init: use platform sepolicy version indicated by /vendor.
It's possible, in the event of a platform update, for the platform
SELinux policy to change from the policy on which the vendor SELinux
policy was originally based. In this case, a different mapping file
to bridge the differences between the new policy and the old needs to
be selected.
Make init choose which mapping policy file to use based on the version
reported in /vendor/etc/selinux/plat_sepolicy_vers.txt.
Bug: 36783775
Test: Force compilation of sepolicy on-device with mapping file changed
to new location and name, using the value reported on /vendor.
Change-Id: I63c883ccb79dd31c92dabe44a55c4ab50a3735e6
diff --git a/init/init.cpp b/init/init.cpp
index 94bf37a..e6932d9 100644
--- a/init/init.cpp
+++ b/init/init.cpp
@@ -736,6 +736,18 @@
return true;
}
+static bool selinux_get_vendor_mapping_version(std::string* plat_vers) {
+ if (!read_first_line("/vendor/etc/selinux/plat_sepolicy_vers.txt", plat_vers)) {
+ PLOG(ERROR) << "Failed to read /vendor/etc/selinux/plat_sepolicy_vers.txt";
+ return false;
+ }
+ if (plat_vers->empty()) {
+ LOG(ERROR) << "No version present in plat_sepolicy_vers.txt";
+ return false;
+ }
+ return true;
+}
+
static constexpr const char plat_policy_cil_file[] = "/system/etc/selinux/plat_sepolicy.cil";
static bool selinux_is_split_policy_device() { return access(plat_policy_cil_file, R_OK) != -1; }
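Review bot: The version string read from /vendor/etc/selinux/plat_sepolicy_vers.txt is handed back unvalidated and, in the next hunk, spliced into a path under /system/etc/selinux/mapping/, so nothing in selinux_get_vendor_mapping_version rejects a value containing '/', '..' or stray whitespace. Since this function is the single place the vendor-supplied value is checked, it should also enforce the expected format; assuming versions are dotted numerals, add after the empty check `if (plat_vers->find_first_not_of("0123456789.") != std::string::npos) { LOG(ERROR) << "Invalid version in plat_sepolicy_vers.txt"; return false; }`. Whether read_first_line strips a trailing newline or CR is not visible here; if it does not, the same check catches it. A one-line header comment would also help: `// Reads the platform sepolicy version the vendor policy was built against; false if the file is unreadable or empty.`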
@@ -790,6 +802,12 @@
return false;
}
+ // Determine which mapping file to include
+ std::string vend_plat_vers;
+ if (!selinux_get_vendor_mapping_version(&vend_plat_vers)) {
+ return false;
+ }
+ std::string mapping_file("/system/etc/selinux/mapping/" + vend_plat_vers + ".cil");
// clang-format off
const char* compile_args[] = {
"/system/bin/secilc",
@@ -797,7 +815,7 @@
"-M", "true",
// Target the highest policy language version supported by the kernel
"-c", std::to_string(max_policy_version).c_str(),
- "/system/etc/selinux/mapping_sepolicy.cil",
+ mapping_file.c_str(),
"/vendor/etc/selinux/nonplat_sepolicy.cil",
"-o", compiled_sepolicy,
// We don't care about file_contexts output by the compiler
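Review bot: The new `mapping_file.c_str()` entry is valid only while `mapping_file` is alive, which holds here because it is a named local in the same function; the line just above it, `std::to_string(max_policy_version).c_str()`, does the same thing with a temporary that is destroyed at the end of the compile_args initializer, so that entry is already dangling by the time the array is used. While touching this initializer, give the version the same treatment as mapping_file: `std::string version_as_string = std::to_string(max_policy_version);` before the array and `"-c", version_as_string.c_str(),` inside it. The point where compile_args is consumed lies outside the hunk, so I have not confirmed how far the pointers have to live.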