am 7fd51b36: am b20fa762: Merge "Fix fs_mgr to properly invoke e2fsck on encrypted devices" into jb-mr1.1-dev
* commit '7fd51b36dabedee4de159213237e71ba20865812':
Fix fs_mgr to properly invoke e2fsck on encrypted devices
diff --git a/adb/services.c b/adb/services.c
index 495a083..54d21a8 100644
--- a/adb/services.c
+++ b/adb/services.c
@@ -202,7 +202,7 @@
int c;
for(;;) {
- r = read(fd, buf, 4096);
+ r = adb_read(fd, buf, 4096);
if(r == 0) goto done;
if(r < 0) {
if(errno == EINTR) continue;
diff --git a/adb/sysdeps.h b/adb/sysdeps.h
index 66b60cc..0252ef3 100644
--- a/adb/sysdeps.h
+++ b/adb/sysdeps.h
@@ -275,6 +275,22 @@
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <string.h>
+#include <unistd.h>
+
+/*
+ * TEMP_FAILURE_RETRY is defined by some, but not all, versions of
+ * <unistd.h>. (Alas, it is not as standard as we'd hoped!) So, if it's
+ * not already defined, then define it here.
+ */
+#ifndef TEMP_FAILURE_RETRY
+/* Used to retry syscalls that can return EINTR. */
+#define TEMP_FAILURE_RETRY(exp) ({ \
+ typeof (exp) _rc; \
+ do { \
+ _rc = (exp); \
+ } while (_rc == -1 && errno == EINTR); \
+ _rc; })
+#endif
#define OS_PATH_SEPARATOR '/'
#define OS_PATH_SEPARATOR_STR "/"
@@ -310,7 +326,7 @@
{
if ((options & O_CREAT) == 0)
{
- return open(path, options);
+ return TEMP_FAILURE_RETRY( open(path, options) );
}
else
{
@@ -319,19 +335,19 @@
va_start( args, options );
mode = va_arg( args, int );
va_end( args );
- return open(path, options, mode);
+ return TEMP_FAILURE_RETRY( open( path, options, mode ) );
}
}
static __inline__ int adb_open_mode( const char* pathname, int options, int mode )
{
- return open( pathname, options, mode );
+ return TEMP_FAILURE_RETRY( open( pathname, options, mode ) );
}
static __inline__ int adb_open( const char* pathname, int options )
{
- int fd = open( pathname, options );
+ int fd = TEMP_FAILURE_RETRY( open( pathname, options ) );
if (fd < 0)
return -1;
close_on_exec( fd );
@@ -357,7 +373,7 @@
static __inline__ int adb_read(int fd, void* buf, size_t len)
{
- return read(fd, buf, len);
+ return TEMP_FAILURE_RETRY( read( fd, buf, len ) );
}
#undef read
@@ -365,7 +381,7 @@
static __inline__ int adb_write(int fd, const void* buf, size_t len)
{
- return write(fd, buf, len);
+ return TEMP_FAILURE_RETRY( write( fd, buf, len ) );
}
#undef write
#define write ___xxx_write
@@ -386,7 +402,7 @@
static __inline__ int adb_creat(const char* path, int mode)
{
- int fd = creat(path, mode);
+ int fd = TEMP_FAILURE_RETRY( creat( path, mode ) );
if ( fd < 0 )
return -1;
@@ -401,7 +417,7 @@
{
int fd;
- fd = accept(serverfd, addr, addrlen);
