1 /*
2 * Copyright (C) 2017 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 // This file contains the functions that initialize SELinux during boot as well as helper functions
18 // for SELinux operation for init.
19
20 // When the system boots, there is no SEPolicy present and init is running in the kernel domain.
21 // Init loads the SEPolicy from the file system, restores the context of /system/bin/init based on
22 // this SEPolicy, and finally exec()'s itself to run in the proper domain.
23
24 // The SEPolicy on Android comes in two variants: monolithic and split.
25
26 // The monolithic policy variant is for legacy non-treble devices that contain a single SEPolicy
27 // file located at /sepolicy and is directly loaded into the kernel SELinux subsystem.
28
29 // The split policy is for supporting treble devices. It splits the SEPolicy across files on
30 // /system/etc/selinux (the 'plat' portion of the policy) and /vendor/etc/selinux (the 'nonplat'
31 // portion of the policy). This is necessary to allow the system image to be updated independently
32 // of the vendor image, while maintaining contributions from both partitions in the SEPolicy. This
33 // is especially important for VTS testing, where the SEPolicy on the Google System Image may not be
34 // identical to the system image shipped on a vendor's device.
35
36 // The split SEPolicy is loaded as described below:
37 // 1) There is a precompiled SEPolicy located at either /vendor/etc/selinux/precompiled_sepolicy or
38 // /odm/etc/selinux/precompiled_sepolicy if odm parition is present. Stored along with this file
39 // are the sha256 hashes of the parts of the SEPolicy on /system, /system_ext and /product that
40 // were used to compile this precompiled policy. The system partition contains a similar sha256
41 // of the parts of the SEPolicy that it currently contains. Symmetrically, system_ext and
42 // product paritition contain sha256 hashes of their SEPolicy. The init loads this
43 // precompiled_sepolicy directly if and only if the hashes along with the precompiled SEPolicy on
44 // /vendor or /odm match the hashes for system, system_ext and product SEPolicy, respectively.
45 // 2) If these hashes do not match, then either /system or /system_ext or /product (or some of them)
46 // have been updated out of sync with /vendor (or /odm if it is present) and the init needs to
47 // compile the SEPolicy. /system contains the SEPolicy compiler, secilc, and it is used by the
48 // OpenSplitPolicy() function below to compile the SEPolicy to a temp directory and load it.
49 // That function contains even more documentation with the specific implementation details of how
50 // the SEPolicy is compiled if needed.
51
52 #include "selinux.h"
53
54 #include <android/api-level.h>
55 #include <fcntl.h>
56 #include <linux/audit.h>
57 #include <linux/netlink.h>
58 #include <stdlib.h>
59 #include <sys/wait.h>
60 #include <unistd.h>
61
62 #include <android-base/chrono_utils.h>
63 #include <android-base/file.h>
64 #include <android-base/logging.h>
65 #include <android-base/parseint.h>
66 #include <android-base/result.h>
67 #include <android-base/strings.h>
68 #include <android-base/unique_fd.h>
69 #include <fs_avb/fs_avb.h>
70 #include <fs_mgr.h>
71 #include <libgsi/libgsi.h>
72 #include <libsnapshot/snapshot.h>
73 #include <selinux/android.h>
74
75 #include "block_dev_initializer.h"
76 #include "debug_ramdisk.h"
77 #include "reboot_utils.h"
78 #include "snapuserd_transition.h"
79 #include "util.h"
80
81 using namespace std::string_literals;
82
83 using android::base::ParseInt;
84 using android::base::Timer;
85 using android::base::unique_fd;
86 using android::fs_mgr::AvbHandle;
87 using android::snapshot::SnapshotManager;
88
89 namespace android {
90 namespace init {
91
92 namespace {
93
94 enum EnforcingStatus { SELINUX_PERMISSIVE, SELINUX_ENFORCING };
95
StatusFromProperty()96 EnforcingStatus StatusFromProperty() {
97 EnforcingStatus status = SELINUX_ENFORCING;
98
99 ImportKernelCmdline([&](const std::string& key, const std::string& value) {
100 if (key == "androidboot.selinux" && value == "permissive") {
101 status = SELINUX_PERMISSIVE;
102 }
103 });
104
105 if (status == SELINUX_ENFORCING) {
106 ImportBootconfig([&](const std::string& key, const std::string& value) {
107 if (key == "androidboot.selinux" && value == "permissive") {
108 status = SELINUX_PERMISSIVE;
109 }
110 });
111 }
112
113 return status;
114 }
115
IsEnforcing()116 bool IsEnforcing() {
117 if (ALLOW_PERMISSIVE_SELINUX) {
118 return StatusFromProperty() == SELINUX_ENFORCING;
119 }
120 return true;
121 }
122
123 // Forks, executes the provided program in the child, and waits for the completion in the parent.
