Extend init and ueventd for SE Android.
Add SE Android support for init and ueventd.
init:
- Load policy at boot.
- Set the security context for service daemons and their sockets.
- New built-in commands: setcon, setenforce, restorecon, setsebool.
- New option for services: seclabel.
ueventd:
- Set the security context for device directories and nodes.
Change-Id: I98ed752cde503c94d99dfa5b5a47e3c33db16aac
diff --git a/init/util.c b/init/util.c
index 13c9ca2..3a4b10b 100755
--- a/init/util.c
+++ b/init/util.c
@@ -23,6 +23,10 @@
#include <errno.h>
#include <time.h>
+#ifdef HAVE_SELINUX
+#include <selinux/label.h>
+#endif
+
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/socket.h>
@@ -33,6 +37,7 @@
#include <private/android_filesystem_config.h>
+#include "init.h"
#include "log.h"
#include "util.h"
@@ -84,6 +89,9 @@
{
struct sockaddr_un addr;
int fd, ret;
+#ifdef HAVE_SELINUX
+ char *secon;
+#endif
fd = socket(PF_UNIX, type, 0);
if (fd < 0) {
@@ -102,12 +110,26 @@
goto out_close;
}
+#ifdef HAVE_SELINUX
+ secon = NULL;
+ if (sehandle) {
+ ret = selabel_lookup(sehandle, &secon, addr.sun_path, S_IFSOCK);
+ if (ret == 0)
+ setfscreatecon(secon);
+ }
+#endif
+
ret = bind(fd, (struct sockaddr *) &addr, sizeof (addr));
if (ret) {
ERROR("Failed to bind socket '%s': %s\n", name, strerror(errno));
goto out_unlink;
}
+#ifdef HAVE_SELINUX
+ setfscreatecon(NULL);
+ freecon(secon);
+#endif
+
chown(addr.sun_path, uid, gid);
chmod(addr.sun_path, perm);