Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2017 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | // This file contains the functions that initialize SELinux during boot as well as helper functions |
| 18 | // for SELinux operation for init. |
| 19 | |
| 20 | // When the system boots, there is no SEPolicy present and init is running in the kernel domain. |
Tom Cherry | 7bfea3d | 2018-11-06 14:12:05 -0800 | [diff] [blame] | 21 | // Init loads the SEPolicy from the file system, restores the context of /system/bin/init based on |
| 22 | // this SEPolicy, and finally exec()'s itself to run in the proper domain. |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 23 | |
| 24 | // The SEPolicy on Android comes in two variants: monolithic and split. |
| 25 | |
| 26 | // The monolithic policy variant is for legacy non-treble devices that contain a single SEPolicy |
| 27 | // file located at /sepolicy and is directly loaded into the kernel SELinux subsystem. |
| 28 | |
Jeffrey Vander Stoep | baeece6 | 2022-02-08 12:42:33 +0000 | [diff] [blame] | 29 | // The split policy is for supporting treble devices and updateable apexes. It splits the SEPolicy |
| 30 | // across files on /system/etc/selinux (the 'plat' portion of the policy), /vendor/etc/selinux |
| 31 | // (the 'vendor' portion of the policy), /system_ext/etc/selinux, /product/etc/selinux, |
| 32 | // /odm/etc/selinux, and /dev/selinux (the apex portion of policy). This is necessary to allow |
| 33 | // images to be updated independently of the vendor image, while maintaining contributions from |
| 34 | // multiple partitions in the SEPolicy. This is especially important for VTS testing, where the |
| 35 | // SEPolicy on the Google System Image may not be identical to the system image shipped on a |
| 36 | // vendor's device. |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 37 | |
| 38 | // The split SEPolicy is loaded as described below: |
Tri Vo | c8137f9 | 2019-01-22 18:22:25 -0800 | [diff] [blame] | 39 | // 1) There is a precompiled SEPolicy located at either /vendor/etc/selinux/precompiled_sepolicy or |
| 40 | // /odm/etc/selinux/precompiled_sepolicy if odm parition is present. Stored along with this file |
Jeffrey Vander Stoep | baeece6 | 2022-02-08 12:42:33 +0000 | [diff] [blame] | 41 | // are the sha256 hashes of the parts of the SEPolicy on /system, /system_ext, /product, and apex |
| 42 | // that were used to compile this precompiled policy. The system partition contains a similar |
| 43 | // sha256 of the parts of the SEPolicy that it currently contains. Symmetrically, system_ext, |
| 44 | // product, and apex contain sha256 hashes of their SEPolicy. Init loads this |
Bowgo Tsai | f016f25 | 2019-08-28 17:56:51 +0800 | [diff] [blame] | 45 | // precompiled_sepolicy directly if and only if the hashes along with the precompiled SEPolicy on |
Jeffrey Vander Stoep | baeece6 | 2022-02-08 12:42:33 +0000 | [diff] [blame] | 46 | // /vendor or /odm match the hashes for system, system_ext, product, and apex SEPolicy, |
| 47 | // respectively. |
| 48 | // 2) If these hashes do not match, then either /system or /system_ext /product, or apex (or some of |
| 49 | // them) have been updated out of sync with /vendor (or /odm if it is present) and the init needs |
| 50 | // to compile the SEPolicy. /system contains the SEPolicy compiler, secilc, and it is used by |
| 51 | // the OpenSplitPolicy() function below to compile the SEPolicy to a temp directory and load it. |
Bowgo Tsai | f016f25 | 2019-08-28 17:56:51 +0800 | [diff] [blame] | 52 | // That function contains even more documentation with the specific implementation details of how |
| 53 | // the SEPolicy is compiled if needed. |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 54 | |
| 55 | #include "selinux.h" |
| 56 | |
Tom Cherry | 40acb37 | 2018-08-01 13:41:12 -0700 | [diff] [blame] | 57 | #include <android/api-level.h> |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 58 | #include <fcntl.h> |
Tom Cherry | 8180b48 | 2019-08-26 13:57:51 -0700 | [diff] [blame] | 59 | #include <linux/audit.h> |
| 60 | #include <linux/netlink.h> |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 61 | #include <stdlib.h> |
| 62 | #include <sys/wait.h> |
| 63 | #include <unistd.h> |
Jeffrey Vander Stoep | baeece6 | 2022-02-08 12:42:33 +0000 | [diff] [blame] | 64 | #include <fstream> |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 65 | |
Jeffrey Vander Stoep | baeece6 | 2022-02-08 12:42:33 +0000 | [diff] [blame] | 66 | #include <CertUtils.h> |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 67 | #include <android-base/chrono_utils.h> |
| 68 | #include <android-base/file.h> |
| 69 | #include <android-base/logging.h> |
Logan Chien | 837b2a4 | 2018-05-03 14:33:52 +0800 | [diff] [blame] | 70 | #include <android-base/parseint.h> |
Inseob Kim | d99d977 | 2021-03-11 17:58:26 +0900 | [diff] [blame] | 71 | #include <android-base/result.h> |
Jeffrey Vander Stoep | baeece6 | 2022-02-08 12:42:33 +0000 | [diff] [blame] | 72 | #include <android-base/scopeguard.h> |
David Anderson | d0ce530 | 2020-03-20 21:47:10 -0700 | [diff] [blame] | 73 | #include <android-base/strings.h> |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 74 | #include <android-base/unique_fd.h> |
Bowgo Tsai | 1dacd42 | 2019-03-04 17:53:34 +0800 | [diff] [blame] | 75 | #include <fs_avb/fs_avb.h> |
David Anderson | d0ce530 | 2020-03-20 21:47:10 -0700 | [diff] [blame] | 76 | #include <fs_mgr.h> |
Jeffrey Vander Stoep | baeece6 | 2022-02-08 12:42:33 +0000 | [diff] [blame] | 77 | #include <fsverity_init.h> |
Bowgo Tsai | 196cc58 | 2020-01-20 18:03:58 +0800 | [diff] [blame] | 78 | #include <libgsi/libgsi.h> |
Yifan Hong | d91998f | 2020-02-20 17:54:57 -0800 | [diff] [blame] | 79 | #include <libsnapshot/snapshot.h> |
Jeffrey Vander Stoep | baeece6 | 2022-02-08 12:42:33 +0000 | [diff] [blame] | 80 | #include <mini_keyctl_utils.h> |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 81 | #include <selinux/android.h> |
Jeffrey Vander Stoep | baeece6 | 2022-02-08 12:42:33 +0000 | [diff] [blame] | 82 | #include <ziparchive/zip_archive.h> |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 83 | |
David Anderson | d0ce530 | 2020-03-20 21:47:10 -0700 | [diff] [blame] | 84 | #include "block_dev_initializer.h" |
Bowgo Tsai | 30afda7 | 2019-04-11 23:57:24 +0800 | [diff] [blame] | 85 | #include "debug_ramdisk.h" |
Tom Cherry | 7bfea3d | 2018-11-06 14:12:05 -0800 | [diff] [blame] | 86 | #include "reboot_utils.h" |
David Anderson | 491e4da | 2020-12-08 00:21:20 -0800 | [diff] [blame] | 87 | #include "snapuserd_transition.h" |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 88 | #include "util.h" |
| 89 | |
Bowgo Tsai | 1dacd42 | 2019-03-04 17:53:34 +0800 | [diff] [blame] | 90 | using namespace std::string_literals; |
| 91 | |
Logan Chien | 837b2a4 | 2018-05-03 14:33:52 +0800 | [diff] [blame] | 92 | using android::base::ParseInt; |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 93 | using android::base::Timer; |
| 94 | using android::base::unique_fd; |