124 // Child's stderr is captured and logged using LOG(ERROR).
ForkExecveAndWaitForCompletion(const char * filename,char * const argv[])125 bool ForkExecveAndWaitForCompletion(const char* filename, char* const argv[]) {
126 // Create a pipe used for redirecting child process's output.
127 // * pipe_fds[0] is the FD the parent will use for reading.
128 // * pipe_fds[1] is the FD the child will use for writing.
129 int pipe_fds[2];
130 if (pipe(pipe_fds) == -1) {
131 PLOG(ERROR) << "Failed to create pipe";
132 return false;
133 }
134
135 pid_t child_pid = fork();
136 if (child_pid == -1) {
137 PLOG(ERROR) << "Failed to fork for " << filename;
138 return false;
139 }
140
141 if (child_pid == 0) {
142 // fork succeeded -- this is executing in the child process
143
144 // Close the pipe FD not used by this process
145 close(pipe_fds[0]);
146
147 // Redirect stderr to the pipe FD provided by the parent
148 if (TEMP_FAILURE_RETRY(dup2(pipe_fds[1], STDERR_FILENO)) == -1) {
149 PLOG(ERROR) << "Failed to redirect stderr of " << filename;
150 _exit(127);
151 return false;
152 }
153 close(pipe_fds[1]);
154
155 if (execv(filename, argv) == -1) {
156 PLOG(ERROR) << "Failed to execve " << filename;
157 return false;
158 }
159 // Unreachable because execve will have succeeded and replaced this code
160 // with child process's code.
161 _exit(127);
162 return false;
163 } else {
164 // fork succeeded -- this is executing in the original/parent process
165
166 // Close the pipe FD not used by this process
167 close(pipe_fds[1]);
168
169 // Log the redirected output of the child process.
170 // It's unfortunate that there's no standard way to obtain an istream for a file descriptor.
171 // As a result, we're buffering all output and logging it in one go at the end of the
172 // invocation, instead of logging it as it comes in.
173 const int child_out_fd = pipe_fds[0];
174 std::string child_output;
175 if (!android::base::ReadFdToString(child_out_fd, &child_output)) {
176 PLOG(ERROR) << "Failed to capture full output of " << filename;
177 }
178 close(child_out_fd);
179 if (!child_output.empty()) {
180 // Log captured output, line by line, because LOG expects to be invoked for each line
181 std::istringstream in(child_output);
182 std::string line;
183 while (std::getline(in, line)) {
184 LOG(ERROR) << filename << ": " << line;
185 }
186 }
187
188 // Wait for child to terminate
189 int status;
190 if (TEMP_FAILURE_RETRY(waitpid(child_pid, &status, 0)) != child_pid) {
191 PLOG(ERROR) << "Failed to wait for " << filename;
192 return false;
193 }
194
195 if (WIFEXITED(status)) {
196 int status_code = WEXITSTATUS(status);
197 if (status_code == 0) {
198 return true;
199 } else {
200 LOG(ERROR) << filename << " exited with status " << status_code;
201 }
202 } else if (WIFSIGNALED(status)) {
203 LOG(ERROR) << filename << " killed by signal " << WTERMSIG(status);
204 } else if (WIFSTOPPED(status)) {
205 LOG(ERROR) << filename << " stopped by signal " << WSTOPSIG(status);
206 } else {
207 LOG(ERROR) << "waitpid for " << filename << " returned unexpected status: " << status;
208 }
209
210 return false;
211 }
212 }
213
ReadFirstLine(const char * file,std::string * line)214 bool ReadFirstLine(const char* file, std::string* line) {
215 line->clear();
216
217 std::string contents;
218 if (!android::base::ReadFileToString(file, &contents, true /* follow symlinks */)) {
219 return false;
220 }
221 std::istringstream in(contents);
222 std::getline(in, *line);
223 return true;
224 }
225
FindPrecompiledSplitPolicy()226 Result<std::string> FindPrecompiledSplitPolicy() {
227 std::string precompiled_sepolicy;
228 // If there is an odm partition, precompiled_sepolicy will be in
229 // odm/etc/selinux. Otherwise it will be in vendor/etc/selinux.
