Merge "Modify installd to set the SELinux security context on package directories."

2012-06-08 12:27:41 -07:00
parent 7b2d056342 0b58e6a1a9
commit 60b3d59d7f
2 changed files with 45 additions and 1 deletions
--- a/cmds/installd/Android.mk
+++ b/cmds/installd/Android.mk
@@ -34,6 +34,12 @@ LOCAL_SHARED_LIBRARIES := \
 LOCAL_STATIC_LIBRARIES := \
    libdiskusage

+ifeq ($(HAVE_SELINUX),true)
+LOCAL_C_INCLUDES += external/libselinux/include
+LOCAL_SHARED_LIBRARIES += libselinux
+LOCAL_CFLAGS := -DHAVE_SELINUX
+endif # HAVE_SELINUX
+
 LOCAL_MODULE := installd

 LOCAL_MODULE_TAGS := optional
--- a/cmds/installd/commands.c
+++ b/cmds/installd/commands.c
@@ -17,6 +17,10 @@
 #include "installd.h"
 #include <diskusage/dirsize.h>

+#ifdef HAVE_SELINUX
+#include <selinux/android.h>
+#endif
+
 /* Directory records that are used in execution of commands. */
 dir_rec_t android_data_dir;
 dir_rec_t android_asec_dir;
@@ -58,6 +62,15 @@ int install(const char *pkgname, uid_t uid, gid_t gid)
        unlink(pkgdir);
        return -errno;
    }
+
+#ifdef HAVE_SELINUX
+    if (selinux_android_setfilecon(pkgdir, pkgname, uid) < 0) {
+        LOGE("cannot setfilecon dir '%s': %s\n", pkgdir, strerror(errno));
+        unlink(pkgdir);
+        return -errno;
+    }
+#endif
+
    if (mkdir(libdir, 0755) < 0) {
        ALOGE("cannot create dir '%s': %s\n", libdir, strerror(errno));
        unlink(pkgdir);
@@ -75,6 +88,16 @@ int install(const char *pkgname, uid_t uid, gid_t gid)
        unlink(pkgdir);
        return -errno;
    }
+
+#ifdef HAVE_SELINUX
+    if (selinux_android_setfilecon(libdir, pkgname, AID_SYSTEM) < 0) {
+        LOGE("cannot setfilecon dir '%s': %s\n", libdir, strerror(errno));
+        unlink(libdir);
+        unlink(pkgdir);
+        return -errno;
+    }
+#endif
+
    return 0;
 }

@@ -135,6 +158,15 @@ int make_user_data(const char *pkgname, uid_t uid, uid_t persona)
        unlink(pkgdir);
        return -errno;
    }
+
+#ifdef HAVE_SELINUX
+    if (selinux_android_setfilecon(pkgdir, pkgname, uid) < 0) {
+        LOGE("cannot setfilecon dir '%s': %s\n", pkgdir, strerror(errno));
+        unlink(pkgdir);
+        return -errno;
+    }
+#endif
+
    return 0;
 }

@@ -284,12 +316,18 @@ int protect(char *pkgname, gid_t gid)
        ALOGE("failed to chgrp '%s': %s\n", pkgpath, strerror(errno));
        return -1;
    }
-
    if (chmod(pkgpath, S_IRUSR|S_IWUSR|S_IRGRP) < 0) {
        ALOGE("failed to chmod '%s': %s\n", pkgpath, strerror(errno));
        return -1;
    }

+#ifdef HAVE_SELINUX
+    if (selinux_android_setfilecon(pkgpath, pkgname, s.st_uid) < 0) {
+        LOGE("cannot setfilecon dir '%s': %s\n", pkgpath, strerror(errno));
+        return -1;
+    }
+#endif
+
    return 0;
 }