Bowgo Tsai | 1dacd42 | 2019-03-04 17:53:34 +0800 | [diff] [blame] | 95 | using android::fs_mgr::AvbHandle; |
Yifan Hong | d91998f | 2020-02-20 17:54:57 -0800 | [diff] [blame] | 96 | using android::snapshot::SnapshotManager; |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 97 | |
| 98 | namespace android { |
| 99 | namespace init { |
| 100 | |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 101 | namespace { |
| 102 | |
| 103 | enum EnforcingStatus { SELINUX_PERMISSIVE, SELINUX_ENFORCING }; |
| 104 | |
Alistair Delva | 63594a4 | 2021-03-09 11:04:23 -0800 | [diff] [blame] | 105 | EnforcingStatus StatusFromProperty() { |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 106 | EnforcingStatus status = SELINUX_ENFORCING; |
| 107 | |
Tom Cherry | c88d8f9 | 2019-08-19 15:21:25 -0700 | [diff] [blame] | 108 | ImportKernelCmdline([&](const std::string& key, const std::string& value) { |
| 109 | if (key == "androidboot.selinux" && value == "permissive") { |
| 110 | status = SELINUX_PERMISSIVE; |
| 111 | } |
| 112 | }); |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 113 | |
Alistair Delva | 63594a4 | 2021-03-09 11:04:23 -0800 | [diff] [blame] | 114 | if (status == SELINUX_ENFORCING) { |
| 115 | ImportBootconfig([&](const std::string& key, const std::string& value) { |
| 116 | if (key == "androidboot.selinux" && value == "permissive") { |
| 117 | status = SELINUX_PERMISSIVE; |
| 118 | } |
| 119 | }); |
| 120 | } |
| 121 | |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 122 | return status; |
| 123 | } |
| 124 | |
| 125 | bool IsEnforcing() { |
| 126 | if (ALLOW_PERMISSIVE_SELINUX) { |
Alistair Delva | 63594a4 | 2021-03-09 11:04:23 -0800 | [diff] [blame] | 127 | return StatusFromProperty() == SELINUX_ENFORCING; |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 128 | } |
| 129 | return true; |
| 130 | } |
| 131 | |
| 132 | // Forks, executes the provided program in the child, and waits for the completion in the parent. |
| 133 | // Child's stderr is captured and logged using LOG(ERROR). |
| 134 | bool ForkExecveAndWaitForCompletion(const char* filename, char* const argv[]) { |
| 135 | // Create a pipe used for redirecting child process's output. |
| 136 | // * pipe_fds[0] is the FD the parent will use for reading. |
| 137 | // * pipe_fds[1] is the FD the child will use for writing. |
| 138 | int pipe_fds[2]; |
| 139 | if (pipe(pipe_fds) == -1) { |
| 140 | PLOG(ERROR) << "Failed to create pipe"; |
| 141 | return false; |
| 142 | } |
| 143 | |
| 144 | pid_t child_pid = fork(); |
| 145 | if (child_pid == -1) { |
| 146 | PLOG(ERROR) << "Failed to fork for " << filename; |
| 147 | return false; |
| 148 | } |
| 149 | |
| 150 | if (child_pid == 0) { |
| 151 | // fork succeeded -- this is executing in the child process |
| 152 | |
| 153 | // Close the pipe FD not used by this process |
Nick Kralevich | 3d118e7 | 2017-10-24 10:45:48 -0700 | [diff] [blame] | 154 | close(pipe_fds[0]); |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 155 | |
| 156 | // Redirect stderr to the pipe FD provided by the parent |
| 157 | if (TEMP_FAILURE_RETRY(dup2(pipe_fds[1], STDERR_FILENO)) == -1) { |
| 158 | PLOG(ERROR) << "Failed to redirect stderr of " << filename; |
| 159 | _exit(127); |
| 160 | return false; |
| 161 | } |
Nick Kralevich | 3d118e7 | 2017-10-24 10:45:48 -0700 | [diff] [blame] | 162 | close(pipe_fds[1]); |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 163 | |
Tom Cherry | 6de21f1 | 2017-08-22 15:41:03 -0700 | [diff] [blame] | 164 | if (execv(filename, argv) == -1) { |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 165 | PLOG(ERROR) << "Failed to execve " << filename; |
| 166 | return false; |
| 167 | } |
| 168 | // Unreachable because execve will have succeeded and replaced this code |
| 169 | // with child process's code. |
| 170 | _exit(127); |
| 171 | return false; |
| 172 | } else { |
| 173 | // fork succeeded -- this is executing in the original/parent process |
| 174 | |
| 175 | // Close the pipe FD not used by this process |
Nick Kralevich | 3d118e7 | 2017-10-24 10:45:48 -0700 | [diff] [blame] | 176 | close(pipe_fds[1]); |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 177 | |
| 178 | // Log the redirected output of the child process. |
| 179 | // It's unfortunate that there's no standard way to obtain an istream for a file descriptor. |
| 180 | // As a result, we're buffering all output and logging it in one go at the end of the |
| 181 | // invocation, instead of logging it as it comes in. |
| 182 | const int child_out_fd = pipe_fds[0]; |
| 183 | std::string child_output; |
| 184 | if (!android::base::ReadFdToString(child_out_fd, &child_output)) { |
| 185 | PLOG(ERROR) << "Failed to capture full output of " << filename; |
| 186 | } |
Nick Kralevich | 3d118e7 | 2017-10-24 10:45:48 -0700 | [diff] [blame] | 187 | close(child_out_fd); |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 188 | if (!child_output.empty()) { |
| 189 | // Log captured output, line by line, because LOG expects to be invoked for each line |
| 190 | std::istringstream in(child_output); |
| 191 | std::string line; |
| 192 | while (std::getline(in, line)) { |
| 193 | LOG(ERROR) << filename << ": " << line; |
| 194 | } |
| 195 | } |
| 196 | |
| 197 | // Wait for child to terminate |
| 198 | int status; |
| 199 | if (TEMP_FAILURE_RETRY(waitpid(child_pid, &status, 0)) != child_pid) { |
| 200 | PLOG(ERROR) << "Failed to wait for " << filename; |
| 201 | return false; |
| 202 | } |
| 203 | |
| 204 | if (WIFEXITED(status)) { |
| 205 | int status_code = WEXITSTATUS(status); |
| 206 | if (status_code == 0) { |
| 207 | return true; |
| 208 | } else { |
| 209 | LOG(ERROR) << filename << " exited with status " << status_code; |
| 210 | } |
| 211 | } else if (WIFSIGNALED(status)) { |
| 212 | LOG(ERROR) << filename << " killed by signal " << WTERMSIG(status); |
| 213 | } else if (WIFSTOPPED(status)) { |
| 214 | LOG(ERROR) << filename << " stopped by signal " << WSTOPSIG(status); |
| 215 | } else { |
| 216 | LOG(ERROR) << "waitpid for " << filename << " returned unexpected status: " << status; |
| 217 | } |
| 218 | |
| 219 | return false; |
| 220 | } |
| 221 | } |
| 222 | |
| 223 | bool ReadFirstLine(const char* file, std::string* line) { |
| 224 | line->clear(); |
| 225 | |
| 226 | std::string contents; |
| 227 | if (!android::base::ReadFileToString(file, &contents, true /* follow symlinks */)) { |
| 228 | return false; |
| 229 | } |
| 230 | std::istringstream in(contents); |
| 231 | std::getline(in, *line); |
| 232 | return true; |
| 233 | } |
| 234 | |
Inseob Kim | d99d977 | 2021-03-11 17:58:26 +0900 | [diff] [blame] | 235 | Result<std::string> FindPrecompiledSplitPolicy() { |
| 236 | std::string precompiled_sepolicy; |
kaichieh | eef4cd7 | 2017-08-31 22:07:19 +0800 | [diff] [blame] | 237 | // If there is an odm partition, precompiled_sepolicy will be in |
| 238 | // odm/etc/selinux. Otherwise it will be in vendor/etc/selinux. |
| 239 | static constexpr const char vendor_precompiled_sepolicy[] = |
| 240 | "/vendor/etc/selinux/precompiled_sepolicy"; |
| 241 | static constexpr const char odm_precompiled_sepolicy[] = |