230 static constexpr const char vendor_precompiled_sepolicy[] =
231 "/vendor/etc/selinux/precompiled_sepolicy";
232 static constexpr const char odm_precompiled_sepolicy[] =
233 "/odm/etc/selinux/precompiled_sepolicy";
234 if (access(odm_precompiled_sepolicy, R_OK) == 0) {
235 precompiled_sepolicy = odm_precompiled_sepolicy;
236 } else if (access(vendor_precompiled_sepolicy, R_OK) == 0) {
237 precompiled_sepolicy = vendor_precompiled_sepolicy;
238 } else {
239 return ErrnoError() << "No precompiled sepolicy at " << vendor_precompiled_sepolicy;
240 }
241
242 // Use precompiled sepolicy only when all corresponding hashes are equal.
243 std::vector<std::pair<std::string, std::string>> sepolicy_hashes{
244 {"/system/etc/selinux/plat_sepolicy_and_mapping.sha256",
245 precompiled_sepolicy + ".plat_sepolicy_and_mapping.sha256"},
246 {"/system_ext/etc/selinux/system_ext_sepolicy_and_mapping.sha256",
247 precompiled_sepolicy + ".system_ext_sepolicy_and_mapping.sha256"},
248 {"/product/etc/selinux/product_sepolicy_and_mapping.sha256",
249 precompiled_sepolicy + ".product_sepolicy_and_mapping.sha256"},
250 };
251
252 for (const auto& [actual_id_path, precompiled_id_path] : sepolicy_hashes) {
253 // Both of them should exist or both of them shouldn't exist.
254 if (access(actual_id_path.c_str(), R_OK) != 0) {
255 if (access(precompiled_id_path.c_str(), R_OK) == 0) {
256 return Error() << precompiled_id_path << " exists but " << actual_id_path
257 << " doesn't";
258 }
259 continue;
260 }
261
262 std::string actual_id;
263 if (!ReadFirstLine(actual_id_path.c_str(), &actual_id)) {
264 return ErrnoError() << "Failed to read " << actual_id_path;
265 }
266
267 std::string precompiled_id;
268 if (!ReadFirstLine(precompiled_id_path.c_str(), &precompiled_id)) {
269 return ErrnoError() << "Failed to read " << precompiled_id_path;
270 }
271
272 if (actual_id.empty() || actual_id != precompiled_id) {
273 return Error() << actual_id_path << " and " << precompiled_id_path << " differ";
274 }
275 }
276
277 return precompiled_sepolicy;
278 }
279
GetVendorMappingVersion(std::string * plat_vers)280 bool GetVendorMappingVersion(std::string* plat_vers) {
281 if (!ReadFirstLine("/vendor/etc/selinux/plat_sepolicy_vers.txt", plat_vers)) {
282 PLOG(ERROR) << "Failed to read /vendor/etc/selinux/plat_sepolicy_vers.txt";
283 return false;
284 }
285 if (plat_vers->empty()) {
286 LOG(ERROR) << "No version present in plat_sepolicy_vers.txt";
287 return false;
288 }
289 return true;
290 }
291
292 constexpr const char plat_policy_cil_file[] = "/system/etc/selinux/plat_sepolicy.cil";
293
IsSplitPolicyDevice()294 bool IsSplitPolicyDevice() {
295 return access(plat_policy_cil_file, R_OK) != -1;
296 }
297
GetUserdebugPlatformPolicyFile()298 std::optional<const char*> GetUserdebugPlatformPolicyFile() {
299 // See if we need to load userdebug_plat_sepolicy.cil instead of plat_sepolicy.cil.