+ fd = TEMP_FAILURE_RETRY( accept( serverfd, addr, addrlen ) );
if (fd >= 0)
close_on_exec(fd);
diff --git a/debuggerd/Android.mk b/debuggerd/Android.mk
index 15083f4..e48b9af 100644
--- a/debuggerd/Android.mk
+++ b/debuggerd/Android.mk
@@ -23,13 +23,11 @@
LOCAL_CFLAGS += -DWITH_VFP_D32
endif # ARCH_ARM_HAVE_VFP_D32
-LOCAL_SHARED_LIBRARIES := libcutils libc libcorkscrew
-
-ifeq ($(HAVE_SELINUX),true)
-LOCAL_SHARED_LIBRARIES += libselinux
-LOCAL_C_INCLUDES += external/libselinux/include
-LOCAL_CFLAGS += -DHAVE_SELINUX
-endif
+LOCAL_SHARED_LIBRARIES := \
+ libcutils \
+ libc \
+ libcorkscrew \
+ libselinux
include $(BUILD_EXECUTABLE)
diff --git a/debuggerd/backtrace.c b/debuggerd/backtrace.c
index 62f7f32..ba76e7d 100644
--- a/debuggerd/backtrace.c
+++ b/debuggerd/backtrace.c
@@ -125,10 +125,9 @@
char task_path[64];
snprintf(task_path, sizeof(task_path), "/proc/%d/task", pid);
DIR* d = opendir(task_path);
- if (d) {
- struct dirent debuf;
- struct dirent *de;
- while (!readdir_r(d, &debuf, &de) && de) {
+ if (d != NULL) {
+ struct dirent* de = NULL;
+ while ((de = readdir(d)) != NULL) {
if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, "..")) {
continue;
}
diff --git a/debuggerd/tombstone.c b/debuggerd/tombstone.c
index 592f4f2..5f2db43 100644
--- a/debuggerd/tombstone.c
+++ b/debuggerd/tombstone.c
@@ -35,9 +35,7 @@
#include <corkscrew/demangle.h>
#include <corkscrew/backtrace.h>
-#ifdef HAVE_SELINUX
#include <selinux/android.h>
-#endif
#include "machine.h"
#include "tombstone.h"
@@ -416,9 +414,8 @@
}
bool detach_failed = false;
- struct dirent debuf;
- struct dirent *de;
- while (!readdir_r(d, &debuf, &de) && de) {
+ struct dirent* de;
+ while ((de = readdir(d)) != NULL) {
/* Ignore "." and ".." */
if (!strcmp(de->d_name, ".") || !strcmp(de->d_name, "..")) {
continue;
@@ -696,12 +693,10 @@
mkdir(TOMBSTONE_DIR, 0755);
chown(TOMBSTONE_DIR, AID_SYSTEM, AID_SYSTEM);
-#ifdef HAVE_SELINUX
if (selinux_android_restorecon(TOMBSTONE_DIR) == -1) {
*detach_failed = false;
return NULL;
}
-#endif
int fd;
char* path = find_and_open_tombstone(&fd);
diff --git a/fastboot/Android.mk b/fastboot/Android.mk
index 92e9219..5025dae 100644
--- a/fastboot/Android.mk
+++ b/fastboot/Android.mk
@@ -57,9 +57,7 @@
libz
ifneq ($(HOST_OS),windows)
-ifeq ($(HAVE_SELINUX), true)
LOCAL_STATIC_LIBRARIES += libselinux
-endif # HAVE_SELINUX
endif # HOST_OS != windows
include $(BUILD_HOST_EXECUTABLE)
diff --git a/fs_mgr/fs_mgr.c b/fs_mgr/fs_mgr.c
index 99adb81..e51c9cf 100644
--- a/fs_mgr/fs_mgr.c
+++ b/fs_mgr/fs_mgr.c
@@ -173,7 +173,7 @@
* then return an empty buffer. This effectively ignores lines that are too long.
* On EOF, return null.