| 242 | "/odm/etc/selinux/precompiled_sepolicy"; |
| 243 | if (access(odm_precompiled_sepolicy, R_OK) == 0) { |
Inseob Kim | d99d977 | 2021-03-11 17:58:26 +0900 | [diff] [blame] | 244 | precompiled_sepolicy = odm_precompiled_sepolicy; |
kaichieh | eef4cd7 | 2017-08-31 22:07:19 +0800 | [diff] [blame] | 245 | } else if (access(vendor_precompiled_sepolicy, R_OK) == 0) { |
Inseob Kim | d99d977 | 2021-03-11 17:58:26 +0900 | [diff] [blame] | 246 | precompiled_sepolicy = vendor_precompiled_sepolicy; |
kaichieh | eef4cd7 | 2017-08-31 22:07:19 +0800 | [diff] [blame] | 247 | } else { |
Inseob Kim | d99d977 | 2021-03-11 17:58:26 +0900 | [diff] [blame] | 248 | return ErrnoError() << "No precompiled sepolicy at " << vendor_precompiled_sepolicy; |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 249 | } |
kaichieh | eef4cd7 | 2017-08-31 22:07:19 +0800 | [diff] [blame] | 250 | |
Inseob Kim | d99d977 | 2021-03-11 17:58:26 +0900 | [diff] [blame] | 251 | // Use precompiled sepolicy only when all corresponding hashes are equal. |
Inseob Kim | d99d977 | 2021-03-11 17:58:26 +0900 | [diff] [blame] | 252 | std::vector<std::pair<std::string, std::string>> sepolicy_hashes{ |
| 253 | {"/system/etc/selinux/plat_sepolicy_and_mapping.sha256", |
| 254 | precompiled_sepolicy + ".plat_sepolicy_and_mapping.sha256"}, |
Inseob Kim | 28fdb67 | 2021-04-29 19:48:27 +0900 | [diff] [blame] | 255 | {"/system_ext/etc/selinux/system_ext_sepolicy_and_mapping.sha256", |
| 256 | precompiled_sepolicy + ".system_ext_sepolicy_and_mapping.sha256"}, |
| 257 | {"/product/etc/selinux/product_sepolicy_and_mapping.sha256", |
| 258 | precompiled_sepolicy + ".product_sepolicy_and_mapping.sha256"}, |
Jeffrey Vander Stoep | baeece6 | 2022-02-08 12:42:33 +0000 | [diff] [blame] | 259 | {"/dev/selinux/apex_sepolicy.sha256", precompiled_sepolicy + ".apex_sepolicy.sha256"}, |
Inseob Kim | d99d977 | 2021-03-11 17:58:26 +0900 | [diff] [blame] | 260 | }; |
| 261 | |
Inseob Kim | d99d977 | 2021-03-11 17:58:26 +0900 | [diff] [blame] | 262 | for (const auto& [actual_id_path, precompiled_id_path] : sepolicy_hashes) { |
Inseob Kim | 28fdb67 | 2021-04-29 19:48:27 +0900 | [diff] [blame] | 263 | // Both of them should exist or both of them shouldn't exist. |
| 264 | if (access(actual_id_path.c_str(), R_OK) != 0) { |
| 265 | if (access(precompiled_id_path.c_str(), R_OK) == 0) { |
| 266 | return Error() << precompiled_id_path << " exists but " << actual_id_path |
| 267 | << " doesn't"; |
| 268 | } |
| 269 | continue; |
| 270 | } |
| 271 | |
Inseob Kim | d99d977 | 2021-03-11 17:58:26 +0900 | [diff] [blame] | 272 | std::string actual_id; |
| 273 | if (!ReadFirstLine(actual_id_path.c_str(), &actual_id)) { |
| 274 | return ErrnoError() << "Failed to read " << actual_id_path; |
| 275 | } |
| 276 | |
| 277 | std::string precompiled_id; |
| 278 | if (!ReadFirstLine(precompiled_id_path.c_str(), &precompiled_id)) { |
| 279 | return ErrnoError() << "Failed to read " << precompiled_id_path; |
| 280 | } |
| 281 | |
| 282 | if (actual_id.empty() || actual_id != precompiled_id) { |
| 283 | return Error() << actual_id_path << " and " << precompiled_id_path << " differ"; |
| 284 | } |
Tri Vo | c8137f9 | 2019-01-22 18:22:25 -0800 | [diff] [blame] | 285 | } |
Inseob Kim | d99d977 | 2021-03-11 17:58:26 +0900 | [diff] [blame] | 286 | |
| 287 | return precompiled_sepolicy; |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 288 | } |
| 289 | |
| 290 | bool GetVendorMappingVersion(std::string* plat_vers) { |
| 291 | if (!ReadFirstLine("/vendor/etc/selinux/plat_sepolicy_vers.txt", plat_vers)) { |
| 292 | PLOG(ERROR) << "Failed to read /vendor/etc/selinux/plat_sepolicy_vers.txt"; |
| 293 | return false; |
| 294 | } |
| 295 | if (plat_vers->empty()) { |
| 296 | LOG(ERROR) << "No version present in plat_sepolicy_vers.txt"; |
| 297 | return false; |
| 298 | } |
| 299 | return true; |
| 300 | } |
| 301 | |
| 302 | constexpr const char plat_policy_cil_file[] = "/system/etc/selinux/plat_sepolicy.cil"; |
| 303 | |
| 304 | bool IsSplitPolicyDevice() { |
| 305 | return access(plat_policy_cil_file, R_OK) != -1; |
| 306 | } |
| 307 | |
Yi-Yo Chiang | bb77c54 | 2021-09-23 14:14:16 +0000 | [diff] [blame] | 308 | std::optional<const char*> GetUserdebugPlatformPolicyFile() { |
| 309 | // See if we need to load userdebug_plat_sepolicy.cil instead of plat_sepolicy.cil. |
| 310 | const char* force_debuggable_env = getenv("INIT_FORCE_DEBUGGABLE"); |
| 311 | if (force_debuggable_env && "true"s == force_debuggable_env && AvbHandle::IsDeviceUnlocked()) { |
| 312 | const std::vector<const char*> debug_policy_candidates = { |
| 313 | #if INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT == 1 |
| 314 | "/system_ext/etc/selinux/userdebug_plat_sepolicy.cil", |
| 315 | #endif |
| 316 | kDebugRamdiskSEPolicy, |
| 317 | }; |
| 318 | for (const char* debug_policy : debug_policy_candidates) { |
| 319 | if (access(debug_policy, F_OK) == 0) { |
| 320 | return debug_policy; |
| 321 | } |
| 322 | } |
| 323 | } |
| 324 | return std::nullopt; |
| 325 | } |
| 326 | |
David Anderson | 491e4da | 2020-12-08 00:21:20 -0800 | [diff] [blame] | 327 | struct PolicyFile { |
| 328 | unique_fd fd; |
| 329 | std::string path; |
| 330 | }; |
| 331 | |
| 332 | bool OpenSplitPolicy(PolicyFile* policy_file) { |
Jeff Vander Stoep | 5effda4 | 2021-11-05 09:03:11 +0100 | [diff] [blame] | 333 | // IMPLEMENTATION NOTE: Split policy consists of three or more CIL files: |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 334 | // * platform -- policy needed due to logic contained in the system image, |
Jeff Vander Stoep | 5effda4 | 2021-11-05 09:03:11 +0100 | [diff] [blame] | 335 | // * vendor -- policy needed due to logic contained in the vendor image, |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 336 | // * mapping -- mapping policy which helps preserve forward-compatibility of non-platform policy |
| 337 | // with newer versions of platform policy. |
Jeffrey Vander Stoep | baeece6 | 2022-02-08 12:42:33 +0000 | [diff] [blame] | 338 | // * (optional) policy needed due to logic on product, system_ext, odm, or apex. |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 339 | // secilc is invoked to compile the above three policy files into a single monolithic policy |
| 340 | // file. This file is then loaded into the kernel. |
| 341 | |
Yi-Yo Chiang | bb77c54 | 2021-09-23 14:14:16 +0000 | [diff] [blame] | 342 | const auto userdebug_plat_sepolicy = GetUserdebugPlatformPolicyFile(); |
| 343 | const bool use_userdebug_policy = userdebug_plat_sepolicy.has_value(); |
Bowgo Tsai | 1dacd42 | 2019-03-04 17:53:34 +0800 | [diff] [blame] | 344 | if (use_userdebug_policy) { |
Yi-Yo Chiang | bb77c54 | 2021-09-23 14:14:16 +0000 | [diff] [blame] | 345 | LOG(INFO) << "Using userdebug system sepolicy " << *userdebug_plat_sepolicy; |
Bowgo Tsai | 1dacd42 | 2019-03-04 17:53:34 +0800 | [diff] [blame] | 346 | } |
| 347 | |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 348 | // Load precompiled policy from vendor image, if a matching policy is found there. The policy |
| 349 | // must match the platform policy on the system image. |
