1 /*
2 * Copyright (C) 2017 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 // This file contains the functions that initialize SELinux during boot as well as helper functions
18 // for SELinux operation for init.
19
20 // When the system boots, there is no SEPolicy present and init is running in the kernel domain.
21 // Init loads the SEPolicy from the file system, restores the context of /system/bin/init based on
22 // this SEPolicy, and finally exec()'s itself to run in the proper domain.
23
24 // The SEPolicy on Android comes in two variants: monolithic and split.
25
26 // The monolithic policy variant is for legacy non-treble devices that contain a single SEPolicy
27 // file located at /sepolicy and is directly loaded into the kernel SELinux subsystem.
28
29 // The split policy is for supporting treble devices. It splits the SEPolicy across files on
30 // /system/etc/selinux (the 'plat' portion of the policy) and /vendor/etc/selinux (the 'nonplat'
31 // portion of the policy). This is necessary to allow the system image to be updated independently
32 // of the vendor image, while maintaining contributions from both partitions in the SEPolicy. This
33 // is especially important for VTS testing, where the SEPolicy on the Google System Image may not be
34 // identical to the system image shipped on a vendor's device.
35
36 // The split SEPolicy is loaded as described below:
37 // 1) There is a precompiled SEPolicy located at either /vendor/etc/selinux/precompiled_sepolicy or
38 // /odm/etc/selinux/precompiled_sepolicy if odm parition is present. Stored along with this file
39 // are the sha256 hashes of the parts of the SEPolicy on /system, /system_ext and /product that
40 // were used to compile this precompiled policy. The system partition contains a similar sha256
41 // of the parts of the SEPolicy that it currently contains. Symmetrically, system_ext and
42 // product paritition contain sha256 hashes of their SEPolicy. The init loads this
43 // precompiled_sepolicy directly if and only if the hashes along with the precompiled SEPolicy on
44 // /vendor or /odm match the hashes for system, system_ext and product SEPolicy, respectively.
45 // 2) If these hashes do not match, then either /system or /system_ext or /product (or some of them)
46 // have been updated out of sync with /vendor (or /odm if it is present) and the init needs to
47 // compile the SEPolicy. /system contains the SEPolicy compiler, secilc, and it is used by the
48 // OpenSplitPolicy() function below to compile the SEPolicy to a temp directory and load it.
49 // That function contains even more documentation with the specific implementation details of how
50 // the SEPolicy is compiled if needed.
51
52 #include "selinux.h"
53
54 #include <android/api-level.h>
55 #include <fcntl.h>
56 #include <linux/audit.h>
57 #include <linux/netlink.h>
58 #include <stdlib.h>
59 #include <sys/wait.h>
60 #include <unistd.h>
61
62 #include <android-base/chrono_utils.h>
63 #include <android-base/file.h>
64 #include <android-base/logging.h>
65 #include <android-base/parseint.h>
66 #include <android-base/result.h>
67 #include <android-base/strings.h>
68 #include <android-base/unique_fd.h>
69 #include <fs_avb/fs_avb.h>
70 #include <fs_mgr.h>
71 #include <libgsi/libgsi.h>
72 #include <libsnapshot/snapshot.h>
73 #include <selinux/android.h>
74
75 #include "block_dev_initializer.h"
76 #include "debug_ramdisk.h"
77 #include "reboot_utils.h"
78 #include "snapuserd_transition.h"
79 #include "util.h"
80
81 using namespace std::string_literals;
82
83 using android::base::ParseInt;
84 using android::base::Timer;
85 using android::base::unique_fd;
86 using android::fs_mgr::AvbHandle;
87 using android::snapshot::SnapshotManager;
88
89 namespace android {
90 namespace init {
91
92 namespace {
93
94 enum EnforcingStatus { SELINUX_PERMISSIVE, SELINUX_ENFORCING };
95
StatusFromProperty()96 EnforcingStatus StatusFromProperty() {
97 EnforcingStatus status = SELINUX_ENFORCING;
98
99 ImportKernelCmdline([&](const std::string& key, const std::string& value) {
100 if (key == "androidboot.selinux" && value == "permissive") {
101 status = SELINUX_PERMISSIVE;
102 }
103 });
104
105 if (status == SELINUX_ENFORCING) {
106 ImportBootconfig([&](const std::string& key, const std::string& value) {
107 if (key == "androidboot.selinux" && value == "permissive") {
108 status = SELINUX_PERMISSIVE;
109 }
110 });
111 }
112
113 return status;
114 }
115
IsEnforcing()116 bool IsEnforcing() {
117 if (ALLOW_PERMISSIVE_SELINUX) {
118 return StatusFromProperty() == SELINUX_ENFORCING;
119 }
120 return true;
121 }
122
123 // Forks, executes the provided program in the child, and waits for the completion in the parent.