*/
-static char *getline(char *buf, int size, FILE *file)
+static char *fs_getline(char *buf, int size, FILE *file)
{
int cnt = 0;
int eof = 0;
@@ -247,7 +247,7 @@
}
entries = 0;
- while (getline(line, sizeof(line), fstab_file)) {
+ while (fs_getline(line, sizeof(line), fstab_file)) {
/* if the last character is a newline, shorten the string by 1 byte */
len = strlen(line);
if (line[len - 1] == '\n') {
@@ -274,7 +274,7 @@
fseek(fstab_file, 0, SEEK_SET);
cnt = 0;
- while (getline(line, sizeof(line), fstab_file)) {
+ while (fs_getline(line, sizeof(line), fstab_file)) {
/* if the last character is a newline, shorten the string by 1 byte */
len = strlen(line);
if (line[len - 1] == '\n') {
diff --git a/init/Android.mk b/init/Android.mk
index a1c1e7a..00d2144 100644
--- a/init/Android.mk
+++ b/init/Android.mk
@@ -33,13 +33,11 @@
LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)
LOCAL_UNSTRIPPED_PATH := $(TARGET_ROOT_OUT_UNSTRIPPED)
-LOCAL_STATIC_LIBRARIES := libfs_mgr libcutils libc
-
-ifeq ($(HAVE_SELINUX),true)
-LOCAL_STATIC_LIBRARIES += libselinux
-LOCAL_C_INCLUDES += external/libselinux/include
-LOCAL_CFLAGS += -DHAVE_SELINUX
-endif
+LOCAL_STATIC_LIBRARIES := \
+ libfs_mgr \
+ libcutils \
+ libc \
+ libselinux
include $(BUILD_EXECUTABLE)
diff --git a/init/builtins.c b/init/builtins.c
index aaf85d9..baa3e7f 100644
--- a/init/builtins.c
+++ b/init/builtins.c
@@ -35,10 +35,8 @@
#include <sys/system_properties.h>
#include <fs_mgr.h>
-#ifdef HAVE_SELINUX
#include <selinux/selinux.h>
#include <selinux/label.h>
-#endif
#include "init.h"
#include "keywords.h"
@@ -515,24 +513,20 @@
}
int do_setcon(int nargs, char **args) {
-#ifdef HAVE_SELINUX
if (is_selinux_enabled() <= 0)
return 0;
if (setcon(args[1]) < 0) {
return -errno;
}
-#endif
return 0;
}
int do_setenforce(int nargs, char **args) {
-#ifdef HAVE_SELINUX
if (is_selinux_enabled() <= 0)
return 0;
if (security_setenforce(atoi(args[1])) < 0) {
return -errno;
}
-#endif
return 0;
}
@@ -760,7 +754,6 @@
}
int do_setsebool(int nargs, char **args) {
-#ifdef HAVE_SELINUX
SELboolean *b = alloca(nargs * sizeof(SELboolean));
char *v;
int i;
@@ -789,7 +782,7 @@
if (security_set_boolean_list(nargs - 1, b, 0) < 0)
return -errno;
-#endif
+
return 0;
}
diff --git a/init/devices.c b/init/devices.c
index c30303f..dd875d6 100644
--- a/init/devices.c
+++ b/init/devices.c
@@ -30,11 +30,9 @@
#include <sys/un.h>
#include <linux/netlink.h>
-#ifdef HAVE_SELINUX
#include <selinux/selinux.h>
#include <selinux/label.h>
#include <selinux/android.h>
-#endif
#include <private/android_filesystem_config.h>
#include <sys/time.h>
@@ -53,9 +51,7 @@
#define FIRMWARE_DIR2 "/vendor/firmware"
#define FIRMWARE_DIR3 "/firmware/image"
-#ifdef HAVE_SELINUX
extern struct selabel_handle *sehandle;
-#endif
static int device_fd = -1;
@@ -193,17 +189,15 @@
unsigned gid;
mode_t mode;
dev_t dev;
-#ifdef HAVE_SELINUX
char *secontext = NULL;
-#endif
mode = get_device_perm(path, &uid, &gid) | (block ? S_IFBLK : S_IFCHR);
-#ifdef HAVE_SELINUX
+
if (sehandle) {
selabel_lookup(sehandle, &secontext, path, mode);
setfscreatecon(secontext);
}
-#endif
+
dev = makedev(major, minor);
/* Temporarily change egid to avoid race condition setting the gid of the
* device node. Unforunately changing the euid would prevent creation of
@@ -214,12 +208,11 @@
mknod(path, mode, dev);
chown(path, uid, -1);
setegid(AID_ROOT);