Bowgo Tsai | 1dacd42 | 2019-03-04 17:53:34 +0800 | [diff] [blame] | 350 | // use_userdebug_policy requires compiling sepolicy with userdebug_plat_sepolicy.cil. |
| 351 | // Thus it cannot use the precompiled policy from vendor image. |
Inseob Kim | d99d977 | 2021-03-11 17:58:26 +0900 | [diff] [blame] | 352 | if (!use_userdebug_policy) { |
| 353 | if (auto res = FindPrecompiledSplitPolicy(); res.ok()) { |
| 354 | unique_fd fd(open(res->c_str(), O_RDONLY | O_CLOEXEC | O_BINARY)); |
| 355 | if (fd != -1) { |
| 356 | policy_file->fd = std::move(fd); |
| 357 | policy_file->path = std::move(*res); |
| 358 | return true; |
| 359 | } |
| 360 | } else { |
| 361 | LOG(INFO) << res.error(); |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 362 | } |
| 363 | } |
| 364 | // No suitable precompiled policy could be loaded |
| 365 | |
| 366 | LOG(INFO) << "Compiling SELinux policy"; |
| 367 | |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 368 | // We store the output of the compilation on /dev because this is the most convenient tmpfs |
| 369 | // storage mount available this early in the boot sequence. |
| 370 | char compiled_sepolicy[] = "/dev/sepolicy.XXXXXX"; |
| 371 | unique_fd compiled_sepolicy_fd(mkostemp(compiled_sepolicy, O_CLOEXEC)); |
| 372 | if (compiled_sepolicy_fd < 0) { |
| 373 | PLOG(ERROR) << "Failed to create temporary file " << compiled_sepolicy; |
| 374 | return false; |
| 375 | } |
| 376 | |
| 377 | // Determine which mapping file to include |
| 378 | std::string vend_plat_vers; |
| 379 | if (!GetVendorMappingVersion(&vend_plat_vers)) { |
| 380 | return false; |
| 381 | } |
Tri Vo | 503f185 | 2019-01-16 11:57:19 -0800 | [diff] [blame] | 382 | std::string plat_mapping_file("/system/etc/selinux/mapping/" + vend_plat_vers + ".cil"); |
kaichieh | eef4cd7 | 2017-08-31 22:07:19 +0800 | [diff] [blame] | 383 | |
Jeff Vander Stoep | 0ac51cf | 2019-05-02 14:05:18 -0700 | [diff] [blame] | 384 | std::string plat_compat_cil_file("/system/etc/selinux/mapping/" + vend_plat_vers + |
| 385 | ".compat.cil"); |
| 386 | if (access(plat_compat_cil_file.c_str(), F_OK) == -1) { |
| 387 | plat_compat_cil_file.clear(); |
| 388 | } |
| 389 | |
Bowgo Tsai | f016f25 | 2019-08-28 17:56:51 +0800 | [diff] [blame] | 390 | std::string system_ext_policy_cil_file("/system_ext/etc/selinux/system_ext_sepolicy.cil"); |
| 391 | if (access(system_ext_policy_cil_file.c_str(), F_OK) == -1) { |
| 392 | system_ext_policy_cil_file.clear(); |
| 393 | } |
| 394 | |
| 395 | std::string system_ext_mapping_file("/system_ext/etc/selinux/mapping/" + vend_plat_vers + |
| 396 | ".cil"); |
| 397 | if (access(system_ext_mapping_file.c_str(), F_OK) == -1) { |
| 398 | system_ext_mapping_file.clear(); |
| 399 | } |
| 400 | |
Yi-Yo Chiang | 731d247 | 2021-03-23 22:11:13 +0800 | [diff] [blame] | 401 | std::string system_ext_compat_cil_file("/system_ext/etc/selinux/mapping/" + vend_plat_vers + |
| 402 | ".compat.cil"); |
| 403 | if (access(system_ext_compat_cil_file.c_str(), F_OK) == -1) { |
| 404 | system_ext_compat_cil_file.clear(); |
| 405 | } |
| 406 | |
Tri Vo | d3518cf | 2018-12-14 14:25:08 -0800 | [diff] [blame] | 407 | std::string product_policy_cil_file("/product/etc/selinux/product_sepolicy.cil"); |
| 408 | if (access(product_policy_cil_file.c_str(), F_OK) == -1) { |
| 409 | product_policy_cil_file.clear(); |
| 410 | } |
| 411 | |
Tri Vo | 503f185 | 2019-01-16 11:57:19 -0800 | [diff] [blame] | 412 | std::string product_mapping_file("/product/etc/selinux/mapping/" + vend_plat_vers + ".cil"); |
| 413 | if (access(product_mapping_file.c_str(), F_OK) == -1) { |
| 414 | product_mapping_file.clear(); |
| 415 | } |
| 416 | |
kaichieh | eef4cd7 | 2017-08-31 22:07:19 +0800 | [diff] [blame] | 417 | std::string vendor_policy_cil_file("/vendor/etc/selinux/vendor_sepolicy.cil"); |
kaichieh | eef4cd7 | 2017-08-31 22:07:19 +0800 | [diff] [blame] | 418 | if (access(vendor_policy_cil_file.c_str(), F_OK) == -1) { |
Jeff Vander Stoep | 5effda4 | 2021-11-05 09:03:11 +0100 | [diff] [blame] | 419 | LOG(ERROR) << "Missing " << vendor_policy_cil_file; |
| 420 | return false; |
| 421 | } |
| 422 | |
| 423 | std::string plat_pub_versioned_cil_file("/vendor/etc/selinux/plat_pub_versioned.cil"); |
| 424 | if (access(plat_pub_versioned_cil_file.c_str(), F_OK) == -1) { |
Bowgo Tsai | 069ab5b | 2017-10-18 17:03:20 +0800 | [diff] [blame] | 425 | LOG(ERROR) << "Missing " << plat_pub_versioned_cil_file; |
kaichieh | eef4cd7 | 2017-08-31 22:07:19 +0800 | [diff] [blame] | 426 | return false; |
| 427 | } |
| 428 | |
| 429 | // odm_sepolicy.cil is default but optional. |
| 430 | std::string odm_policy_cil_file("/odm/etc/selinux/odm_sepolicy.cil"); |
| 431 | if (access(odm_policy_cil_file.c_str(), F_OK) == -1) { |
| 432 | odm_policy_cil_file.clear(); |
| 433 | } |
Jeffrey Vander Stoep | baeece6 | 2022-02-08 12:42:33 +0000 | [diff] [blame] | 434 | |
| 435 | // apex_sepolicy.cil is default but optional. |
| 436 | std::string apex_policy_cil_file("/dev/selinux/apex_sepolicy.cil"); |
| 437 | if (access(apex_policy_cil_file.c_str(), F_OK) == -1) { |
| 438 | apex_policy_cil_file.clear(); |
| 439 | } |
Jeff Vander Stoep | 724eda5 | 2019-02-15 12:13:38 -0800 | [diff] [blame] | 440 | const std::string version_as_string = std::to_string(SEPOLICY_VERSION); |
Andreas Huber | c41b838 | 2017-08-18 14:43:52 -0700 | [diff] [blame] | 441 | |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 442 | // clang-format off |
kaichieh | eef4cd7 | 2017-08-31 22:07:19 +0800 | [diff] [blame] | 443 | std::vector<const char*> compile_args { |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 444 | "/system/bin/secilc", |
Yi-Yo Chiang | bb77c54 | 2021-09-23 14:14:16 +0000 | [diff] [blame] | 445 | use_userdebug_policy ? *userdebug_plat_sepolicy : plat_policy_cil_file, |
Jeff Vander Stoep | 5e9ba3c | 2017-10-06 17:03:45 -0700 | [diff] [blame] | 446 | "-m", "-M", "true", "-G", "-N", |
Andreas Huber | c41b838 | 2017-08-18 14:43:52 -0700 | [diff] [blame] | 447 | "-c", version_as_string.c_str(), |
Tri Vo | 503f185 | 2019-01-16 11:57:19 -0800 | [diff] [blame] | 448 | plat_mapping_file.c_str(), |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 449 | "-o", compiled_sepolicy, |
| 450 | // We don't care about file_contexts output by the compiler |
| 451 | "-f", "/sys/fs/selinux/null", // /dev/null is not yet available |
kaichieh | eef4cd7 | 2017-08-31 22:07:19 +0800 | [diff] [blame] | 452 | }; |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 453 | // clang-format on |
| 454 | |
Jeff Vander Stoep | 0ac51cf | 2019-05-02 14:05:18 -0700 | [diff] [blame] | 455 | if (!plat_compat_cil_file.empty()) { |
| 456 | compile_args.push_back(plat_compat_cil_file.c_str()); |
| 457 | } |
Bowgo Tsai | f016f25 | 2019-08-28 17:56:51 +0800 | [diff] [blame] | 458 | if (!system_ext_policy_cil_file.empty()) { |
| 459 | compile_args.push_back(system_ext_policy_cil_file.c_str()); |
| 460 | } |
| 461 | if (!system_ext_mapping_file.empty()) { |
| 462 | compile_args.push_back(system_ext_mapping_file.c_str()); |
| 463 | } |
Yi-Yo Chiang | 731d247 | 2021-03-23 22:11:13 +0800 | [diff] [blame] | 464 | if (!system_ext_compat_cil_file.empty()) { |
