Move property_context label handling to libselinux.android-wear-5.0.0_r1lollipop-wear-release

Resubmission of commit: b3e5022bd4319eabdecdeee0187588e1a4d15c12.

Changed "if (compute_contexts...)" to "if (!compute_contexts..."

Change-Id: I5d6d6eb7438361bbb072540c96361cef95c83a9e

2 files changed, 77 insertions, 70 deletions

diff --git a/include/selinux/android.h b/include/selinux/android.h
index 00894f5..76856a8 100644
--- a/include/selinux/android.h
+++ b/include/selinux/android.h
@@ -13,6 +13,8 @@ extern "C" {
 
 extern struct selabel_handle* selinux_android_file_context_handle(void);
 
+extern struct selabel_handle* selinux_android_prop_context_handle(void);
+
 extern struct selabel_handle* selinux_android_service_context_handle(void);
 
 extern void selinux_android_set_sehandle(const struct selabel_handle *hndl);
@@ -48,8 +50,6 @@ extern int selinux_android_restorecon_pkgdir(const char *pkgdir,
 
 extern int selinux_android_seapp_context_reload(void);
 
-extern bool selinux_android_use_data_policy(void);
-
 #ifdef __cplusplus
 }
 #endif
diff --git a/src/android.c b/src/android.c
index 9e5bd02..dea22e8 100644
--- a/src/android.c
+++ b/src/android.c
@@ -49,6 +49,12 @@ static const char *const sepolicy_file[] = {
 	"/data/security/current/sepolicy",
 	NULL };
 
+static const struct selinux_opt seopts_prop[] = {
+        { SELABEL_OPT_PATH, "/property_contexts" },
+        { SELABEL_OPT_PATH, "/data/security/current/property_contexts" },
+        { 0, NULL }
+};
+
 static const struct selinux_opt seopts_service[] = {
     { SELABEL_OPT_PATH, "/service_contexts" },
     { SELABEL_OPT_PATH, "/data/security/current/service_contexts" },
@@ -127,12 +133,6 @@ static void set_policy_index(void)
 	munmap(map_override, sb_override.st_size);
 }
 
-bool selinux_android_use_data_policy(void)
-{
-	set_policy_index();
-	return (policy_index == 1);
-}
-
 #if DEBUG
 static char const * const levelFromName[] = {
 	"none",
@@ -821,92 +821,49 @@ oom:
 	goto out;
 }
 
-static struct selabel_handle *sehandle = NULL;
+static struct selabel_handle *fc_sehandle = NULL;
 #define FC_DIGEST_SIZE SHA_DIGEST_SIZE
 static uint8_t fc_digest[FC_DIGEST_SIZE];
 
-static struct selabel_handle *get_selabel_handle(const struct selinux_opt opts[])
+static bool compute_contexts_hash(const struct selinux_opt opts[], uint8_t c_digest[])
 {
-    struct selabel_handle *h;
     int fd;
     struct stat sb;
     void *map;
 
-    set_policy_index();
-
-    h = selabel_open(SELABEL_CTX_FILE, &opts[policy_index], 1);
-    if (!h)
-        return NULL;
-
-    fd = open(opts[policy_index].value, O_RDONLY | O_NOFOLLOW);
+    fd = open(opts[policy_index].value, O_CLOEXEC | O_RDONLY | O_NOFOLLOW);
     if (fd < 0) {
         selinux_log(SELINUX_ERROR, "SELinux:  Could not open %s:  %s\n",
                     opts[policy_index].value, strerror(errno));
-        goto err;
+        return false;
     }
     if (fstat(fd, &sb) < 0) {
         selinux_log(SELINUX_ERROR, "SELinux:  Could not stat %s:  %s\n",
                     opts[policy_index].value, strerror(errno));
         close(fd);
-        goto err;
+        return false;
     }
     map = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
     if (map == MAP_FAILED) {
         selinux_log(SELINUX_ERROR, "SELinux:  Could not map %s:  %s\n",
                     opts[policy_index].value, strerror(errno));
         close(fd);
-        goto err;
+        return false;
     }
-    SHA_hash(map, sb.st_size, fc_digest);
+    SHA_hash(map, sb.st_size, c_digest);
     munmap(map, sb.st_size);
     close(fd);
 
-    selinux_log(SELINUX_INFO, "SELinux: Loaded file_contexts from %s\n",
-                opts[policy_index].value);
-
-    return h;
-
-err:
-    selabel_close(h);
-    return NULL;
-}
-
-static struct selabel_handle *file_context_open(void)
-{
-	struct selabel_handle *h;
-
-	h = get_selabel_handle(seopts);
-
-	if (!h)
-		selinux_log(SELINUX_ERROR, "%s: Error getting file context handle (%s)\n",
-				__FUNCTION__, strerror(errno));
-	return h;
+    return true;
 }
 
 static void file_context_init(void)
 {
-    if (!sehandle)
-        sehandle = file_context_open();
+    if (!fc_sehandle)
+        fc_sehandle = selinux_android_file_context_handle();
 }
 
-static struct selabel_handle *service_context_open(void)
-{
-    struct selabel_handle *handle = NULL;
-
-    set_policy_index();
-    handle = selabel_open(SELABEL_CTX_ANDROID_PROP,
-            &seopts_service[policy_index], 1);
-
-    if (!handle) {
-        selinux_log(SELINUX_ERROR, "%s: Error getting service context handle (%s)\n",
-                __FUNCTION__, strerror(errno));
-    } else {
-        selinux_log(SELINUX_INFO, "SELinux: Loaded service contexts from %s.\n",
-                seopts_service[policy_index].value);
-    }
 