300 const char* force_debuggable_env = getenv("INIT_FORCE_DEBUGGABLE");
301 if (force_debuggable_env && "true"s == force_debuggable_env && AvbHandle::IsDeviceUnlocked()) {
302 const std::vector<const char*> debug_policy_candidates = {
303 #if INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT == 1
304 "/system_ext/etc/selinux/userdebug_plat_sepolicy.cil",
305 #endif
306 kDebugRamdiskSEPolicy,
307 };
308 for (const char* debug_policy : debug_policy_candidates) {
309 if (access(debug_policy, F_OK) == 0) {
310 return debug_policy;
311 }
312 }
313 }
314 return std::nullopt;
315 }
316
317 struct PolicyFile {
318 unique_fd fd;
319 std::string path;
320 };
321
OpenSplitPolicy(PolicyFile * policy_file)322 bool OpenSplitPolicy(PolicyFile* policy_file) {
323 // IMPLEMENTATION NOTE: Split policy consists of three CIL files:
324 // * platform -- policy needed due to logic contained in the system image,
325 // * non-platform -- policy needed due to logic contained in the vendor image,
326 // * mapping -- mapping policy which helps preserve forward-compatibility of non-platform policy
327 // with newer versions of platform policy.
328 //
329 // secilc is invoked to compile the above three policy files into a single monolithic policy
330 // file. This file is then loaded into the kernel.
331
332 const auto userdebug_plat_sepolicy = GetUserdebugPlatformPolicyFile();
333 const bool use_userdebug_policy = userdebug_plat_sepolicy.has_value();
334 if (use_userdebug_policy) {
335 LOG(INFO) << "Using userdebug system sepolicy " << *userdebug_plat_sepolicy;
336 }
337
338 // Load precompiled policy from vendor image, if a matching policy is found there. The policy
339 // must match the platform policy on the system image.
340 // use_userdebug_policy requires compiling sepolicy with userdebug_plat_sepolicy.cil.
341 // Thus it cannot use the precompiled policy from vendor image.
342 if (!use_userdebug_policy) {
343 if (auto res = FindPrecompiledSplitPolicy(); res.ok()) {
344 unique_fd fd(open(res->c_str(), O_RDONLY | O_CLOEXEC | O_BINARY));
345 if (fd != -1) {
346 policy_file->fd = std::move(fd);
347 policy_file->path = std::move(*res);
348 return true;
349 }
350 } else {
351 LOG(INFO) << res.error();
352 }
353 }
354 // No suitable precompiled policy could be loaded
355
356 LOG(INFO) << "Compiling SELinux policy";
357
358 // We store the output of the compilation on /dev because this is the most convenient tmpfs
359 // storage mount available this early in the boot sequence.
360 char compiled_sepolicy[] = "/dev/sepolicy.XXXXXX";
361 unique_fd compiled_sepolicy_fd(mkostemp(compiled_sepolicy, O_CLOEXEC));
362 if (compiled_sepolicy_fd < 0) {
363 PLOG(ERROR) << "Failed to create temporary file " << compiled_sepolicy;
364 return false;
365 }
366
367 // Determine which mapping file to include
368 std::string vend_plat_vers;
369 if (!GetVendorMappingVersion(&vend_plat_vers)) {
370 return false;
371 }
372 std::string plat_mapping_file("/system/etc/selinux/mapping/" + vend_plat_vers + ".cil");
373
374 std::string plat_compat_cil_file("/system/etc/selinux/mapping/" + vend_plat_vers +
375 ".compat.cil");
376 if (access(plat_compat_cil_file.c_str(), F_OK) == -1) {
377 plat_compat_cil_file.clear();
378 }
379
380 std::string system_ext_policy_cil_file("/system_ext/etc/selinux/system_ext_sepolicy.cil");
381 if (access(system_ext_policy_cil_file.c_str(), F_OK) == -1) {
382 system_ext_policy_cil_file.clear();
383 }
384
385 std::string system_ext_mapping_file("/system_ext/etc/selinux/mapping/" + vend_plat_vers +
386 ".cil");
387 if (access(system_ext_mapping_file.c_str(), F_OK) == -1) {
388 system_ext_mapping_file.clear();
389 }
390
391 std::string system_ext_compat_cil_file("/system_ext/etc/selinux/mapping/" + vend_plat_vers +
392 ".compat.cil");
393 if (access(system_ext_compat_cil_file.c_str(), F_OK) == -1) {
394 system_ext_compat_cil_file.clear();
395 }
396
397 std::string product_policy_cil_file("/product/etc/selinux/product_sepolicy.cil");
398 if (access(product_policy_cil_file.c_str(), F_OK) == -1) {
399 product_policy_cil_file.clear();
400 }
401
402 std::string product_mapping_file("/product/etc/selinux/mapping/" + vend_plat_vers + ".cil");
403 if (access(product_mapping_file.c_str(), F_OK) == -1) {
404 product_mapping_file.clear();
405 }
406
407 // vendor_sepolicy.cil and plat_pub_versioned.cil are the new design to replace
408 // nonplat_sepolicy.cil.
