Add a version check for SELinux policy on device.

This helps to ensure that when a new system image is installed,
old userdata policy isn't applied over the top of it.

Bug: 8841348
Change-Id: I135af32250aa62979763e775842ce0af3c8b6f9f
This commit is contained in:
repo sync 2013-05-09 23:04:07 -07:00
parent 683aa89bfd
commit 921be8b656
2 changed files with 62 additions and 3 deletions

View File

@ -61,6 +61,9 @@
struct selabel_handle *sehandle;
struct selabel_handle *sehandle_prop;
#define SELINUX_DATA_POLICY_VERSION_PATH "/data/security/bundle/metadata/version"
#define SELINUX_BOOT_POLICY_VERSION_PATH "/sepolicy.version"
static int property_triggers_enabled = 0;
#if BOOTCHART
@ -774,6 +777,58 @@ void selinux_init_all_handles(void)
sehandle_prop = selinux_android_prop_context_handle();
}
static int selinux_read_version_file(char *version_file_path)
{
unsigned version_string_length = 0;
unsigned characters_consumed = 0;
int policy_version = 0;
char *version_string;
version_string = read_file(version_file_path, &version_string_length);
if (version_string == NULL)
return -1;
sscanf(version_string, "%d%n", &policy_version, &characters_consumed);
free(version_string);
if (characters_consumed != (version_string_length - 1))
return -1;
return policy_version;
}
static int selinux_check_policy_version(void)
{
int data_policy_version = 0;
int boot_policy_version = 0;
// get the policy version for the sepolicy on the data partition
// fail open to allow the existing policy to relabel
data_policy_version = selinux_read_version_file(SELINUX_DATA_POLICY_VERSION_PATH);
if (data_policy_version < 0) {
INFO("Couldn't read data policy version file");
return 0;
}
// get the policy version for the sepolicy on the boot partition
// fail open to allow devices without an sepolicy.version to update
boot_policy_version = selinux_read_version_file(SELINUX_BOOT_POLICY_VERSION_PATH);
if (boot_policy_version < 0) {
INFO("Couldn't read boot policy version file");
return 0;
}
// return an error if the "updated" policy is too old
if (data_policy_version <= boot_policy_version) {
ERROR("SELinux: data policy version (%d) <= factory policy version (%d)",
data_policy_version,
boot_policy_version);
return -1;
}
return 0;
}
int selinux_reload_policy(void)
{
if (!selinux_enabled) {
@ -782,6 +837,10 @@ int selinux_reload_policy(void)
INFO("SELinux: Attempting to reload policy files\n");
if (selinux_check_policy_version() == -1) {
return -1;
}
if (selinux_android_reload_policy() == -1) {
return -1;
}

View File

@ -177,9 +177,6 @@ on post-fs
mkdir /cache/lost+found 0770 root root
on post-fs-data
# reload SELinux based on what we find on the data partition
selinux_reload_policy
# We chown/chmod /data again so because mount is run as root + defaults
chown system system /data
chmod 0771 /data
@ -263,6 +260,9 @@ on post-fs-data
#setprop vold.post_fs_data_done 1
on boot
# reload SELinux policy to make sure we use the most up-to-date one
selinux_reload_policy
# basic network init
ifup lo
hostname localhost