Add support for reloading policy from /data/system.
To support runtime policy management, add support for reloading
policy from /data/system. This can be triggered by setting the
selinux.loadpolicy property to 1, whether from init.rc after
mounting /data or from the system_server (e.g. upon invocation of
a new device admin API for provisioning policy). ueventd and
installd are restarted upon policy reloads to pick up the new
policy configurations relevant to their operation.
Change-Id: I97479aecef8cec23b32f60e09cc778cc5520b691
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/init/devices.c b/init/devices.c
index c367de8..597f958 100644
--- a/init/devices.c
+++ b/init/devices.c
@@ -33,6 +33,7 @@
#ifdef HAVE_SELINUX
#include <selinux/selinux.h>
#include <selinux/label.h>
+#include <selinux/android.h>
#endif
#include <private/android_filesystem_config.h>
@@ -871,12 +872,10 @@
struct stat info;
int fd;
#ifdef HAVE_SELINUX
- struct selinux_opt seopts[] = {
- { SELABEL_OPT_PATH, "/file_contexts" }
- };
-
- if (is_selinux_enabled() > 0)
- sehandle = selabel_open(SELABEL_CTX_FILE, seopts, 1);
+ sehandle = NULL;
+ if (is_selinux_enabled() > 0) {
+ sehandle = selinux_android_file_context_handle();
+ }
#endif
/* is 64K enough? udev uses 16MB! */
device_fd = uevent_open_socket(64*1024, true);
diff --git a/init/init.c b/init/init.c
index cc98afc..d11db61 100755
--- a/init/init.c
+++ b/init/init.c
@@ -33,9 +33,9 @@
#include <sys/un.h>
#ifdef HAVE_SELINUX
-#include <sys/mman.h>
#include <selinux/selinux.h>
#include <selinux/label.h>
+#include <selinux/android.h>
#endif
#include <libgen.h>
@@ -77,7 +77,6 @@
#ifdef HAVE_SELINUX
static int selinux_enabled = 1;
-static int selinux_enforcing = 0;
#endif
static struct action *cur_action = NULL;
@@ -604,9 +603,7 @@
if (name_len == 0) return;
#ifdef HAVE_SELINUX
- if (!strcmp(name,"enforcing")) {
- selinux_enforcing = atoi(value);
- } else if (!strcmp(name,"selinux")) {
+ if (!strcmp(name,"selinux")) {
selinux_enabled = atoi(value);
}
#endif
@@ -758,93 +755,28 @@
#endif
#ifdef HAVE_SELINUX
-void selinux_load_policy(void)
+void selinux_init_all_handles(void)
{
- const char path_prefix[] = "/sepolicy";
- struct selinux_opt seopts[] = {
- { SELABEL_OPT_PATH, "/file_contexts" }
- };
- char path[PATH_MAX];
- int fd, rc, vers;
- struct stat sb;
- void *map;
+ sehandle = selinux_android_file_context_handle();
+}
- sehandle = NULL;
+int selinux_reload_policy(void)
+{
if (!selinux_enabled) {
- INFO("SELinux: Disabled by command line option\n");
- return;
+ return -1;
}
- mkdir(SELINUXMNT, 0755);
- if (mount("selinuxfs", SELINUXMNT, "selinuxfs", 0, NULL)) {
- if (errno == ENODEV) {
- /* SELinux not enabled in kernel */
- return;
- }
- ERROR("SELinux: Could not mount selinuxfs: %s\n",
- strerror(errno));
- return;
- }
- set_selinuxmnt(SELINUXMNT);
+ INFO("SELinux: Attempting to reload policy files\n");
- vers = security_policyvers();
- if (vers <= 0) {
- ERROR("SELinux: Unable to read policy version\n");
- return;
- }
- INFO("SELinux: Maximum supported policy version: %d\n", vers);
-
- snprintf(path, sizeof(path), "%s.%d",
- path_prefix, vers);
- fd = open(path, O_RDONLY);
- while (fd < 0 && errno == ENOENT && --vers) {
- snprintf(path, sizeof(path), "%s.%d",
- path_prefix, vers);
- fd = open(path, O_RDONLY);
- }
- if (fd < 0) {
- ERROR("SELinux: Could not open %s: %s\n",
- path, strerror(errno));
- return;
- }
- if (fstat(fd, &sb) < 0) {
- ERROR("SELinux: Could not stat %s: %s\n",
- path, strerror(errno));
- return;
- }
- map = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
- if (map == MAP_FAILED) {
- ERROR("SELinux: Could not map %s: %s\n",
- path, strerror(errno));
- return;
+ if (selinux_android_reload_policy() == -1) {
+ return -1;
}
- rc = security_load_policy(map, sb.st_size);
- if (rc < 0) {
- ERROR("SELinux: Could not load policy: %s\n",
- strerror(errno));
- return;
- }
+ if (sehandle)
+ selabel_close(sehandle);
- rc = security_setenforce(selinux_enforcing);
- if (rc < 0) {
- ERROR("SELinux: Could not set enforcing mode to %s: %s\n",
- selinux_enforcing ? "enforcing" : "permissive", strerror(errno));
- return;
- }
-
- munmap(map, sb.st_size);
- close(fd);
- INFO("SELinux: Loaded policy from %s\n", path);
-
- sehandle = selabel_open(SELABEL_CTX_FILE, seopts, 1);
- if (!sehandle) {
- ERROR("SELinux: Could not load file_contexts: %s\n",
- strerror(errno));
- return;
- }
- INFO("SELinux: Loaded file contexts from %s\n", seopts[0].value);
- return;
+ selinux_init_all_handles();
+ return 0;
}
#endif
@@ -900,8 +832,17 @@
#ifdef HAVE_SELINUX
INFO("loading selinux policy\n");
- selinux_load_policy();
- /* These directories were necessarily created before policy load
+ if (selinux_enabled) {
+ if (selinux_android_load_policy() < 0) {
+ selinux_enabled = 0;
+ INFO("SELinux: Disabled due to failed policy load\n");
+ } else {
+ selinux_init_all_handles();
+ }
+ } else {
+ INFO("SELinux: Disabled by command line option\n");
+ }
+ /* These directories were necessarily created before initial policy load
* and therefore need their security context restored to the proper value.
* This must happen before /dev is populated by ueventd.
*/
diff --git a/init/init.h b/init/init.h
index 58bbbfe..e2d990e 100644
--- a/init/init.h
+++ b/init/init.h
@@ -138,6 +138,7 @@
#ifdef HAVE_SELINUX
extern struct selabel_handle *sehandle;
+extern int selinux_reload_policy(void);
#endif
#endif /* _INIT_INIT_H */
diff --git a/init/property_service.c b/init/property_service.c
index 79914cd..471c3dc 100644
--- a/init/property_service.c
+++ b/init/property_service.c
@@ -86,6 +86,7 @@
{ "persist.sys.", AID_SYSTEM, 0 },
{ "persist.service.", AID_SYSTEM, 0 },
{ "persist.security.", AID_SYSTEM, 0 },
+ { "selinux." , AID_SYSTEM, 0 },
{ NULL, 0, 0 }
};
@@ -334,6 +335,11 @@
* to prevent them from being overwritten by default values.
*/
write_persistent_property(name, value);
+#ifdef HAVE_SELINUX
+ } else if (strcmp("selinux.reload_policy", name) == 0 &&
+ strcmp("1", value) == 0) {
+ selinux_reload_policy();
+#endif
}
property_changed(name, value);
return 0;