409 std::string plat_pub_versioned_cil_file("/vendor/etc/selinux/plat_pub_versioned.cil");
410 std::string vendor_policy_cil_file("/vendor/etc/selinux/vendor_sepolicy.cil");
411
412 if (access(vendor_policy_cil_file.c_str(), F_OK) == -1) {
413 // For backward compatibility.
414 // TODO: remove this after no device is using nonplat_sepolicy.cil.
415 vendor_policy_cil_file = "/vendor/etc/selinux/nonplat_sepolicy.cil";
416 plat_pub_versioned_cil_file.clear();
417 } else if (access(plat_pub_versioned_cil_file.c_str(), F_OK) == -1) {
418 LOG(ERROR) << "Missing " << plat_pub_versioned_cil_file;
419 return false;
420 }
421
422 // odm_sepolicy.cil is default but optional.
423 std::string odm_policy_cil_file("/odm/etc/selinux/odm_sepolicy.cil");
424 if (access(odm_policy_cil_file.c_str(), F_OK) == -1) {
425 odm_policy_cil_file.clear();
426 }
427 const std::string version_as_string = std::to_string(SEPOLICY_VERSION);
428
429 // clang-format off
430 std::vector<const char*> compile_args {
431 "/system/bin/secilc",
432 use_userdebug_policy ? *userdebug_plat_sepolicy : plat_policy_cil_file,
433 "-m", "-M", "true", "-G", "-N",
434 "-c", version_as_string.c_str(),
435 plat_mapping_file.c_str(),
436 "-o", compiled_sepolicy,
437 // We don't care about file_contexts output by the compiler
438 "-f", "/sys/fs/selinux/null", // /dev/null is not yet available
439 };
440 // clang-format on
441
442 if (!plat_compat_cil_file.empty()) {
443 compile_args.push_back(plat_compat_cil_file.c_str());
444 }
445 if (!system_ext_policy_cil_file.empty()) {
446 compile_args.push_back(system_ext_policy_cil_file.c_str());
447 }
448 if (!system_ext_mapping_file.empty()) {
449 compile_args.push_back(system_ext_mapping_file.c_str());
450 }
451 if (!system_ext_compat_cil_file.empty()) {
452 compile_args.push_back(system_ext_compat_cil_file.c_str());
453 }
454 if (!product_policy_cil_file.empty()) {
455 compile_args.push_back(product_policy_cil_file.c_str());
456 }
457 if (!product_mapping_file.empty()) {
458 compile_args.push_back(product_mapping_file.c_str());
459 }
460 if (!plat_pub_versioned_cil_file.empty()) {
461 compile_args.push_back(plat_pub_versioned_cil_file.c_str());
462 }
463 if (!vendor_policy_cil_file.empty()) {
464 compile_args.push_back(vendor_policy_cil_file.c_str());
465 }
466 if (!odm_policy_cil_file.empty()) {
467 compile_args.push_back(odm_policy_cil_file.c_str());
468 }
469 compile_args.push_back(nullptr);
470
471 if (!ForkExecveAndWaitForCompletion(compile_args[0], (char**)compile_args.data())) {
472 unlink(compiled_sepolicy);
473 return false;
474 }
475 unlink(compiled_sepolicy);
476
477 policy_file->fd = std::move(compiled_sepolicy_fd);
478 policy_file->path = compiled_sepolicy;
479 return true;
480 }
481
OpenMonolithicPolicy(PolicyFile * policy_file)482 bool OpenMonolithicPolicy(PolicyFile* policy_file) {
483 static constexpr char kSepolicyFile[] = "/sepolicy";
484
485 LOG(VERBOSE) << "Opening SELinux policy from monolithic file";
486 policy_file->fd.reset(open(kSepolicyFile, O_RDONLY | O_CLOEXEC | O_NOFOLLOW));
