diff options
| author | Nikita Ioffe <ioffe@google.com> | 2024-04-08 11:20:39 +0000 |
|---|---|---|
| committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2024-04-08 11:20:39 +0000 |
| commit | c079a6c34f055de33ec204dda6bbf33bd16e0668 (patch) | |
| tree | 2885992ca138f265cd04cdb5a0cb980699c441ac | |
| parent | 20c3933ed4275e39fd4eba71d6dccfdf34d48ad5 (diff) | |
| parent | feb7e0ea9727a6b7847e26a1b017066f7ddc9031 (diff) | |
| download | core-c079a6c34f055de33ec204dda6bbf33bd16e0668.tar.gz | |
Merge "Restorecon /microdroid_resources in setup_selinux" into main
| -rw-r--r-- | init/Android.bp | 10 | ||||
| -rw-r--r-- | init/selinux.cpp | 10 |
2 files changed, 18 insertions, 2 deletions
diff --git a/init/Android.bp b/init/Android.bp index d4b7fabd0..ff82f7f18 100644 --- a/init/Android.bp +++ b/init/Android.bp @@ -255,7 +255,10 @@ cc_library_static { cc_library_static { name: "libinit.microdroid", - defaults: ["libinit_defaults"], + defaults: [ + "avf_build_flags_cc", + "libinit_defaults", + ], cflags: ["-DMICRODROID=1"], } @@ -315,7 +318,10 @@ cc_binary { cc_binary { name: "init_second_stage.microdroid", - defaults: ["init_second_stage_defaults"], + defaults: [ + "avf_build_flags_cc", + "init_second_stage_defaults", + ], static_libs: ["libinit.microdroid"], cflags: ["-DMICRODROID=1"], installable: false, diff --git a/init/selinux.cpp b/init/selinux.cpp index e191b60c0..c2d9b8d28 100644 --- a/init/selinux.cpp +++ b/init/selinux.cpp @@ -66,6 +66,7 @@ #include <android-base/result.h> #include <android-base/strings.h> #include <android-base/unique_fd.h> +#include <android/avf_cc_flags.h> #include <fs_avb/fs_avb.h> #include <fs_mgr.h> #include <libgsi/libgsi.h> @@ -702,6 +703,15 @@ int SetupSelinux(char** argv) { SelinuxSetEnforcement(); + if (IsMicrodroid() && android::virtualization::IsOpenDiceChangesFlagEnabled()) { + // We run restorecon of /microdroid_resources while we are still in kernel context to avoid + // granting init `tmpfs:file relabelfrom` capability. + const int flags = SELINUX_ANDROID_RESTORECON_RECURSE; + if (selinux_android_restorecon("/microdroid_resources", flags) == -1) { + PLOG(FATAL) << "restorecon of /microdroid_resources failed"; + } + } + // We're in the kernel domain and want to transition to the init domain. File systems that // store SELabels in their xattrs, such as ext4 do not need an explicit restorecon here, // but other file systems do. In particular, this is needed for ramdisks such as the |