Remove hard-coded policy version from secilc step

This change makes init's SELinux policy compilation step target the highest SELinux policy language version supported by the kernel. Prior to this change the version was simply hard-coded in init. P. S. clang-format (part of presubmit for this change) is being counter-productive trying to format the section with secilc parameters. The resulting layout is harder to read. This commit thus disables clang-format for this section of code and formats the code for improved readability. Test: Remove precompiled policy, device boots up, no new denials. Added log statement to print out the policy version passed into secilc -- it printed 30, as expected. Bug: 31363362 Change-Id: I151017b5211712861bafb662525e794a44026dd2
2017-03-09 10:56:58 -08:00 · 2017-03-09 10:56:58 -08:00 · a71dfec4c2
parent c1b3c8ef26
commit a71dfec4c2
1 changed files with 22 additions and 8 deletions
--- a/init/init.cpp
+++ b/init/init.cpp
@ -790,6 +790,14 @@ static bool selinux_load_split_policy() {

    LOG(INFO) << "Compiling SELinux policy";

+    // Determine the highest policy language version supported by the kernel
+    set_selinuxmnt("/sys/fs/selinux");
+    int max_policy_version = security_policyvers();
+    if (max_policy_version == -1) {
+        PLOG(ERROR) << "Failed to determine highest policy version supported by kernel";
+        return false;
+    }
+
    // We store the output of the compilation on /dev because this is the most convenient tmpfs
    // storage mount available this early in the boot sequence.
    char compiled_sepolicy[] = "/dev/sepolicy.XXXXXX";
@ -799,14 +807,20 @@ static bool selinux_load_split_policy() {
        return false;
    }

-    const char* compile_args[] = {"/system/bin/secilc", plat_policy_cil_file, "-M", "true", "-c",
-                                  "30",  // TODO: pass in SELinux policy version from build system
-                                  "/vendor/etc/selinux/mapping_sepolicy.cil",
-                                  "/vendor/etc/selinux/nonplat_sepolicy.cil", "-o",
-                                  compiled_sepolicy,
-                                  // We don't care about file_contexts output by the compiler
-                                  "-f", "/sys/fs/selinux/null",  // /dev/null is not yet available
-                                  nullptr};
+    // clang-format off
+    const char* compile_args[] = {
+        "/system/bin/secilc",
+        plat_policy_cil_file,
+        "-M", "true",
+        // Target the highest policy language version supported by the kernel
+        "-c", std::to_string(max_policy_version).c_str(),
+        "/vendor/etc/selinux/mapping_sepolicy.cil",
+        "/vendor/etc/selinux/nonplat_sepolicy.cil",
+        "-o", compiled_sepolicy,
+        // We don't care about file_contexts output by the compiler
+        "-f", "/sys/fs/selinux/null",  // /dev/null is not yet available
+        nullptr};
+    // clang-format on

    if (!fork_execve_and_wait_for_completion(compile_args[0], (char**)compile_args, (char**)ENV)) {
        unlink(compiled_sepolicy);