487 if (policy_file->fd < 0) {
488 PLOG(ERROR) << "Failed to open monolithic SELinux policy";
489 return false;
490 }
491 policy_file->path = kSepolicyFile;
492 return true;
493 }
494
ReadPolicy(std::string * policy)495 void ReadPolicy(std::string* policy) {
496 PolicyFile policy_file;
497
498 bool ok = IsSplitPolicyDevice() ? OpenSplitPolicy(&policy_file)
499 : OpenMonolithicPolicy(&policy_file);
500 if (!ok) {
501 LOG(FATAL) << "Unable to open SELinux policy";
502 }
503
504 if (!android::base::ReadFdToString(policy_file.fd, policy)) {
505 PLOG(FATAL) << "Failed to read policy file: " << policy_file.path;
506 }
507 }
508
SelinuxSetEnforcement()509 void SelinuxSetEnforcement() {
510 bool kernel_enforcing = (security_getenforce() == 1);
511 bool is_enforcing = IsEnforcing();
512 if (kernel_enforcing != is_enforcing) {
513 if (security_setenforce(is_enforcing)) {
514 PLOG(FATAL) << "security_setenforce(" << (is_enforcing ? "true" : "false")
515 << ") failed";
516 }
517 }
518
519 if (auto result = WriteFile("/sys/fs/selinux/checkreqprot", "0"); !result.ok()) {
520 LOG(FATAL) << "Unable to write to /sys/fs/selinux/checkreqprot: " << result.error();
521 }
522 }
523
524 constexpr size_t kKlogMessageSize = 1024;
525
SelinuxAvcLog(char * buf,size_t buf_len)526 void SelinuxAvcLog(char* buf, size_t buf_len) {
527 CHECK_GT(buf_len, 0u);
528
529 size_t str_len = strnlen(buf, buf_len);
530 // trim newline at end of string
531 if (buf[str_len - 1] == '\n') {
532 buf[str_len - 1] = '\0';
533 }
534
535 struct NetlinkMessage {
536 nlmsghdr hdr;
537 char buf[kKlogMessageSize];
538 } request = {};
539
540 request.hdr.nlmsg_flags = NLM_F_REQUEST;
541 request.hdr.nlmsg_type = AUDIT_USER_AVC;
542 request.hdr.nlmsg_len = sizeof(request);
543 strlcpy(request.buf, buf, sizeof(request.buf));
544
545 auto fd = unique_fd{socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT)};
546 if (!fd.ok()) {
547 return;
548 }
549
550 TEMP_FAILURE_RETRY(send(fd, &request, sizeof(request), 0));
551 }
552
553 } // namespace
554
SelinuxRestoreContext()555 void SelinuxRestoreContext() {
556 LOG(INFO) << "Running restorecon...";
557 selinux_android_restorecon("/dev", 0);
558 selinux_android_restorecon("/dev/kmsg", 0);
559 if constexpr (WORLD_WRITABLE_KMSG) {
560 selinux_android_restorecon("/dev/kmsg_debug", 0);
561 }
562 selinux_android_restorecon("/dev/null", 0);
563 selinux_android_restorecon("/dev/ptmx", 0);
564 selinux_android_restorecon("/dev/socket", 0);
565 selinux_android_restorecon("/dev/random", 0);
566 selinux_android_restorecon("/dev/urandom", 0);
567 selinux_android_restorecon("/dev/__properties__", 0);
568
569 selinux_android_restorecon("/dev/block", SELINUX_ANDROID_RESTORECON_RECURSE);
570 selinux_android_restorecon("/dev/dm-user", SELINUX_ANDROID_RESTORECON_RECURSE);
571 selinux_android_restorecon("/dev/device-mapper", 0);
572
573 selinux_android_restorecon("/apex", 0);
574
575 selinux_android_restorecon("/linkerconfig", 0);
576
577 // adb remount, snapshot-based updates, and DSUs all create files during
578 // first-stage init.
