History log of /system/core/init/subcontext.cpp
Revision Date Author Comments
c50144ef1d7ddebed3f765f176fa3a03d3d5f521 03-May-2018 Logan Chien <loganchien@google.com> init: Use sepolicy version instead

This commit uses vendor sepolicy file version (defined in
`/vendor/etc/selinux/plat_sepolicy_vers.txt`) to determine whether the
source context should be set as `u:r:vendor_init:s0`.

Before this commit, the criterion was `ro.vndk.version` >= 28. However,
the check in `property_service.cpp` will always be true because
`ro.vndk.version` hasn't been loaded from `/vendor/default.prop`.

Furthermore, under some circumstances, `ro.vndk.version` may be
different from `plat_sepolicy_vers.txt` (e.g. O-MR1 vendor does not
define `ro.vndk.version`).

Bug: 78605339 # high-level bug to combine O-MR1 and P GSI
Bug: 79135481 # the usage of `ro.vndk.version` in init
Test: vts-tradefed run vts -m VtsTrebleVintfTest # tetheroffload
Change-Id: Ied46e9346b4ca7931aa4dcf1c9dbc11de0e12d93
Merged-In: Ied46e9346b4ca7931aa4dcf1c9dbc11de0e12d93
/system/core/init/subcontext.cpp
125781255e34f0dd0973f22e30399ef0956d0e8b 12-Apr-2018 Tom Cherry <tomcherry@google.com> init: do not impose vendor_init restrictions on old vendor images

Do not restrict vendor_init restrictions on vendor images that were
built before P, as they will not have the correct permissions.

Bug: 77732028
Test: test new devices and see vendor_init still works
Merged-In: I636a07b54fbfb248e1d1a68a8f3c4d047fd5a9e9
Change-Id: I636a07b54fbfb248e1d1a68a8f3c4d047fd5a9e9
(cherry picked from commit a1dbeb8d338017715ae7747e5a7a3999a54e7213)
/system/core/init/subcontext.cpp
dc375869abb56a0ef8ee1299443866da1e76abb6 28-Feb-2018 Tom Cherry <tomcherry@google.com> Restrict setting platform properties from vendor .prop files

We should only allow vendor-init-settable properties to be set from
.prop files on /vendor and /odm.

Bug: 73905119
Test: test on walleye that disallowed properties are rejected
Change-Id: I2a5d244fdc71060ddda3e3d87442e831e6b97831
/system/core/init/subcontext.cpp
69d47aa829fa5a48baeadeff0e04d03e58f147b7 01-Mar-2018 Tom Cherry <tomcherry@google.com> Clean up property set error handling

Currently we only report why a property set call has failed but drop
the context of what was trying to set the property. This change
adds information about why a property was trying to be set when it
fails.

It also unifies property_set() within init to go through the same
HandlePropertySet() function as normal processes do, removing unneeded
special cases.

Test: boot bullhead
Test: attempt to set invalid properties and see better error messages
Change-Id: I5cd3a40086fd3b226e9c8a5e3a84cb3b31399c0d
/system/core/init/subcontext.cpp
de6bd50d4238d19ec401127bcf2321dc679d908d 14-Feb-2018 Tom Cherry <tomcherry@google.com> init: add host side parser for init

Create a host side parser for init such that init rc files can be
verified for syntax correctness before being used on the device.

Bug: 36970783
Test: run the parser on init files on host

Change-Id: I7e8772e278ebaff727057308596ebacf28b6fdda
/system/core/init/subcontext.cpp
32228485ffac6ff0b674210be448b121bbd6427c 19-Jan-2018 Tom Cherry <tomcherry@google.com> Make vendor_init check SELinux before setting properties

Finishing a TODO from vendor_init, check SELinux permissions before
setting properties in vendor_init.

Bug: 62875318
Test: N/A
Change-Id: I3cb6abadd2613ae083705cc6b9c970587b6c6b19
/system/core/init/subcontext.cpp
c49719fc5d2cf3817f6997ce40fc2dac7d411efa 10-Jan-2018 Tom Cherry <tomcherry@google.com> init: always expand args in subcontext

Currently init expands properties in arguments only when those
commands are run in a subcontext. This creates a hole where
properties that should not be accessible from a given subcontext of
init can be accessed when running a command in the main init
executable (for example `start`).

This change creates a callback in subcontext init that simply expands
and returns arguments back to the main init process, to ensure that
only those properties that a subcontext can access get expanded.

Bug: 62875318
Test: boot bullhead, new unit tests
Change-Id: I2850009e70da877c08e4cc83350c727b0ea98796
/system/core/init/subcontext.cpp
193e43494f8afffaa1098690f1d249a3e61f2d43 27-Nov-2017 Tom Cherry <tomcherry@google.com> Revert "init: use ro.init.subcontexts_enabled to enable subcontexts"

This reverts commit 79193a42e7aa5760a6f98c0718e3d70c560d0e8e.

Bug: 62875318
Test: boot walleye, sailfish without SELinux audits
Change-Id: I019b66a3130acba2c07e984e4bc352228f09d7f5
/system/core/init/subcontext.cpp
0d1452ee1b2fb137e175064f4b84b1db8dde6487 19-Oct-2017 Tom Cherry <tomcherry@google.com> init: add SelabelInitialize() for subcontext

Children of init that use any of the SELinux wrapper functions,
including make_dir(), mkdir_recursive(), and plenty others, need to
first initialize the sehandle with SelabelInitialize().

I wish there were a better solution, but early init doesn't actually
want this handle initialized, so that is a valid use case. Ueventd
needs to initialize this before fork()'ing, so lazy initialization is
not universally acceptable either. Likely we won't have other
children that fork() then exec() init again, so this should be okay.

Bug: 62875318

Test: init unit tests
Test: sailfish creates directories with correct SELabel after wipe
Change-Id: I6de937604a060e18945427418f15b90e0b9d5c37
/system/core/init/subcontext.cpp
79193a42e7aa5760a6f98c0718e3d70c560d0e8e 06-Oct-2017 Tom Cherry <tomcherry@google.com> init: use ro.init.subcontexts_enabled to enable subcontexts

As SEPolicy is developed, use this property to enable/disable
subcontexts.

Bug: 62875318
Test: boot device with/without subcontexts
Change-Id: Ieb879836a71c72d4de1bb16514d083d52480bf9a
/system/core/init/subcontext.cpp
ac7428b2f54aa7f5c489c887940f5b201c4546b0 03-Oct-2017 Tom Cherry <tomcherry@google.com> init: fix subcontext SELinux strings

'object_r' is supposed to be simply 'r'.

Test: boot sailfish with SELinux fully enabled and subcontexts enabled
Change-Id: I7eb8b2dd18e66f23c09863e8961da339f72d25c5
/system/core/init/subcontext.cpp
cb0f9bbc855097e0c8248643015b837255fd569a 13-Sep-2017 Tom Cherry <tomcherry@google.com> init: run vendor commands in a separate SELinux context

One of the major aspects of treble is the compartmentalization of system
and vendor components, however init leaves a huge gap here, as vendor
init scripts run in the same context as system init scripts and thus can
access and modify the same properties, files, etc as the system can.

This change is meant to close that gap. It forks a separate 'subcontext'
init that runs in a different SELinux context with permissions that match
what vendors should have access to. Commands get sent over a socket to
this 'subcontext' init that then runs them in this SELinux context and
returns the result.

Note that not all commands run in the subcontext; some commands such as
those dealing with services only make sense in the context of the main
init process.

Bug: 62875318
Test: init unit tests, boot bullhead, boot sailfish

Change-Id: Idf4a4ebf98842d27b8627f901f961ab9eb412aee
/system/core/init/subcontext.cpp
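The two mechanisms this log describes, the forked "subcontext" that receives commands over a socket (Idf4a4ebf) and the later change that routes property expansion through that same child so only properties the subcontext may read get expanded (I2850009e), fit together in a small model. The following is an added example, not code from AOSP init; the property names, the `ro.vendor.` prefix allow-list standing in for the SELinux property_contexts check, and the length-prefixed wire format are illustrative assumptions, and the child is forked per call rather than kept alive as init does.

```cpp
// Added example (not AOSP code): a minimal model of init's subcontext design.
// The parent forks a child standing in for the vendor_init SELinux domain;
// arguments travel over a socketpair, the child applies the domain's property
// policy while expanding ${prop}, and the parent only ever sees the result.
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#include <cstdint>
#include <map>
#include <string>

namespace {

// Constructed property store; in real init this lives in the property service.
const std::map<std::string, std::string> kProps = {
    {"ro.vendor.build.id", "vendorbuild"},
    {"ro.build.fingerprint", "platform/secret/fingerprint"},
};

// Assumed policy: the vendor subcontext may read only ro.vendor.* properties
// (stand-in for the selinux_check_access() call against property_contexts).
bool VendorMayRead(const std::string& prop) {
    return prop.rfind("ro.vendor.", 0) == 0;
}

// Expand ${prop} references in one argument; fail closed on a denied property.
bool ExpandOne(const std::string& in, std::string& out, std::string& err) {
    out.clear();
    size_t pos = 0;
    while (pos < in.size()) {
        size_t start = in.find("${", pos);
        if (start == std::string::npos) { out += in.substr(pos); return true; }
        size_t end = in.find('}', start);
        if (end == std::string::npos) { err = "unterminated ${"; return false; }
        out += in.substr(pos, start - pos);
        std::string name = in.substr(start + 2, end - start - 2);
        if (!VendorMayRead(name)) { err = "access denied to '" + name + "'"; return false; }
        auto it = kProps.find(name);
        if (it == kProps.end()) { err = "property '" + name + "' not set"; return false; }
        out += it->second;
        pos = end + 1;
    }
    return true;
}

// Wire format (assumed): 4-byte native-endian length followed by the bytes.
bool SendMsg(int fd, const std::string& s) {
    uint32_t len = static_cast<uint32_t>(s.size());
    return write(fd, &len, sizeof(len)) == static_cast<ssize_t>(sizeof(len)) &&
           write(fd, s.data(), len) == static_cast<ssize_t>(len);
}

bool RecvMsg(int fd, std::string& s) {
    uint32_t len = 0;
    if (read(fd, &len, sizeof(len)) != static_cast<ssize_t>(sizeof(len))) return false;
    s.assign(len, '\0');
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, &s[got], len - got);
        if (n <= 0) return false;
        got += static_cast<size_t>(n);
    }
    return true;
}

// Child side: serve one expansion request, report the outcome, then exit.
void ServeOne(int fd) {
    std::string req, out, err;
    if (!RecvMsg(fd, req)) _exit(1);
    bool ok = ExpandOne(req, out, err);
    SendMsg(fd, ok ? "OK:" + out : "ERR:" + err);
    _exit(0);
}

}  // namespace

// Parent side: hand one argument to the vendor subcontext and return its reply
// ("OK:<expanded>" or "ERR:<reason>").  The parent never touches the property
// itself, so a command run by the main init (such as `start`) cannot leak a
// property the subcontext is not allowed to read.
std::string ExpandInSubcontext(const std::string& arg) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return "ERR:socketpair";
    pid_t pid = fork();
    if (pid < 0) return "ERR:fork";
    if (pid == 0) {
        close(sv[0]);
        // A real subcontext would enter u:r:vendor_init:s0 here (setcon/setexeccon
        // via libselinux) before handling any command.
        ServeOne(sv[1]);
    }
    close(sv[1]);
    std::string reply = "ERR:no reply";
    if (SendMsg(sv[0], arg)) RecvMsg(sv[0], reply);
    close(sv[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    return reply;
}
```

The point the example makes is the one in the "always expand args in subcontext" commit: because expansion happens inside the child, the access decision is taken under the child's policy, and the parent receives either the expanded text or a denial, never the raw platform property.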