-#ifdef HAVE_SELINUX
+
if (secontext) {
freecon(secontext);
setfscreatecon(NULL);
}
-#endif
}
static void add_platform_device(const char *name)
@@ -882,12 +875,12 @@
suseconds_t t0, t1;
struct stat info;
int fd;
-#ifdef HAVE_SELINUX
+
sehandle = NULL;
if (is_selinux_enabled() > 0) {
sehandle = selinux_android_file_context_handle();
}
-#endif
+
/* is 64K enough? udev uses 16MB! */
device_fd = uevent_open_socket(64*1024, true);
if(device_fd < 0)
diff --git a/init/init.c b/init/init.c
index 1c80d9c..b20b434 100755
--- a/init/init.c
+++ b/init/init.c
@@ -33,11 +33,9 @@
#include <sys/un.h>
#include <sys/personality.h>
-#ifdef HAVE_SELINUX
#include <selinux/selinux.h>
#include <selinux/label.h>
#include <selinux/android.h>
-#endif
#include <libgen.h>
@@ -61,10 +59,8 @@
#include "ueventd.h"
#include "watchdogd.h"
-#ifdef HAVE_SELINUX
struct selabel_handle *sehandle;
struct selabel_handle *sehandle_prop;
-#endif
static int property_triggers_enabled = 0;
@@ -78,9 +74,7 @@
static unsigned revision = 0;
static char qemu[32];
-#ifdef HAVE_SELINUX
static int selinux_enabled = 1;
-#endif
static struct action *cur_action = NULL;
static struct command *cur_command = NULL;
@@ -164,10 +158,9 @@
pid_t pid;
int needs_console;
int n;
-#ifdef HAVE_SELINUX
char *scon = NULL;
int rc;
-#endif
+
/* starting a service removes it from the disabled or reset
* state and immediately takes it out of the restarting
* state if it was in there
@@ -204,7 +197,6 @@
return;
}
-#ifdef HAVE_SELINUX
if (is_selinux_enabled() > 0) {
char *mycon = NULL, *fcon = NULL;
@@ -230,7 +222,6 @@
return;
}
}
-#endif
NOTICE("starting '%s'\n", svc->name);
@@ -267,9 +258,7 @@
for (ei = svc->envvars; ei; ei = ei->next)
add_environment(ei->name, ei->value);
-#ifdef HAVE_SELINUX
setsockcreatecon(scon);
-#endif
for (si = svc->sockets; si; si = si->next) {
int socket_type = (
@@ -282,11 +271,9 @@
}
}
-#ifdef HAVE_SELINUX
freecon(scon);
scon = NULL;
setsockcreatecon(NULL);
-#endif
if (svc->ioprio_class != IoSchedClass_NONE) {
if (android_set_ioprio(getpid(), svc->ioprio_class, svc->ioprio_pri)) {
@@ -332,15 +319,12 @@
_exit(127);
}
}
-
-#ifdef HAVE_SELINUX
if (svc->seclabel) {
if (is_selinux_enabled() > 0 && setexeccon(svc->seclabel) < 0) {
ERROR("cannot setexeccon('%s'): %s\n", svc->seclabel, strerror(errno));
_exit(127);
}
}
-#endif
if (!dynamic_args) {
if (execve(svc->args[0], (char**) svc->args, (char**) ENV) < 0) {
@@ -367,9 +351,7 @@
_exit(127);
}
-#ifdef HAVE_SELINUX
freecon(scon);
-#endif
if (pid < 0) {
ERROR("failed to start '%s'\n", svc->name);
@@ -620,11 +602,9 @@
*value++ = 0;
if (name_len == 0) return;
-#ifdef HAVE_SELINUX
if (!strcmp(name,"selinux")) {
selinux_enabled = atoi(value);
}
-#endif
if (for_emulator) {
/* in the emulator, export any kernel option with the
@@ -772,7 +752,6 @@
}
#endif
-#ifdef HAVE_SELINUX
static const struct selinux_opt seopts_prop[] = {
{ SELABEL_OPT_PATH, "/data/system/property_contexts" },
{ SELABEL_OPT_PATH, "/property_contexts" },
@@ -831,8 +810,6 @@
return 0;
}
-#endif
-
int main(int argc, char **argv)
{
int fd_count = 0;
@@ -886,7 +863,6 @@
process_kernel_cmdline();
-#ifdef HAVE_SELINUX
union selinux_callback cb;
cb.func_log = klog_write;
selinux_set_callback(SELINUX_CB_LOG, cb);
@@ -911,7 +887,6 @@
*/
restorecon("/dev");
restorecon("/dev/socket");
-#endif
is_charger = !strcmp(bootmode, "charger");