| 465 | compile_args.push_back(system_ext_compat_cil_file.c_str()); |
| 466 | } |
Tri Vo | d3518cf | 2018-12-14 14:25:08 -0800 | [diff] [blame] | 467 | if (!product_policy_cil_file.empty()) { |
| 468 | compile_args.push_back(product_policy_cil_file.c_str()); |
| 469 | } |
Tri Vo | 503f185 | 2019-01-16 11:57:19 -0800 | [diff] [blame] | 470 | if (!product_mapping_file.empty()) { |
| 471 | compile_args.push_back(product_mapping_file.c_str()); |
| 472 | } |
Bowgo Tsai | 069ab5b | 2017-10-18 17:03:20 +0800 | [diff] [blame] | 473 | if (!plat_pub_versioned_cil_file.empty()) { |
| 474 | compile_args.push_back(plat_pub_versioned_cil_file.c_str()); |
kaichieh | eef4cd7 | 2017-08-31 22:07:19 +0800 | [diff] [blame] | 475 | } |
| 476 | if (!vendor_policy_cil_file.empty()) { |
| 477 | compile_args.push_back(vendor_policy_cil_file.c_str()); |
| 478 | } |
| 479 | if (!odm_policy_cil_file.empty()) { |
| 480 | compile_args.push_back(odm_policy_cil_file.c_str()); |
| 481 | } |
Jeffrey Vander Stoep | baeece6 | 2022-02-08 12:42:33 +0000 | [diff] [blame] | 482 | if (!apex_policy_cil_file.empty()) { |
| 483 | compile_args.push_back(apex_policy_cil_file.c_str()); |
| 484 | } |
kaichieh | eef4cd7 | 2017-08-31 22:07:19 +0800 | [diff] [blame] | 485 | compile_args.push_back(nullptr); |
| 486 | |
| 487 | if (!ForkExecveAndWaitForCompletion(compile_args[0], (char**)compile_args.data())) { |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 488 | unlink(compiled_sepolicy); |
| 489 | return false; |
| 490 | } |
| 491 | unlink(compiled_sepolicy); |
| 492 | |
David Anderson | 491e4da | 2020-12-08 00:21:20 -0800 | [diff] [blame] | 493 | policy_file->fd = std::move(compiled_sepolicy_fd); |
| 494 | policy_file->path = compiled_sepolicy; |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 495 | return true; |
| 496 | } |
| 497 | |
David Anderson | 491e4da | 2020-12-08 00:21:20 -0800 | [diff] [blame] | 498 | bool OpenMonolithicPolicy(PolicyFile* policy_file) { |
| 499 | static constexpr char kSepolicyFile[] = "/sepolicy"; |
| 500 | |
| 501 | LOG(VERBOSE) << "Opening SELinux policy from monolithic file"; |
| 502 | policy_file->fd.reset(open(kSepolicyFile, O_RDONLY | O_CLOEXEC | O_NOFOLLOW)); |
| 503 | if (policy_file->fd < 0) { |
| 504 | PLOG(ERROR) << "Failed to open monolithic SELinux policy"; |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 505 | return false; |
| 506 | } |
David Anderson | 491e4da | 2020-12-08 00:21:20 -0800 | [diff] [blame] | 507 | policy_file->path = kSepolicyFile; |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 508 | return true; |
| 509 | } |
| 510 | |
Jeffrey Vander Stoep | baeece6 | 2022-02-08 12:42:33 +0000 | [diff] [blame] | 511 | constexpr const char* kSigningCertRelease = |
| 512 | "/system/etc/selinux/com.android.sepolicy.cert-release.der"; |
| 513 | constexpr const char* kFsVerityProcPath = "/proc/sys/fs/verity"; |
| 514 | const std::string kSepolicyApexMetadataDir = "/metadata/sepolicy/"; |
| 515 | const std::string kSepolicyApexSystemDir = "/system/etc/selinux/apex/"; |
| 516 | const std::string kSepolicyZip = "SEPolicy.zip"; |
| 517 | const std::string kSepolicySignature = "SEPolicy.zip.sig"; |
| 518 | |
| 519 | const std::string kTmpfsDir = "/dev/selinux/"; |
| 520 | |
| 521 | // Files that are deleted after policy is compiled/loaded. |
| 522 | const std::vector<std::string> kApexSepolicyTmp{"apex_sepolicy.cil", "apex_sepolicy.sha256"}; |
| 523 | // Files that need to persist because they are used by userspace processes. |
| 524 | const std::vector<std::string> kApexSepolicy{"apex_file_contexts", "apex_property_contexts", |
| 525 | "apex_service_contexts", "apex_seapp_contexts", |
| 526 | "apex_test"}; |
| 527 | |
| 528 | Result<void> PutFileInTmpfs(ZipArchiveHandle archive, const std::string& fileName) { |
| 529 | ZipEntry entry; |
| 530 | std::string dstPath = kTmpfsDir + fileName; |
| 531 | |
| 532 | int ret = FindEntry(archive, fileName, &entry); |
| 533 | if (ret != 0) { |
| 534 | // All files are optional. If a file doesn't exist, return without error. |
| 535 | return {}; |
| 536 | } |
| 537 | |
| 538 | unique_fd fd(TEMP_FAILURE_RETRY( |
| 539 | open(dstPath.c_str(), O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, S_IRUSR | S_IWUSR))); |
| 540 | if (fd == -1) { |
| 541 | return Error() << "Failed to open " << dstPath; |
| 542 | } |
| 543 | |
| 544 | ret = ExtractEntryToFile(archive, &entry, fd); |
| 545 | if (ret != 0) { |
| 546 | return Error() << "Failed to extract entry \"" << fileName << "\" (" |
| 547 | << entry.uncompressed_length << " bytes) to \"" << dstPath |
| 548 | << "\": " << ErrorCodeString(ret); |
| 549 | } |
| 550 | |
| 551 | return {}; |
| 552 | } |
| 553 | |
| 554 | Result<void> GetPolicyFromApex(const std::string& dir) { |
| 555 | LOG(INFO) << "Loading APEX Sepolicy from " << dir + kSepolicyZip; |
| 556 | unique_fd fd(open((dir + kSepolicyZip).c_str(), O_RDONLY | O_BINARY | O_CLOEXEC)); |
| 557 | if (fd < 0) { |
| 558 | return ErrnoError() << "Failed to open package " << dir + kSepolicyZip; |
| 559 | } |
| 560 | |
| 561 | ZipArchiveHandle handle; |
| 562 | int ret = OpenArchiveFd(fd.get(), (dir + kSepolicyZip).c_str(), &handle, |
| 563 | /*assume_ownership=*/false); |
| 564 | if (ret < 0) { |
| 565 | return Error() << "Failed to open package " << dir + kSepolicyZip << ": " |
| 566 | << ErrorCodeString(ret); |
| 567 | } |
| 568 | |
| 569 | auto handle_guard = android::base::make_scope_guard([&handle] { CloseArchive(handle); }); |
| 570 | |
| 571 | for (const auto& file : kApexSepolicy) { |
| 572 | auto extract = PutFileInTmpfs(handle, file); |
| 573 | if (!extract.ok()) { |
| 574 | return extract.error(); |
| 575 | } |
| 576 | } |
| 577 | for (const auto& file : kApexSepolicyTmp) { |
| 578 | auto extract = PutFileInTmpfs(handle, file); |
| 579 | if (!extract.ok()) { |
| 580 | return extract.error(); |
| 581 | } |
| 582 | } |
| 583 | return {}; |
| 584 | } |
| 585 | |
| 586 | Result<void> LoadSepolicyApexCerts() { |
| 587 | key_serial_t keyring_id = android::GetKeyringId(".fs-verity"); |
| 588 | if (keyring_id < 0) { |
| 589 | return Error() << "Failed to find .fs-verity keyring id"; |
| 590 | } |
| 591 | |
| 592 | // TODO(b/199914227) the release key should always exist. Once it's checked in, start |
| 593 | // throwing an error here if it doesn't exist. |
| 594 | if (access(kSigningCertRelease, F_OK) == 0) { |
| 595 | LoadKeyFromFile(keyring_id, "fsv_sepolicy_apex_release", kSigningCertRelease); |
| 596 | } |
| 597 | return {}; |
| 598 | } |
| 599 | |
| 600 | Result<void> SepolicyFsVerityCheck() { |
| 601 | return Error() << "TODO implementent support for fsverity SEPolicy."; |
| 602 | } |
| 603 | |
| 604 | Result<void> SepolicyCheckSignature(const std::string& dir) { |
| 605 | std::string signature; |
| 606 | if (!android::base::ReadFileToString(dir + kSepolicySignature, &signature)) { |
| 607 | return ErrnoError() << "Failed to read " << kSepolicySignature; |
| 608 | } |
| 609 | |
| 610 | std::fstream sepolicyZip(dir + kSepolicyZip, std::ios::in | std::ios::binary); |
| 611 | if (!sepolicyZip) { |
