2017-08-11 03:22:44 +08:00
|
|
|
/*
|
|
|
|
* Copyright (C) 2017 The Android Open Source Project
|
|
|
|
*
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
*
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
*
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
* limitations under the License.
|
|
|
|
*/
|
|
|
|
|
|
|
|
// This file contains the functions that initialize SELinux during boot as well as helper functions
|
|
|
|
// for SELinux operation for init.
|
|
|
|
|
|
|
|
// When the system boots, there is no SEPolicy present and init is running in the kernel domain.
|
2018-11-07 06:12:05 +08:00
|
|
|
// Init loads the SEPolicy from the file system, restores the context of /system/bin/init based on
|
|
|
|
// this SEPolicy, and finally exec()'s itself to run in the proper domain.
|
2017-08-11 03:22:44 +08:00
|
|
|
|
|
|
|
// The SEPolicy on Android comes in two variants: monolithic and split.
|
|
|
|
|
|
|
|
// The monolithic policy variant is for legacy non-treble devices that contain a single SEPolicy
|
|
|
|
// file located at /sepolicy and is directly loaded into the kernel SELinux subsystem.
|
|
|
|
|
|
|
|
// The split policy is for supporting treble devices. It splits the SEPolicy across files on
|
|
|
|
// /system/etc/selinux (the 'plat' portion of the policy) and /vendor/etc/selinux (the 'nonplat'
|
|
|
|
// portion of the policy). This is necessary to allow the system image to be updated independently
|
|
|
|
// of the vendor image, while maintaining contributions from both partitions in the SEPolicy. This
|
|
|
|
// is especially important for VTS testing, where the SEPolicy on the Google System Image may not be
|
|
|
|
// identical to the system image shipped on a vendor's device.
|
|
|
|
|
|
|
|
// The split SEPolicy is loaded as described below:
|
2019-01-23 10:22:25 +08:00
|
|
|
// 1) There is a precompiled SEPolicy located at either /vendor/etc/selinux/precompiled_sepolicy or
|
|
|
|
// /odm/etc/selinux/precompiled_sepolicy if odm parition is present. Stored along with this file
|
2019-08-28 17:56:51 +08:00
|
|
|
// are the sha256 hashes of the parts of the SEPolicy on /system, /system_ext and /product that
|
|
|
|
// were used to compile this precompiled policy. The system partition contains a similar sha256
|
|
|
|
// of the parts of the SEPolicy that it currently contains. Symmetrically, system_ext and
|
|
|
|
// product paritition contain sha256 hashes of their SEPolicy. The init loads this
|
|
|
|
// precompiled_sepolicy directly if and only if the hashes along with the precompiled SEPolicy on
|
|
|
|
// /vendor or /odm match the hashes for system, system_ext and product SEPolicy, respectively.
|
|
|
|
// 2) If these hashes do not match, then either /system or /system_ext or /product (or some of them)
|
|
|
|
// have been updated out of sync with /vendor (or /odm if it is present) and the init needs to
|
|
|
|
// compile the SEPolicy. /system contains the SEPolicy compiler, secilc, and it is used by the
|
init: Add an selinux transition for snapuserd.
With compressed VAB updates, it is not possible to mount /system without
first running snapuserd, which is the userspace component to the dm-user
kernel module. This poses a problem because as soon as selinux
enforcement is enabled, snapuserd (running in a kernel context) does not
have access to read and decompress the underlying system partition.
To account for this, we split SelinuxInitialize into multiple steps:
First, sepolicy is read into an in-memory string.
Second, the device-mapper tables for all snapshots are rebuilt. This
flushes any pending reads and creates new dm-user devices. The original
kernel-privileged snapuserd is then killed.
Third, sepolicy is loaded from the in-memory string.
Fourth, we re-launch snapuserd and connect it to the newly created
dm-user devices. As part of this step we restorecon device-mapper
devices and /dev/block/by-name/super, since the new snapuserd is in a
limited context.
Finally, we set enforcing mode.
This sequence ensures that snapuserd has appropriate privileges with a
minimal number of permissive audits.
Bug: 173476209
Test: full OTA with VABC applies and boots
Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 16:21:20 +08:00
|
|
|
// OpenSplitPolicy() function below to compile the SEPolicy to a temp directory and load it.
|
2019-08-28 17:56:51 +08:00
|
|
|
// That function contains even more documentation with the specific implementation details of how
|
|
|
|
// the SEPolicy is compiled if needed.
|
2017-08-11 03:22:44 +08:00
|
|
|
|
|
|
|
#include "selinux.h"
|
|
|
|
|
2018-08-02 04:41:12 +08:00
|
|
|
#include <android/api-level.h>
|
2017-08-11 03:22:44 +08:00
|
|
|
#include <fcntl.h>
|
2019-08-27 04:57:51 +08:00
|
|
|
#include <linux/audit.h>
|
|
|
|
#include <linux/netlink.h>
|
2017-08-11 03:22:44 +08:00
|
|
|
#include <stdlib.h>
|
|
|
|
#include <sys/wait.h>
|
|
|
|
#include <unistd.h>
|
|
|
|
|
|
|
|
#include <android-base/chrono_utils.h>
|
|
|
|
#include <android-base/file.h>
|
|
|
|
#include <android-base/logging.h>
|
2018-05-03 14:33:52 +08:00
|
|
|
#include <android-base/parseint.h>
|
2020-03-21 12:47:10 +08:00
|
|
|
#include <android-base/strings.h>
|
2017-08-11 03:22:44 +08:00
|
|
|
#include <android-base/unique_fd.h>
|
2019-03-04 17:53:34 +08:00
|
|
|
#include <fs_avb/fs_avb.h>
|
2020-03-21 12:47:10 +08:00
|
|
|
#include <fs_mgr.h>
|
2020-01-20 18:03:58 +08:00
|
|
|
#include <libgsi/libgsi.h>
|
2020-02-21 09:54:57 +08:00
|
|
|
#include <libsnapshot/snapshot.h>
|
2017-08-11 03:22:44 +08:00
|
|
|
#include <selinux/android.h>
|
|
|
|
|
2020-03-21 12:47:10 +08:00
|
|
|
#include "block_dev_initializer.h"
|
2019-04-11 23:57:24 +08:00
|
|
|
#include "debug_ramdisk.h"
|
2018-11-07 06:12:05 +08:00
|
|
|
#include "reboot_utils.h"
|
init: Add an selinux transition for snapuserd.
With compressed VAB updates, it is not possible to mount /system without
first running snapuserd, which is the userspace component to the dm-user
kernel module. This poses a problem because as soon as selinux
enforcement is enabled, snapuserd (running in a kernel context) does not
have access to read and decompress the underlying system partition.
To account for this, we split SelinuxInitialize into multiple steps:
First, sepolicy is read into an in-memory string.
Second, the device-mapper tables for all snapshots are rebuilt. This
flushes any pending reads and creates new dm-user devices. The original
kernel-privileged snapuserd is then killed.
Third, sepolicy is loaded from the in-memory string.
Fourth, we re-launch snapuserd and connect it to the newly created
dm-user devices. As part of this step we restorecon device-mapper
devices and /dev/block/by-name/super, since the new snapuserd is in a
limited context.
Finally, we set enforcing mode.
This sequence ensures that snapuserd has appropriate privileges with a
minimal number of permissive audits.
