Compile sepolicy on-device at early boot.
Compile policy from disparate sources at the beginning of init and use it to load,
rather than relying on prebuilt policy.
Bug: 31363362
Test: Policy builds on-device and boots.
Change-Id: I681ec3f7da351d0b24d1f1e81e8a6b00c9c9d20c
diff --git a/init/Android.mk b/init/Android.mk
index ecdf5db..4999e58 100644
--- a/init/Android.mk
+++ b/init/Android.mk
@@ -95,6 +95,7 @@
libext4_utils_static \
libbase \
libc \
+ libsepol \
libselinux \
liblog \
libcrypto_utils \
diff --git a/init/init.cpp b/init/init.cpp
index 2d474c7..5bf8069 100644
--- a/init/init.cpp
+++ b/init/init.cpp
@@ -36,6 +36,8 @@
#include <sys/wait.h>
#include <unistd.h>
+#include <cil/android.h>
+#include <cil/cil.h>
#include <selinux/selinux.h>
#include <selinux/label.h>
#include <selinux/android.h>
@@ -517,6 +519,13 @@
return 0;
}
+/* policy is a combination of platform, non-platform and mapping policy files */
+static constexpr const char* pol_files[] = {
+ "/plat_sepolicy.cil",
+ "/mapping_sepolicy.cil",
+ "/nonplat_sepolicy.cil" // TODO, switch to different partition when final.
+};
+
static void selinux_initialize(bool in_kernel_domain) {
Timer t;
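Review bot: The comment above `pol_files` says what the policy is composed of but not where the files come from, whether their order matters, or what happens when one is missing, which is exactly what a maintainer acting on the TODO on the last entry will need. All three entries are absolute paths at the root of the filesystem init runs from, and the array is handed to `cil_android_compile_policy` in the following hunk, where a failure is treated as fatal. Suggest widening the comment to `// Policy sources compiled at boot by cil_android_compile_policy(); all are read from the root filesystem and a compile failure is fatal (security_failure).`, and, if the compiler depends on the platform/mapping/non-platform order, stating that too so a later reordering is not silent. The TODO should also be moved onto its own line above the entry rather than trailing the initializer, matching how the header comment is written.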
@@ -525,13 +534,24 @@
selinux_set_callback(SELINUX_CB_LOG, cb);
cb.func_audit = audit_callback;
selinux_set_callback(SELINUX_CB_AUDIT, cb);
+ cil_set_log_handler((void (*)(int, char*))selinux_klog_callback);
if (in_kernel_domain) {
+ void* pol_data = NULL;
+ size_t pol_len = 0;
+
+ LOG(INFO) << "Compiling SELinux policy...";
+ if (cil_android_compile_policy(&pol_data, &pol_len, pol_files,
+ arraysize(pol_files)) < 0) {
+ LOG(ERROR) << "failed to compile policy";
+ security_failure();
+ }
LOG(INFO) << "Loading SELinux policy...";
- if (selinux_android_load_policy() < 0) {
+ if (selinux_android_load_policy(pol_data, pol_len) < 0) {
PLOG(ERROR) << "failed to load policy";
security_failure();
}
+ free(pol_data);
bool kernel_enforcing = (security_getenforce() == 1);
bool is_enforcing = selinux_is_enforcing();
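Review bot: The cast `(void (*)(int, char*))selinux_klog_callback` on the new `cil_set_log_handler` line silences a signature mismatch rather than resolving it; calling a function through a pointer of an incompatible type is undefined behavior, and if `selinux_klog_callback` takes a printf-style format (the cast suggests its second parameter is not a plain `char*`), every CIL log message, which can embed identifiers taken from the policy files, would be used as a format string. A two-line adapter that forwards the message through `"%s"` removes both problems and gives a place to map CIL log levels onto the callback's type argument if those enums differ. Separately, on the compile-failure path `pol_data` is not released before `security_failure()`; that is fine only if `security_failure()` never returns, which the hunk does not show, so a comment or an explicit `free(pol_data)` there would make the intent clear. `selinux_initialize` continues past the end of this hunk.
```cpp
// Adapter: the CIL logger hands us a finished message, not a format string,
// so forward it through "%s" rather than casting the handler's type away.
static void cil_log_to_klog(int lvl, char* msg) {
    // TODO(review): confirm CIL log levels map onto the SELINUX_CB_LOG types.
    selinux_klog_callback(lvl, "%s", msg);
}
// … unchanged: selinux_initialize up to the callback registration …
    cil_set_log_handler(cil_log_to_klog);
```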