| 612 | return Error() << "Failed to open " << kSepolicyZip; |
| 613 | } |
| 614 | sepolicyZip.seekg(0); |
| 615 | std::string sepolicyStr((std::istreambuf_iterator<char>(sepolicyZip)), |
| 616 | std::istreambuf_iterator<char>()); |
| 617 | |
| 618 | auto releaseKey = extractPublicKeyFromX509(kSigningCertRelease); |
| 619 | if (!releaseKey.ok()) { |
| 620 | return releaseKey.error(); |
| 621 | } |
| 622 | |
| 623 | return verifySignature(sepolicyStr, signature, *releaseKey); |
| 624 | } |
| 625 | |
| 626 | Result<void> SepolicyVerify(const std::string& dir, bool supportsFsVerity) { |
| 627 | if (supportsFsVerity) { |
| 628 | auto fsVerityCheck = SepolicyFsVerityCheck(); |
| 629 | if (fsVerityCheck.ok()) { |
| 630 | return fsVerityCheck; |
| 631 | } |
| 632 | // TODO(b/199914227) If the device supports fsverity, but we fail here, we should fail to |
| 633 | // boot and not carry on. For now, fallback to a signature checkuntil the fsverity |
| 634 | // logic is implemented. |
| 635 | LOG(INFO) << "Falling back to standard signature check. " << fsVerityCheck.error(); |
| 636 | } |
| 637 | |
| 638 | auto sepolicySignature = SepolicyCheckSignature(dir); |
| 639 | if (!sepolicySignature.ok()) { |
| 640 | return Error() << "Apex SEPolicy failed signature check"; |
| 641 | } |
| 642 | return {}; |
| 643 | } |
| 644 | |
| 645 | void CleanupApexSepolicy() { |
| 646 | for (const auto& file : kApexSepolicyTmp) { |
| 647 | std::string path = kTmpfsDir + file; |
| 648 | unlink(path.c_str()); |
| 649 | } |
| 650 | } |
| 651 | |
| 652 | // Updatable sepolicy is shipped within an zip within an APEX. Because |
| 653 | // it needs to be available before Apexes are mounted, apexd copies |
| 654 | // the zip from the APEX and stores it in /metadata/sepolicy. If there is |
| 655 | // no updatable sepolicy in /metadata/sepolicy, then the updatable policy is |
| 656 | // loaded from /system/etc/selinux/apex. Init performs the following |
| 657 | // steps on boot: |
| 658 | // |
| 659 | // 1. Validates the zip by checking its signature against a public key that is |
| 660 | // stored in /system/etc/selinux. |
| 661 | // 2. Extracts files from zip and stores them in /dev/selinux. |
| 662 | // 3. Checks if the apex_sepolicy.sha256 matches the sha256 of precompiled_sepolicy. |
| 663 | // if so, the precompiled sepolicy is used. Otherwise, an on-device compile of the policy |
| 664 | // is used. This is the same flow as on-device compilation of policy for Treble. |
| 665 | // 4. Cleans up files in /dev/selinux which are no longer needed. |
| 666 | // 5. Restorecons the remaining files in /dev/selinux. |
| 667 | // 6. Sets selinux into enforcing mode and continues normal booting. |
| 668 | // |
| 669 | void PrepareApexSepolicy() { |
| 670 | bool supportsFsVerity = access(kFsVerityProcPath, F_OK) == 0; |
| 671 | if (supportsFsVerity) { |
| 672 | auto loadSepolicyApexCerts = LoadSepolicyApexCerts(); |
| 673 | if (!loadSepolicyApexCerts.ok()) { |
| 674 | // TODO(b/199914227) If the device supports fsverity, but we fail here, we should fail |
| 675 | // to boot and not carry on. For now, fallback to a signature checkuntil the fsverity |
| 676 | // logic is implemented. |
| 677 | LOG(INFO) << loadSepolicyApexCerts.error(); |
| 678 | } |
| 679 | } |
| 680 | // If apex sepolicy zip exists in /metadata/sepolicy, use that, otherwise use version on |
| 681 | // /system. |
| 682 | auto dir = (access((kSepolicyApexMetadataDir + kSepolicyZip).c_str(), F_OK) == 0) |
| 683 | ? kSepolicyApexMetadataDir |
| 684 | : kSepolicyApexSystemDir; |
| 685 | |
| 686 | auto sepolicyVerify = SepolicyVerify(dir, supportsFsVerity); |
| 687 | if (!sepolicyVerify.ok()) { |
| 688 | LOG(INFO) << "Error: " << sepolicyVerify.error(); |
| 689 | // If signature verification fails, fall back to version on /system. |
| 690 | // This file doesn't need to be verified because it lives on the system partition which |
| 691 | // is signed and protected by verified boot. |
| 692 | dir = kSepolicyApexSystemDir; |
| 693 | } |
| 694 | |
| 695 | auto apex = GetPolicyFromApex(dir); |
| 696 | if (!apex.ok()) { |
| 697 | // TODO(b/199914227) Make failure fatal. For now continue booting with non-apex sepolicy. |
| 698 | LOG(ERROR) << apex.error(); |
| 699 | } |
| 700 | } |
| 701 | |
David Anderson | 491e4da | 2020-12-08 00:21:20 -0800 | [diff] [blame] | 702 | void ReadPolicy(std::string* policy) { |
| 703 | PolicyFile policy_file; |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 704 | |
David Anderson | 491e4da | 2020-12-08 00:21:20 -0800 | [diff] [blame] | 705 | bool ok = IsSplitPolicyDevice() ? OpenSplitPolicy(&policy_file) |
| 706 | : OpenMonolithicPolicy(&policy_file); |
| 707 | if (!ok) { |
| 708 | LOG(FATAL) << "Unable to open SELinux policy"; |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 709 | } |
| 710 | |
David Anderson | 491e4da | 2020-12-08 00:21:20 -0800 | [diff] [blame] | 711 | if (!android::base::ReadFdToString(policy_file.fd, policy)) { |
| 712 | PLOG(FATAL) << "Failed to read policy file: " << policy_file.path; |
| 713 | } |
| 714 | } |
| 715 | |
| 716 | void SelinuxSetEnforcement() { |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 717 | bool kernel_enforcing = (security_getenforce() == 1); |
| 718 | bool is_enforcing = IsEnforcing(); |
| 719 | if (kernel_enforcing != is_enforcing) { |
| 720 | if (security_setenforce(is_enforcing)) { |
Paul Lawrence | b2c2d69 | 2019-08-30 11:11:44 -0700 | [diff] [blame] | 721 | PLOG(FATAL) << "security_setenforce(" << (is_enforcing ? "true" : "false") |
| 722 | << ") failed"; |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 723 | } |
| 724 | } |
| 725 | |
Bernie Innocenti | cecebbb | 2020-02-06 03:49:33 +0900 | [diff] [blame] | 726 | if (auto result = WriteFile("/sys/fs/selinux/checkreqprot", "0"); !result.ok()) { |
Tom Cherry | d8db7ab | 2017-08-17 17:28:30 -0700 | [diff] [blame] | 727 | LOG(FATAL) << "Unable to write to /sys/fs/selinux/checkreqprot: " << result.error(); |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 728 | } |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 729 | } |
| 730 | |
Tom Cherry | 8180b48 | 2019-08-26 13:57:51 -0700 | [diff] [blame] | 731 | constexpr size_t kKlogMessageSize = 1024; |
| 732 | |
| 733 | void SelinuxAvcLog(char* buf, size_t buf_len) { |
| 734 | CHECK_GT(buf_len, 0u); |
| 735 | |
| 736 | size_t str_len = strnlen(buf, buf_len); |
| 737 | // trim newline at end of string |
| 738 | if (buf[str_len - 1] == '\n') { |
| 739 | buf[str_len - 1] = '\0'; |
| 740 | } |
| 741 | |
| 742 | struct NetlinkMessage { |
| 743 | nlmsghdr hdr; |
| 744 | char buf[kKlogMessageSize]; |
| 745 | } request = {}; |
| 746 | |
| 747 | request.hdr.nlmsg_flags = NLM_F_REQUEST; |
| 748 | request.hdr.nlmsg_type = AUDIT_USER_AVC; |
| 749 | request.hdr.nlmsg_len = sizeof(request); |
| 750 | strlcpy(request.buf, buf, sizeof(request.buf)); |
| 751 | |
| 752 | auto fd = unique_fd{socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT)}; |
| 753 | if (!fd.ok()) { |
| 754 | return; |
| 755 | } |
| 756 | |
| 757 | TEMP_FAILURE_RETRY(send(fd, &request, sizeof(request), 0)); |
| 758 | } |