Bug: 173476209
Test: full OTA with VABC applies and boots
Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 16:21:20 +08:00
|
|
|
#include "snapuserd_transition.h"
|
2017-08-11 03:22:44 +08:00
|
|
|
#include "util.h"
|
|
|
|
|
2019-03-04 17:53:34 +08:00
|
|
|
using namespace std::string_literals;
|
|
|
|
|
2018-05-03 14:33:52 +08:00
|
|
|
using android::base::ParseInt;
|
2017-08-11 03:22:44 +08:00
|
|
|
using android::base::Timer;
|
|
|
|
using android::base::unique_fd;
|
2019-03-04 17:53:34 +08:00
|
|
|
using android::fs_mgr::AvbHandle;
|
2020-02-21 09:54:57 +08:00
|
|
|
using android::snapshot::SnapshotManager;
|
2017-08-11 03:22:44 +08:00
|
|
|
|
|
|
|
namespace android {
|
|
|
|
namespace init {
|
|
|
|
|
|
|
|
namespace {
|
|
|
|
|
|
|
|
enum EnforcingStatus { SELINUX_PERMISSIVE, SELINUX_ENFORCING };
|
|
|
|
|
|
|
|
EnforcingStatus StatusFromCmdline() {
|
|
|
|
EnforcingStatus status = SELINUX_ENFORCING;
|
|
|
|
|
2019-08-20 06:21:25 +08:00
|
|
|
ImportKernelCmdline([&](const std::string& key, const std::string& value) {
|
|
|
|
if (key == "androidboot.selinux" && value == "permissive") {
|
|
|
|
status = SELINUX_PERMISSIVE;
|
|
|
|
}
|
|
|
|
});
|
2017-08-11 03:22:44 +08:00
|
|
|
|
|
|
|
return status;
|
|
|
|
}
|
|
|
|
|
|
|
|
bool IsEnforcing() {
|
|
|
|
if (ALLOW_PERMISSIVE_SELINUX) {
|
|
|
|
return StatusFromCmdline() == SELINUX_ENFORCING;
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Forks, executes the provided program in the child, and waits for the completion in the parent.
|
|
|
|
// Child's stderr is captured and logged using LOG(ERROR).
|
|
|
|
bool ForkExecveAndWaitForCompletion(const char* filename, char* const argv[]) {
|
|
|
|
// Create a pipe used for redirecting child process's output.
|
|
|
|
// * pipe_fds[0] is the FD the parent will use for reading.
|
|
|
|
// * pipe_fds[1] is the FD the child will use for writing.
|
|
|
|
int pipe_fds[2];
|
|
|
|
if (pipe(pipe_fds) == -1) {
|
|
|
|
PLOG(ERROR) << "Failed to create pipe";
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
pid_t child_pid = fork();
|
|
|
|
if (child_pid == -1) {
|
|
|
|
PLOG(ERROR) << "Failed to fork for " << filename;
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (child_pid == 0) {
|
|
|
|
// fork succeeded -- this is executing in the child process
|
|
|
|
|
|
|
|
// Close the pipe FD not used by this process
|
2017-10-25 01:45:48 +08:00
|
|
|
close(pipe_fds[0]);
|
2017-08-11 03:22:44 +08:00
|
|
|
|
|
|
|
// Redirect stderr to the pipe FD provided by the parent
|
|
|
|
if (TEMP_FAILURE_RETRY(dup2(pipe_fds[1], STDERR_FILENO)) == -1) {
|
|
|
|
PLOG(ERROR) << "Failed to redirect stderr of " << filename;
|
|
|
|
_exit(127);
|
|
|
|
return false;
|
|
|
|
}
|
2017-10-25 01:45:48 +08:00
|
|
|
close(pipe_fds[1]);
|
2017-08-11 03:22:44 +08:00
|
|
|
|
2017-08-23 06:41:03 +08:00
|
|
|
if (execv(filename, argv) == -1) {
|
2017-08-11 03:22:44 +08:00
|
|
|
PLOG(ERROR) << "Failed to execve " << filename;
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
// Unreachable because execve will have succeeded and replaced this code
|
|
|
|
// with child process's code.
|
|
|
|
_exit(127);
|
|
|
|
return false;
|
|
|
|
} else {
|
|
|
|
// fork succeeded -- this is executing in the original/parent process
|
|
|
|
|
|
|
|
// Close the pipe FD not used by this process
|
2017-10-25 01:45:48 +08:00
|
|
|
close(pipe_fds[1]);
|
2017-08-11 03:22:44 +08:00
|
|
|
|
|
|
|
// Log the redirected output of the child process.
|
|
|
|
// It's unfortunate that there's no standard way to obtain an istream for a file descriptor.
|
|
|
|
// As a result, we're buffering all output and logging it in one go at the end of the
|
|
|
|
// invocation, instead of logging it as it comes in.
|
|
|
|
const int child_out_fd = pipe_fds[0];
|
|
|
|
std::string child_output;
|
|
|
|
if (!android::base::ReadFdToString(child_out_fd, &child_output)) {
|
|
|
|
PLOG(ERROR) << "Failed to capture full output of " << filename;
|
|
|
|
}
|
2017-10-25 01:45:48 +08:00
|
|
|
close(child_out_fd);
|
2017-08-11 03:22:44 +08:00
|
|
|
if (!child_output.empty()) {
|
|
|
|
// Log captured output, line by line, because LOG expects to be invoked for each line
|
|
|
|
std::istringstream in(child_output);
|
|
|
|
std::string line;
|
|
|
|
while (std::getline(in, line)) {
|
|
|
|
LOG(ERROR) << filename << ": " << line;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// Wait for child to terminate
|
|
|
|
int status;
|
|
|
|
if (TEMP_FAILURE_RETRY(waitpid(child_pid, &status, 0)) != child_pid) {
|
|
|
|
PLOG(ERROR) << "Failed to wait for " << filename;
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (WIFEXITED(status)) {
|
|
|
|
int status_code = WEXITSTATUS(status);
|
|
|
|
if (status_code == 0) {
|
|
|
|
return true;
|
|
|
|
} else {
|
|
|
|
LOG(ERROR) << filename << " exited with status " << status_code;
|
|
|
|
}
|
|
|
|
} else if (WIFSIGNALED(status)) {
|
|
|
|
LOG(ERROR) << filename << " killed by signal " << WTERMSIG(status);
|
|
|
|
} else if (WIFSTOPPED(status)) {
|
|
|
|
LOG(ERROR) << filename << " stopped by signal " << WSTOPSIG(status);
|
|
|
|
} else {
|
|
|
|
LOG(ERROR) << "waitpid for " << filename << " returned unexpected status: " << status;
|
|
|
|
}
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
bool ReadFirstLine(const char* file, std::string* line) {
|
|
|
|
line->clear();
|
|
|
|
|
|
|
|
std::string contents;
|
|
|
|
if (!android::base::ReadFileToString(file, &contents, true /* follow symlinks */)) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
std::istringstream in(contents);
|
|
|
|
std::getline(in, *line);
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
bool FindPrecompiledSplitPolicy(std::string* file) {
|
|
|
|
file->clear();
|
2017-08-31 22:07:19 +08:00
|
|
|
// If there is an odm partition, precompiled_sepolicy will be in
|
|
|
|
// odm/etc/selinux. Otherwise it will be in vendor/etc/selinux.