124 // Child's stderr is captured and logged using LOG(ERROR).
ForkExecveAndWaitForCompletion(const char * filename,char * const argv[])125 bool ForkExecveAndWaitForCompletion(const char* filename, char* const argv[]) {
126 // Create a pipe used for redirecting child process's output.
127 // * pipe_fds[0] is the FD the parent will use for reading.
128 // * pipe_fds[1] is the FD the child will use for writing.
129 int pipe_fds[2];
130 if (pipe(pipe_fds) == -1) {
131 PLOG(ERROR) << "Failed to create pipe";
132 return false;
133 }
134
135 pid_t child_pid = fork();
136 if (child_pid == -1) {
137 PLOG(ERROR) << "Failed to fork for " << filename;
138 return false;
139 }
140
141 if (child_pid == 0) {
142 // fork succeeded -- this is executing in the child process
143
144 // Close the pipe FD not used by this process
145 close(pipe_fds[0]);
146
147 // Redirect stderr to the pipe FD provided by the parent
148 if (TEMP_FAILURE_RETRY(dup2(pipe_fds[1], STDERR_FILENO)) == -1) {
149 PLOG(ERROR) << "Failed to redirect stderr of " << filename;
150 _exit(127);
151 return false;
152 }
153 close(pipe_fds[1]);
154
155 if (execv(filename, argv) == -1) {
156 PLOG(ERROR) << "Failed to execve " << filename;
157 return false;
158 }
159 // Unreachable because execve will have succeeded and replaced this code
160 // with child process's code.
161 _exit(127);
162 return false;
163 } else {
164 // fork succeeded -- this is executing in the original/parent process
165
166 // Close the pipe FD not used by this process
167 close(pipe_fds[1]);
168
169 // Log the redirected output of the child process.
170 // It's unfortunate that there's no standard way to obtain an istream for a file descriptor.
171 // As a result, we're buffering all output and logging it in one go at the end of the
172 // invocation, instead of logging it as it comes in.
173 const int child_out_fd = pipe_fds[0];
174 std::string child_output;
175 if (!android::base::ReadFdToString(child_out_fd, &child_output)) {
176 PLOG(ERROR) << "Failed to capture full output of " << filename;
177 }
178 close(child_out_fd);
179 if (!child_output.empty()) {
180 // Log captured output, line by line, because LOG expects to be invoked for each line
181 std::istringstream in(child_output);
182 std::string line;
183 while (std::getline(in, line)) {
184 LOG(ERROR) << filename << ": " << line;
185 }
186 }
187
188 // Wait for child to terminate
189 int status;
190 if (TEMP_FAILURE_RETRY(waitpid(child_pid, &status, 0)) != child_pid) {
191 PLOG(ERROR) << "Failed to wait for " << filename;
192 return false;
193 }
194
195 if (WIFEXITED(status)) {
196 int status_code = WEXITSTATUS(status);
197 if (status_code == 0) {
198 return true;
199 } else {
200 LOG(ERROR) << filename << " exited with status " << status_code;
201 }
202 } else if (WIFSIGNALED(status)) {
203 LOG(ERROR) << filename << " killed by signal " << WTERMSIG(status);
204 } else if (WIFSTOPPED(status)) {
205 LOG(ERROR) << filename << " stopped by signal " << WSTOPSIG(status);
206 } else {
207 LOG(ERROR) << "waitpid for " << filename << " returned unexpected status: " << status;
208 }
209
210 return false;
211 }
212 }
213
ReadFirstLine(const char * file,std::string * line)214 bool ReadFirstLine(const char* file, std::string* line) {
215 line->clear();
216
217 std::string contents;
218 if (!android::base::ReadFileToString(file, &contents, true /* follow symlinks */)) {
219 return false;
220 }
221 std::istringstream in(contents);
222 std::getline(in, *line);
223 return true;
224 }
225
FindPrecompiledSplitPolicy()226 Result<std::string> FindPrecompiledSplitPolicy() {
227 std::string precompiled_sepolicy;
228 // If there is an odm partition, precompiled_sepolicy will be in
229 // odm/etc/selinux. Otherwise it will be in vendor/etc/selinux.
230 static constexpr const char vendor_precompiled_sepolicy[] =
231 "/vendor/etc/selinux/precompiled_sepolicy";
232 static constexpr const char odm_precompiled_sepolicy[] =
233 "/odm/etc/selinux/precompiled_sepolicy";
234 if (access(odm_precompiled_sepolicy, R_OK) == 0) {
235 precompiled_sepolicy = odm_precompiled_sepolicy;
236 } else if (access(vendor_precompiled_sepolicy, R_OK) == 0) {
237 precompiled_sepolicy = vendor_precompiled_sepolicy;
238 } else {
239 return ErrnoError() << "No precompiled sepolicy at " << vendor_precompiled_sepolicy;
240 }
241
242 // Use precompiled sepolicy only when all corresponding hashes are equal.
