Merge "Improve bad error reporting seen in shamu SELinux boot failures."
diff --git a/init/devices.cpp b/init/devices.cpp
index 96b1696..2c7f5a9 100644
--- a/init/devices.cpp
+++ b/init/devices.cpp
@@ -266,7 +266,6 @@
static void add_platform_device(const char *path)
{
int path_len = strlen(path);
- struct listnode *node;
struct platform_node *bus;
const char *name = path;
@@ -276,15 +275,6 @@
name += 9;
}
- list_for_each_reverse(node, &platform_names) {
- bus = node_to_item(node, struct platform_node, list);
- if ((bus->path_len < path_len) &&
- (path[bus->path_len] == '/') &&
- !strncmp(path, bus->path, bus->path_len))
- /* subdevice of an existing platform, ignore it */
- return;
- }
-
INFO("adding platform device %s (%s)\n", name, path);
bus = (platform_node*) calloc(1, sizeof(struct platform_node));
diff --git a/init/init.cpp b/init/init.cpp
index ed20661..b1d65db 100644
--- a/init/init.cpp
+++ b/init/init.cpp
@@ -940,13 +940,7 @@
return 0;
}
-static void security_failure() {
- ERROR("Security failure; rebooting into recovery mode...\n");
- android_reboot(ANDROID_RB_RESTART2, 0, "recovery");
- while (true) { pause(); } // never reached
-}
-
-static void selinux_initialize(bool in_kernel_domain) {
+static void selinux_initialize() {
Timer t;
selinux_callback cb;
@@ -959,27 +953,19 @@
return;
}
- if (in_kernel_domain) {
- if (write_file("/sys/fs/selinux/checkreqprot", "0") == -1) {
- ERROR("couldn't write to /sys/fs/selinux/checkreqprot: %s\n",
- strerror(errno));
- security_failure();
- }
-
- INFO("Loading SELinux policy...\n");
- if (selinux_android_load_policy() < 0) {
- ERROR("failed to load policy: %s\n", strerror(errno));
- security_failure();
- }
-
- bool is_enforcing = selinux_is_enforcing();
- security_setenforce(is_enforcing);
-
- NOTICE("(Initializing SELinux %s took %.2fs.)\n",
- is_enforcing ? "enforcing" : "non-enforcing", t.duration());
- } else {
- selinux_init_all_handles();
+ INFO("Loading SELinux policy...\n");
+ if (selinux_android_load_policy() < 0) {
+ ERROR("SELinux: Failed to load policy; rebooting into recovery mode\n");
+ android_reboot(ANDROID_RB_RESTART2, 0, "recovery");
+ while (1) { pause(); } // never reached
}
+
+ selinux_init_all_handles();
+ bool is_enforcing = selinux_is_enforcing();
+ INFO("SELinux: security_setenforce(%d)\n", is_enforcing);
+ security_setenforce(is_enforcing);
+
+ NOTICE("(Initializing SELinux took %.2fs.)\n", t.duration());
}
int main(int argc, char** argv) {
@@ -1020,8 +1006,7 @@
klog_init();
klog_set_level(KLOG_NOTICE_LEVEL);
- bool is_first_stage = (argc == 1);
- NOTICE("init%s started!\n", is_first_stage ? "" : " second stage");
+ NOTICE("init started!\n");
property_init();
@@ -1034,23 +1019,7 @@
// used by init as well as the current required properties.
export_kernel_boot_props();
- // Set up SELinux, including loading the SELinux policy if we're in the kernel domain.
- selinux_initialize(is_first_stage);
-
- // If we're in the kernel domain, re-exec init to transition to the init domain now
- // that the SELinux policy has been loaded.
- if (is_first_stage) {
- if (restorecon("/init") == -1) {
- ERROR("restorecon failed: %s\n", strerror(errno));
- security_failure();
- }
- char* path = argv[0];
- char* args[] = { path, const_cast<char*>("--second-stage"), nullptr };
- if (execv(path, args) == -1) {
- ERROR("execv(\"%s\") failed: %s\n", path, strerror(errno));
- security_failure();
- }
- }
+ selinux_initialize();
// These directories were necessarily created before initial policy load
// and therefore need their security context restored to the proper value.
diff --git a/rootdir/etc/mountd.conf b/rootdir/etc/mountd.conf
deleted file mode 100644
index 094a2c7..0000000
--- a/rootdir/etc/mountd.conf
+++ /dev/null
@@ -1,19 +0,0 @@
-## mountd configuration file
-
-## add a mount entry for each mount point to be managed by mountd
-mount {
- ## root block device with partition map or raw FAT file system
- block_device /dev/block/mmcblk0
-
- ## mount point for block device
- mount_point /sdcard
-
- ## true if this mount point can be shared via USB mass storage
- enable_ums true
-
- ## path to the UMS driver file for specifying the block device path
- ## use this for the mass_storage function driver
- driver_store_path /sys/devices/platform/usb_mass_storage/lun0/file
- ## use this for android_usb composite gadget driver
- ##driver_store_path /sys/devices/platform/msm_hsusb/gadget/lun0/file
-}
diff --git a/rootdir/init.rc b/rootdir/init.rc
index c00c590..d3c562f 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -14,6 +14,13 @@
# Set init and its forked children's oom_adj.
write /proc/1/oom_score_adj -1000
+ # Apply strict SELinux checking of PROT_EXEC on mmap/mprotect calls.
+ write /sys/fs/selinux/checkreqprot 0
+
+ # Set the security context for the init process.
+ # This should occur before anything else (e.g. ueventd) is started.
+ setcon u:r:init:s0
+
# Set the security context of /adb_keys if present.
restorecon /adb_keys