|
|
|
|
static constexpr const char vendor_precompiled_sepolicy[] =
|
|
|
|
"/vendor/etc/selinux/precompiled_sepolicy";
|
|
|
|
static constexpr const char odm_precompiled_sepolicy[] =
|
|
|
|
"/odm/etc/selinux/precompiled_sepolicy";
|
|
|
|
if (access(odm_precompiled_sepolicy, R_OK) == 0) {
|
|
|
|
*file = odm_precompiled_sepolicy;
|
|
|
|
} else if (access(vendor_precompiled_sepolicy, R_OK) == 0) {
|
|
|
|
*file = vendor_precompiled_sepolicy;
|
|
|
|
} else {
|
|
|
|
PLOG(INFO) << "No precompiled sepolicy";
|
2017-08-11 03:22:44 +08:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
std::string actual_plat_id;
|
2019-01-23 10:22:25 +08:00
|
|
|
if (!ReadFirstLine("/system/etc/selinux/plat_sepolicy_and_mapping.sha256", &actual_plat_id)) {
|
2017-08-11 03:22:44 +08:00
|
|
|
PLOG(INFO) << "Failed to read "
|
2019-01-23 10:22:25 +08:00
|
|
|
"/system/etc/selinux/plat_sepolicy_and_mapping.sha256";
|
|
|
|
return false;
|
|
|
|
}
|
2019-08-28 17:56:51 +08:00
|
|
|
std::string actual_system_ext_id;
|
|
|
|
if (!ReadFirstLine("/system_ext/etc/selinux/system_ext_sepolicy_and_mapping.sha256",
|
|
|
|
&actual_system_ext_id)) {
|
|
|
|
PLOG(INFO) << "Failed to read "
|
|
|
|
"/system_ext/etc/selinux/system_ext_sepolicy_and_mapping.sha256";
|
|
|
|
return false;
|
|
|
|
}
|
2019-01-23 10:22:25 +08:00
|
|
|
std::string actual_product_id;
|
|
|
|
if (!ReadFirstLine("/product/etc/selinux/product_sepolicy_and_mapping.sha256",
|
|
|
|
&actual_product_id)) {
|
|
|
|
PLOG(INFO) << "Failed to read "
|
|
|
|
"/product/etc/selinux/product_sepolicy_and_mapping.sha256";
|
2017-08-11 03:22:44 +08:00
|
|
|
return false;
|
|
|
|
}
|
2017-08-31 22:07:19 +08:00
|
|
|
|
2017-08-11 03:22:44 +08:00
|
|
|
std::string precompiled_plat_id;
|
2019-01-23 10:22:25 +08:00
|
|
|
std::string precompiled_plat_sha256 = *file + ".plat_sepolicy_and_mapping.sha256";
|
|
|
|
if (!ReadFirstLine(precompiled_plat_sha256.c_str(), &precompiled_plat_id)) {
|
|
|
|
PLOG(INFO) << "Failed to read " << precompiled_plat_sha256;
|
|
|
|
file->clear();
|
|
|
|
return false;
|
|
|
|
}
|
2019-08-28 17:56:51 +08:00
|
|
|
std::string precompiled_system_ext_id;
|
|
|
|
std::string precompiled_system_ext_sha256 = *file + ".system_ext_sepolicy_and_mapping.sha256";
|
|
|
|
if (!ReadFirstLine(precompiled_system_ext_sha256.c_str(), &precompiled_system_ext_id)) {
|
|
|
|
PLOG(INFO) << "Failed to read " << precompiled_system_ext_sha256;
|
|
|
|
file->clear();
|
|
|
|
return false;
|
|
|
|
}
|
2019-01-23 10:22:25 +08:00
|
|
|
std::string precompiled_product_id;
|
|
|
|
std::string precompiled_product_sha256 = *file + ".product_sepolicy_and_mapping.sha256";
|
|
|
|
if (!ReadFirstLine(precompiled_product_sha256.c_str(), &precompiled_product_id)) {
|
|
|
|
PLOG(INFO) << "Failed to read " << precompiled_product_sha256;
|
2017-08-31 22:07:19 +08:00
|
|
|
file->clear();
|
2017-08-11 03:22:44 +08:00
|
|
|
return false;
|
|
|
|
}
|
2019-01-23 10:22:25 +08:00
|
|
|
if (actual_plat_id.empty() || actual_plat_id != precompiled_plat_id ||
|
2019-08-28 17:56:51 +08:00
|
|
|
actual_system_ext_id.empty() || actual_system_ext_id != precompiled_system_ext_id ||
|
2019-01-23 10:22:25 +08:00
|
|
|
actual_product_id.empty() || actual_product_id != precompiled_product_id) {
|
2017-08-31 22:07:19 +08:00
|
|
|
file->clear();
|
2017-08-11 03:22:44 +08:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
bool GetVendorMappingVersion(std::string* plat_vers) {
|
|
|
|
if (!ReadFirstLine("/vendor/etc/selinux/plat_sepolicy_vers.txt", plat_vers)) {
|
|
|
|
PLOG(ERROR) << "Failed to read /vendor/etc/selinux/plat_sepolicy_vers.txt";
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
if (plat_vers->empty()) {
|
|
|
|
LOG(ERROR) << "No version present in plat_sepolicy_vers.txt";
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
constexpr const char plat_policy_cil_file[] = "/system/etc/selinux/plat_sepolicy.cil";
|
|
|
|
|
|
|
|
bool IsSplitPolicyDevice() {
|
|
|
|
return access(plat_policy_cil_file, R_OK) != -1;
|
|
|
|
}
|
|
|
|
|
init: Add an selinux transition for snapuserd.
With compressed VAB updates, it is not possible to mount /system without
first running snapuserd, which is the userspace component to the dm-user
kernel module. This poses a problem because as soon as selinux
enforcement is enabled, snapuserd (running in a kernel context) does not
have access to read and decompress the underlying system partition.
To account for this, we split SelinuxInitialize into multiple steps:
First, sepolicy is read into an in-memory string.
Second, the device-mapper tables for all snapshots are rebuilt. This
flushes any pending reads and creates new dm-user devices. The original
kernel-privileged snapuserd is then killed.
Third, sepolicy is loaded from the in-memory string.
Fourth, we re-launch snapuserd and connect it to the newly created
dm-user devices. As part of this step we restorecon device-mapper
devices and /dev/block/by-name/super, since the new snapuserd is in a
limited context.
Finally, we set enforcing mode.
This sequence ensures that snapuserd has appropriate privileges with a
minimal number of permissive audits.
Bug: 173476209
Test: full OTA with VABC applies and boots
Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 16:21:20 +08:00
|
|
|
struct PolicyFile {
|
|
|
|
unique_fd fd;
|
|
|
|
std::string path;
|
|
|
|
};
|
|
|
|
|
|
|
|
bool OpenSplitPolicy(PolicyFile* policy_file) {
|
2017-08-11 03:22:44 +08:00
|
|
|
// IMPLEMENTATION NOTE: Split policy consists of three CIL files:
|
|
|
|
// * platform -- policy needed due to logic contained in the system image,
|
|
|
|
// * non-platform -- policy needed due to logic contained in the vendor image,
|
|
|
|
// * mapping -- mapping policy which helps preserve forward-compatibility of non-platform policy
|
|
|
|
// with newer versions of platform policy.
|
|
|
|
//
|
|
|
|
// secilc is invoked to compile the above three policy files into a single monolithic policy
|
|
|
|
// file. This file is then loaded into the kernel.
|
|
|
|
|
2019-03-04 17:53:34 +08:00
|
|
|
// See if we need to load userdebug_plat_sepolicy.cil instead of plat_sepolicy.cil.
|
|
|
|
const char* force_debuggable_env = getenv("INIT_FORCE_DEBUGGABLE");
|
|
|
|
bool use_userdebug_policy =
|
|
|
|
((force_debuggable_env && "true"s == force_debuggable_env) &&
|
2019-04-11 23:57:24 +08:00
|
|
|
AvbHandle::IsDeviceUnlocked() && access(kDebugRamdiskSEPolicy, F_OK) == 0);
|
2019-03-04 17:53:34 +08:00
|
|
|
if (use_userdebug_policy) {
|
|
|
|
LOG(WARNING) << "Using userdebug system sepolicy";
|
|
|
|
}
|
|
|
|
|
2017-08-11 03:22:44 +08:00
|
|
|
// Load precompiled policy from vendor image, if a matching policy is found there. The policy
|
|
|
|
// must match the platform policy on the system image.
|
|
|
|
std::string precompiled_sepolicy_file;
|
2019-03-04 17:53:34 +08:00
|
|
|
// use_userdebug_policy requires compiling sepolicy with userdebug_plat_sepolicy.cil.
|
|
|
|
// Thus it cannot use the precompiled policy from vendor image.
|
|
|
|
if (!use_userdebug_policy && FindPrecompiledSplitPolicy(&precompiled_sepolicy_file)) {
|
2017-08-11 03:22:44 +08:00
|
|
|
unique_fd fd(open(precompiled_sepolicy_file.c_str(), O_RDONLY | O_CLOEXEC | O_BINARY));
|
|
|
|
if (fd != -1) {
|
init: Add an selinux transition for snapuserd.