-    return handle;
-}
 
 static pthread_once_t fc_once = PTHREAD_ONCE_INIT;
 
@@ -1154,7 +1111,7 @@ static int restorecon_sb(const char *pathname, const struct stat *sb,
     char *oldsecontext = NULL;
     int rc = 0;
 
-    if (selabel_lookup(sehandle, &secontext, pathname, sb->st_mode) < 0)
+    if (selabel_lookup(fc_sehandle, &secontext, pathname, sb->st_mode) < 0)
         return 0;  /* no match, but not an error */
 
     if (lgetfilecon(pathname, &oldsecontext) < 0)
@@ -1226,7 +1183,7 @@ static int selinux_android_restorecon_common(const char* pathname,
 
     __selinux_once(fc_once, file_context_init);
 
-    if (!sehandle)
+    if (!fc_sehandle)
         return 0;
 
     if (!recurse) {
@@ -1291,7 +1248,7 @@ static int selinux_android_restorecon_common(const char* pathname,
             fts_set(fts, ftsent, FTS_SKIP);
             continue;
         case FTS_D:
-            if (issys && !selabel_partial_match(sehandle, ftsent->fts_path)) {
+            if (issys && !selabel_partial_match(fc_sehandle, ftsent->fts_path)) {
                 fts_set(fts, ftsent, FTS_SKIP);
                 continue;
             }
@@ -1335,17 +1292,66 @@ int selinux_android_restorecon_pkgdir(const char *pkgdir,
 
 struct selabel_handle* selinux_android_file_context_handle(void)
 {
-    return file_context_open();
+    struct selabel_handle *sehandle;
+
+    set_policy_index();
+    sehandle = selabel_open(SELABEL_CTX_FILE, &seopts[policy_index], 1);
+
+    if (!sehandle) {
+        selinux_log(SELINUX_ERROR, "%s: Error getting file context handle (%s)\n",
+                __FUNCTION__, strerror(errno));
+        return NULL;
+    }
+    if (!compute_contexts_hash(seopts, fc_digest)) {
+        selabel_close(sehandle);
+        return NULL;
+    }
+    selinux_log(SELINUX_INFO, "SELinux: Loaded file_contexts contexts from %s.\n",
+            seopts[policy_index].value);
+
+    return sehandle;
+}
+
+struct selabel_handle* selinux_android_prop_context_handle(void)
+{
+    struct selabel_handle* sehandle;
+
+    set_policy_index();
+    sehandle = selabel_open(SELABEL_CTX_ANDROID_PROP,
+            &seopts_prop[policy_index], 1);
+    if (!sehandle) {
+        selinux_log(SELINUX_ERROR, "%s: Error getting property context handle (%s)\n",
+                __FUNCTION__, strerror(errno));
+        return NULL;
+    }
+    selinux_log(SELINUX_INFO, "SELinux: Loaded property_contexts from %s.\n",
+            seopts_prop[policy_index].value);
+
+    return sehandle;
 }
 
 struct selabel_handle* selinux_android_service_context_handle(void)
 {
-    return service_context_open();
+    struct selabel_handle* sehandle;
+
+    set_policy_index();
+    sehandle = selabel_open(SELABEL_CTX_ANDROID_PROP,
+            &seopts_service[policy_index], 1);
+
+    if (!sehandle) {
+        selinux_log(SELINUX_ERROR, "%s: Error getting service context handle (%s)\n",
+                __FUNCTION__, strerror(errno));
+        return NULL;
+    }
+    selinux_log(SELINUX_INFO, "SELinux: Loaded service_contexts from %s.\n",
+            seopts_service[policy_index].value);
+
+    return sehandle;
 }
 
 void selinux_android_set_sehandle(const struct selabel_handle *hndl)
 {
-    sehandle = (struct selabel_handle *) hndl;
+    fc_sehandle = (struct selabel_handle *) hndl;
 }
 
 static int selinux_android_load_policy_helper(bool reload)
@@ -1360,7 +1366,8 @@ static int selinux_android_load_policy_helper(bool reload)
 	 * policy is disabled via safe mode, then just return.
 	 * There is no point in reloading policy from / a second time.
 	 */
-	if (reload && !selinux_android_use_data_policy())
+	set_policy_index();
+	if (reload && policy_index)
 		return 0;
 
 	fd = open(sepolicy_file[policy_index], O_RDONLY | O_NOFOLLOW);
@@ -1378,7 +1385,7 @@ static int selinux_android_load_policy_helper(bool reload)
 	map = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
 	if (map == MAP_FAILED) {
 		selinux_log(SELINUX_ERROR, "SELinux:  Could not map %s:  %s\n",
-			sepolicy_file[policy_index], strerror(errno));
+				sepolicy_file[policy_index], strerror(errno));
 		close(fd);
 		return -1;
 	}
@@ -1386,7 +1393,7 @@ static int selinux_android_load_policy_helper(bool reload)
 	rc = security_load_policy(map, sb.st_size);
 	if (rc < 0) {
 		selinux_log(SELINUX_ERROR, "SELinux:  Could not load policy:  %s\n",
-			strerror(errno));
+				strerror(errno));
 		munmap(map, sb.st_size);
 		close(fd);
 		return -1;