diff options
author | dcashman <dcashman@google.com> | 2014-12-03 12:51:50 -0800 |
---|---|---|
committer | dcashman <dcashman@google.com> | 2014-12-10 13:31:18 -0800 |
commit | 965141a4e5dc3c00720ce4359d8b8b4db5b623b3 (patch) | |
tree | 980cccc03ff8b35ea76b28defa14daca808d9624 | |
parent | d2c90a77be13b3cc9ef2f2e706d288edb0dd865a (diff) | |
download | libselinux-lollipop-wear-release.tar.gz |
Move property_context label handling to libselinux.android-wear-5.0.0_r1lollipop-wear-release
Resubmission of commit: b3e5022bd4319eabdecdeee0187588e1a4d15c12.
Changed "if (compute_contexts...)" to "if (!compute_contexts..."
Change-Id: I5d6d6eb7438361bbb072540c96361cef95c83a9e
-rw-r--r-- | include/selinux/android.h | 4 | ||||
-rw-r--r-- | src/android.c | 143 |
2 files changed, 77 insertions, 70 deletions
diff --git a/include/selinux/android.h b/include/selinux/android.h index 00894f5..76856a8 100644 --- a/include/selinux/android.h +++ b/include/selinux/android.h @@ -13,6 +13,8 @@ extern "C" { extern struct selabel_handle* selinux_android_file_context_handle(void); +extern struct selabel_handle* selinux_android_prop_context_handle(void); + extern struct selabel_handle* selinux_android_service_context_handle(void); extern void selinux_android_set_sehandle(const struct selabel_handle *hndl); @@ -48,8 +50,6 @@ extern int selinux_android_restorecon_pkgdir(const char *pkgdir, extern int selinux_android_seapp_context_reload(void); -extern bool selinux_android_use_data_policy(void); - #ifdef __cplusplus } #endif diff --git a/src/android.c b/src/android.c index 9e5bd02..dea22e8 100644 --- a/src/android.c +++ b/src/android.c @@ -49,6 +49,12 @@ static const char *const sepolicy_file[] = { "/data/security/current/sepolicy", NULL }; +static const struct selinux_opt seopts_prop[] = { + { SELABEL_OPT_PATH, "/property_contexts" }, + { SELABEL_OPT_PATH, "/data/security/current/property_contexts" }, + { 0, NULL } +}; + static const struct selinux_opt seopts_service[] = { { SELABEL_OPT_PATH, "/service_contexts" }, { SELABEL_OPT_PATH, "/data/security/current/service_contexts" }, @@ -127,12 +133,6 @@ static void set_policy_index(void) munmap(map_override, sb_override.st_size); } -bool selinux_android_use_data_policy(void) -{ - set_policy_index(); - return (policy_index == 1); -} - #if DEBUG static char const * const levelFromName[] = { "none", @@ -821,92 +821,49 @@ oom: goto out; } -static struct selabel_handle *sehandle = NULL; +static struct selabel_handle *fc_sehandle = NULL; #define FC_DIGEST_SIZE SHA_DIGEST_SIZE static uint8_t fc_digest[FC_DIGEST_SIZE]; -static struct selabel_handle *get_selabel_handle(const struct selinux_opt opts[]) +static bool compute_contexts_hash(const struct selinux_opt opts[], uint8_t c_digest[]) { - struct selabel_handle *h; int fd; struct stat sb; void *map; - set_policy_index(); - - h = selabel_open(SELABEL_CTX_FILE, &opts[policy_index], 1); - if (!h) - return NULL; - - fd = open(opts[policy_index].value, O_RDONLY | O_NOFOLLOW); + fd = open(opts[policy_index].value, O_CLOEXEC | O_RDONLY | O_NOFOLLOW); if (fd < 0) { selinux_log(SELINUX_ERROR, "SELinux: Could not open %s: %s\n", opts[policy_index].value, strerror(errno)); - goto err; + return false; } if (fstat(fd, &sb) < 0) { selinux_log(SELINUX_ERROR, "SELinux: Could not stat %s: %s\n", opts[policy_index].value, strerror(errno)); close(fd); - goto err; + return false; } map = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0); if (map == MAP_FAILED) { selinux_log(SELINUX_ERROR, "SELinux: Could not map %s: %s\n", opts[policy_index].value, strerror(errno)); close(fd); - goto err; + return false; } - SHA_hash(map, sb.st_size, fc_digest); + SHA_hash(map, sb.st_size, c_digest); munmap(map, sb.st_size); close(fd); - selinux_log(SELINUX_INFO, "SELinux: Loaded file_contexts from %s\n", - opts[policy_index].value); - - return h; - -err: - selabel_close(h); - return NULL; -} - -static struct selabel_handle *file_context_open(void) -{ - struct selabel_handle *h; - - h = get_selabel_handle(seopts); - - if (!h) - selinux_log(SELINUX_ERROR, "%s: Error getting file context handle (%s)\n", - __FUNCTION__, strerror(errno)); - return h; + return true; } static void file_context_init(void) { - if (!sehandle) - sehandle = file_context_open(); + if (!fc_sehandle) + fc_sehandle = selinux_android_file_context_handle(); } -static struct selabel_handle *service_context_open(void) -{ - struct selabel_handle *handle = NULL; - - set_policy_index(); - handle = selabel_open(SELABEL_CTX_ANDROID_PROP, - &seopts_service[policy_index], 1); - - if (!handle) { - selinux_log(SELINUX_ERROR, "%s: Error getting service context handle (%s)\n", - __FUNCTION__, strerror(errno)); - } else { - selinux_log(SELINUX_INFO, "SELinux: Loaded service contexts from %s.