With compressed VAB updates, it is not possible to mount /system without
first running snapuserd, which is the userspace component to the dm-user
kernel module. This poses a problem because as soon as selinux
enforcement is enabled, snapuserd (running in a kernel context) does not
have access to read and decompress the underlying system partition.
To account for this, we split SelinuxInitialize into multiple steps:
First, sepolicy is read into an in-memory string.
Second, the device-mapper tables for all snapshots are rebuilt. This
flushes any pending reads and creates new dm-user devices. The original
kernel-privileged snapuserd is then killed.
Third, sepolicy is loaded from the in-memory string.
Fourth, we re-launch snapuserd and connect it to the newly created
dm-user devices. As part of this step we restorecon device-mapper
devices and /dev/block/by-name/super, since the new snapuserd is in a
limited context.
Finally, we set enforcing mode.
This sequence ensures that snapuserd has appropriate privileges with a
minimal number of permissive audits.
Bug: 173476209
Test: full OTA with VABC applies and boots
Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 16:21:20 +08:00
|
|
|
policy_file->fd = std::move(fd);
|
|
|
|
policy_file->path = std::move(precompiled_sepolicy_file);
|
2017-08-11 03:22:44 +08:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
// No suitable precompiled policy could be loaded
|
|
|
|
|
|
|
|
LOG(INFO) << "Compiling SELinux policy";
|
|
|
|
|
|
|
|
// We store the output of the compilation on /dev because this is the most convenient tmpfs
|
|
|
|
// storage mount available this early in the boot sequence.
|
|
|
|
char compiled_sepolicy[] = "/dev/sepolicy.XXXXXX";
|
|
|
|
unique_fd compiled_sepolicy_fd(mkostemp(compiled_sepolicy, O_CLOEXEC));
|
|
|
|
if (compiled_sepolicy_fd < 0) {
|
|
|
|
PLOG(ERROR) << "Failed to create temporary file " << compiled_sepolicy;
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Determine which mapping file to include
|
|
|
|
std::string vend_plat_vers;
|
|
|
|
if (!GetVendorMappingVersion(&vend_plat_vers)) {
|
|
|
|
return false;
|
|
|
|
}
|
2019-01-17 03:57:19 +08:00
|
|
|
std::string plat_mapping_file("/system/etc/selinux/mapping/" + vend_plat_vers + ".cil");
|
2017-08-31 22:07:19 +08:00
|
|
|
|
2019-05-03 05:05:18 +08:00
|
|
|
std::string plat_compat_cil_file("/system/etc/selinux/mapping/" + vend_plat_vers +
|
|
|
|
".compat.cil");
|
|
|
|
if (access(plat_compat_cil_file.c_str(), F_OK) == -1) {
|
|
|
|
plat_compat_cil_file.clear();
|
|
|
|
}
|
|
|
|
|
2019-08-28 17:56:51 +08:00
|
|
|
std::string system_ext_policy_cil_file("/system_ext/etc/selinux/system_ext_sepolicy.cil");
|
|
|
|
if (access(system_ext_policy_cil_file.c_str(), F_OK) == -1) {
|
|
|
|
system_ext_policy_cil_file.clear();
|
|
|
|
}
|
|
|
|
|
|
|
|
std::string system_ext_mapping_file("/system_ext/etc/selinux/mapping/" + vend_plat_vers +
|
|
|
|
".cil");
|
|
|
|
if (access(system_ext_mapping_file.c_str(), F_OK) == -1) {
|
|
|
|
system_ext_mapping_file.clear();
|
|
|
|
}
|
|
|
|
|
2018-12-15 06:25:08 +08:00
|
|
|
std::string product_policy_cil_file("/product/etc/selinux/product_sepolicy.cil");
|
|
|
|
if (access(product_policy_cil_file.c_str(), F_OK) == -1) {
|
|
|
|
product_policy_cil_file.clear();
|
|
|
|
}
|
|
|
|
|
2019-01-17 03:57:19 +08:00
|
|
|
std::string product_mapping_file("/product/etc/selinux/mapping/" + vend_plat_vers + ".cil");
|
|
|
|
if (access(product_mapping_file.c_str(), F_OK) == -1) {
|
|
|
|
product_mapping_file.clear();
|
|
|
|
}
|
|
|
|
|
2017-10-18 17:03:20 +08:00
|
|
|
// vendor_sepolicy.cil and plat_pub_versioned.cil are the new design to replace
|
2017-08-31 22:07:19 +08:00
|
|
|
// nonplat_sepolicy.cil.
|
2017-10-18 17:03:20 +08:00
|
|
|
std::string plat_pub_versioned_cil_file("/vendor/etc/selinux/plat_pub_versioned.cil");
|
2017-08-31 22:07:19 +08:00
|
|
|
std::string vendor_policy_cil_file("/vendor/etc/selinux/vendor_sepolicy.cil");
|
|
|
|
|
|
|
|
if (access(vendor_policy_cil_file.c_str(), F_OK) == -1) {
|
|
|
|
// For backward compatibility.
|
|
|
|
// TODO: remove this after no device is using nonplat_sepolicy.cil.
|
|
|
|
vendor_policy_cil_file = "/vendor/etc/selinux/nonplat_sepolicy.cil";
|
2017-10-18 17:03:20 +08:00
|
|
|
plat_pub_versioned_cil_file.clear();
|
|
|
|
} else if (access(plat_pub_versioned_cil_file.c_str(), F_OK) == -1) {
|
|
|
|
LOG(ERROR) << "Missing " << plat_pub_versioned_cil_file;
|
2017-08-31 22:07:19 +08:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
// odm_sepolicy.cil is default but optional.