| 759 | |
Tom Cherry | 7bfea3d | 2018-11-06 14:12:05 -0800 | [diff] [blame] | 760 | } // namespace |
| 761 | |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 762 | void SelinuxRestoreContext() { |
| 763 | LOG(INFO) << "Running restorecon..."; |
| 764 | selinux_android_restorecon("/dev", 0); |
Inseob Kim | 89d6913 | 2022-03-22 21:51:07 +0900 | [diff] [blame] | 765 | selinux_android_restorecon("/dev/console", 0); |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 766 | selinux_android_restorecon("/dev/kmsg", 0); |
| 767 | if constexpr (WORLD_WRITABLE_KMSG) { |
| 768 | selinux_android_restorecon("/dev/kmsg_debug", 0); |
| 769 | } |
Tom Cherry | 81ae075 | 2018-07-30 16:23:49 -0700 | [diff] [blame] | 770 | selinux_android_restorecon("/dev/null", 0); |
| 771 | selinux_android_restorecon("/dev/ptmx", 0); |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 772 | selinux_android_restorecon("/dev/socket", 0); |
| 773 | selinux_android_restorecon("/dev/random", 0); |
| 774 | selinux_android_restorecon("/dev/urandom", 0); |
| 775 | selinux_android_restorecon("/dev/__properties__", 0); |
| 776 | |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 777 | selinux_android_restorecon("/dev/block", SELINUX_ANDROID_RESTORECON_RECURSE); |
David Anderson | 1ff7581 | 2020-11-13 00:31:47 -0800 | [diff] [blame] | 778 | selinux_android_restorecon("/dev/dm-user", SELINUX_ANDROID_RESTORECON_RECURSE); |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 779 | selinux_android_restorecon("/dev/device-mapper", 0); |
Jiyong Park | 4ba548d | 2019-02-22 16:04:35 +0900 | [diff] [blame] | 780 | |
| 781 | selinux_android_restorecon("/apex", 0); |
Kiyoung Kim | 99df54b | 2019-11-22 16:14:10 +0900 | [diff] [blame] | 782 | |
| 783 | selinux_android_restorecon("/linkerconfig", 0); |
Bowgo Tsai | 196cc58 | 2020-01-20 18:03:58 +0800 | [diff] [blame] | 784 | |
David Anderson | c991f34 | 2020-02-21 17:11:07 -0800 | [diff] [blame] | 785 | // adb remount, snapshot-based updates, and DSUs all create files during |
| 786 | // first-stage init. |
Yifan Hong | d91998f | 2020-02-20 17:54:57 -0800 | [diff] [blame] | 787 | selinux_android_restorecon(SnapshotManager::GetGlobalRollbackIndicatorPath().c_str(), 0); |
David Anderson | 4bb500f | 2020-03-06 18:14:19 -0800 | [diff] [blame] | 788 | selinux_android_restorecon("/metadata/gsi", SELINUX_ANDROID_RESTORECON_RECURSE | |
| 789 | SELINUX_ANDROID_RESTORECON_SKIP_SEHASH); |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 790 | } |
| 791 | |
Tom Cherry | 74069d1 | 2018-07-20 15:26:25 -0700 | [diff] [blame] | 792 | int SelinuxKlogCallback(int type, const char* fmt, ...) { |
| 793 | android::base::LogSeverity severity = android::base::ERROR; |
| 794 | if (type == SELINUX_WARNING) { |
| 795 | severity = android::base::WARNING; |
| 796 | } else if (type == SELINUX_INFO) { |
| 797 | severity = android::base::INFO; |
| 798 | } |
Tom Cherry | 8180b48 | 2019-08-26 13:57:51 -0700 | [diff] [blame] | 799 | char buf[kKlogMessageSize]; |
Tom Cherry | 74069d1 | 2018-07-20 15:26:25 -0700 | [diff] [blame] | 800 | va_list ap; |
| 801 | va_start(ap, fmt); |
Tom Cherry | 8180b48 | 2019-08-26 13:57:51 -0700 | [diff] [blame] | 802 | int length_written = vsnprintf(buf, sizeof(buf), fmt, ap); |
Tom Cherry | 74069d1 | 2018-07-20 15:26:25 -0700 | [diff] [blame] | 803 | va_end(ap); |
Tom Cherry | 8180b48 | 2019-08-26 13:57:51 -0700 | [diff] [blame] | 804 | if (length_written <= 0) { |
| 805 | return 0; |
| 806 | } |
| 807 | if (type == SELINUX_AVC) { |
| 808 | SelinuxAvcLog(buf, sizeof(buf)); |
| 809 | } else { |
| 810 | android::base::KernelLogger(android::base::MAIN, severity, "selinux", nullptr, 0, buf); |
| 811 | } |
Tom Cherry | 74069d1 | 2018-07-20 15:26:25 -0700 | [diff] [blame] | 812 | return 0; |
| 813 | } |
| 814 | |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 815 | void SelinuxSetupKernelLogging() { |
| 816 | selinux_callback cb; |
Tom Cherry | 74069d1 | 2018-07-20 15:26:25 -0700 | [diff] [blame] | 817 | cb.func_log = SelinuxKlogCallback; |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 818 | selinux_set_callback(SELINUX_CB_LOG, cb); |
| 819 | } |
| 820 | |
Tom Cherry | 40acb37 | 2018-08-01 13:41:12 -0700 | [diff] [blame] | 821 | int SelinuxGetVendorAndroidVersion() { |
Tom Cherry | c5cf85d | 2019-07-31 13:59:15 -0700 | [diff] [blame] | 822 | static int vendor_android_version = [] { |
| 823 | if (!IsSplitPolicyDevice()) { |
| 824 | // If this device does not split sepolicy files, it's not a Treble device and therefore, |
| 825 | // we assume it's always on the latest platform. |
| 826 | return __ANDROID_API_FUTURE__; |
| 827 | } |
Logan Chien | 837b2a4 | 2018-05-03 14:33:52 +0800 | [diff] [blame] | 828 | |
Tom Cherry | c5cf85d | 2019-07-31 13:59:15 -0700 | [diff] [blame] | 829 | std::string version; |
| 830 | if (!GetVendorMappingVersion(&version)) { |
| 831 | LOG(FATAL) << "Could not read vendor SELinux version"; |
| 832 | } |
Logan Chien | 837b2a4 | 2018-05-03 14:33:52 +0800 | [diff] [blame] | 833 | |
Tom Cherry | c5cf85d | 2019-07-31 13:59:15 -0700 | [diff] [blame] | 834 | int major_version; |
| 835 | std::string major_version_str(version, 0, version.find('.')); |
| 836 | if (!ParseInt(major_version_str, &major_version)) { |
| 837 | PLOG(FATAL) << "Failed to parse the vendor sepolicy major version " |
| 838 | << major_version_str; |
| 839 | } |
Logan Chien | 837b2a4 | 2018-05-03 14:33:52 +0800 | [diff] [blame] | 840 | |
Tom Cherry | c5cf85d | 2019-07-31 13:59:15 -0700 | [diff] [blame] | 841 | return major_version; |
| 842 | }(); |
| 843 | return vendor_android_version; |
Logan Chien | 837b2a4 | 2018-05-03 14:33:52 +0800 | [diff] [blame] | 844 | } |
| 845 | |
David Anderson | d0ce530 | 2020-03-20 21:47:10 -0700 | [diff] [blame] | 846 | // This is for R system.img/system_ext.img to work on old vendor.img as system_ext.img |
| 847 | // is introduced in R. We mount system_ext in second stage init because the first-stage |
| 848 | // init in boot.img won't be updated in the system-only OTA scenario. |
| 849 | void MountMissingSystemPartitions() { |
| 850 | android::fs_mgr::Fstab fstab; |
| 851 | if (!ReadDefaultFstab(&fstab)) { |
| 852 | LOG(ERROR) << "Could not read default fstab"; |
| 853 | } |
| 854 | |
| 855 | android::fs_mgr::Fstab mounts; |
| 856 | if (!ReadFstabFromFile("/proc/mounts", &mounts)) { |
| 857 | LOG(ERROR) << "Could not read /proc/mounts"; |
| 858 | } |
| 859 | |
| 860 | static const std::vector<std::string> kPartitionNames = {"system_ext", "product"}; |
| 861 | |
| 862 | android::fs_mgr::Fstab extra_fstab; |
| 863 | for (const auto& name : kPartitionNames) { |
| 864 | if (GetEntryForMountPoint(&mounts, "/"s + name)) { |
| 865 | // The partition is already mounted. |
| 866 | continue; |
| 867 | } |
| 868 | |
| 869 | auto system_entry = GetEntryForMountPoint(&fstab, "/system"); |
| 870 | if (!system_entry) { |
| 871 | LOG(ERROR) << "Could not find mount entry for /system"; |
| 872 | break; |
| 873 | } |
| 874 | if (!system_entry->fs_mgr_flags.logical) { |
| 875 | LOG(INFO) << "Skipping mount of " << name << ", system is not dynamic."; |
| 876 | break; |