579 selinux_android_restorecon(SnapshotManager::GetGlobalRollbackIndicatorPath().c_str(), 0);
580 selinux_android_restorecon("/metadata/gsi", SELINUX_ANDROID_RESTORECON_RECURSE |
581 SELINUX_ANDROID_RESTORECON_SKIP_SEHASH);
582 }
583
SelinuxKlogCallback(int type,const char * fmt,...)584 int SelinuxKlogCallback(int type, const char* fmt, ...) {
585 android::base::LogSeverity severity = android::base::ERROR;
586 if (type == SELINUX_WARNING) {
587 severity = android::base::WARNING;
588 } else if (type == SELINUX_INFO) {
589 severity = android::base::INFO;
590 }
591 char buf[kKlogMessageSize];
592 va_list ap;
593 va_start(ap, fmt);
594 int length_written = vsnprintf(buf, sizeof(buf), fmt, ap);
595 va_end(ap);
596 if (length_written <= 0) {
597 return 0;
598 }
599 if (type == SELINUX_AVC) {
600 SelinuxAvcLog(buf, sizeof(buf));
601 } else {
602 android::base::KernelLogger(android::base::MAIN, severity, "selinux", nullptr, 0, buf);
603 }
604 return 0;
605 }
606
SelinuxSetupKernelLogging()607 void SelinuxSetupKernelLogging() {
608 selinux_callback cb;
609 cb.func_log = SelinuxKlogCallback;
610 selinux_set_callback(SELINUX_CB_LOG, cb);
611 }
612
SelinuxGetVendorAndroidVersion()613 int SelinuxGetVendorAndroidVersion() {
614 static int vendor_android_version = [] {
615 if (!IsSplitPolicyDevice()) {
616 // If this device does not split sepolicy files, it's not a Treble device and therefore,
617 // we assume it's always on the latest platform.
618 return __ANDROID_API_FUTURE__;
619 }
620
621 std::string version;
622 if (!GetVendorMappingVersion(&version)) {
623 LOG(FATAL) << "Could not read vendor SELinux version";
624 }
625
626 int major_version;
627 std::string major_version_str(version, 0, version.find('.'));
628 if (!ParseInt(major_version_str, &major_version)) {
629 PLOG(FATAL) << "Failed to parse the vendor sepolicy major version "
630 << major_version_str;
631 }
632
633 return major_version;
634 }();
635 return vendor_android_version;
636 }
637
638 // This is for R system.img/system_ext.img to work on old vendor.img as system_ext.img
639 // is introduced in R. We mount system_ext in second stage init because the first-stage
640 // init in boot.img won't be updated in the system-only OTA scenario.
MountMissingSystemPartitions()641 void MountMissingSystemPartitions() {
642 android::fs_mgr::Fstab fstab;
643 if (!ReadDefaultFstab(&fstab)) {
644 LOG(ERROR) << "Could not read default fstab";
645 }
646
647 android::fs_mgr::Fstab mounts;
648 if (!ReadFstabFromFile("/proc/mounts", &mounts)) {
649 LOG(ERROR) << "Could not read /proc/mounts";
650 }
651
652 static const std::vector<std::string> kPartitionNames = {"system_ext", "product"};
653
654 android::fs_mgr::Fstab extra_fstab;
655 for (const auto& name : kPartitionNames) {
656 if (GetEntryForMountPoint(&mounts, "/"s + name)) {
657 // The partition is already mounted.