|
|
|
|
std::string odm_policy_cil_file("/odm/etc/selinux/odm_sepolicy.cil");
|
|
|
|
if (access(odm_policy_cil_file.c_str(), F_OK) == -1) {
|
|
|
|
odm_policy_cil_file.clear();
|
|
|
|
}
|
2019-02-16 04:13:38 +08:00
|
|
|
const std::string version_as_string = std::to_string(SEPOLICY_VERSION);
|
2017-08-19 05:43:52 +08:00
|
|
|
|
2017-08-11 03:22:44 +08:00
|
|
|
// clang-format off
|
2017-08-31 22:07:19 +08:00
|
|
|
std::vector<const char*> compile_args {
|
2017-08-11 03:22:44 +08:00
|
|
|
"/system/bin/secilc",
|
2019-04-11 23:57:24 +08:00
|
|
|
use_userdebug_policy ? kDebugRamdiskSEPolicy: plat_policy_cil_file,
|
2017-10-07 08:03:45 +08:00
|
|
|
"-m", "-M", "true", "-G", "-N",
|
2017-08-19 05:43:52 +08:00
|
|
|
"-c", version_as_string.c_str(),
|
2019-01-17 03:57:19 +08:00
|
|
|
plat_mapping_file.c_str(),
|
2017-08-11 03:22:44 +08:00
|
|
|
"-o", compiled_sepolicy,
|
|
|
|
// We don't care about file_contexts output by the compiler
|
|
|
|
"-f", "/sys/fs/selinux/null", // /dev/null is not yet available
|
2017-08-31 22:07:19 +08:00
|
|
|
};
|
2017-08-11 03:22:44 +08:00
|
|
|
// clang-format on
|
|
|
|
|
2019-05-03 05:05:18 +08:00
|
|
|
if (!plat_compat_cil_file.empty()) {
|
|
|
|
compile_args.push_back(plat_compat_cil_file.c_str());
|
|
|
|
}
|
2019-08-28 17:56:51 +08:00
|
|
|
if (!system_ext_policy_cil_file.empty()) {
|
|
|
|
compile_args.push_back(system_ext_policy_cil_file.c_str());
|
|
|
|
}
|
|
|
|
if (!system_ext_mapping_file.empty()) {
|
|
|
|
compile_args.push_back(system_ext_mapping_file.c_str());
|
|
|
|
}
|
2018-12-15 06:25:08 +08:00
|
|
|
if (!product_policy_cil_file.empty()) {
|
|
|
|
compile_args.push_back(product_policy_cil_file.c_str());
|
|
|
|
}
|
2019-01-17 03:57:19 +08:00
|
|
|
if (!product_mapping_file.empty()) {
|
|
|
|
compile_args.push_back(product_mapping_file.c_str());
|
|
|
|
}
|
2017-10-18 17:03:20 +08:00
|
|
|
if (!plat_pub_versioned_cil_file.empty()) {
|
|
|
|
compile_args.push_back(plat_pub_versioned_cil_file.c_str());
|
2017-08-31 22:07:19 +08:00
|
|
|
}
|
|
|
|
if (!vendor_policy_cil_file.empty()) {
|
|
|
|
compile_args.push_back(vendor_policy_cil_file.c_str());
|
|
|
|
}
|
|
|
|
if (!odm_policy_cil_file.empty()) {
|
|
|
|
compile_args.push_back(odm_policy_cil_file.c_str());
|
|
|
|
}
|
|
|
|
compile_args.push_back(nullptr);
|
|
|
|
|
|
|
|
if (!ForkExecveAndWaitForCompletion(compile_args[0], (char**)compile_args.data())) {
|
2017-08-11 03:22:44 +08:00
|
|
|
unlink(compiled_sepolicy);
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
unlink(compiled_sepolicy);
|
|
|
|
|
init: Add an selinux transition for snapuserd.
With compressed VAB updates, it is not possible to mount /system without
first running snapuserd, which is the userspace component to the dm-user
kernel module. This poses a problem because as soon as selinux
enforcement is enabled, snapuserd (running in a kernel context) does not
have access to read and decompress the underlying system partition.
To account for this, we split SelinuxInitialize into multiple steps:
First, sepolicy is read into an in-memory string.
Second, the device-mapper tables for all snapshots are rebuilt. This
flushes any pending reads and creates new dm-user devices. The original
kernel-privileged snapuserd is then killed.
Third, sepolicy is loaded from the in-memory string.
Fourth, we re-launch snapuserd and connect it to the newly created
dm-user devices. As part of this step we restorecon device-mapper
devices and /dev/block/by-name/super, since the new snapuserd is in a
limited context.
Finally, we set enforcing mode.
This sequence ensures that snapuserd has appropriate privileges with a
minimal number of permissive audits.
Bug: 173476209
Test: full OTA with VABC applies and boots
Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 16:21:20 +08:00
|
|
|
policy_file->fd = std::move(compiled_sepolicy_fd);
|
|
|
|
policy_file->path = compiled_sepolicy;
|
2017-08-11 03:22:44 +08:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
init: Add an selinux transition for snapuserd.
With compressed VAB updates, it is not possible to mount /system without
first running snapuserd, which is the userspace component to the dm-user
kernel module. This poses a problem because as soon as selinux
enforcement is enabled, snapuserd (running in a kernel context) does not
have access to read and decompress the underlying system partition.
To account for this, we split SelinuxInitialize into multiple steps:
First, sepolicy is read into an in-memory string.
Second, the device-mapper tables for all snapshots are rebuilt. This
flushes any pending reads and creates new dm-user devices. The original
kernel-privileged snapuserd is then killed.
Third, sepolicy is loaded from the in-memory string.
Fourth, we re-launch snapuserd and connect it to the newly created
dm-user devices. As part of this step we restorecon device-mapper
devices and /dev/block/by-name/super, since the new snapuserd is in a
limited context.
Finally, we set enforcing mode.
This sequence ensures that snapuserd has appropriate privileges with a
minimal number of permissive audits.
Bug: 173476209
Test: full OTA with VABC applies and boots
Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 16:21:20 +08:00
|
|
|
bool OpenMonolithicPolicy(PolicyFile* policy_file) {
|
|
|
|
static constexpr char kSepolicyFile[] = "/sepolicy";
|
|
|
|
|
|
|
|
LOG(VERBOSE) << "Opening SELinux policy from monolithic file";
|
|
|
|
policy_file->fd.reset(open(kSepolicyFile, O_RDONLY | O_CLOEXEC | O_NOFOLLOW));
|
|
|
|
if (policy_file->fd < 0) {
|
|
|
|
PLOG(ERROR) << "Failed to open monolithic SELinux policy";
|
2017-08-11 03:22:44 +08:00
|
|
|
return false;
|
|
|
|
}
|
init: Add an selinux transition for snapuserd.
With compressed VAB updates, it is not possible to mount /system without
first running snapuserd, which is the userspace component to the dm-user
kernel module. This poses a problem because as soon as selinux
enforcement is enabled, snapuserd (running in a kernel context) does not
have access to read and decompress the underlying system partition.
To account for this, we split SelinuxInitialize into multiple steps:
First, sepolicy is read into an in-memory string.
Second, the device-mapper tables for all snapshots are rebuilt. This
flushes any pending reads and creates new dm-user devices. The original
kernel-privileged snapuserd is then killed.
Third, sepolicy is loaded from the in-memory string.
Fourth, we re-launch snapuserd and connect it to the newly created
dm-user devices. As part of this step we restorecon device-mapper
devices and /dev/block/by-name/super, since the new snapuserd is in a
limited context.
Finally, we set enforcing mode.
This sequence ensures that snapuserd has appropriate privileges with a
minimal number of permissive audits.
Bug: 173476209
Test: full OTA with VABC applies and boots
Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 16:21:20 +08:00
|
|
|
policy_file->path = kSepolicyFile;
|
2017-08-11 03:22:44 +08:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
init: Add an selinux transition for snapuserd.
With compressed VAB updates, it is not possible to mount /system without
first running snapuserd, which is the userspace component to the dm-user
kernel module. This poses a problem because as soon as selinux
enforcement is enabled, snapuserd (running in a kernel context) does not
have access to read and decompress the underlying system partition.
To account for this, we split SelinuxInitialize into multiple steps:
First, sepolicy is read into an in-memory string.
Second, the device-mapper tables for all snapshots are rebuilt. This
flushes any pending reads and creates new dm-user devices. The original
kernel-privileged snapuserd is then killed.
Third, sepolicy is loaded from the in-memory string.
Fourth, we re-launch snapuserd and connect it to the newly created
dm-user devices. As part of this step we restorecon device-mapper
devices and /dev/block/by-name/super, since the new snapuserd is in a
limited context.
Finally, we set enforcing mode.
