Add flags to restorecon_recursive to traverse filesystems
Use to solve the problem of tracefs conditionally being mounted
under debugfs and needing restorecon'd without boot performance
penalty.
Also move skip-ce to a flag for consistency.
Test: Check that trace_mount has correct attributes after boot
Bug: 32849675
Change-Id: Ib6731f502b6afc393ea5ada96fa95b339f14da49
diff --git a/init/builtins.cpp b/init/builtins.cpp
index 08b591b..20d4d3a 100644
--- a/init/builtins.cpp
+++ b/init/builtins.cpp
@@ -40,6 +40,7 @@
#include <thread>
+#include <selinux/android.h>
#include <selinux/selinux.h>
#include <selinux/label.h>
@@ -904,25 +905,49 @@
static int do_restorecon(const std::vector<std::string>& args) {
int ret = 0;
- for (auto it = std::next(args.begin()); it != args.end(); ++it) {
- if (restorecon(it->c_str()) < 0)
- ret = -errno;
+ struct flag_type {const char* name; int value;};
+ static const flag_type flags[] = {
+ {"--recursive", SELINUX_ANDROID_RESTORECON_RECURSE},
+ {"--skip-ce", SELINUX_ANDROID_RESTORECON_SKIPCE},
+ {"--cross-filesystems", SELINUX_ANDROID_RESTORECON_CROSS_FILESYSTEMS},
+ {0, 0}
+ };
+
+ int flag = 0;
+
+ bool in_flags = true;
+ for (size_t i = 1; i < args.size(); ++i) {
+ if (android::base::StartsWith(args[i], "--")) {
+ if (!in_flags) {
+ LOG(ERROR) << "restorecon - flags must precede paths";
+ return -1;
+ }
+ bool found = false;
+ for (size_t j = 0; flags[j].name; ++j) {
+ if (args[i] == flags[j].name) {
+ flag |= flags[j].value;
+ found = true;
+ break;
+ }
+ }
+ if (!found) {
+ LOG(ERROR) << "restorecon - bad flag " << args[i];
+ return -1;
+ }
+ } else {
+ in_flags = false;
+ if (restorecon(args[i].c_str(), flag) < 0) {
+ ret = -errno;
+ }
+ }
}
return ret;
}
static int do_restorecon_recursive(const std::vector<std::string>& args) {
- int ret = 0;
-
- for (auto it = std::next(args.begin()); it != args.end(); ++it) {
- /* The contents of CE paths are encrypted on FBE devices until user
- * credentials are presented (filenames inside are mangled), so we need
- * to delay restorecon of those until vold explicitly requests it. */
- if (restorecon_recursive_skipce(it->c_str()) < 0) {
- ret = -errno;
- }
- }
- return ret;
+ std::vector<std::string> non_const_args(args);
+ non_const_args.insert(std::next(non_const_args.begin()), "--recursive");
+ return do_restorecon(non_const_args);
}
static int do_loglevel(const std::vector<std::string>& args) {
diff --git a/init/devices.cpp b/init/devices.cpp
index 2452c1d..2db24b7 100644
--- a/init/devices.cpp
+++ b/init/devices.cpp
@@ -190,7 +190,7 @@
if (access(path.c_str(), F_OK) == 0) {
LOG(VERBOSE) << "restorecon_recursive: " << path;
- restorecon_recursive(path.c_str());
+ restorecon(path.c_str(), SELINUX_ANDROID_RESTORECON_RECURSE);
}
}
diff --git a/init/init.cpp b/init/init.cpp
index cbd46bf..4efcc34 100644
--- a/init/init.cpp
+++ b/init/init.cpp
@@ -657,8 +657,8 @@
restorecon("/dev/socket");
restorecon("/dev/__properties__");
restorecon("/property_contexts");
- restorecon_recursive("/sys");
- restorecon_recursive("/dev/block");
+ restorecon("/sys", SELINUX_ANDROID_RESTORECON_RECURSE);
+ restorecon("/dev/block", SELINUX_ANDROID_RESTORECON_RECURSE);
restorecon("/dev/device-mapper");
epoll_fd = epoll_create1(EPOLL_CLOEXEC);
diff --git a/init/property_service.cpp b/init/property_service.cpp
index e7176c6..e198297 100644
--- a/init/property_service.cpp
+++ b/init/property_service.cpp
@@ -42,6 +42,7 @@
#include <netinet/in.h>
#include <sys/mman.h>
+#include <selinux/android.h>
#include <selinux/selinux.h>
#include <selinux/label.h>
@@ -175,7 +176,7 @@
if (valuelen >= PROP_VALUE_MAX) return -1;
if (strcmp("selinux.restorecon_recursive", name) == 0 && valuelen > 0) {
- if (restorecon_recursive(value) != 0) {
+ if (restorecon(value, SELINUX_ANDROID_RESTORECON_RECURSE) != 0) {
LOG(ERROR) << "Failed to restorecon_recursive " << value;
}
}
diff --git a/init/util.cpp b/init/util.cpp
index 65b238b..5205ea0 100644
--- a/init/util.cpp
+++ b/init/util.cpp
@@ -369,20 +369,9 @@
return rc;
}
-int restorecon(const char* pathname)
+int restorecon(const char* pathname, int flags)
{
- return selinux_android_restorecon(pathname, 0);
-}
-
-int restorecon_recursive(const char* pathname)
-{
- return selinux_android_restorecon(pathname, SELINUX_ANDROID_RESTORECON_RECURSE);
-}
-
-int restorecon_recursive_skipce(const char* pathname)
-{
- return selinux_android_restorecon(pathname,
- SELINUX_ANDROID_RESTORECON_RECURSE | SELINUX_ANDROID_RESTORECON_SKIPCE);
+ return selinux_android_restorecon(pathname, flags);
}
/*
diff --git a/init/util.h b/init/util.h
index ef40748..d56da39 100644
--- a/init/util.h
+++ b/init/util.h
@@ -68,9 +68,7 @@
void import_kernel_cmdline(bool in_qemu,
const std::function<void(const std::string&, const std::string&, bool)>&);
int make_dir(const char *path, mode_t mode);
-int restorecon(const char *pathname);
-int restorecon_recursive(const char *pathname);
-int restorecon_recursive_skipce(const char *pathname);
+int restorecon(const char *pathname, int flags = 0);
std::string bytes_to_hex(const uint8_t *bytes, size_t bytes_len);
bool is_dir(const char* pathname);
bool expand_props(const std::string& src, std::string* dst);
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 4e766bb..fb53178 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -293,11 +293,8 @@
mount none /mnt/runtime/default /storage slave bind rec
# Make sure /sys/kernel/debug (if present) is labeled properly
- restorecon_recursive /sys/kernel/debug
-
- # On systems with tracefs, tracing is a separate mount, so make sure
- # it too is correctly labeled
- restorecon_recursive /sys/kernel/debug/tracing
+ # Note that tracefs may be mounted under debug, so we need to cross filesystems
+ restorecon --recursive --cross-filesystems /sys/kernel/debug
# We chown/chmod /cache again so because mount is run as root + defaults
chown system cache /cache
@@ -462,7 +459,7 @@
init_user0
# Set SELinux security contexts on upgrade or policy update.
- restorecon_recursive /data
+ restorecon --recursive --skip-ce /data
# Check any timezone data in /data is newer than the copy in /system, delete if not.
exec - system system -- /system/bin/tzdatacheck /system/usr/share/zoneinfo /data/misc/zoneinfo