diff options
| -rw-r--r-- | init/builtins.c | 18 | ||||
| -rw-r--r-- | init/devices.c | 28 | ||||
| -rwxr-xr-x | init/init.c | 6 | ||||
| -rwxr-xr-x | init/util.c | 53 | ||||
| -rw-r--r-- | init/util.h | 2 |
5 files changed, 62 insertions, 45 deletions
diff --git a/init/builtins.c b/init/builtins.c index ac9585e..5bda7a0 100644 --- a/init/builtins.c +++ b/init/builtins.c @@ -302,7 +302,7 @@ int do_mkdir(int nargs, char **args) mode = strtoul(args[2], 0, 8); } - ret = mkdir(args[1], mode); + ret = make_dir(args[1], mode); /* chmod in case the directory already exists */ if (ret == -1 && errno == EEXIST) { ret = _chmod(args[1], mode); @@ -736,26 +736,12 @@ int do_chmod(int nargs, char **args) { } int do_restorecon(int nargs, char **args) { -#ifdef HAVE_SELINUX - char *secontext = NULL; - struct stat sb; int i; - if (is_selinux_enabled() <= 0 || !sehandle) - return 0; - for (i = 1; i < nargs; i++) { - if (lstat(args[i], &sb) < 0) - return -errno; - if (selabel_lookup(sehandle, &secontext, args[i], sb.st_mode) < 0) + if (restorecon(args[i]) < 0) return -errno; - if (lsetfilecon(args[i], secontext) < 0) { - freecon(secontext); - return -errno; - } - freecon(secontext); } -#endif return 0; } diff --git a/init/devices.c b/init/devices.c index 125f981..c367de8 100644 --- a/init/devices.c +++ b/init/devices.c @@ -52,7 +52,7 @@ #define FIRMWARE_DIR2 "/vendor/firmware" #ifdef HAVE_SELINUX -static struct selabel_handle *sehandle; +extern struct selabel_handle *sehandle; #endif static int device_fd = -1; @@ -220,32 +220,6 @@ static void make_device(const char *path, #endif } - -static int make_dir(const char *path, mode_t mode) -{ - int rc; - -#ifdef HAVE_SELINUX - char *secontext = NULL; - - if (sehandle) { - selabel_lookup(sehandle, &secontext, path, mode); - setfscreatecon(secontext); - } -#endif - - rc = mkdir(path, mode); - -#ifdef HAVE_SELINUX - if (secontext) { - freecon(secontext); - setfscreatecon(NULL); - } -#endif - return rc; -} - - static void add_platform_device(const char *name) { int name_len = strlen(name); diff --git a/init/init.c b/init/init.c index 4f57144..cc98afc 100755 --- a/init/init.c +++ b/init/init.c @@ -901,6 +901,12 @@ int main(int argc, char **argv) #ifdef HAVE_SELINUX INFO("loading selinux policy\n"); selinux_load_policy(); + /* These directories were necessarily created before policy load + * and therefore need their security context restored to the proper value. + * This must happen before /dev is populated by ueventd. + */ + restorecon("/dev"); + restorecon("/dev/socket"); #endif is_charger = !strcmp(bootmode, "charger"); diff --git a/init/util.c b/init/util.c index 7d79f39..f994ab9 100755 --- a/init/util.c +++ b/init/util.c @@ -302,12 +302,12 @@ int mkdir_recursive(const char *pathname, mode_t mode) memcpy(buf, pathname, width); buf[width] = 0; if (stat(buf, &info) != 0) { - ret = mkdir(buf, mode); + ret = make_dir(buf, mode); if (ret && errno != EEXIST) return ret; } } - ret = mkdir(pathname, mode); + ret = make_dir(pathname, mode); if (ret && errno != EEXIST) return ret; return 0; @@ -463,3 +463,52 @@ void import_kernel_cmdline(int in_qemu, ptr = x; } } + +int make_dir(const char *path, mode_t mode) +{ + int rc; + +#ifdef HAVE_SELINUX + char *secontext = NULL; + + if (sehandle) { + selabel_lookup(sehandle, &secontext, path, mode); + setfscreatecon(secontext); + } +#endif + + rc = mkdir(path, mode); + +#ifdef HAVE_SELINUX + if (secontext) { + int save_errno = errno; + freecon(secontext); + setfscreatecon(NULL); + errno = save_errno; + } +#endif + return rc; +} + +int restorecon(const char *pathname) +{ +#ifdef HAVE_SELINUX + char *secontext = NULL; + struct stat sb; + int i; + + if (is_selinux_enabled() <= 0 || !sehandle) + return 0; + + if (lstat(pathname, &sb) < 0) + return -errno; + if (selabel_lookup(sehandle, &secontext, pathname, sb.st_mode) < 0) + return -errno; + if (lsetfilecon(pathname, secontext) < 0) { + freecon(secontext); + return -errno; + } + freecon(secontext); +#endif + return 0; +} diff --git a/init/util.h b/init/util.h index 9247739..45905b6 100644 --- a/init/util.h +++ b/init/util.h @@ -39,4 +39,6 @@ int wait_for_file(const char *filename, int timeout); void open_devnull_stdio(void); void get_hardware_name(char *hardware, unsigned int *revision); void import_kernel_cmdline(int in_qemu, void (*import_kernel_nv)(char *name, int in_qemu)); +int make_dir(const char *path, mode_t mode); +int restorecon(const char *pathname); #endif |