init: move SELinux into enforcing mode.

When init starts up, immediately put SELinux into enforcing mode.

This is currently a no-op: we have everything in the
unconfined domain, so this should not break anything.
(If it does, I'll roll it back immediately.)

If the kernel doesn't have SELinux support compiled in, then
don't try loading a policy and continue without SELinux protections.

Change-Id: Id0279cf82c545ea0f7090137b7566a5bc3ddd641
diff --git a/init/init.c b/init/init.c
old mode 100755
new mode 100644
index fd428b0..4a335ca
--- a/init/init.c
+++ b/init/init.c
@@ -39,6 +39,7 @@
 #include <libgen.h>
 
 #include <cutils/list.h>
+#include <cutils/android_reboot.h>
 #include <cutils/sockets.h>
 #include <cutils/iosched_policy.h>
 #include <private/android_filesystem_config.h>
@@ -73,8 +74,6 @@
 static unsigned revision = 0;
 static char qemu[32];
 
-static int selinux_enabled = 1;
-
 static struct action *cur_action = NULL;
 static struct command *cur_command = NULL;
 static struct listnode *command_queue = NULL;
@@ -594,10 +593,6 @@
     *value++ = 0;
     if (name_len == 0) return;
 
-    if (!strcmp(name,"selinux")) {
-        selinux_enabled = atoi(value);
-    }
-
     if (for_emulator) {
         /* in the emulator, export any kernel option with the
          * ro.kernel. prefix */
@@ -780,10 +775,6 @@
 
 int selinux_reload_policy(void)
 {
-    if (!selinux_enabled) {
-        return -1;
-    }
-
     INFO("SELinux: Attempting to reload policy files\n");
 
     if (selinux_android_reload_policy() == -1) {
@@ -806,6 +797,24 @@
     return 0;
 }
 
+static void selinux_initialize(void)
+{
+    if (access("/sys/fs/selinux", F_OK) != 0) {
+        // SELinux is not compiled into this kernel. Fail gracefully.
+        return;
+    }
+
+    INFO("loading selinux policy\n");
+    if (selinux_android_load_policy() < 0) {
+        ERROR("SELinux: Failed to load policy; rebooting into recovery mode\n");
+        android_reboot(ANDROID_RB_RESTART2, 0, "recovery");
+        while (1) { pause(); }  // never reached
+    }
+
+    selinux_init_all_handles();
+    security_setenforce(1);
+}
+
 int main(int argc, char **argv)
 {
     int fd_count = 0;
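Review bot: The result of `security_setenforce(1)` on the last line of `selinux_initialize` is discarded, so if the switch to enforcing mode fails, init keeps booting in whatever mode the kernel started in (presumably permissive) and the log says nothing. Since a failed policy load already reboots into recovery, the same treatment fits here: `if (security_setenforce(1) < 0) { ERROR("SELinux: Failed to enter enforcing mode; rebooting into recovery mode\n"); android_reboot(ANDROID_RB_RESTART2, 0, "recovery"); }`. The early return when `/sys/fs/selinux` is missing is also silent; a line such as `ERROR("SELinux: not supported by this kernel; continuing without SELinux\n");` before the `return` would make an unprotected boot visible, including the case where the path is absent only because sysfs is not mounted yet (the mount order is not visible in this hunk). With the `selinux_enabled` guard removed in the `selinux_reload_policy` hunk, that function now also runs on kernels without SELinux; presumably it only fails and logs, but that is worth confirming. The trailing context is the start of `main`, whose body continues outside the hunk.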
@@ -866,17 +875,7 @@
     cb.func_audit = audit_callback;
     selinux_set_callback(SELINUX_CB_AUDIT, cb);
 
-    INFO("loading selinux policy\n");
-    if (selinux_enabled) {
-        if (selinux_android_load_policy() < 0) {
-            selinux_enabled = 0;
-            INFO("SELinux: Disabled due to failed policy load\n");
-        } else {
-            selinux_init_all_handles();
-        }
-    } else {
-        INFO("SELinux:  Disabled by command line option\n");
-    }
+    selinux_initialize();
     /* These directories were necessarily created before initial policy load
      * and therefore need their security context restored to the proper value.
      * This must happen before /dev is populated by ueventd.