243 std::vector<std::pair<std::string, std::string>> sepolicy_hashes{
244 {"/system/etc/selinux/plat_sepolicy_and_mapping.sha256",
245 precompiled_sepolicy + ".plat_sepolicy_and_mapping.sha256"},
246 {"/system_ext/etc/selinux/system_ext_sepolicy_and_mapping.sha256",
247 precompiled_sepolicy + ".system_ext_sepolicy_and_mapping.sha256"},
248 {"/product/etc/selinux/product_sepolicy_and_mapping.sha256",
249 precompiled_sepolicy + ".product_sepolicy_and_mapping.sha256"},
250 };
251
252 for (const auto& [actual_id_path, precompiled_id_path] : sepolicy_hashes) {
253 // Both of them should exist or both of them shouldn't exist.
254 if (access(actual_id_path.c_str(), R_OK) != 0) {
255 if (access(precompiled_id_path.c_str(), R_OK) == 0) {
256 return Error() << precompiled_id_path << " exists but " << actual_id_path
257 << " doesn't";
258 }
259 continue;
260 }
261
262 std::string actual_id;
263 if (!ReadFirstLine(actual_id_path.c_str(), &actual_id)) {
264 return ErrnoError() << "Failed to read " << actual_id_path;
265 }
266
267 std::string precompiled_id;
268 if (!ReadFirstLine(precompiled_id_path.c_str(), &precompiled_id)) {
269 return ErrnoError() << "Failed to read " << precompiled_id_path;
270 }
271
272 if (actual_id.empty() || actual_id != precompiled_id) {
273 return Error() << actual_id_path << " and " << precompiled_id_path << " differ";
274 }
275 }
276
277 return precompiled_sepolicy;
278 }
279
GetVendorMappingVersion(std::string * plat_vers)280 bool GetVendorMappingVersion(std::string* plat_vers) {
281 if (!ReadFirstLine("/vendor/etc/selinux/plat_sepolicy_vers.txt", plat_vers)) {
282 PLOG(ERROR) << "Failed to read /vendor/etc/selinux/plat_sepolicy_vers.txt";
283 return false;
284 }
285 if (plat_vers->empty()) {
286 LOG(ERROR) << "No version present in plat_sepolicy_vers.txt";
287 return false;
288 }
289 return true;
290 }
291
292 constexpr const char plat_policy_cil_file[] = "/system/etc/selinux/plat_sepolicy.cil";
293
IsSplitPolicyDevice()294 bool IsSplitPolicyDevice() {
295 return access(plat_policy_cil_file, R_OK) != -1;
296 }
297
298 struct PolicyFile {
299 unique_fd fd;
300 std::string path;
301 };
302
OpenSplitPolicy(PolicyFile * policy_file)303 bool OpenSplitPolicy(PolicyFile* policy_file) {
304 // IMPLEMENTATION NOTE: Split policy consists of three CIL files:
305 // * platform -- policy needed due to logic contained in the system image,
306 // * non-platform -- policy needed due to logic contained in the vendor image,
307 // * mapping -- mapping policy which helps preserve forward-compatibility of non-platform policy
308 // with newer versions of platform policy.
309 //
310 // secilc is invoked to compile the above three policy files into a single monolithic policy
311 // file. This file is then loaded into the kernel.
312
313 // See if we need to load userdebug_plat_sepolicy.cil instead of plat_sepolicy.cil.
314 const char* force_debuggable_env = getenv("INIT_FORCE_DEBUGGABLE");
315 bool use_userdebug_policy =
316 ((force_debuggable_env && "true"s == force_debuggable_env) &&
317 AvbHandle::IsDeviceUnlocked() && access(kDebugRamdiskSEPolicy, F_OK) == 0);
318 if (use_userdebug_policy) {
319 LOG(WARNING) << "Using userdebug system sepolicy";
320 }
321
322 // Load precompiled policy from vendor image, if a matching policy is found there. The policy
323 // must match the platform policy on the system image.
324 // use_userdebug_policy requires compiling sepolicy with userdebug_plat_sepolicy.cil.
325 // Thus it cannot use the precompiled policy from vendor image.
326 if (!use_userdebug_policy) {
327 if (auto res = FindPrecompiledSplitPolicy(); res.ok()) {
328 unique_fd fd(open(res->c_str(), O_RDONLY | O_CLOEXEC | O_BINARY));
329 if (fd != -1) {
330 policy_file->fd = std::move(fd);
331 policy_file->path = std::move(*res);
332 return true;
333 }
334 } else {
335 LOG(INFO) << res.error();
336 }
337 }
338 // No suitable precompiled policy could be loaded
339
340 LOG(INFO) << "Compiling SELinux policy";
341
342 // We store the output of the compilation on /dev because this is the most convenient tmpfs
343 // storage mount available this early in the boot sequence.