658 continue;
659 }
660
661 auto system_entry = GetEntryForMountPoint(&fstab, "/system");
662 if (!system_entry) {
663 LOG(ERROR) << "Could not find mount entry for /system";
664 break;
665 }
666 if (!system_entry->fs_mgr_flags.logical) {
667 LOG(INFO) << "Skipping mount of " << name << ", system is not dynamic.";
668 break;
669 }
670
671 auto entry = *system_entry;
672 auto partition_name = name + fs_mgr_get_slot_suffix();
673 auto replace_name = "system"s + fs_mgr_get_slot_suffix();
674
675 entry.mount_point = "/"s + name;
676 entry.blk_device =
677 android::base::StringReplace(entry.blk_device, replace_name, partition_name, false);
678 if (!fs_mgr_update_logical_partition(&entry)) {
679 LOG(ERROR) << "Could not update logical partition";
680 continue;
681 }
682
683 extra_fstab.emplace_back(std::move(entry));
684 }
685
686 SkipMountingPartitions(&extra_fstab, true /* verbose */);
687 if (extra_fstab.empty()) {
688 return;
689 }
690
691 BlockDevInitializer block_dev_init;
692 for (auto& entry : extra_fstab) {
693 if (access(entry.blk_device.c_str(), F_OK) != 0) {
694 auto block_dev = android::base::Basename(entry.blk_device);
695 if (!block_dev_init.InitDmDevice(block_dev)) {
696 LOG(ERROR) << "Failed to find device-mapper node: " << block_dev;
697 continue;
698 }
699 }
700 if (fs_mgr_do_mount_one(entry)) {
701 LOG(ERROR) << "Could not mount " << entry.mount_point;
702 }
703 }
704 }
705
LoadSelinuxPolicy(std::string & policy)706 static void LoadSelinuxPolicy(std::string& policy) {
707 LOG(INFO) << "Loading SELinux policy";
708
709 set_selinuxmnt("/sys/fs/selinux");
710 if (security_load_policy(policy.data(), policy.size()) < 0) {
711 PLOG(FATAL) << "SELinux: Could not load policy";
712 }
713 }
714
715 // The SELinux setup process is carefully orchestrated around snapuserd. Policy
716 // must be loaded off dynamic partitions, and during an OTA, those partitions
717 // cannot be read without snapuserd. But, with kernel-privileged snapuserd
718 // running, loading the policy will immediately trigger audits.
719 //
720 // We use a five-step process to address this:
721 // (1) Read the policy into a string, with snapuserd running.
722 // (2) Rewrite the snapshot device-mapper tables, to generate new dm-user
723 // devices and to flush I/O.
724 // (3) Kill snapuserd, which no longer has any dm-user devices to attach to.
725 // (4) Load the sepolicy and issue critical restorecons in /dev, carefully
726 // avoiding anything that would read from /system.
727 // (5) Re-launch snapuserd and attach it to the dm-user devices from step (2).
728 //
729 // After this sequence, it is safe to enable enforcing mode and continue booting.
SetupSelinux(char ** argv)730 int SetupSelinux(char** argv) {
731 SetStdioToDevNull(argv);
732 InitKernelLogging(argv);
733
734 if (REBOOT_BOOTLOADER_ON_PANIC) {
735 InstallRebootSignalHandlers();
736 }
737
738 boot_clock::time_point start_time = boot_clock::now();
739
740 MountMissingSystemPartitions();
741
742 SelinuxSetupKernelLogging();
743
744 LOG(INFO) << "Opening SELinux policy";
745
746 // Read the policy before potentially killing snapuserd.
747 std::string policy;
748 ReadPolicy(&policy);
749
750 auto snapuserd_helper = SnapuserdSelinuxHelper::CreateIfNeeded();
751 if (snapuserd_helper) {
752 // Kill the old snapused to avoid audit messages. After this we cannot
753 // read from /system (or other dynamic partitions) until we call
754 // FinishTransition().
755 snapuserd_helper->StartTransition();
756 }
757
758 LoadSelinuxPolicy(policy);
759
760 if (snapuserd_helper) {
761 // Before enforcing, finish the pending snapuserd transition.
762 snapuserd_helper->FinishTransition();
763 snapuserd_helper = nullptr;
764 }
765
766 SelinuxSetEnforcement();
767
768 // We're in the kernel domain and want to transition to the init domain. File systems that
769 // store SELabels in their xattrs, such as ext4 do not need an explicit restorecon here,
770 // but other file systems do. In particular, this is needed for ramdisks such as the
771 // recovery image for A/B devices.
772 if (selinux_android_restorecon("/system/bin/init", 0) == -1) {
773 PLOG(FATAL) << "restorecon failed of /system/bin/init failed";
774 }
775
776 setenv(kEnvSelinuxStartedAt, std::to_string(start_time.time_since_epoch().count()).c_str(), 1);
777
778 const char* path = "/system/bin/init";
779 const char* args[] = {path, "second_stage", nullptr};
780 execv(path, const_cast<char**>(args));
781
782 // execv() only returns if an error happened, in which case we
783 // panic and never return from this function.
784 PLOG(FATAL) << "execv(\"" << path << "\") failed";
785
786 return 1;
787 }
788
789 } // namespace init
790 } // namespace android
791