diff options
| author | Nick Kralevich <nnk@google.com> | 2013-06-24 17:41:40 -0700 |
|---|---|---|
| committer | Nick Kralevich <nnk@google.com> | 2013-09-03 15:54:15 -0700 |
| commit | 56fa0ac6b6e4ca790c0169c21a3106e09cab672c (patch) | |
| tree | 9d1907f733df4f1a87ba4a84927eb9e57e0d9802 | |
| parent | b35f68a6974589fc3c762d6d2c7bac363794e355 (diff) | |
| download | system_core-56fa0ac6b6e4ca790c0169c21a3106e09cab672c.zip system_core-56fa0ac6b6e4ca790c0169c21a3106e09cab672c.tar.gz system_core-56fa0ac6b6e4ca790c0169c21a3106e09cab672c.tar.bz2 | |
init: move SELinux into enforcing mode.
When init starts up, immediately put SELinux into enforcing mode.
This is currently a no-op. We currently have everything in the
unconfined domain, so this should not break anything.
(if it does, I'll roll it back immediately)
If the kernel doesn't have SELinux support compiled in, then
don't try loading a policy and continue without SELinux protections.
Change-Id: Id0279cf82c545ea0f7090137b7566a5bc3ddd641
| -rw-r--r--[-rwxr-xr-x] | init/init.c | 41 |
1 files changed, 20 insertions, 21 deletions
diff --git a/init/init.c b/init/init.c index 0c9bf4a..4ae5c06 100755..100644 --- a/init/init.c +++ b/init/init.c @@ -39,6 +39,7 @@ #include <libgen.h> #include <cutils/list.h> +#include <cutils/android_reboot.h> #include <cutils/sockets.h> #include <cutils/iosched_policy.h> #include <private/android_filesystem_config.h> @@ -73,8 +74,6 @@ static char hardware[32]; static unsigned revision = 0; static char qemu[32]; -static int selinux_enabled = 1; - static struct action *cur_action = NULL; static struct command *cur_command = NULL; static struct listnode *command_queue = NULL; @@ -611,10 +610,6 @@ static void import_kernel_nv(char *name, int for_emulator) *value++ = 0; if (name_len == 0) return; - if (!strcmp(name,"selinux")) { - selinux_enabled = atoi(value); - } - if (for_emulator) { /* in the emulator, export any kernel option with the * ro.kernel. prefix */ @@ -797,10 +792,6 @@ void selinux_init_all_handles(void) int selinux_reload_policy(void) { - if (!selinux_enabled) { - return -1; - } - INFO("SELinux: Attempting to reload policy files\n"); if (selinux_android_reload_policy() == -1) { @@ -823,6 +814,24 @@ int audit_callback(void *data, security_class_t cls, char *buf, size_t len) return 0; } +static void selinux_initialize(void) +{ + if (access("/sys/fs/selinux", F_OK) != 0) { + // SELinux is not compiled into this kernel. Fail gracefully. + return; + } + + INFO("loading selinux policy\n"); + if (selinux_android_load_policy() < 0) { + ERROR("SELinux: Failed to load policy; rebooting into recovery mode\n"); + android_reboot(ANDROID_RB_RESTART2, 0, "recovery"); + while (1) { pause(); } // never reached + } + + selinux_init_all_handles(); + security_setenforce(1); +} + int main(int argc, char **argv) { int fd_count = 0; @@ -883,17 +892,7 @@ int main(int argc, char **argv) cb.func_audit = audit_callback; selinux_set_callback(SELINUX_CB_AUDIT, cb); - INFO("loading selinux policy\n"); - if (selinux_enabled) { - if (selinux_android_load_policy() < 0) { - selinux_enabled = 0; - INFO("SELinux: Disabled due to failed policy load\n"); - } else { - selinux_init_all_handles(); - } - } else { - INFO("SELinux: Disabled by command line option\n"); - } + selinux_initialize(); /* These directories were necessarily created before initial policy load * and therefore need their security context restored to the proper value. * This must happen before /dev is populated by ueventd. |