diff --git a/init/init.h b/init/init.h
index b7e06c9..955e1f0 100644
--- a/init/init.h
+++ b/init/init.h
@@ -95,9 +95,7 @@
gid_t supp_gids[NR_SVC_SUPP_GIDS];
size_t nr_supp_gids;
-#ifdef HAVE_SELINUX
char *seclabel;
-#endif
struct socketinfo *sockets;
struct svcenvinfo *envvars;
@@ -136,10 +134,8 @@
int load_565rle_image( char *file_name );
-#ifdef HAVE_SELINUX
extern struct selabel_handle *sehandle;
extern struct selabel_handle *sehandle_prop;
extern int selinux_reload_policy(void);
-#endif
#endif /* _INIT_INIT_H */
diff --git a/init/init_parser.c b/init/init_parser.c
index 5393e52..beb9188 100644
--- a/init/init_parser.c
+++ b/init/init_parser.c
@@ -799,13 +799,11 @@
}
break;
case K_seclabel:
-#ifdef HAVE_SELINUX
if (nargs != 2) {
parse_error(state, "seclabel option requires a label string\n");
} else {
svc->seclabel = args[1];
}
-#endif
break;
default:
diff --git a/init/property_service.c b/init/property_service.c
index f58e07d..61dd86f 100755
--- a/init/property_service.c
+++ b/init/property_service.c
@@ -40,10 +40,8 @@
#include <sys/atomics.h>
#include <private/android_filesystem_config.h>
-#ifdef HAVE_SELINUX
#include <selinux/selinux.h>
#include <selinux/label.h>
-#endif
#include "property_service.h"
#include "init.h"
@@ -125,7 +123,7 @@
/* dev is a tmpfs that we can use to carve a shared workspace
* out of, so let's do that...
*/
- fd = open("/dev/__properties__", O_RDWR | O_CREAT, 0600);
+ fd = open("/dev/__properties__", O_RDWR | O_CREAT | O_NOFOLLOW, 0600);
if (fd < 0)
return -1;
@@ -138,7 +136,7 @@
close(fd);
- fd = open("/dev/__properties__", O_RDONLY);
+ fd = open("/dev/__properties__", O_RDONLY | O_NOFOLLOW);
if (fd < 0)
return -1;
@@ -201,7 +199,6 @@
static int check_mac_perms(const char *name, char *sctx)
{
-#ifdef HAVE_SELINUX
if (is_selinux_enabled() <= 0)
return 1;
@@ -225,15 +222,10 @@
freecon(tctx);
err:
return result;
-
-#endif
- return 1;
}
static int check_control_mac_perms(const char *name, char *sctx)
{
-#ifdef HAVE_SELINUX
-
/*
* Create a name prefix out of ctl.<service name>
* The new prefix allows the use of the existing
@@ -247,9 +239,6 @@
return 0;
return check_mac_perms(ctl_name, sctx);
-
-#endif
- return 1;
}
/*
@@ -320,13 +309,12 @@
static void write_persistent_property(const char *name, const char *value)
{
- const char *tempPath = PERSISTENT_PROPERTY_DIR "/.temp";
+ char tempPath[PATH_MAX];
char path[PATH_MAX];
- int fd, length;
+ int fd;
- snprintf(path, sizeof(path), "%s/%s", PERSISTENT_PROPERTY_DIR, name);
-
- fd = open(tempPath, O_WRONLY|O_CREAT|O_TRUNC, 0600);
+ snprintf(tempPath, sizeof(tempPath), "%s/.temp.XXXXXX", PERSISTENT_PROPERTY_DIR);
+ fd = mkstemp(tempPath);
if (fd < 0) {
ERROR("Unable to write persistent property to temp file %s errno: %d\n", tempPath, errno);
return;
@@ -334,6 +322,7 @@
write(fd, value, strlen(value));
close(fd);
+ snprintf(path, sizeof(path), "%s/%s", PERSISTENT_PROPERTY_DIR, name);
if (rename(tempPath, path)) {
unlink(tempPath);
ERROR("Unable to rename persistent property file %s to %s\n", tempPath, path);
@@ -345,8 +334,8 @@
prop_area *pa;
prop_info *pi;
- int namelen = strlen(name);
- int valuelen = strlen(value);
+ size_t namelen = strlen(name);
+ size_t valuelen = strlen(value);
if(namelen >= PROP_NAME_MAX) return -1;
if(valuelen >= PROP_VALUE_MAX) return -1;
@@ -396,11 +385,9 @@
* to prevent them from being overwritten by default values.
