diff options
| author | gcondra@google.com <gcondra@google.com> | 2013-05-14 23:43:56 -0700 |
|---|---|---|
| committer | Android Git Automerger <android-git-automerger@android.com> | 2013-05-14 23:43:56 -0700 |
| commit | 5a98566d589408c78e35f4476f478a2fa1c13e78 (patch) | |
| tree | 3e17a8e334543059a0895be111f4d6e78f4ca640 /init/init.c | |
| parent | a817ff9cf61daeb69e8b8382c80677e3e5c573a9 (diff) | |
| parent | 921be8b6568df0057c4eacbac2e1022b71e09620 (diff) | |
| download | core-5a98566d589408c78e35f4476f478a2fa1c13e78.tar.gz core-5a98566d589408c78e35f4476f478a2fa1c13e78.tar.bz2 core-5a98566d589408c78e35f4476f478a2fa1c13e78.zip | |
am 921be8b6: Add a version check for SELinux policy on device.
* commit '921be8b6568df0057c4eacbac2e1022b71e09620':
Add a version check for SELinux policy on device.
Diffstat (limited to 'init/init.c')
| -rwxr-xr-x | init/init.c | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/init/init.c b/init/init.c index 516bf571c..54adabb1b 100755 --- a/init/init.c +++ b/init/init.c @@ -61,6 +61,9 @@ struct selabel_handle *sehandle; struct selabel_handle *sehandle_prop; +#define SELINUX_DATA_POLICY_VERSION_PATH "/data/security/bundle/metadata/version" +#define SELINUX_BOOT_POLICY_VERSION_PATH "/sepolicy.version" + static int property_triggers_enabled = 0; #if BOOTCHART @@ -774,6 +777,58 @@ void selinux_init_all_handles(void) sehandle_prop = selinux_android_prop_context_handle(); } +static int selinux_read_version_file(char *version_file_path) +{ + unsigned version_string_length = 0; + unsigned characters_consumed = 0; + int policy_version = 0; + char *version_string; + + version_string = read_file(version_file_path, &version_string_length); + if (version_string == NULL) + return -1; + + sscanf(version_string, "%d%n", &policy_version, &characters_consumed); + free(version_string); + + if (characters_consumed != (version_string_length - 1)) + return -1; + + return policy_version; +} + +static int selinux_check_policy_version(void) +{ + int data_policy_version = 0; + int boot_policy_version = 0; + + // get the policy version for the sepolicy on the data partition + // fail open to allow the existing policy to relabel + data_policy_version = selinux_read_version_file(SELINUX_DATA_POLICY_VERSION_PATH); + if (data_policy_version < 0) { + INFO("Couldn't read data policy version file"); + return 0; + } + + // get the policy version for the sepolicy on the boot partition + // fail open to allow devices without an sepolicy.version to update + boot_policy_version = selinux_read_version_file(SELINUX_BOOT_POLICY_VERSION_PATH); + if (boot_policy_version < 0) { + INFO("Couldn't read boot policy version file"); + return 0; + } + + // return an error if the "updated" policy is too old + if (data_policy_version <= boot_policy_version) { + ERROR("SELinux: data policy version (%d) <= factory policy version (%d)", + data_policy_version, + boot_policy_version); + return -1; + } + + return 0; +} + int selinux_reload_policy(void) { if (!selinux_enabled) { @@ -782,6 +837,10 @@ int selinux_reload_policy(void) INFO("SELinux: Attempting to reload policy files\n"); + if (selinux_check_policy_version() == -1) { + return -1; + } + if (selinux_android_reload_policy() == -1) { return -1; } |