ueventd fixup_sys_perms: fixup SELinux labels unconditionally
Currently, the fixup code in fixup_sys_perms() scans through all
entries in uevent*.rc. If it finds a match, then it performs a fixup.
If there's no match in that file, no fixup is performed.
SELinux file labels are independently stored in /file_contexts,
with no relationship to the files in /ueventd.rc. Even when no
entries exist in ueventd.rc, we still want to fixup the SELinux
file label in /sys when a uevent message occurs.
Change-Id: I0ccb5395ec0be9282095b844a5022e8c0d8903ac
diff --git a/init/devices.c b/init/devices.c
index 58b2704..e27c311 100644
--- a/init/devices.c
+++ b/init/devices.c
@@ -134,11 +134,10 @@
char buf[512];
struct listnode *node;
struct perms_ *dp;
- char *secontext;
- /* upaths omit the "/sys" that paths in this list
- * contain, so we add 4 when comparing...
- */
+ /* upaths omit the "/sys" that paths in this list
+ * contain, so we add 4 when comparing...
+ */
list_for_each(node, &sys_perms) {
dp = &(node_to_item(node, struct perm_node, plist))->dp;
if (dp->prefix) {
@@ -153,20 +152,23 @@
}
if ((strlen(upath) + strlen(dp->attr) + 6) > sizeof(buf))
- return;
+ break;
sprintf(buf,"/sys%s/%s", upath, dp->attr);
INFO("fixup %s %d %d 0%o\n", buf, dp->uid, dp->gid, dp->perm);
chown(buf, dp->uid, dp->gid);
chmod(buf, dp->perm);
- if (sehandle) {
- secontext = NULL;
- selabel_lookup(sehandle, &secontext, buf, 0);
- if (secontext) {
- setfilecon(buf, secontext);
- freecon(secontext);
- }
- }
+ }
+
+ // Now fixup SELinux file labels
+ int len = snprintf(buf, sizeof(buf), "/sys%s", upath);
+ if ((len < 0) || ((size_t) len >= sizeof(buf))) {
+ // Overflow
+ return;
+ }
+ if (access(buf, F_OK) == 0) {
+ INFO("restorecon_recursive: %s\n", buf);
+ restorecon_recursive(buf);
}
}
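Review bot: `restorecon_recursive(buf)` at the end of the hunk relabels the entire subtree under `/sys<upath>` on every uevent, whereas the removed loop code labeled only the matched attribute files; on events for a device with a large sysfs tree this looks considerably more expensive, and since the `access()` failure and any error from `restorecon_recursive()` (its return type is not visible here) are both silent, a missed relabel leaves no trace in the log. Consider logging the case where the path exists but the relabel fails, if that function reports one, so a mislabeled /sys node can be traced back to the uevent. Style-wise, the new `int len` is declared mid-block while the function keeps its other locals at the top (see hunk 1), and the surviving `sprintf(buf,"/sys%s/%s", upath, dp->attr);` in the loop could use the same `snprintf` plus length check the new code introduces, dropping the hand-computed `+ 6`. The `// Overflow` comment would also be clearer as `// path would be truncated; skip the SELinux fixup`. fixup_sys_perms's body starts outside the hunk.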