*/
write_persistent_property(name, value);
-#ifdef HAVE_SELINUX
} else if (strcmp("selinux.reload_policy", name) == 0 &&
strcmp("1", value) == 0) {
selinux_reload_policy();
-#endif
}
property_changed(name, value);
return 0;
@@ -425,13 +412,13 @@
/* Check socket options here */
if (getsockopt(s, SOL_SOCKET, SO_PEERCRED, &cr, &cr_size) < 0) {
close(s);
- ERROR("Unable to recieve socket options\n");
+ ERROR("Unable to receive socket options\n");
return;
}
r = TEMP_FAILURE_RETRY(recv(s, &msg, sizeof(msg), 0));
if(r != sizeof(prop_msg)) {
- ERROR("sys_prop: mis-match msg size recieved: %d expected: %d errno: %d\n",
+ ERROR("sys_prop: mis-match msg size received: %d expected: %d errno: %d\n",
r, sizeof(prop_msg), errno);
close(s);
return;
@@ -442,9 +429,7 @@
msg.name[PROP_NAME_MAX-1] = 0;
msg.value[PROP_VALUE_MAX-1] = 0;
-#ifdef HAVE_SELINUX
getpeercon(s, &source_ctx);
-#endif
if(memcmp(msg.name,"ctl.",4) == 0) {
// Keep the old close-socket-early behavior when handling
@@ -469,10 +454,7 @@
// the property is written to memory.
close(s);
}
-#ifdef HAVE_SELINUX
freecon(source_ctx);
-#endif
-
break;
default:
@@ -530,12 +512,14 @@
static void load_persistent_properties()
{
DIR* dir = opendir(PERSISTENT_PROPERTY_DIR);
+ int dir_fd;
struct dirent* entry;
- char path[PATH_MAX];
char value[PROP_VALUE_MAX];
int fd, length;
+ struct stat sb;
if (dir) {
+ dir_fd = dirfd(dir);
while ((entry = readdir(dir)) != NULL) {
if (strncmp("persist.", entry->d_name, strlen("persist.")))
continue;
@@ -544,20 +528,39 @@
continue;
#endif
/* open the file and read the property value */
- snprintf(path, sizeof(path), "%s/%s", PERSISTENT_PROPERTY_DIR, entry->d_name);
- fd = open(path, O_RDONLY);
- if (fd >= 0) {
- length = read(fd, value, sizeof(value) - 1);
- if (length >= 0) {
- value[length] = 0;
- property_set(entry->d_name, value);
- } else {
- ERROR("Unable to read persistent property file %s errno: %d\n", path, errno);
- }
- close(fd);
- } else {
- ERROR("Unable to open persistent property file %s errno: %d\n", path, errno);
+ fd = openat(dir_fd, entry->d_name, O_RDONLY | O_NOFOLLOW);
+ if (fd < 0) {
+ ERROR("Unable to open persistent property file \"%s\" errno: %d\n",
+ entry->d_name, errno);
+ continue;
}
+ if (fstat(fd, &sb) < 0) {
+ ERROR("fstat on property file \"%s\" failed errno: %d\n", entry->d_name, errno);
+ close(fd);
+ continue;
+ }
+
+ // File must not be accessible to others, be owned by root/root, and
+ // not be a hard link to any other file.
