authorStephen Smalley <sds@tycho.nsa.gov>2012-01-13 08:48:47 -0500
committerStephen Smalley <sds@tycho.nsa.gov>2012-02-01 07:49:08 -0500
commite46f9d510db9351682cf17c49115110870147335 (patch)
treeb7c4d2cc1cda52ab1aeb041cd8c78e49ea6c8d6a /init/util.c
parent0458d373261d89979529853fa63cdd998b12e04a (diff)
Extend init and ueventd for SE Android.
Add SE Android support for init and ueventd. init: - Load policy at boot. - Set the security context for service daemons and their sockets. - New built-in commands: setcon, setenforce, restorecon, setsebool. - New option for services: seclabel. ueventd: - Set the security context for device directories and nodes. Change-Id: I98ed752cde503c94d99dfa5b5a47e3c33db16aac
Diffstat (limited to 'init/util.c')
-rwxr-xr-xinit/util.c22
1 files changed, 22 insertions, 0 deletions
diff --git a/init/util.c b/init/util.c
index 13c9ca25..3a4b10b0 100755
--- a/init/util.c
+++ b/init/util.c
@@ -23,6 +23,10 @@
#include <errno.h>
#include <time.h>
+#ifdef HAVE_SELINUX
+#include <selinux/label.h>
+#endif
+
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/socket.h>
@@ -33,6 +37,7 @@
#include <private/android_filesystem_config.h>
+#include "init.h"
#include "log.h"
#include "util.h"
@@ -84,6 +89,9 @@ int create_socket(const char *name, int type, mode_t perm, uid_t uid, gid_t gid)
{
struct sockaddr_un addr;
int fd, ret;
+#ifdef HAVE_SELINUX
+ char *secon;
+#endif
fd = socket(PF_UNIX, type, 0);
if (fd < 0) {
@@ -102,12 +110,26 @@ int create_socket(const char *name, int type, mode_t perm, uid_t uid, gid_t gid)
goto out_close;
}
+#ifdef HAVE_SELINUX
+ secon = NULL;
+ if (sehandle) {
+ ret = selabel_lookup(sehandle, &secon, addr.sun_path, S_IFSOCK);
+ if (ret == 0)
+ setfscreatecon(secon);
+ }
+#endif
+
ret = bind(fd, (struct sockaddr *) &addr, sizeof (addr));
if (ret) {
ERROR("Failed to bind socket '%s': %s\n", name, strerror(errno));
goto out_unlink;
}
+#ifdef HAVE_SELINUX
+ setfscreatecon(NULL);
+ freecon(secon);
+#endif
+
chown(addr.sun_path, uid, gid);
chmod(addr.sun_path, perm);
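Review bot: The bind() failure path at `goto out_unlink` jumps over the added `setfscreatecon(NULL); freecon(secon);` block, so unless the out_unlink code (outside this hunk) resets it, a failed bind leaves the socket's file-creation context set and leaks `secon`. Because this is init, files or sockets it creates afterwards would presumably be labelled with that stale context. Run the reset unconditionally between `bind()` and `if (ret)`, saving `errno` first (`saved_errno = errno;`) so the ERROR line still reports bind's failure through `strerror(saved_errno)`. The return value of `setfscreatecon(secon)` is also ignored, so a failed label set silently produces a socket with the default label; an ERROR log there would make the mislabel visible. create_socket() starts before this hunk and continues after it.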