init: Make restorecon_recursive work for /data/

In the following commit:

    commit f2b7ee765516c84a9995e3acdc8fbcd7dc1b33cc
    Author: Stephen Smalley <sds@tycho.nsa.gov>
    Date:   Thu Feb 6 13:52:52 2014 -0500

    Apply restorecon_recursive to all of /data.

they removed all the adhoc restorecon_recursive of subdirectories
of /data/ and replaced it with:

    # Set SELinux security contexts on upgrade or policy update.
    restorecon_recursive /data

Unfortunately, that is a no-op because restorecon doesn't recurse
through /data/ unless you add a FORCE flag.

Since the expectation seems to be that the recursive restorecon
in init will actually work, update the built-in to add the force
flag and a flag to allow /data/data to also be recursed through.

[RC: Removed the DATADATA flag. It throws a ton of errors, and it's
supposed to be handled by seapp_contexts, not file_contexts. The actual
root paths, however, now get their individual restorecon calls so that
installd can deal with them]

Change-Id: I435c505188e924b27ef2e6a2e0ee0a6951e43f0e

1 files changed, 5 insertions, 1 deletions

diff --git a/init/util.cpp b/init/util.cpp
index a5392c6..b006e0b 100644
--- a/init/util.cpp
+++ b/init/util.cpp
@@ -458,9 +458,13 @@ int restorecon(const char* pathname)
     return selinux_android_restorecon(pathname, 0);
 }
 
+#define RESTORECON_RECURSIVE_FLAGS \
+        (SELINUX_ANDROID_RESTORECON_FORCE | \
+        SELINUX_ANDROID_RESTORECON_RECURSE)
+
 int restorecon_recursive(const char* pathname)
 {
-    return selinux_android_restorecon(pathname, SELINUX_ANDROID_RESTORECON_RECURSE);
+    return selinux_android_restorecon(pathname, RESTORECON_RECURSIVE_FLAGS);
 }
 
 /*