+ if (((sb.st_mode & (S_IRWXG | S_IRWXO)) != 0)
+ || (sb.st_uid != 0)
+ || (sb.st_gid != 0)
+ || (sb.st_nlink != 1)) {
+ ERROR("skipping insecure property file %s (uid=%lu gid=%lu nlink=%d mode=%o)\n",
+ entry->d_name, sb.st_uid, sb.st_gid, sb.st_nlink, sb.st_mode);
+ close(fd);
+ continue;
+ }
+
+ length = read(fd, value, sizeof(value) - 1);
+ if (length >= 0) {
+ value[length] = 0;
+ property_set(entry->d_name, value);
+ } else {
+ ERROR("Unable to read persistent property file %s errno: %d\n",
+ entry->d_name, errno);
+ }
+ close(fd);
}
closedir(dir);
} else {
diff --git a/init/util.c b/init/util.c
index 743748b..918bc05 100755
--- a/init/util.c
+++ b/init/util.c
@@ -23,9 +23,7 @@
#include <errno.h>
#include <time.h>
-#ifdef HAVE_SELINUX
#include <selinux/label.h>
-#endif
#include <sys/stat.h>
#include <sys/types.h>
@@ -89,9 +87,7 @@
{
struct sockaddr_un addr;
int fd, ret;
-#ifdef HAVE_SELINUX
char *secon;
-#endif
fd = socket(PF_UNIX, type, 0);
if (fd < 0) {
@@ -110,14 +106,12 @@
goto out_close;
}
-#ifdef HAVE_SELINUX
secon = NULL;
if (sehandle) {
ret = selabel_lookup(sehandle, &secon, addr.sun_path, S_IFSOCK);
if (ret == 0)
setfscreatecon(secon);
}
-#endif
ret = bind(fd, (struct sockaddr *) &addr, sizeof (addr));
if (ret) {
@@ -125,10 +119,8 @@
goto out_unlink;
}
-#ifdef HAVE_SELINUX
setfscreatecon(NULL);
freecon(secon);
-#endif
chown(addr.sun_path, uid, gid);
chmod(addr.sun_path, perm);
@@ -468,31 +460,27 @@
{
int rc;
-#ifdef HAVE_SELINUX
char *secontext = NULL;
if (sehandle) {
selabel_lookup(sehandle, &secontext, path, mode);
setfscreatecon(secontext);
}
-#endif
rc = mkdir(path, mode);
-#ifdef HAVE_SELINUX
if (secontext) {
int save_errno = errno;
freecon(secontext);
setfscreatecon(NULL);
errno = save_errno;
}
-#endif
+
return rc;
}
int restorecon(const char *pathname)
{
-#ifdef HAVE_SELINUX
char *secontext = NULL;
struct stat sb;
int i;
@@ -509,6 +497,5 @@
return -errno;
}
freecon(secontext);
-#endif
return 0;
}
diff --git a/logcat/event.logtags b/logcat/event.logtags
index 09640e1..6040bd9 100644
--- a/logcat/event.logtags
+++ b/logcat/event.logtags
@@ -150,5 +150,8 @@
80305 bionic_event_resolver_wrong_server (uid|1)
80310 bionic_event_resolver_wrong_query (uid|1)
+# libcore failure logging
+90100 cert_pin_failure (certs|4)
