Merge "Separate system_ext_sepolicy.cil out of system sepolicy" am: 34aba6a690
am: d6441fc4bc

Change-Id: I2fa73feee7c89197fda05f800238ab901370d704
diff --git a/init/selinux.cpp b/init/selinux.cpp
index 4852cd0..a15d136 100644
--- a/init/selinux.cpp
+++ b/init/selinux.cpp
@@ -36,16 +36,18 @@
 // The split SEPolicy is loaded as described below:
 // 1) There is a precompiled SEPolicy located at either /vendor/etc/selinux/precompiled_sepolicy or
 //    /odm/etc/selinux/precompiled_sepolicy if odm parition is present.  Stored along with this file
-//    are the sha256 hashes of the parts of the SEPolicy on /system and /product that were used to
-//    compile this precompiled policy.  The system partition contains a similar sha256 of the parts
-//    of the SEPolicy that it currently contains.  Symmetrically, product paritition contains a
-//    sha256 of its SEPolicy.  System loads this precompiled_sepolicy directly if and only if hashes
-//    for system policy match and hashes for product policy match.
-// 2) If these hashes do not match, then either /system or /product (or both) have been updated out
-//    of sync with /vendor and the init needs to compile the SEPolicy.  /system contains the
-//    SEPolicy compiler, secilc, and it is used by the LoadSplitPolicy() function below to compile
-//    the SEPolicy to a temp directory and load it.  That function contains even more documentation
-//    with the specific implementation details of how the SEPolicy is compiled if needed.
+//    are the sha256 hashes of the parts of the SEPolicy on /system, /system_ext and /product that
+//    were used to compile this precompiled policy.  The system partition contains a similar sha256
+//    of the parts of the SEPolicy that it currently contains.  Symmetrically, system_ext and
+//    product paritition contain sha256 hashes of their SEPolicy.  The init loads this
+//    precompiled_sepolicy directly if and only if the hashes along with the precompiled SEPolicy on
+//    /vendor or /odm match the hashes for system, system_ext and product SEPolicy, respectively.
+// 2) If these hashes do not match, then either /system or /system_ext or /product (or some of them)
+//    have been updated out of sync with /vendor (or /odm if it is present) and the init needs to
+//    compile the SEPolicy.  /system contains the SEPolicy compiler, secilc, and it is used by the
+//    LoadSplitPolicy() function below to compile the SEPolicy to a temp directory and load it.
+//    That function contains even more documentation with the specific implementation details of how
+//    the SEPolicy is compiled if needed.
 
 #include "selinux.h"
 
@@ -228,6 +230,13 @@
                       "/system/etc/selinux/plat_sepolicy_and_mapping.sha256";
         return false;
     }
+    std::string actual_system_ext_id;
+    if (!ReadFirstLine("/system_ext/etc/selinux/system_ext_sepolicy_and_mapping.sha256",
+                       &actual_system_ext_id)) {
+        PLOG(INFO) << "Failed to read "
+                      "/system_ext/etc/selinux/system_ext_sepolicy_and_mapping.sha256";
+        return false;
+    }
     std::string actual_product_id;
     if (!ReadFirstLine("/product/etc/selinux/product_sepolicy_and_mapping.sha256",
                        &actual_product_id)) {
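Review bot: The new read makes /system_ext/etc/selinux/system_ext_sepolicy_and_mapping.sha256 a hard requirement: when the file is missing the function returns false (`return false;` after the PLOG), so the precompiled policy is rejected and, per the header comment, init presumably falls back to compiling the policy at every boot on a device that ships no system_ext policy. That mirrors how the product hash is already treated in the lines that follow, so it looks deliberate, but nothing states the choice; a comment such as `// A missing system_ext hash is treated like a mismatch: the precompiled policy is only used when all three hashes are present and match.` would make it explicit. If system_ext is meant to be optional, this branch and the comparison added in the next hunk would both need to accept absence on both the actual and precompiled side as a match. The enclosing function starts outside this hunk.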
@@ -243,6 +252,13 @@
         file->clear();
         return false;
     }
+    std::string precompiled_system_ext_id;
+    std::string precompiled_system_ext_sha256 = *file + ".system_ext_sepolicy_and_mapping.sha256";
+    if (!ReadFirstLine(precompiled_system_ext_sha256.c_str(), &precompiled_system_ext_id)) {
+        PLOG(INFO) << "Failed to read " << precompiled_system_ext_sha256;
+        file->clear();
+        return false;
+    }
     std::string precompiled_product_id;
     std::string precompiled_product_sha256 = *file + ".product_sepolicy_and_mapping.sha256";
     if (!ReadFirstLine(precompiled_product_sha256.c_str(), &precompiled_product_id)) {
@@ -251,6 +267,7 @@
         return false;
     }
     if (actual_plat_id.empty() || actual_plat_id != precompiled_plat_id ||
+        actual_system_ext_id.empty() || actual_system_ext_id != precompiled_system_ext_id ||
         actual_product_id.empty() || actual_product_id != precompiled_product_id) {
         file->clear();
         return false;
@@ -336,6 +353,17 @@
         plat_compat_cil_file.clear();
     }
 
+    std::string system_ext_policy_cil_file("/system_ext/etc/selinux/system_ext_sepolicy.cil");
+    if (access(system_ext_policy_cil_file.c_str(), F_OK) == -1) {
+        system_ext_policy_cil_file.clear();
+    }
+
+    std::string system_ext_mapping_file("/system_ext/etc/selinux/mapping/" + vend_plat_vers +
+                                        ".cil");
+    if (access(system_ext_mapping_file.c_str(), F_OK) == -1) {
+        system_ext_mapping_file.clear();
+    }
+
     std::string product_policy_cil_file("/product/etc/selinux/product_sepolicy.cil");
     if (access(product_policy_cil_file.c_str(), F_OK) == -1) {
         product_policy_cil_file.clear();
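Review bot: The two new blocks repeat the existing build-path / `access(..., F_OK)` / `clear()` probe verbatim, so the function (presumably LoadSplitPolicy, whose start is outside the hunk) now carries the same five-line pattern for every optional CIL input, and the next hunk adds the matching pair of `if (!x.empty()) compile_args.push_back(x.c_str());` guards. A small file-local helper would collapse each probe to one line, e.g. `static std::string PathIfPresent(std::string path) { return access(path.c_str(), F_OK) == 0 ? std::move(path) : std::string(); }` used as `std::string system_ext_policy_cil_file = PathIfPresent("/system_ext/etc/selinux/system_ext_sepolicy.cil");`. The `.c_str()` pointers pushed into compile_args in the next hunk point into these locals, so the helper must return the owning std::string rather than a view, as the quoted form does.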
@@ -384,6 +412,12 @@
     if (!plat_compat_cil_file.empty()) {
         compile_args.push_back(plat_compat_cil_file.c_str());
     }
+    if (!system_ext_policy_cil_file.empty()) {
+        compile_args.push_back(system_ext_policy_cil_file.c_str());
+    }
+    if (!system_ext_mapping_file.empty()) {
+        compile_args.push_back(system_ext_mapping_file.c_str());
+    }
     if (!product_policy_cil_file.empty()) {
         compile_args.push_back(product_policy_cil_file.c_str());
     }