(void) @@ -1528,17 +1561,14 @@ int selinux_android_restorecon_pkgdir(const char *pkgdir, struct selabel_handle* selinux_android_file_context_handle(void) { - char *path = NULL; struct selabel_handle *sehandle; - struct selinux_opt fc_opts[] = { - { SELABEL_OPT_PATH, path }, - { SELABEL_OPT_BASEONLY, (char *)1 } - }; + struct selinux_opt fc_opts[ARRAY_SIZE(seopts_file) + 1]; - fc_opts[0].value = seopts.value; - - sehandle = selabel_open(SELABEL_CTX_FILE, fc_opts, 2); + memcpy(fc_opts, seopts_file, sizeof(seopts_file)); + fc_opts[ARRAY_SIZE(seopts_file)].type = SELABEL_OPT_BASEONLY; + fc_opts[ARRAY_SIZE(seopts_file)].value = (char *)1; + sehandle = selabel_open(SELABEL_CTX_FILE, fc_opts, ARRAY_SIZE(fc_opts)); if (!sehandle) { selinux_log(SELINUX_ERROR, "%s: Error getting file context handle (%s)\n", __FUNCTION__, strerror(errno)); @@ -1548,8 +1578,8 @@ struct selabel_handle* selinux_android_file_context_handle(void) selabel_close(sehandle); return NULL; } - selinux_log(SELINUX_INFO, "SELinux: Loaded file_contexts contexts from %s.\n", - fc_opts[0].value); + + selinux_log(SELINUX_INFO, "SELinux: Loaded file_contexts\n"); return sehandle; } |