summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNick Kralevich <nnk@google.com>2013-06-24 17:41:40 -0700
committerNick Kralevich <nnk@google.com>2013-06-25 11:23:29 -0700
commitb710ed21dec88c0dde8209264df054c842561589 (patch)
tree8cac1258e36aed0f6122dbc4ebff39f8d7b56e0a
parent62362e1a64e09c6223ad6598601bb0adca28d296 (diff)
downloadsystem_core-b710ed21dec88c0dde8209264df054c842561589.zip
system_core-b710ed21dec88c0dde8209264df054c842561589.tar.gz
system_core-b710ed21dec88c0dde8209264df054c842561589.tar.bz2
init: move SELinux into enforcing mode.
When init starts up, immediately put SELinux into enforcing mode. This is currently a no-op. We currently have everything in the unconfined domain, so this should not break anything. (if it does, I'll roll it back immediately) If the kernel doesn't have SELinux support compiled in, then don't try loading a policy and continue without SELinux protections. Change-Id: Id0279cf82c545ea0f7090137b7566a5bc3ddd641
-rw-r--r--[-rwxr-xr-x]init/init.c41
1 files changed, 20 insertions, 21 deletions
diff --git a/init/init.c b/init/init.c
index fd428b0..4a335ca 100755..100644
--- a/init/init.c
+++ b/init/init.c
@@ -39,6 +39,7 @@
#include <libgen.h>
#include <cutils/list.h>
+#include <cutils/android_reboot.h>
#include <cutils/sockets.h>
#include <cutils/iosched_policy.h>
#include <private/android_filesystem_config.h>
@@ -73,8 +74,6 @@ static char hardware[32];
static unsigned revision = 0;
static char qemu[32];
-static int selinux_enabled = 1;
-
static struct action *cur_action = NULL;
static struct command *cur_command = NULL;
static struct listnode *command_queue = NULL;
@@ -594,10 +593,6 @@ static void import_kernel_nv(char *name, int for_emulator)
*value++ = 0;
if (name_len == 0) return;
- if (!strcmp(name,"selinux")) {
- selinux_enabled = atoi(value);
- }
-
if (for_emulator) {
/* in the emulator, export any kernel option with the
* ro.kernel. prefix */
@@ -780,10 +775,6 @@ void selinux_init_all_handles(void)
int selinux_reload_policy(void)
{
- if (!selinux_enabled) {
- return -1;
- }
-
INFO("SELinux: Attempting to reload policy files\n");
if (selinux_android_reload_policy() == -1) {
@@ -806,6 +797,24 @@ int audit_callback(void *data, security_class_t cls, char *buf, size_t len)
return 0;
}
+static void selinux_initialize(void)
+{
+ if (access("/sys/fs/selinux", F_OK) != 0) {
+ // SELinux is not compiled into this kernel. Fail gracefully.
+ return;
+ }
+
+ INFO("loading selinux policy\n");
+ if (selinux_android_load_policy() < 0) {
+ ERROR("SELinux: Failed to load policy; rebooting into recovery mode\n");
+ android_reboot(ANDROID_RB_RESTART2, 0, "recovery");
+ while (1) { pause(); } // never reached
+ }
+
+ selinux_init_all_handles();
+ security_setenforce(1);
+}
+
int main(int argc, char **argv)
{
int fd_count = 0;
@@ -866,17 +875,7 @@ int main(int argc, char **argv)
cb.func_audit = audit_callback;
selinux_set_callback(SELINUX_CB_AUDIT, cb);
- INFO("loading selinux policy\n");
- if (selinux_enabled) {
- if (selinux_android_load_policy() < 0) {
- selinux_enabled = 0;
- INFO("SELinux: Disabled due to failed policy load\n");
- } else {
- selinux_init_all_handles();
- }
- } else {
- INFO("SELinux: Disabled by command line option\n");
- }
+ selinux_initialize();
/* These directories were necessarily created before initial policy load
* and therefore need their security context restored to the proper value.
* This must happen before /dev is populated by ueventd.