summaryrefslogtreecommitdiffstats
path: root/init
diff options
context:
space:
mode:
authorNick Kralevich <nnk@google.com>2013-06-24 17:41:40 -0700
committerNick Kralevich <nnk@google.com>2013-06-25 11:23:29 -0700
commitb710ed21dec88c0dde8209264df054c842561589 (patch)
tree8cac1258e36aed0f6122dbc4ebff39f8d7b56e0a /init
parent62362e1a64e09c6223ad6598601bb0adca28d296 (diff)
downloadcore-b710ed21dec88c0dde8209264df054c842561589.tar.gz
core-b710ed21dec88c0dde8209264df054c842561589.tar.bz2
core-b710ed21dec88c0dde8209264df054c842561589.zip
init: move SELinux into enforcing mode.
When init starts up, immediately put SELinux into enforcing mode. This is currently a no-op. We currently have everything in the unconfined domain, so this should not break anything. (if it does, I'll roll it back immediately) If the kernel doesn't have SELinux support compiled in, then don't try loading a policy and continue without SELinux protections. Change-Id: Id0279cf82c545ea0f7090137b7566a5bc3ddd641
Diffstat (limited to 'init')
-rw-r--r--[-rwxr-xr-x]init/init.c41
1 files changed, 20 insertions, 21 deletions
diff --git a/init/init.c b/init/init.c
index fd428b01f..4a335ca77 100755..100644
--- a/init/init.c
+++ b/init/init.c
@@ -39,6 +39,7 @@
#include <libgen.h>
#include <cutils/list.h>
+#include <cutils/android_reboot.h>
#include <cutils/sockets.h>
#include <cutils/iosched_policy.h>
#include <private/android_filesystem_config.h>
@@ -73,8 +74,6 @@ static char hardware[32];
static unsigned revision = 0;
static char qemu[32];
-static int selinux_enabled = 1;
-
static struct action *cur_action = NULL;
static struct command *cur_command = NULL;
static struct listnode *command_queue = NULL;
@@ -594,10 +593,6 @@ static void import_kernel_nv(char *name, int for_emulator)
*value++ = 0;
if (name_len == 0) return;
- if (!strcmp(name,"selinux")) {
- selinux_enabled = atoi(value);
- }
-
if (for_emulator) {
/* in the emulator, export any kernel option with the
* ro.kernel. prefix */
@@ -780,10 +775,6 @@ void selinux_init_all_handles(void)
int selinux_reload_policy(void)
{
- if (!selinux_enabled) {
- return -1;
- }
-
INFO("SELinux: Attempting to reload policy files\n");
if (selinux_android_reload_policy() == -1) {
@@ -806,6 +797,24 @@ int audit_callback(void *data, security_class_t cls, char *buf, size_t len)
return 0;
}
+static void selinux_initialize(void)
+{
+ if (access("/sys/fs/selinux", F_OK) != 0) {
+ // SELinux is not compiled into this kernel. Fail gracefully.
+ return;
+ }
+
+ INFO("loading selinux policy\n");
+ if (selinux_android_load_policy() < 0) {
+ ERROR("SELinux: Failed to load policy; rebooting into recovery mode\n");
+ android_reboot(ANDROID_RB_RESTART2, 0, "recovery");
+ while (1) { pause(); } // never reached
+ }
+
+ selinux_init_all_handles();
+ security_setenforce(1);
+}
+
int main(int argc, char **argv)
{
int fd_count = 0;
@@ -866,17 +875,7 @@ int main(int argc, char **argv)
cb.func_audit = audit_callback;
selinux_set_callback(SELINUX_CB_AUDIT, cb);
- INFO("loading selinux policy\n");
- if (selinux_enabled) {
- if (selinux_android_load_policy() < 0) {
- selinux_enabled = 0;
- INFO("SELinux: Disabled due to failed policy load\n");
- } else {
- selinux_init_all_handles();
- }
- } else {
- INFO("SELinux: Disabled by command line option\n");
- }
+ selinux_initialize();
/* These directories were necessarily created before initial policy load
* and therefore need their security context restored to the proper value.
* This must happen before /dev is populated by ueventd.