| 877 | } |
| 878 | |
| 879 | auto entry = *system_entry; |
| 880 | auto partition_name = name + fs_mgr_get_slot_suffix(); |
| 881 | auto replace_name = "system"s + fs_mgr_get_slot_suffix(); |
| 882 | |
| 883 | entry.mount_point = "/"s + name; |
| 884 | entry.blk_device = |
| 885 | android::base::StringReplace(entry.blk_device, replace_name, partition_name, false); |
| 886 | if (!fs_mgr_update_logical_partition(&entry)) { |
| 887 | LOG(ERROR) << "Could not update logical partition"; |
| 888 | continue; |
| 889 | } |
| 890 | |
| 891 | extra_fstab.emplace_back(std::move(entry)); |
| 892 | } |
| 893 | |
Yi-Yo Chiang | 2057901 | 2021-04-01 20:14:54 +0800 | [diff] [blame] | 894 | SkipMountingPartitions(&extra_fstab, true /* verbose */); |
David Anderson | d0ce530 | 2020-03-20 21:47:10 -0700 | [diff] [blame] | 895 | if (extra_fstab.empty()) { |
| 896 | return; |
| 897 | } |
| 898 | |
| 899 | BlockDevInitializer block_dev_init; |
| 900 | for (auto& entry : extra_fstab) { |
| 901 | if (access(entry.blk_device.c_str(), F_OK) != 0) { |
| 902 | auto block_dev = android::base::Basename(entry.blk_device); |
| 903 | if (!block_dev_init.InitDmDevice(block_dev)) { |
| 904 | LOG(ERROR) << "Failed to find device-mapper node: " << block_dev; |
| 905 | continue; |
| 906 | } |
| 907 | } |
| 908 | if (fs_mgr_do_mount_one(entry)) { |
| 909 | LOG(ERROR) << "Could not mount " << entry.mount_point; |
| 910 | } |
| 911 | } |
| 912 | } |
| 913 | |
David Anderson | 491e4da | 2020-12-08 00:21:20 -0800 | [diff] [blame] | 914 | static void LoadSelinuxPolicy(std::string& policy) { |
| 915 | LOG(INFO) << "Loading SELinux policy"; |
| 916 | |
| 917 | set_selinuxmnt("/sys/fs/selinux"); |
| 918 | if (security_load_policy(policy.data(), policy.size()) < 0) { |
| 919 | PLOG(FATAL) << "SELinux: Could not load policy"; |
| 920 | } |
| 921 | } |
| 922 | |
| 923 | // The SELinux setup process is carefully orchestrated around snapuserd. Policy |
| 924 | // must be loaded off dynamic partitions, and during an OTA, those partitions |
| 925 | // cannot be read without snapuserd. But, with kernel-privileged snapuserd |
| 926 | // running, loading the policy will immediately trigger audits. |
| 927 | // |
| 928 | // We use a five-step process to address this: |
| 929 | // (1) Read the policy into a string, with snapuserd running. |
| 930 | // (2) Rewrite the snapshot device-mapper tables, to generate new dm-user |
| 931 | // devices and to flush I/O. |
| 932 | // (3) Kill snapuserd, which no longer has any dm-user devices to attach to. |
| 933 | // (4) Load the sepolicy and issue critical restorecons in /dev, carefully |
| 934 | // avoiding anything that would read from /system. |
| 935 | // (5) Re-launch snapuserd and attach it to the dm-user devices from step (2). |
| 936 | // |
| 937 | // After this sequence, it is safe to enable enforcing mode and continue booting. |
Tom Cherry | 7bfea3d | 2018-11-06 14:12:05 -0800 | [diff] [blame] | 938 | int SetupSelinux(char** argv) { |
Mark Salyzyn | beb6abe | 2019-07-29 09:35:18 -0700 | [diff] [blame] | 939 | SetStdioToDevNull(argv); |
Tom Cherry | 59656fb | 2019-05-28 10:19:44 -0700 | [diff] [blame] | 940 | InitKernelLogging(argv); |
Tom Cherry | 7bfea3d | 2018-11-06 14:12:05 -0800 | [diff] [blame] | 941 | |
| 942 | if (REBOOT_BOOTLOADER_ON_PANIC) { |
| 943 | InstallRebootSignalHandlers(); |
| 944 | } |
| 945 | |
Mark Salyzyn | 10377df | 2019-03-27 08:10:41 -0700 | [diff] [blame] | 946 | boot_clock::time_point start_time = boot_clock::now(); |
| 947 | |
David Anderson | d0ce530 | 2020-03-20 21:47:10 -0700 | [diff] [blame] | 948 | MountMissingSystemPartitions(); |
| 949 | |
Tom Cherry | 7bfea3d | 2018-11-06 14:12:05 -0800 | [diff] [blame] | 950 | SelinuxSetupKernelLogging(); |
David Anderson | 491e4da | 2020-12-08 00:21:20 -0800 | [diff] [blame] | 951 | |
| 952 | LOG(INFO) << "Opening SELinux policy"; |
| 953 | |
Jeffrey Vander Stoep | baeece6 | 2022-02-08 12:42:33 +0000 | [diff] [blame] | 954 | PrepareApexSepolicy(); |
| 955 | |
David Anderson | 491e4da | 2020-12-08 00:21:20 -0800 | [diff] [blame] | 956 | // Read the policy before potentially killing snapuserd. |
| 957 | std::string policy; |
| 958 | ReadPolicy(&policy); |
Jeffrey Vander Stoep | baeece6 | 2022-02-08 12:42:33 +0000 | [diff] [blame] | 959 | CleanupApexSepolicy(); |
David Anderson | 491e4da | 2020-12-08 00:21:20 -0800 | [diff] [blame] | 960 | |
| 961 | auto snapuserd_helper = SnapuserdSelinuxHelper::CreateIfNeeded(); |
| 962 | if (snapuserd_helper) { |
| 963 | // Kill the old snapused to avoid audit messages. After this we cannot |
| 964 | // read from /system (or other dynamic partitions) until we call |
| 965 | // FinishTransition(). |
| 966 | snapuserd_helper->StartTransition(); |
| 967 | } |
| 968 | |
| 969 | LoadSelinuxPolicy(policy); |
| 970 | |
| 971 | if (snapuserd_helper) { |
| 972 | // Before enforcing, finish the pending snapuserd transition. |
| 973 | snapuserd_helper->FinishTransition(); |
| 974 | snapuserd_helper = nullptr; |
| 975 | } |
| 976 | |
Jeffrey Vander Stoep | baeece6 | 2022-02-08 12:42:33 +0000 | [diff] [blame] | 977 | // This restorecon is intentionally done before SelinuxSetEnforcement because the permissions |
| 978 | // needed to transition files from tmpfs to *_contexts_file context should not be granted to |
| 979 | // any process after selinux is set into enforcing mode. |
| 980 | if (selinux_android_restorecon("/dev/selinux/", SELINUX_ANDROID_RESTORECON_RECURSE) == -1) { |
| 981 | PLOG(FATAL) << "restorecon failed of /dev/selinux failed"; |
| 982 | } |
| 983 | |
David Anderson | 491e4da | 2020-12-08 00:21:20 -0800 | [diff] [blame] | 984 | SelinuxSetEnforcement(); |
Tom Cherry | 7bfea3d | 2018-11-06 14:12:05 -0800 | [diff] [blame] | 985 | |
| 986 | // We're in the kernel domain and want to transition to the init domain. File systems that |
| 987 | // store SELabels in their xattrs, such as ext4 do not need an explicit restorecon here, |
| 988 | // but other file systems do. In particular, this is needed for ramdisks such as the |
| 989 | // recovery image for A/B devices. |
| 990 | if (selinux_android_restorecon("/system/bin/init", 0) == -1) { |
| 991 | PLOG(FATAL) << "restorecon failed of /system/bin/init failed"; |
| 992 | } |
| 993 | |
Mark Salyzyn | 44505ec | 2019-05-08 12:44:50 -0700 | [diff] [blame] | 994 | setenv(kEnvSelinuxStartedAt, std::to_string(start_time.time_since_epoch().count()).c_str(), 1); |
Mark Salyzyn | 10377df | 2019-03-27 08:10:41 -0700 | [diff] [blame] | 995 | |
Tom Cherry | 7bfea3d | 2018-11-06 14:12:05 -0800 | [diff] [blame] | 996 | const char* path = "/system/bin/init"; |
| 997 | const char* args[] = {path, "second_stage", nullptr}; |
| 998 | execv(path, const_cast<char**>(args)); |
| 999 | |
| 1000 | // execv() only returns if an error happened, in which case we |
| 1001 | // panic and never return from this function. |
| 1002 | PLOG(FATAL) << "execv(\"" << path << "\") failed"; |
| 1003 | |
| 1004 | return 1; |
| 1005 | } |
| 1006 | |
Tom Cherry | c317009 | 2017-08-10 12:22:44 -0700 | [diff] [blame] | 1007 | } // namespace init |
| 1008 | } // namespace android |