This sequence ensures that snapuserd has appropriate privileges with a
minimal number of permissive audits.
Bug: 173476209
Test: full OTA with VABC applies and boots
Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 16:21:20 +08:00
|
|
|
void ReadPolicy(std::string* policy) {
|
|
|
|
PolicyFile policy_file;
|
2017-08-11 03:22:44 +08:00
|
|
|
|
init: Add an selinux transition for snapuserd.
With compressed VAB updates, it is not possible to mount /system without
first running snapuserd, which is the userspace component to the dm-user
kernel module. This poses a problem because as soon as selinux
enforcement is enabled, snapuserd (running in a kernel context) does not
have access to read and decompress the underlying system partition.
To account for this, we split SelinuxInitialize into multiple steps:
First, sepolicy is read into an in-memory string.
Second, the device-mapper tables for all snapshots are rebuilt. This
flushes any pending reads and creates new dm-user devices. The original
kernel-privileged snapuserd is then killed.
Third, sepolicy is loaded from the in-memory string.
Fourth, we re-launch snapuserd and connect it to the newly created
dm-user devices. As part of this step we restorecon device-mapper
devices and /dev/block/by-name/super, since the new snapuserd is in a
limited context.
Finally, we set enforcing mode.
This sequence ensures that snapuserd has appropriate privileges with a
minimal number of permissive audits.
Bug: 173476209
Test: full OTA with VABC applies and boots
Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 16:21:20 +08:00
|
|
|
bool ok = IsSplitPolicyDevice() ? OpenSplitPolicy(&policy_file)
|
|
|
|
: OpenMonolithicPolicy(&policy_file);
|
|
|
|
if (!ok) {
|
|
|
|
LOG(FATAL) << "Unable to open SELinux policy";
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!android::base::ReadFdToString(policy_file.fd, policy)) {
|
|
|
|
PLOG(FATAL) << "Failed to read policy file: " << policy_file.path;
|
2017-08-11 03:22:44 +08:00
|
|
|
}
|
init: Add an selinux transition for snapuserd.
With compressed VAB updates, it is not possible to mount /system without
first running snapuserd, which is the userspace component to the dm-user
kernel module. This poses a problem because as soon as selinux
enforcement is enabled, snapuserd (running in a kernel context) does not
have access to read and decompress the underlying system partition.
To account for this, we split SelinuxInitialize into multiple steps:
First, sepolicy is read into an in-memory string.
Second, the device-mapper tables for all snapshots are rebuilt. This
flushes any pending reads and creates new dm-user devices. The original
kernel-privileged snapuserd is then killed.
Third, sepolicy is loaded from the in-memory string.
Fourth, we re-launch snapuserd and connect it to the newly created
dm-user devices. As part of this step we restorecon device-mapper
devices and /dev/block/by-name/super, since the new snapuserd is in a
limited context.
Finally, we set enforcing mode.
This sequence ensures that snapuserd has appropriate privileges with a
minimal number of permissive audits.
Bug: 173476209
Test: full OTA with VABC applies and boots
Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 16:21:20 +08:00
|
|
|
}
|
2017-08-11 03:22:44 +08:00
|
|
|
|
init: Add an selinux transition for snapuserd.
With compressed VAB updates, it is not possible to mount /system without
first running snapuserd, which is the userspace component to the dm-user
kernel module. This poses a problem because as soon as selinux
enforcement is enabled, snapuserd (running in a kernel context) does not
have access to read and decompress the underlying system partition.
To account for this, we split SelinuxInitialize into multiple steps:
First, sepolicy is read into an in-memory string.
Second, the device-mapper tables for all snapshots are rebuilt. This
flushes any pending reads and creates new dm-user devices. The original
kernel-privileged snapuserd is then killed.
Third, sepolicy is loaded from the in-memory string.
Fourth, we re-launch snapuserd and connect it to the newly created
dm-user devices. As part of this step we restorecon device-mapper
devices and /dev/block/by-name/super, since the new snapuserd is in a
limited context.
Finally, we set enforcing mode.
This sequence ensures that snapuserd has appropriate privileges with a
minimal number of permissive audits.
Bug: 173476209
Test: full OTA with VABC applies and boots
Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 16:21:20 +08:00
|
|
|
void SelinuxSetEnforcement() {
|
2017-08-11 03:22:44 +08:00
|
|
|
bool kernel_enforcing = (security_getenforce() == 1);
|
|
|
|
bool is_enforcing = IsEnforcing();
|
|
|
|
if (kernel_enforcing != is_enforcing) {
|
|
|
|
if (security_setenforce(is_enforcing)) {
|
2019-08-31 02:11:44 +08:00
|
|
|
PLOG(FATAL) << "security_setenforce(" << (is_enforcing ? "true" : "false")
|
|
|
|
<< ") failed";
|
2017-08-11 03:22:44 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-02-06 02:49:33 +08:00
|
|
|
if (auto result = WriteFile("/sys/fs/selinux/checkreqprot", "0"); !result.ok()) {
|
2017-08-18 08:28:30 +08:00
|
|
|
LOG(FATAL) << "Unable to write to /sys/fs/selinux/checkreqprot: " << result.error();
|
2017-08-11 03:22:44 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2019-08-27 04:57:51 +08:00
|
|
|
constexpr size_t kKlogMessageSize = 1024;
|
|
|
|
|
|
|
|
void SelinuxAvcLog(char* buf, size_t buf_len) {
|
|
|
|
CHECK_GT(buf_len, 0u);
|
|
|
|
|
|
|
|
size_t str_len = strnlen(buf, buf_len);
|
|
|
|
// trim newline at end of string
|
|
|
|
if (buf[str_len - 1] == '\n') {
|
|
|
|
buf[str_len - 1] = '\0';
|
|
|
|
}
|
|
|
|
|
|
|
|
struct NetlinkMessage {
|
|
|
|
nlmsghdr hdr;
|
|
|
|
char buf[kKlogMessageSize];
|
|
|
|
} request = {};
|
|
|
|
|
|
|
|
request.hdr.nlmsg_flags = NLM_F_REQUEST;
|
|
|
|
request.hdr.nlmsg_type = AUDIT_USER_AVC;
|
|
|
|
request.hdr.nlmsg_len = sizeof(request);
|
|
|
|
strlcpy(request.buf, buf, sizeof(request.buf));
|
|
|
|
|
|
|
|
auto fd = unique_fd{socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT)};
|
|
|
|
if (!fd.ok()) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
TEMP_FAILURE_RETRY(send(fd, &request, sizeof(request), 0));
|
|
|
|
}
|
|
|
|
|
2018-11-07 06:12:05 +08:00
|
|
|
} // namespace
|
|
|
|
|
2017-08-11 03:22:44 +08:00
|
|
|
void SelinuxRestoreContext() {
|
|
|
|
LOG(INFO) << "Running restorecon...";
|
|
|
|
selinux_android_restorecon("/dev", 0);
|
|
|
|
selinux_android_restorecon("/dev/kmsg", 0);
|
|
|
|
if constexpr (WORLD_WRITABLE_KMSG) {
|
|
|
|
selinux_android_restorecon("/dev/kmsg_debug", 0);
|
|
|
|
}
|
2018-07-31 07:23:49 +08:00
|
|
|
selinux_android_restorecon("/dev/null", 0);
|
|
|
|
selinux_android_restorecon("/dev/ptmx", 0);
|
2017-08-11 03:22:44 +08:00
|
|
|
selinux_android_restorecon("/dev/socket", 0);
|
|
|
|
selinux_android_restorecon("/dev/random", 0);
|
|
|
|
selinux_android_restorecon("/dev/urandom", 0);
|
|
|
|
selinux_android_restorecon("/dev/__properties__", 0);
|
|
|
|
|
|
|
|
selinux_android_restorecon("/dev/block", SELINUX_ANDROID_RESTORECON_RECURSE);
|
2020-11-13 16:31:47 +08:00
|
|
|
selinux_android_restorecon("/dev/dm-user", SELINUX_ANDROID_RESTORECON_RECURSE);
|
2017-08-11 03:22:44 +08:00
|
|
|
selinux_android_restorecon("/dev/device-mapper", 0);
|
2019-02-22 15:04:35 +08:00
|
|
|
|
|
|
|
selinux_android_restorecon("/apex", 0);
|
2019-11-22 15:14:10 +08:00
|
|
|
|
|
|
|
selinux_android_restorecon("/linkerconfig", 0);
|
2020-01-20 18:03:58 +08:00
|
|
|
|
2020-02-22 09:11:07 +08:00
|
|
|
// adb remount, snapshot-based updates, and DSUs all create files during
|
|
|
|
// first-stage init.
