Update OTA installer to understand SELinux filesystem labels
Modify the OTA installer to understand SELinux filesystem labels.
We do this by introducing new set_perm2 / set_perm2_recursive
calls, which understand SELinux filesystem labels. These filesystem
labels are applied at the same time that we apply the
UID / GID / permission changes.
For compatibility, we preserve the behavior of the existing
set_perm / set_perm_recursive calls.
If the destination kernel doesn't support security labels, don't
fail. SELinux isn't enabled on all kernels.
Bug: 8985290
Change-Id: I99800499f01784199e4918a82e3e2db1089cf25b
diff --git a/minzip/DirUtil.c b/minzip/DirUtil.c
index 8dd5da1..c120fa3 100644
--- a/minzip/DirUtil.c
+++ b/minzip/DirUtil.c
@@ -23,6 +23,7 @@
#include <errno.h>
#include <dirent.h>
#include <limits.h>
+#include <selinux/selinux.h>
#include "DirUtil.h"
@@ -237,7 +238,7 @@
int
dirSetHierarchyPermissions(const char *path,
- int uid, int gid, int dirMode, int fileMode)
+ int uid, int gid, int dirMode, int fileMode, const char* secontext)
{
struct stat st;
if (lstat(path, &st)) {
@@ -255,6 +256,10 @@
return -1;
}
+ if ((secontext != NULL) && lsetfilecon(path, secontext) && (errno != ENOTSUP)) {
+ return -1;
+ }
+
/* recurse over directory components */
if (S_ISDIR(st.st_mode)) {
DIR *dir = opendir(path);
@@ -271,7 +276,7 @@
char dn[PATH_MAX];
snprintf(dn, sizeof(dn), "%s/%s", path, de->d_name);
- if (!dirSetHierarchyPermissions(dn, uid, gid, dirMode, fileMode)) {
+ if (!dirSetHierarchyPermissions(dn, uid, gid, dirMode, fileMode, secontext)) {
errno = 0;
} else if (errno == 0) {
errno = -1;
diff --git a/minzip/DirUtil.h b/minzip/DirUtil.h
index a5cfa76..3e12a0b 100644
--- a/minzip/DirUtil.h
+++ b/minzip/DirUtil.h
@@ -54,7 +54,7 @@
* Sets directories to <dirMode> and files to <fileMode>. Skips symlinks.
*/
int dirSetHierarchyPermissions(const char *path,
- int uid, int gid, int dirMode, int fileMode);
+ int uid, int gid, int dirMode, int fileMode, const char* secontext);
#ifdef __cplusplus
}
diff --git a/updater/install.c b/updater/install.c
index 9fa06a2..c81bbb5 100644
--- a/updater/install.c
+++ b/updater/install.c
@@ -27,6 +27,7 @@
#include <unistd.h>
#include <fcntl.h>
#include <time.h>
+#include <selinux/selinux.h>
#include "cutils/misc.h"
#include "cutils/properties.h"
@@ -521,9 +522,10 @@
Value* SetPermFn(const char* name, State* state, int argc, Expr* argv[]) {
char* result = NULL;
- bool recursive = (strcmp(name, "set_perm_recursive") == 0);
+ bool recursive = (strcmp(name, "set_perm_recursive") == 0) || (strcmp(name, "set_perm2_recursive") == 0);
+ bool has_selabel = (strcmp(name, "set_perm2") == 0) || (strcmp(name, "set_perm2_recursive") == 0);
- int min_args = 4 + (recursive ? 1 : 0);
+ int min_args = 4 + (has_selabel ? 1 : 0) + (recursive ? 1 : 0);
if (argc < min_args) {
return ErrorAbort(state, "%s() expects %d+ args, got %d",
name, min_args, argc);
@@ -562,8 +564,13 @@
goto done;
}
- for (i = 4; i < argc; ++i) {
- dirSetHierarchyPermissions(args[i], uid, gid, dir_mode, file_mode);
+ char* secontext = NULL;
+ if (has_selabel) {
+ secontext = args[4];
+ }
+
+ for (i = 4 + (has_selabel ? 1 : 0); i < argc; ++i) {
+ dirSetHierarchyPermissions(args[i], uid, gid, dir_mode, file_mode, secontext);
}
} else {
int mode = strtoul(args[2], &end, 0);
@@ -572,7 +579,12 @@
goto done;
}
- for (i = 3; i < argc; ++i) {
+ char* secontext = NULL;
+ if (has_selabel) {
+ secontext = args[3];
+ }
+
+ for (i = 3 + (has_selabel ? 1 : 0); i < argc; ++i) {
if (chown(args[i], uid, gid) < 0) {
printf("%s: chown of %s to %d %d failed: %s\n",
name, args[i], uid, gid, strerror(errno));
@@ -583,6 +595,11 @@
name, args[i], mode, strerror(errno));
++bad;
}
+ if (has_selabel && lsetfilecon(args[i], secontext) && (errno != ENOTSUP)) {
+ printf("%s: lsetfilecon of %s to %s failed: %s\n",
+ name, args[i], secontext, strerror(errno));
+ ++bad;
+ }
}
}
result = strdup("");
@@ -1135,6 +1152,8 @@
RegisterFunction("symlink", SymlinkFn);
RegisterFunction("set_perm", SetPermFn);
RegisterFunction("set_perm_recursive", SetPermFn);
+ RegisterFunction("set_perm2", SetPermFn);
+ RegisterFunction("set_perm2_recursive", SetPermFn);
RegisterFunction("getprop", GetPropFn);
RegisterFunction("file_getprop", FileGetPropFn);