Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / system / core / 1eee419e7a1c5789f81e1e3a19693403495e70f1^! / .
commit1eee419e7a1c5789f81e1e3a19693403495e70f1[log] [tgz]
authorStephen Smalley <sds@tycho.nsa.gov>Fri Jan 13 08:54:34 2012 -0500
committerStephen Smalley <sds@tycho.nsa.gov>Thu Jul 26 15:37:45 2012 -0400
tree0aee47fca889f44b21251d35e7bf8c4ebe61a97c
parentff856a2b927aaadb189181d2cd9dd08dc98456a4 [diff]
Modify init.rc and init.goldfish.rc for SE Android.

Set the security context for the init process.
Restore the security contexts of /cache and /data in case they were reset.
Specify the security context for services launched from the rootfs since
we cannot label their executables.
If on the emulator, set a policy boolean and restore the context of
/sys/qemu_trace to allow accesses not normally permitted on a device.

Change-Id: I166ffc267e8e0543732e7118eb0fd4b031efac3b
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

diff --git a/rootdir/etc/init.goldfish.rc b/rootdir/etc/init.goldfish.rc
index 83b7f8a..cde9dee 100644
--- a/rootdir/etc/init.goldfish.rc
+++ b/rootdir/etc/init.goldfish.rc

@@ -5,6 +5,10 @@
     symlink /mnt/sdcard /sdcard
 
 on boot
+    setsebool in_qemu=1
+    restorecon /sys/qemu_trace/process_name
+    restorecon /sys/qemu_trace/state
+    restorecon /sys/qemu_trace/symbol
     setprop ARGH ARGH
     setprop net.eth0.gw 10.0.2.2
     setprop net.eth0.dns1 10.0.2.3

diff --git a/rootdir/init.rc b/rootdir/init.rc
index 236c97b..7215c4e 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc

@@ -4,6 +4,10 @@
     # Set init and its forked children's oom_adj.
     write /proc/1/oom_adj -16
 
+    # Set the security context for the init process.
+    # This should occur before anything else (e.g. ueventd) is started.
+    setcon u:r:init:s0
+
     start ueventd
 
 # create mountpoints
@@ -109,10 +113,14 @@
     # We chown/chmod /cache again so because mount is run as root + defaults
     chown system cache /cache
     chmod 0770 /cache
+    # We restorecon /cache in case the cache partition has been reset.
+    restorecon /cache
 
     # This may have been created by the recovery system with odd permissions
     chown system cache /cache/recovery
     chmod 0770 /cache/recovery
+    # This may have been created by the recovery system with the wrong context.
+    restorecon /cache/recovery
 
     #change permissions on vmallocinfo so we can grab it from bugreports
     chown root log /proc/vmallocinfo
@@ -131,6 +139,8 @@
     # We chown/chmod /data again so because mount is run as root + defaults
     chown system system /data
     chmod 0771 /data
+    # We restorecon /data in case the userdata partition has been reset.
+    restorecon /data
 
     # Create dump dir and collect dumps.
     # Do this before we mount cache so eventually we can use cache for
@@ -344,6 +354,7 @@
 service ueventd /sbin/ueventd
     class core
     critical
+    seclabel u:r:ueventd:s0
 
 service console /system/bin/sh
     class core
@@ -359,6 +370,7 @@
 service adbd /sbin/adbd
     class core
     disabled
+    seclabel u:r:adbd:s0
 
 # adbd on at boot in emulator
 on property:ro.kernel.qemu=1