|
2020-02-21 09:54:57 +08:00
|
|
|
selinux_android_restorecon(SnapshotManager::GetGlobalRollbackIndicatorPath().c_str(), 0);
|
2020-03-07 10:14:19 +08:00
|
|
|
selinux_android_restorecon("/metadata/gsi", SELINUX_ANDROID_RESTORECON_RECURSE |
|
|
|
|
SELINUX_ANDROID_RESTORECON_SKIP_SEHASH);
|
2017-08-11 03:22:44 +08:00
|
|
|
}
|
|
|
|
|
2018-07-21 06:26:25 +08:00
|
|
|
int SelinuxKlogCallback(int type, const char* fmt, ...) {
|
|
|
|
android::base::LogSeverity severity = android::base::ERROR;
|
|
|
|
if (type == SELINUX_WARNING) {
|
|
|
|
severity = android::base::WARNING;
|
|
|
|
} else if (type == SELINUX_INFO) {
|
|
|
|
severity = android::base::INFO;
|
|
|
|
}
|
2019-08-27 04:57:51 +08:00
|
|
|
char buf[kKlogMessageSize];
|
2018-07-21 06:26:25 +08:00
|
|
|
va_list ap;
|
|
|
|
va_start(ap, fmt);
|
2019-08-27 04:57:51 +08:00
|
|
|
int length_written = vsnprintf(buf, sizeof(buf), fmt, ap);
|
2018-07-21 06:26:25 +08:00
|
|
|
va_end(ap);
|
2019-08-27 04:57:51 +08:00
|
|
|
if (length_written <= 0) {
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
if (type == SELINUX_AVC) {
|
|
|
|
SelinuxAvcLog(buf, sizeof(buf));
|
|
|
|
} else {
|
|
|
|
android::base::KernelLogger(android::base::MAIN, severity, "selinux", nullptr, 0, buf);
|
|
|
|
}
|
2018-07-21 06:26:25 +08:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2017-08-11 03:22:44 +08:00
|
|
|
void SelinuxSetupKernelLogging() {
|
|
|
|
selinux_callback cb;
|
2018-07-21 06:26:25 +08:00
|
|
|
cb.func_log = SelinuxKlogCallback;
|
2017-08-11 03:22:44 +08:00
|
|
|
selinux_set_callback(SELINUX_CB_LOG, cb);
|
|
|
|
}
|
|
|
|
|
2018-08-02 04:41:12 +08:00
|
|
|
int SelinuxGetVendorAndroidVersion() {
|
2019-08-01 04:59:15 +08:00
|
|
|
static int vendor_android_version = [] {
|
|
|
|
if (!IsSplitPolicyDevice()) {
|
|
|
|
// If this device does not split sepolicy files, it's not a Treble device and therefore,
|
|
|
|
// we assume it's always on the latest platform.
|
|
|
|
return __ANDROID_API_FUTURE__;
|
|
|
|
}
|
2018-05-03 14:33:52 +08:00
|
|
|
|
2019-08-01 04:59:15 +08:00
|
|
|
std::string version;
|
|
|
|
if (!GetVendorMappingVersion(&version)) {
|
|
|
|
LOG(FATAL) << "Could not read vendor SELinux version";
|
|
|
|
}
|
2018-05-03 14:33:52 +08:00
|
|
|
|
2019-08-01 04:59:15 +08:00
|
|
|
int major_version;
|
|
|
|
std::string major_version_str(version, 0, version.find('.'));
|
|
|
|
if (!ParseInt(major_version_str, &major_version)) {
|
|
|
|
PLOG(FATAL) << "Failed to parse the vendor sepolicy major version "
|
|
|
|
<< major_version_str;
|
|
|
|
}
|
2018-05-03 14:33:52 +08:00
|
|
|
|
2019-08-01 04:59:15 +08:00
|
|
|
return major_version;
|
|
|
|
}();
|
|
|
|
return vendor_android_version;
|
2018-05-03 14:33:52 +08:00
|
|
|
}
|
|
|
|
|
2020-03-21 12:47:10 +08:00
|
|
|
// This is for R system.img/system_ext.img to work on old vendor.img as system_ext.img
|
|
|
|
// is introduced in R. We mount system_ext in second stage init because the first-stage
|
|
|
|
// init in boot.img won't be updated in the system-only OTA scenario.
|
|
|
|
void MountMissingSystemPartitions() {
|
|
|
|
android::fs_mgr::Fstab fstab;
|
|
|
|
if (!ReadDefaultFstab(&fstab)) {
|
|
|
|
LOG(ERROR) << "Could not read default fstab";
|
|
|
|
}
|
|
|
|
|
|
|
|
android::fs_mgr::Fstab mounts;
|
|
|
|
if (!ReadFstabFromFile("/proc/mounts", &mounts)) {
|
|
|
|
LOG(ERROR) << "Could not read /proc/mounts";
|
|
|
|
}
|
|
|
|
|
|
|
|
static const std::vector<std::string> kPartitionNames = {"system_ext", "product"};
|
|
|
|
|
|
|
|
android::fs_mgr::Fstab extra_fstab;
|
|
|
|
for (const auto& name : kPartitionNames) {
|
|
|
|
if (GetEntryForMountPoint(&mounts, "/"s + name)) {
|
|
|
|
// The partition is already mounted.
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
auto system_entry = GetEntryForMountPoint(&fstab, "/system");
|
|
|
|
if (!system_entry) {
|
|
|
|
LOG(ERROR) << "Could not find mount entry for /system";
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
if (!system_entry->fs_mgr_flags.logical) {
|
|
|
|
LOG(INFO) << "Skipping mount of " << name << ", system is not dynamic.";
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
auto entry = *system_entry;
|
|
|
|
auto partition_name = name + fs_mgr_get_slot_suffix();
|
|
|
|
auto replace_name = "system"s + fs_mgr_get_slot_suffix();
|
|
|
|
|
|
|
|
entry.mount_point = "/"s + name;
|
|
|
|
entry.blk_device =
|
|
|
|
android::base::StringReplace(entry.blk_device, replace_name, partition_name, false);
|
|
|
|
if (!fs_mgr_update_logical_partition(&entry)) {
|
|
|
|
LOG(ERROR) << "Could not update logical partition";
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
extra_fstab.emplace_back(std::move(entry));
|
|
|
|
}
|
|
|
|
|
|
|
|
SkipMountingPartitions(&extra_fstab);
|
|
|
|
if (extra_fstab.empty()) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
BlockDevInitializer block_dev_init;
|
|
|
|
for (auto& entry : extra_fstab) {
|
|
|
|
if (access(entry.blk_device.c_str(), F_OK) != 0) {
|
|
|
|
auto block_dev = android::base::Basename(entry.blk_device);
|
|
|
|
if (!block_dev_init.InitDmDevice(block_dev)) {
|
|
|
|
LOG(ERROR) << "Failed to find device-mapper node: " << block_dev;
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (fs_mgr_do_mount_one(entry)) {
|
|
|
|
LOG(ERROR) << "Could not mount " << entry.mount_point;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
init: Add an selinux transition for snapuserd.
