Set the SELinux security label on new directories.
Automatically set the SELinux security label on directories created
by init.rc. This avoids the need to separately call restorecon on
each such directory from the init.rc file. Also restorecon /dev
and /dev/socket after initial policy load so that they are labeled
correctly before any other dev nodes or sockets are created.
Change-Id: If6af6c4887cdead949737cebdd673957e9273ead
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/init/builtins.c b/init/builtins.c
index 661c9b1..a05ca45 100644
--- a/init/builtins.c
+++ b/init/builtins.c
@@ -300,7 +300,7 @@
mode = strtoul(args[2], 0, 8);
}
- ret = mkdir(args[1], mode);
+ ret = make_dir(args[1], mode);
/* chmod in case the directory already exists */
if (ret == -1 && errno == EEXIST) {
ret = _chmod(args[1], mode);
@@ -735,26 +735,12 @@
}
int do_restorecon(int nargs, char **args) {
-#ifdef HAVE_SELINUX
- char *secontext = NULL;
- struct stat sb;
int i;
- if (is_selinux_enabled() <= 0 || !sehandle)
- return 0;
-
for (i = 1; i < nargs; i++) {
- if (lstat(args[i], &sb) < 0)
+ if (restorecon(args[i]) < 0)
return -errno;
- if (selabel_lookup(sehandle, &secontext, args[i], sb.st_mode) < 0)
- return -errno;
- if (lsetfilecon(args[i], secontext) < 0) {
- freecon(secontext);
- return -errno;
- }
- freecon(secontext);
}
-#endif
return 0;
}
diff --git a/init/devices.c b/init/devices.c
index 3b4d369..1394351 100644
--- a/init/devices.c
+++ b/init/devices.c
@@ -52,7 +52,7 @@
#define FIRMWARE_DIR2 "/vendor/firmware"
#ifdef HAVE_SELINUX
-static struct selabel_handle *sehandle;
+extern struct selabel_handle *sehandle;
#endif
static int device_fd = -1;
@@ -219,32 +219,6 @@
#endif
}
-
-static int make_dir(const char *path, mode_t mode)
-{
- int rc;
-
-#ifdef HAVE_SELINUX
- char *secontext = NULL;
-
- if (sehandle) {
- selabel_lookup(sehandle, &secontext, path, mode);
- setfscreatecon(secontext);
- }
-#endif
-
- rc = mkdir(path, mode);
-
-#ifdef HAVE_SELINUX
- if (secontext) {
- freecon(secontext);
- setfscreatecon(NULL);
- }
-#endif
- return rc;
-}
-
-
static void add_platform_device(const char *name)
{
int name_len = strlen(name);
diff --git a/init/init.c b/init/init.c
index 1ee88a7..31f5c12 100755
--- a/init/init.c
+++ b/init/init.c
@@ -900,6 +900,12 @@
#ifdef HAVE_SELINUX
INFO("loading selinux policy\n");
selinux_load_policy();
+ /* These directories were necessarily created before policy load
+ * and therefore need their security context restored to the proper value.
+ * This must happen before /dev is populated by ueventd.
+ */
+ restorecon("/dev");
+ restorecon("/dev/socket");
#endif
is_charger = !strcmp(bootmode, "charger");
diff --git a/init/util.c b/init/util.c
index 3a4b10b..8922de5 100755
--- a/init/util.c
+++ b/init/util.c
@@ -290,12 +290,12 @@
memcpy(buf, pathname, width);
buf[width] = 0;
if (stat(buf, &info) != 0) {
- ret = mkdir(buf, mode);
+ ret = make_dir(buf, mode);
if (ret && errno != EEXIST)
return ret;
}
}
- ret = mkdir(pathname, mode);
+ ret = make_dir(pathname, mode);
if (ret && errno != EEXIST)
return ret;
return 0;
@@ -451,3 +451,52 @@
ptr = x;
}
}
+
+int make_dir(const char *path, mode_t mode)
+{
+ int rc;
+
+#ifdef HAVE_SELINUX
+ char *secontext = NULL;
+
+ if (sehandle) {
+ selabel_lookup(sehandle, &secontext, path, mode);
+ setfscreatecon(secontext);
+ }
+#endif
+
+ rc = mkdir(path, mode);
+
+#ifdef HAVE_SELINUX
+ if (secontext) {
+ int save_errno = errno;
+ freecon(secontext);
+ setfscreatecon(NULL);
+ errno = save_errno;
+ }
+#endif
+ return rc;
+}
+
+int restorecon(const char *pathname)
+{
+#ifdef HAVE_SELINUX
+ char *secontext = NULL;
+ struct stat sb;
+ int i;
+
+ if (is_selinux_enabled() <= 0 || !sehandle)
+ return 0;
+
+ if (lstat(pathname, &sb) < 0)
+ return -errno;
+ if (selabel_lookup(sehandle, &secontext, pathname, sb.st_mode) < 0)
+ return -errno;
+ if (lsetfilecon(pathname, secontext) < 0) {
+ freecon(secontext);
+ return -errno;
+ }
+ freecon(secontext);
+#endif
+ return 0;
+}
diff --git a/init/util.h b/init/util.h
index 9247739..45905b6 100644
--- a/init/util.h
+++ b/init/util.h
@@ -39,4 +39,6 @@
void open_devnull_stdio(void);
void get_hardware_name(char *hardware, unsigned int *revision);
void import_kernel_cmdline(int in_qemu, void (*import_kernel_nv)(char *name, int in_qemu));
+int make_dir(const char *path, mode_t mode);
+int restorecon(const char *pathname);
#endif