\n", - seopts_service[policy_index].value); - } - return handle; -} static pthread_once_t fc_once = PTHREAD_ONCE_INIT; @@ -1154,7 +1111,7 @@ static int restorecon_sb(const char *pathname, const struct stat *sb, char *oldsecontext = NULL; int rc = 0; - if (selabel_lookup(sehandle, &secontext, pathname, sb->st_mode) < 0) + if (selabel_lookup(fc_sehandle, &secontext, pathname, sb->st_mode) < 0) return 0; /* no match, but not an error */ if (lgetfilecon(pathname, &oldsecontext) < 0) @@ -1226,7 +1183,7 @@ static int selinux_android_restorecon_common(const char* pathname, __selinux_once(fc_once, file_context_init); - if (!sehandle) + if (!fc_sehandle) return 0; if (!recurse) { @@ -1291,7 +1248,7 @@ static int selinux_android_restorecon_common(const char* pathname, fts_set(fts, ftsent, FTS_SKIP); continue; case FTS_D: - if (issys && !selabel_partial_match(sehandle, ftsent->fts_path)) { + if (issys && !selabel_partial_match(fc_sehandle, ftsent->fts_path)) { fts_set(fts, ftsent, FTS_SKIP); continue; } @@ -1335,17 +1292,66 @@ int selinux_android_restorecon_pkgdir(const char *pkgdir, struct selabel_handle* selinux_android_file_context_handle(void) { - return file_context_open(); + struct selabel_handle *sehandle; + + set_policy_index(); + sehandle = selabel_open(SELABEL_CTX_FILE, &seopts[policy_index], 1); + + if (!sehandle) { + selinux_log(SELINUX_ERROR, "%s: Error getting file context handle (%s)\n", + __FUNCTION__, strerror(errno)); + return NULL; + } + if (!compute_contexts_hash(seopts, fc_digest)) { + selabel_close(sehandle); + return NULL; + } + selinux_log(SELINUX_INFO, "SELinux: Loaded file_contexts contexts from %s.\n", + seopts[policy_index].value); + + return sehandle; +} + +struct selabel_handle* selinux_android_prop_context_handle(void) +{ + struct selabel_handle* sehandle; + + set_policy_index(); + sehandle = selabel_open(SELABEL_CTX_ANDROID_PROP, + &seopts_prop[policy_index], 1); + if (!sehandle) { + selinux_log(SELINUX_ERROR, "%s: Error getting property context handle (%s)\n", + __FUNCTION__, strerror(errno)); + return NULL; + } + selinux_log(SELINUX_INFO, "SELinux: Loaded property_contexts from %s.\n", + seopts_prop[policy_index].value); + + return sehandle; } struct selabel_handle* selinux_android_service_context_handle(void) { - return service_context_open(); + struct selabel_handle* sehandle; + + set_policy_index(); + sehandle = selabel_open(SELABEL_CTX_ANDROID_PROP, + &seopts_service[policy_index], 1); + + if (!sehandle) { + selinux_log(SELINUX_ERROR, "%s: Error getting service context handle (%s)\n", + __FUNCTION__, strerror(errno)); + return NULL; + } + selinux_log(SELINUX_INFO, "SELinux: Loaded service_contexts from %s.\n", + seopts_service[policy_index].value); + + return sehandle; } void selinux_android_set_sehandle(const struct selabel_handle *hndl) { - sehandle = (struct selabel_handle *) hndl; + fc_sehandle = (struct selabel_handle *) hndl; } static int selinux_android_load_policy_helper(bool reload) @@ -1360,7 +1366,8 @@ static int selinux_android_load_policy_helper(bool reload) * policy is disabled via safe mode, then just return. * There is no point in reloading policy from / a second time. */ - if (reload && !selinux_android_use_data_policy()) + set_policy_index(); + if (reload && policy_index) return 0; fd = open(sepolicy_file[policy_index], O_RDONLY | O_NOFOLLOW); @@ -1378,7 +1385,7 @@ static int selinux_android_load_policy_helper(bool reload) map = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0); if (map == MAP_FAILED) { selinux_log(SELINUX_ERROR, "SELinux: Could not map %s: %s\n", - sepolicy_file[policy_index], strerror(errno)); + sepolicy_file[policy_index], strerror(errno)); close(fd); return -1; } @@ -1386,7 +1393,7 @@ static int selinux_android_load_policy_helper(bool reload) rc = security_load_policy(map, sb.st_size); if (rc < 0) { selinux_log(SELINUX_ERROR, "SELinux: Could not load policy: %s\n", - strerror(errno)); + strerror(errno)); munmap(map, sb.st_size); close(fd); return -1; |