c50144ef1d7ddebed3f765f176fa3a03d3d5f521
03-May-2018
Logan Chien <loganchien@google.com>

init: Use sepolicy version instead

This commit uses the vendor sepolicy file version (defined in `/vendor/etc/selinux/plat_sepolicy_vers.txt`) to determine whether the source context should be set as `u:r:vendor_init:s0`.

Before this commit, the criterion was `ro.vndk.version` >= 28. However, the check in `property_service.cpp` will always be true because `ro.vndk.version` hasn't been loaded from `/vendor/default.prop`. Furthermore, under some circumstances, `ro.vndk.version` may be different from `plat_sepolicy_vers.txt` (e.g. an O-MR1 vendor does not define `ro.vndk.version`).

Bug: 78605339 # high-level bug to combine O-MR1 and P GSI
Bug: 79135481 # the usage of `ro.vndk.version` in init
Test: vts-tradefed run vts -m VtsTrebleVintfTest # tetheroffload
Change-Id: Ied46e9346b4ca7931aa4dcf1c9dbc11de0e12d93
Merged-In: Ied46e9346b4ca7931aa4dcf1c9dbc11de0e12d93

/system/core/init/subcontext.cpp

125781255e34f0dd0973f22e30399ef0956d0e8b
12-Apr-2018
Tom Cherry <tomcherry@google.com>

init: do not impose vendor_init restrictions on old vendor images

Do not impose vendor_init restrictions on vendor images that were built before P, as they will not have the correct permissions.

Bug: 77732028
Test: test new devices and see vendor_init still works
Merged-In: I636a07b54fbfb248e1d1a68a8f3c4d047fd5a9e9
Change-Id: I636a07b54fbfb248e1d1a68a8f3c4d047fd5a9e9
(cherry picked from commit a1dbeb8d338017715ae7747e5a7a3999a54e7213)

/system/core/init/subcontext.cpp

dc375869abb56a0ef8ee1299443866da1e76abb6
28-Feb-2018
Tom Cherry <tomcherry@google.com>

Restrict setting platform properties from vendor .prop files

We should only allow vendor-init-settable properties to be set from .prop files on /vendor and /odm.

Bug: 73905119
Test: test on walleye that disallowed properties are rejected
Change-Id: I2a5d244fdc71060ddda3e3d87442e831e6b97831

/system/core/init/subcontext.cpp

69d47aa829fa5a48baeadeff0e04d03e58f147b7
01-Mar-2018
Tom Cherry <tomcherry@google.com>

Clean up property set error handling

Currently we only report why a property set call has failed but drop the context of what was trying to set the property. This change adds information about why a property was trying to be set when it fails.

It also unifies property_set() within init to go through the same HandlePropertySet() function as normal processes do, removing unneeded special cases.

Test: boot bullhead
Test: attempt to set invalid properties and see better error messages
Change-Id: I5cd3a40086fd3b226e9c8a5e3a84cb3b31399c0d

/system/core/init/subcontext.cpp

de6bd50d4238d19ec401127bcf2321dc679d908d
14-Feb-2018
Tom Cherry <tomcherry@google.com>

init: add host side parser for init

Create a host side parser for init such that init rc files can be verified for syntax correctness before being used on the device.

Bug: 36970783
Test: run the parser on init files on host
Change-Id: I7e8772e278ebaff727057308596ebacf28b6fdda

/system/core/init/subcontext.cpp

32228485ffac6ff0b674210be448b121bbd6427c
19-Jan-2018
Tom Cherry <tomcherry@google.com>

Make vendor_init check SELinux before setting properties

Finishing a TODO from vendor_init, check SELinux permissions before setting properties in vendor_init.

Bug: 62875318
Test: N/A
Change-Id: I3cb6abadd2613ae083705cc6b9c970587b6c6b19

/system/core/init/subcontext.cpp

c49719fc5d2cf3817f6997ce40fc2dac7d411efa
10-Jan-2018
Tom Cherry <tomcherry@google.com>

init: always expand args in subcontext

Currently init expands properties in arguments only when those commands are run in a subcontext. This creates a hole where properties that should not be accessible from a given subcontext of init can be accessed when running a command in the main init executable (for example `start`).

This change creates a callback in subcontext init that simply expands and returns arguments back to the main init process, to ensure that only those properties that a subcontext can access get expanded.

Bug: 62875318
Test: boot bullhead, new unit tests
Change-Id: I2850009e70da877c08e4cc83350c727b0ea98796

/system/core/init/subcontext.cpp

193e43494f8afffaa1098690f1d249a3e61f2d43
27-Nov-2017
Tom Cherry <tomcherry@google.com>

Revert "init: use ro.init.subcontexts_enabled to enable subcontexts"

This reverts commit 79193a42e7aa5760a6f98c0718e3d70c560d0e8e.

Bug: 62875318
Test: boot walleye, sailfish without SELinux audits
Change-Id: I019b66a3130acba2c07e984e4bc352228f09d7f5

/system/core/init/subcontext.cpp

0d1452ee1b2fb137e175064f4b84b1db8dde6487
19-Oct-2017
Tom Cherry <tomcherry@google.com>

init: add SelabelInitialize() for subcontext

Children of init that use any of the SELinux wrapper functions, including make_dir(), mkdir_recursive(), and plenty others, need to first initialize the sehandle with SelabelInitialize().

I wish there were a better solution, but early init doesn't actually want this handle initialized, so that is a valid use case. Ueventd needs to initialize this before fork()'ing, so lazy initialization is not universally acceptable either. Likely we won't have other children that fork() then exec() init again, so this should be okay.

Bug: 62875318
Test: init unit tests
Test: sailfish creates directories with correct SELabel after wipe
Change-Id: I6de937604a060e18945427418f15b90e0b9d5c37

/system/core/init/subcontext.cpp

79193a42e7aa5760a6f98c0718e3d70c560d0e8e
06-Oct-2017
Tom Cherry <tomcherry@google.com>

init: use ro.init.subcontexts_enabled to enable subcontexts

As SEPolicy is developed, use this property to enable/disable subcontexts.

Bug: 62875318
Test: boot device with/without subcontexts
Change-Id: Ieb879836a71c72d4de1bb16514d083d52480bf9a

/system/core/init/subcontext.cpp

ac7428b2f54aa7f5c489c887940f5b201c4546b0
03-Oct-2017
Tom Cherry <tomcherry@google.com>

init: fix subcontext SELinux strings

'object_r' is supposed to be simply 'r'.

Test: boot sailfish with SELinux fully enabled and subcontexts enabled
Change-Id: I7eb8b2dd18e66f23c09863e8961da339f72d25c5

/system/core/init/subcontext.cpp

cb0f9bbc855097e0c8248643015b837255fd569a
13-Sep-2017
Tom Cherry <tomcherry@google.com>

init: run vendor commands in a separate SELinux context

One of the major aspects of Treble is the compartmentalization of system and vendor components; however, init leaves a huge gap here, as vendor init scripts run in the same context as system init scripts and thus can access and modify the same properties, files, etc. as the system can.

This change is meant to close that gap. It forks a separate 'subcontext' init that runs in a different SELinux context with permissions that match what vendors should have access to. Commands get sent over a socket to this 'subcontext' init that then runs them in this SELinux context and returns the result.

Note that not all commands run in the subcontext; some commands such as those dealing with services only make sense in the context of the main init process.

Bug: 62875318
Test: init unit tests, boot bullhead, boot sailfish
Change-Id: Idf4a4ebf98842d27b8627f901f961ab9eb412aee

/system/core/init/subcontext.cpp