+
# NOTE - the range 1000000-2000000 is reserved for partners and others who
# want to define their own log tags without conflicting with the core platform.
diff --git a/rootdir/init.rc b/rootdir/init.rc
index caef358..af42223 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -200,6 +200,7 @@
mkdir /data/misc/keystore 0700 keystore keystore
mkdir /data/misc/keychain 0771 system system
mkdir /data/misc/sms 0770 system radio
+ mkdir /data/misc/zoneinfo 0775 system system
mkdir /data/misc/vpn 0770 system vpn
mkdir /data/misc/systemkeys 0700 system system
# give system access to wpa_supplicant.conf for backup and restore
diff --git a/toolbox/Android.mk b/toolbox/Android.mk
index 086ba0d..dbbce06 100644
--- a/toolbox/Android.mk
+++ b/toolbox/Android.mk
@@ -57,11 +57,7 @@
touch \
lsof \
du \
- md5
-
-ifeq ($(HAVE_SELINUX),true)
-
-TOOLS += \
+ md5 \
getenforce \
setenforce \
chcon \
@@ -71,9 +67,6 @@
setsebool \
load_policy
-endif
-
-
ifneq (,$(filter userdebug eng,$(TARGET_BUILD_VARIANT)))
TOOLS += r
endif
@@ -90,17 +83,13 @@
cp/cp.c cp/utils.c \
grep/grep.c grep/fastgrep.c grep/file.c grep/queue.c grep/util.c
-LOCAL_SHARED_LIBRARIES := libcutils libc libusbhost
-
LOCAL_C_INCLUDES := bionic/libc/bionic
-ifeq ($(HAVE_SELINUX),true)
-
-LOCAL_CFLAGS += -DHAVE_SELINUX
-LOCAL_SHARED_LIBRARIES += libselinux
-LOCAL_C_INCLUDES += external/libselinux/include
-
-endif
+LOCAL_SHARED_LIBRARIES := \
+ libcutils \
+ libc \
+ libusbhost \
+ libselinux
LOCAL_MODULE := toolbox
diff --git a/toolbox/id.c b/toolbox/id.c
index bc79288..8ec79c1 100644
--- a/toolbox/id.c
+++ b/toolbox/id.c
@@ -4,10 +4,7 @@
#include <sys/types.h>
#include <pwd.h>
#include <grp.h>
-
-#ifdef HAVE_SELINUX
#include <selinux/selinux.h>
-#endif
static void print_uid(uid_t uid)
{
@@ -34,9 +31,7 @@
{
gid_t list[64];
int n, max;
-#ifdef HAVE_SELINUX
char *secctx;
-#endif
max = getgroups(64, list);
if (max < 0) max = 0;
@@ -53,12 +48,10 @@
print_gid(list[n]);
}
}
-#ifdef HAVE_SELINUX
if (getcon(&secctx) == 0) {
printf(" context=%s", secctx);
free(secctx);
}
-#endif
printf("\n");
return 0;
}
diff --git a/toolbox/ls.c b/toolbox/ls.c
index a4db99c..e530521 100644
--- a/toolbox/ls.c
+++ b/toolbox/ls.c
@@ -5,9 +5,7 @@
#include <dirent.h>
#include <errno.h>
-#ifdef HAVE_SELINUX
#include <selinux/selinux.h>
-#endif
#include <sys/stat.h>
#include <unistd.h>
@@ -260,11 +258,7 @@
return -1;
}
-#ifdef HAVE_SELINUX
lgetfilecon(path, &maclabel);
-#else
- maclabel = strdup("-");
-#endif
if (!maclabel) {
return -1;
}
@@ -276,12 +270,12 @@
switch(s.st_mode & S_IFMT) {
case S_IFLNK: {
char linkto[256];
- int len;
+ ssize_t len;
len = readlink(path, linkto, sizeof(linkto));
if(len < 0) return -1;
- if(len > sizeof(linkto)-1) {
+ if((size_t)len > sizeof(linkto)-1) {
linkto[sizeof(linkto)-4] = '.';
linkto[sizeof(linkto)-3] = '.';
linkto[sizeof(linkto)-2] = '.';
@@ -307,7 +301,7 @@
static int listfile(const char *dirname, const char *filename, int flags)
{
- if ((flags & LIST_LONG | LIST_SIZE | LIST_CLASSIFY | LIST_MACLABEL) == 0) {
+ if ((flags & (LIST_LONG | LIST_SIZE | LIST_CLASSIFY | LIST_MACLABEL)) == 0) {
printf("%s\n", filename);
return 0;
}