With compressed VAB updates, it is not possible to mount /system without
first running snapuserd, which is the userspace component to the dm-user
kernel module. This poses a problem because as soon as selinux
enforcement is enabled, snapuserd (running in a kernel context) does not
have access to read and decompress the underlying system partition.
To account for this, we split SelinuxInitialize into multiple steps:
First, sepolicy is read into an in-memory string.
Second, the device-mapper tables for all snapshots are rebuilt. This
flushes any pending reads and creates new dm-user devices. The original
kernel-privileged snapuserd is then killed.
Third, sepolicy is loaded from the in-memory string.
Fourth, we re-launch snapuserd and connect it to the newly created
dm-user devices. As part of this step we restorecon device-mapper
devices and /dev/block/by-name/super, since the new snapuserd is in a
limited context.
Finally, we set enforcing mode.
This sequence ensures that snapuserd has appropriate privileges with a
minimal number of permissive audits.
Bug: 173476209
Test: full OTA with VABC applies and boots
Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 16:21:20 +08:00
|
|
|
static void LoadSelinuxPolicy(std::string& policy) {
|
|
|
|
LOG(INFO) << "Loading SELinux policy";
|
|
|
|
|
|
|
|
set_selinuxmnt("/sys/fs/selinux");
|
|
|
|
if (security_load_policy(policy.data(), policy.size()) < 0) {
|
|
|
|
PLOG(FATAL) << "SELinux: Could not load policy";
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// The SELinux setup process is carefully orchestrated around snapuserd. Policy
|
|
|
|
// must be loaded off dynamic partitions, and during an OTA, those partitions
|
|
|
|
// cannot be read without snapuserd. But, with kernel-privileged snapuserd
|
|
|
|
// running, loading the policy will immediately trigger audits.
|
|
|
|
//
|
|
|
|
// We use a five-step process to address this:
|
|
|
|
// (1) Read the policy into a string, with snapuserd running.
|
|
|
|
// (2) Rewrite the snapshot device-mapper tables, to generate new dm-user
|
|
|
|
// devices and to flush I/O.
|
|
|
|
// (3) Kill snapuserd, which no longer has any dm-user devices to attach to.
|
|
|
|
// (4) Load the sepolicy and issue critical restorecons in /dev, carefully
|
|
|
|
// avoiding anything that would read from /system.
|
|
|
|
// (5) Re-launch snapuserd and attach it to the dm-user devices from step (2).
|
|
|
|
//
|
|
|
|
// After this sequence, it is safe to enable enforcing mode and continue booting.
|
2018-11-07 06:12:05 +08:00
|
|
|
int SetupSelinux(char** argv) {
|
2019-07-30 00:35:18 +08:00
|
|
|
SetStdioToDevNull(argv);
|
2019-05-29 01:19:44 +08:00
|
|
|
InitKernelLogging(argv);
|
2018-11-07 06:12:05 +08:00
|
|
|
|
|
|
|
if (REBOOT_BOOTLOADER_ON_PANIC) {
|
|
|
|
InstallRebootSignalHandlers();
|
|
|
|
}
|
|
|
|
|
2019-03-27 23:10:41 +08:00
|
|
|
boot_clock::time_point start_time = boot_clock::now();
|
|
|
|
|
2020-03-21 12:47:10 +08:00
|
|
|
MountMissingSystemPartitions();
|
|
|
|
|
2018-11-07 06:12:05 +08:00
|
|
|
SelinuxSetupKernelLogging();
|
init: Add an selinux transition for snapuserd.
With compressed VAB updates, it is not possible to mount /system without
first running snapuserd, which is the userspace component to the dm-user
kernel module. This poses a problem because as soon as selinux
enforcement is enabled, snapuserd (running in a kernel context) does not
have access to read and decompress the underlying system partition.
To account for this, we split SelinuxInitialize into multiple steps:
First, sepolicy is read into an in-memory string.
Second, the device-mapper tables for all snapshots are rebuilt. This
flushes any pending reads and creates new dm-user devices. The original
kernel-privileged snapuserd is then killed.
Third, sepolicy is loaded from the in-memory string.
Fourth, we re-launch snapuserd and connect it to the newly created
dm-user devices. As part of this step we restorecon device-mapper
devices and /dev/block/by-name/super, since the new snapuserd is in a
limited context.
Finally, we set enforcing mode.
This sequence ensures that snapuserd has appropriate privileges with a
minimal number of permissive audits.
Bug: 173476209
Test: full OTA with VABC applies and boots
Change-Id: Ie4e0f5166b01c31a6f337afc26fc58b96217604e
2020-12-08 16:21:20 +08:00
|
|
|
|
|
|
|
LOG(INFO) << "Opening SELinux policy";
|
|
|
|
|
|
|
|
// Read the policy before potentially killing snapuserd.
|
|
|
|
std::string policy;
|
|
|
|
ReadPolicy(&policy);
|
|
|
|
|
|
|
|
auto snapuserd_helper = SnapuserdSelinuxHelper::CreateIfNeeded();
|
|
|
|
if (snapuserd_helper) {
|
|
|
|
// Kill the old snapused to avoid audit messages. After this we cannot
|
|
|
|
// read from /system (or other dynamic partitions) until we call
|
|
|
|
// FinishTransition().
|
|
|
|
snapuserd_helper->StartTransition();
|
|
|
|
}
|
|
|
|
|
|
|
|
LoadSelinuxPolicy(policy);
|
|
|
|
|
|
|
|
if (snapuserd_helper) {
|
|
|
|
// Before enforcing, finish the pending snapuserd transition.
|
|
|
|
snapuserd_helper->FinishTransition();
|
|
|
|
snapuserd_helper = nullptr;
|
|
|
|
}
|
|
|
|
|
|
|
|
SelinuxSetEnforcement();
|
2018-11-07 06:12:05 +08:00
|
|
|
|
|
|
|
// We're in the kernel domain and want to transition to the init domain. File systems that
|
|
|
|
// store SELabels in their xattrs, such as ext4 do not need an explicit restorecon here,
|
|
|
|
// but other file systems do. In particular, this is needed for ramdisks such as the
|
|
|
|
// recovery image for A/B devices.
|
|
|
|
if (selinux_android_restorecon("/system/bin/init", 0) == -1) {
|
|
|
|
PLOG(FATAL) << "restorecon failed of /system/bin/init failed";
|
|
|
|
}
|
|
|
|
|
2019-05-09 03:44:50 +08:00
|
|
|
setenv(kEnvSelinuxStartedAt, std::to_string(start_time.time_since_epoch().count()).c_str(), 1);
|
2019-03-27 23:10:41 +08:00
|
|
|
|
2018-11-07 06:12:05 +08:00
|
|
|
const char* path = "/system/bin/init";
|
|
|
|
const char* args[] = {path, "second_stage", nullptr};
|
|
|
|
execv(path, const_cast<char**>(args));
|
|
|
|
|
|
|
|
// execv() only returns if an error happened, in which case we
|
|
|
|
// panic and never return from this function.
|
|
|
|
PLOG(FATAL) << "execv(\"" << path << "\") failed";
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2017-08-11 03:22:44 +08:00
|
|
|
} // namespace init
|
|
|
|
} // namespace android
|