author | Ricardo Cerqueira <cyanogenmod@cerqueira.org> | 2013-07-17 16:45:20 +0100 |
---|---|---|
committer | Ricardo Cerqueira <cyanogenmod@cerqueira.org> | 2013-07-17 16:48:28 +0100 |
commit | d2d1a7ffb1f5e831ed654379496f0efe88159a66 (patch) | |
tree | d8ccd176a7d0c188b0f40c430b90cc56da42c3c8 | |
parent | 1f1434338bc7445a9d309ace69e06ec6a17bb303 (diff) | |
Add SELinux filesystem relabeling to init
Since not all recoveries out there will support the OTA packages'
own labeling, check at boot if the system needs labels (and
apply them)
Change-Id: I58767977b90a78a12efe7bd9d713654eadf47e7a
-rw-r--r-- | config/common.mk | 4 | ||||
-rw-r--r-- | prebuilt/common/etc/init.d/50selinuxrelabel | 46 |
2 files changed, 50 insertions, 0 deletions
diff --git a/config/common.mk b/config/common.mk
index 96e6ce5..56d53b7 100644
--- a/config/common.mk
+++ b/config/common.mk
@@ -95,6 +95,10 @@ PRODUCT_COPY_FILES += \
 PRODUCT_COPY_FILES += \
 vendor/cm/prebuilt/common/etc/init.d/90userinit:system/etc/init.d/90userinit
+# SELinux filesystem labels
+PRODUCT_COPY_FILES += \
+ vendor/cm/prebuilt/common/etc/init.d/50selinuxrelabel:system/etc/init.d/50selinuxrelabel
+
 # CM-specific init file
 PRODUCT_COPY_FILES += \
 vendor/cm/prebuilt/common/etc/init.local.rc:root/init.cm.rc
diff --git a/prebuilt/common/etc/init.d/50selinuxrelabel b/prebuilt/common/etc/init.d/50selinuxrelabel
new file mode 100644
index 0000000..4096fdc
--- /dev/null
+++ b/prebuilt/common/etc/init.d/50selinuxrelabel
@@ -0,0 +1,46 @@
+#!/system/bin/sh
+
+L="log -p i -t SELinuxLabel"
+
+# Bail out early if not on a SELinux build
+getprop ro.build.selinux | grep -q 1 || exit
+if [ ! -f /file_contexts ]; then
+ exit
+fi
+
+LABELDATA=0
+LABELSYS=0
+
+# Test /data
+ls -Zd /data/anr | grep -q unlabeled
+if [ $? -eq 0 ]; then
+ $L "userdata is unlabeled, fixing..."
+ LABELDATA=1
+fi
+
+ls -Z /system/bin/surfaceflinger | grep -q unlabeled
+if [ $? -eq 0 ]; then
+ $L "system is unlabeled, fixing... (You really should update your recovery)"
+ LABELSYS=1
+fi
+
+ls -Z /system/app/GoogleServicesFramework.apk | grep -q unlabeled
+if [ $LABELSYS = "0" -a $? -eq 0 ]; then
+ $L "Found unlabeled Google framework, fixing..."
+ LABELSYS=1
+fi
+
+
+if [ $LABELSYS = "1" ]; then
+ busybox mount -o remount,rw /system
+ $L "/system relabel starting..."
+ restorecon -R /system
+ $L "/system relabel complete"
+ busybox mount -o remount,ro /system
+fi
+
+if [ $LABELDATA = "1" ]; then
+ $L "/data relabel starting..."
+ restorecon -R /data
+ $L "/data relabel complete"
+fi |
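Review bot: In the new 50selinuxrelabel script, neither relabel block checks an exit status: if `busybox mount -o remount,rw /system` fails, `restorecon -R /system` still runs and `/system relabel complete` is logged regardless, and the /data block logs `/data relabel complete` the same way. A log that reports success while files are still unlabeled hides the cause of later SELinux denials, so the remount and restorecon results should gate the messages; the sketch below shows the /system block and assumes this restorecon returns non-zero on failure. A failed remount back to read-only is also worth logging, since it leaves /system writable for the rest of the boot. Separately, `getprop ro.build.selinux | grep -q 1` matches any value that contains a 1; `[ "$(getprop ro.build.selinux)" = "1" ] || exit` is an exact test.

```shell
# … unchanged: SELinux build check and unlabeled-file probes …
if [ $LABELSYS = "1" ]; then
  if busybox mount -o remount,rw /system; then
    $L "/system relabel starting..."
    if restorecon -R /system; then
      $L "/system relabel complete"
    else
      $L "/system relabel FAILED, labels may be incomplete"
    fi
    busybox mount -o remount,ro /system || $L "could not remount /system read-only"
  else
    $L "could not remount /system read-write, skipping relabel"
  fi
fi
# … unchanged: /data relabel block (apply the same restorecon status check) …
```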