authorKenny Root <kroot@google.com>2012-08-13 10:21:35 -0700
committerKenny Root <kroot@google.com>2012-08-13 10:21:35 -0700
commit605103fb553a8b872aa8dd0aef76ae8b3bfe47fa (patch)
treeaa2c23c9e87c1872ef7aacc70b446455da1704bd /init
parent98ebf1975f68ffeaa43d5c53964c3dabe8655562 (diff)
parent4dcd52ab11d25fe3d53aab52b6c233e692da4eae (diff)
downloadsystem_core-605103fb553a8b872aa8dd0aef76ae8b3bfe47fa.tar.gz
system_core-605103fb553a8b872aa8dd0aef76ae8b3bfe47fa.tar.bz2
system_core-605103fb553a8b872aa8dd0aef76ae8b3bfe47fa.zip
resolved conflicts for merge of 4dcd52ab to jb-mr1-dev
Change-Id: Ibd0c03a7883a2e31adab18543c016776b7b36866
Diffstat (limited to 'init')
-rw-r--r--init/devices.c11
-rwxr-xr-xinit/init.c111
-rw-r--r--init/init.h1
-rwxr-xr-xinit/property_service.c6
4 files changed, 38 insertions, 91 deletions
diff --git a/init/devices.c b/init/devices.c
index 943a1475..4ffc8857 100644
--- a/init/devices.c
+++ b/init/devices.c
@@ -33,6 +33,7 @@
#ifdef HAVE_SELINUX
#include <selinux/selinux.h>
#include <selinux/label.h>
+#include <selinux/android.h>
#endif
#include <private/android_filesystem_config.h>
@@ -879,12 +880,10 @@ void device_init(void)
struct stat info;
int fd;
#ifdef HAVE_SELINUX
- struct selinux_opt seopts[] = {
- { SELABEL_OPT_PATH, "/file_contexts" }
- };
-
- if (is_selinux_enabled() > 0)
- sehandle = selabel_open(SELABEL_CTX_FILE, seopts, 1);
+ sehandle = NULL;
+ if (is_selinux_enabled() > 0) {
+ sehandle = selinux_android_file_context_handle();
+ }
#endif
/* is 64K enough? udev uses 16MB! */
device_fd = uevent_open_socket(64*1024, true);
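Review bot: The new `sehandle = selinux_android_file_context_handle();` assignment never checks the result, so when the library fails to build the file_contexts handle `sehandle` silently stays NULL and every later device node is created with whatever label the code path gives an unlabeled handle; the removed `selabel_open` call had the same gap, but the old path at least kept the "/file_contexts" location visible here. A one-line check, `if (!sehandle) ERROR("SELinux: Could not load file_contexts handle\n");`, would make the failure visible in the boot log. device_init begins before this hunk and its body continues after it.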
diff --git a/init/init.c b/init/init.c
index 4cf84149..9945c872 100755
--- a/init/init.c
+++ b/init/init.c
@@ -33,9 +33,9 @@
#include <sys/un.h>
#ifdef HAVE_SELINUX
-#include <sys/mman.h>
#include <selinux/selinux.h>
#include <selinux/label.h>
+#include <selinux/android.h>
#endif
#include <libgen.h>
@@ -78,7 +78,6 @@ static char qemu[32];
#ifdef HAVE_SELINUX
static int selinux_enabled = 1;
-static int selinux_enforcing = 0;
#endif
static struct action *cur_action = NULL;
@@ -605,9 +604,7 @@ static void import_kernel_nv(char *name, int for_emulator)
if (name_len == 0) return;
#ifdef HAVE_SELINUX
- if (!strcmp(name,"enforcing")) {
- selinux_enforcing = atoi(value);
- } else if (!strcmp(name,"selinux")) {
+ if (!strcmp(name,"selinux")) {
selinux_enabled = atoi(value);
}
#endif
@@ -759,93 +756,28 @@ static int bootchart_init_action(int nargs, char **args)
#endif
#ifdef HAVE_SELINUX
-void selinux_load_policy(void)
+void selinux_init_all_handles(void)
{
- const char path_prefix[] = "/sepolicy";
- struct selinux_opt seopts[] = {
- { SELABEL_OPT_PATH, "/file_contexts" }
- };
- char path[PATH_MAX];
- int fd, rc, vers;
- struct stat sb;
- void *map;
+ sehandle = selinux_android_file_context_handle();
+}
- sehandle = NULL;
+int selinux_reload_policy(void)
+{
if (!selinux_enabled) {
- INFO("SELinux: Disabled by command line option\n");
- return;
- }
-
- mkdir(SELINUXMNT, 0755);
- if (mount("selinuxfs", SELINUXMNT, "selinuxfs", 0, NULL)) {
- if (errno == ENODEV) {
- /* SELinux not enabled in kernel */
- return;
- }
- ERROR("SELinux: Could not mount selinuxfs: %s\n",
- strerror(errno));
- return;
- }
- set_selinuxmnt(SELINUXMNT);
-
- vers = security_policyvers();
- if (vers <= 0) {
- ERROR("SELinux: Unable to read policy version\n");
- return;
- }
- INFO("SELinux: Maximum supported policy version: %d\n", vers);
-
- snprintf(path, sizeof(path), "%s.%d",
- path_prefix, vers);
- fd = open(path, O_RDONLY);
- while (fd < 0 && errno == ENOENT && --vers) {
- snprintf(path, sizeof(path), "%s.%d",
- path_prefix, vers);
- fd = open(path, O_RDONLY);
- }
- if (fd < 0) {
- ERROR("SELinux: Could not open %s: %s\n",
- path, strerror(errno));
- return;
- }
- if (fstat(fd, &sb) < 0) {
- ERROR("SELinux: Could not stat %s: %s\n",
- path, strerror(errno));
- return;
- }
- map = mmap(NULL, sb.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
- if (map == MAP_FAILED) {
- ERROR("SELinux: Could not map %s: %s\n",
- path, strerror(errno));
- return;
+ return -1;
}
- rc = security_load_policy(map, sb.st_size);
- if (rc < 0) {
- ERROR("SELinux: Could not load policy: %s\n",
- strerror(errno));
- return;
- }
+ INFO("SELinux: Attempting to reload policy files\n");
- rc = security_setenforce(selinux_enforcing);
- if (rc < 0) {
- ERROR("SELinux: Could not set enforcing mode to %s: %s\n",
- selinux_enforcing ? "enforcing" : "permissive", strerror(errno));
- return;
+ if (selinux_android_reload_policy() == -1) {
+ return -1;
}
- munmap(map, sb.st_size);
- close(fd);
- INFO("SELinux: Loaded policy from %s\n", path);
+ if (sehandle)
+ selabel_close(sehandle);
- sehandle = selabel_open(SELABEL_CTX_FILE, seopts, 1);
- if (!sehandle) {
- ERROR("SELinux: Could not load file_contexts: %s\n",
- strerror(errno));
- return;
- }
- INFO("SELinux: Loaded file contexts from %s\n", seopts[0].value);
- return;
+ selinux_init_all_handles();
+ return 0;
}
#endif
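Review bot: Both failure returns in the new `selinux_reload_policy` (the `!selinux_enabled` guard and the `selinux_android_reload_policy() == -1` branch) return -1 without logging, whereas every failure path they replace emitted an `ERROR(...)` line; the only caller added in this commit (the `property_set` hunk in property_service.c) also discards the return value, so a failed runtime reload leaves no trace at all. Suggest `ERROR("SELinux: Policy reload failed: %s\n", strerror(errno));` before the second `return -1;`, and an `INFO` line on the disabled case. Separately, `selinux_init_all_handles` assigns `sehandle` from `selinux_android_file_context_handle()` without a NULL check, so after `selabel_close(sehandle)` a failed handle rebuild leaves init with no file_contexts handle and no message; a `if (!sehandle) ERROR(...)` there would cover both the boot-time and reload callers. The unbraced `if (sehandle) selabel_close(sehandle);` also departs from the braced style used in the new `main` hunk.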
@@ -904,8 +836,17 @@ int main(int argc, char **argv)
#ifdef HAVE_SELINUX
INFO("loading selinux policy\n");
- selinux_load_policy();
- /* These directories were necessarily created before policy load
+ if (selinux_enabled) {
+ if (selinux_android_load_policy() < 0) {
+ selinux_enabled = 0;
+ INFO("SELinux: Disabled due to failed policy load\n");
+ } else {
+ selinux_init_all_handles();
+ }
+ } else {
+ INFO("SELinux: Disabled by command line option\n");
+ }
+ /* These directories were necessarily created before initial policy load
* and therefore need their security context restored to the proper value.
* This must happen before /dev is populated by ueventd.
*/
diff --git a/init/init.h b/init/init.h
index 58bbbfe9..e2d990e6 100644
--- a/init/init.h
+++ b/init/init.h
@@ -138,6 +138,7 @@ int load_565rle_image( char *file_name );
#ifdef HAVE_SELINUX
extern struct selabel_handle *sehandle;
+extern int selinux_reload_policy(void);
#endif
#endif /* _INIT_INIT_H */
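Review bot: Only `selinux_reload_policy` gains a prototype here, but the init.c hunk also defines `void selinux_init_all_handles(void)` with external linkage and no declaration anywhere on this page; it is presumably called only from init.c, so either add `extern void selinux_init_all_handles(void);` next to the new line or make the definition `static` in init.c so the symbol does not leak out of the translation unit without a prototype.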
diff --git a/init/property_service.c b/init/property_service.c
index b092077c..10a8a763 100755
--- a/init/property_service.c
+++ b/init/property_service.c
@@ -88,6 +88,7 @@ struct {
{ "persist.service.", AID_SYSTEM, 0 },
{ "persist.security.", AID_SYSTEM, 0 },
{ "persist.service.bdroid.", AID_BLUETOOTH, 0 },
+ { "selinux." , AID_SYSTEM, 0 },
{ NULL, 0, 0 }
};
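Review bot: The new `{ "selinux." , AID_SYSTEM, 0 },` entry carries no comment explaining what the prefix gates, unlike the effect it has: any system-uid process may now set `selinux.reload_policy`, which the `property_set` hunk below turns into a live policy reload through `selinux_reload_policy()`. A one-line comment such as `/* "selinux.reload_policy"=1 triggers selinux_reload_policy(); see property_set() */` would document that this row is a privileged control knob rather than an ordinary configuration prefix. The stray space before the comma in `"selinux." ,` is also out of step with the surrounding rows.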
@@ -336,6 +337,11 @@ int property_set(const char *name, const char *value)
* to prevent them from being overwritten by default values.
*/
write_persistent_property(name, value);
+#ifdef HAVE_SELINUX
+ } else if (strcmp("selinux.reload_policy", name) == 0 &&
+ strcmp("1", value) == 0) {
+ selinux_reload_policy();
+#endif
}
property_changed(name, value);
return 0;