344 char compiled_sepolicy[] = "/dev/sepolicy.XXXXXX";
345 unique_fd compiled_sepolicy_fd(mkostemp(compiled_sepolicy, O_CLOEXEC));
346 if (compiled_sepolicy_fd < 0) {
347 PLOG(ERROR) << "Failed to create temporary file " << compiled_sepolicy;
348 return false;
349 }
350
351 // Determine which mapping file to include
352 std::string vend_plat_vers;
353 if (!GetVendorMappingVersion(&vend_plat_vers)) {
354 return false;
355 }
356 std::string plat_mapping_file("/system/etc/selinux/mapping/" + vend_plat_vers + ".cil");
357
358 std::string plat_compat_cil_file("/system/etc/selinux/mapping/" + vend_plat_vers +
359 ".compat.cil");
360 if (access(plat_compat_cil_file.c_str(), F_OK) == -1) {
361 plat_compat_cil_file.clear();
362 }
363
364 std::string system_ext_policy_cil_file("/system_ext/etc/selinux/system_ext_sepolicy.cil");
365 if (access(system_ext_policy_cil_file.c_str(), F_OK) == -1) {
366 system_ext_policy_cil_file.clear();
367 }
368
369 std::string system_ext_mapping_file("/system_ext/etc/selinux/mapping/" + vend_plat_vers +
370 ".cil");
371 if (access(system_ext_mapping_file.c_str(), F_OK) == -1) {
372 system_ext_mapping_file.clear();
373 }
374
375 std::string system_ext_compat_cil_file("/system_ext/etc/selinux/mapping/" + vend_plat_vers +
376 ".compat.cil");
377 if (access(system_ext_compat_cil_file.c_str(), F_OK) == -1) {
378 system_ext_compat_cil_file.clear();
379 }
380
381 std::string product_policy_cil_file("/product/etc/selinux/product_sepolicy.cil");
382 if (access(product_policy_cil_file.c_str(), F_OK) == -1) {
383 product_policy_cil_file.clear();
384 }
385
386 std::string product_mapping_file("/product/etc/selinux/mapping/" + vend_plat_vers + ".cil");
387 if (access(product_mapping_file.c_str(), F_OK) == -1) {
388 product_mapping_file.clear();
389 }
390
391 // vendor_sepolicy.cil and plat_pub_versioned.cil are the new design to replace
392 // nonplat_sepolicy.cil.
393 std::string plat_pub_versioned_cil_file("/vendor/etc/selinux/plat_pub_versioned.cil");
394 std::string vendor_policy_cil_file("/vendor/etc/selinux/vendor_sepolicy.cil");
395
396 if (access(vendor_policy_cil_file.c_str(), F_OK) == -1) {
397 // For backward compatibility.
398 // TODO: remove this after no device is using nonplat_sepolicy.cil.
399 vendor_policy_cil_file = "/vendor/etc/selinux/nonplat_sepolicy.cil";
400 plat_pub_versioned_cil_file.clear();
401 } else if (access(plat_pub_versioned_cil_file.c_str(), F_OK) == -1) {
402 LOG(ERROR) << "Missing " << plat_pub_versioned_cil_file;
403 return false;
404 }
405
406 // odm_sepolicy.cil is default but optional.
407 std::string odm_policy_cil_file("/odm/etc/selinux/odm_sepolicy.cil");
408 if (access(odm_policy_cil_file.c_str(), F_OK) == -1) {
409 odm_policy_cil_file.clear();
410 }
411 const std::string version_as_string = std::to_string(SEPOLICY_VERSION);
412
413 // clang-format off
414 std::vector<const char*> compile_args {
415 "/system/bin/secilc",
416 use_userdebug_policy ? kDebugRamdiskSEPolicy: plat_policy_cil_file,
417 "-m", "-M", "true", "-G", "-N",
418 "-c", version_as_string.c_str(),
419 plat_mapping_file.c_str(),
420 "-o", compiled_sepolicy,
421 // We don't care about file_contexts output by the compiler
422 "-f", "/sys/fs/selinux/null", // /dev/null is not yet available
423 };
424 // clang-format on
425
426 if (!plat_compat_cil_file.empty()) {
427 compile_args.push_back(plat_compat_cil_file.c_str());
428 }
429 if (!system_ext_policy_cil_file.empty()) {
430 compile_args.push_back(system_ext_policy_cil_file.c_str());
431 }
432 if (!system_ext_mapping_file.empty()) {
433 compile_args.push_back(system_ext_mapping_file.c_str());
434 }
435 if (!system_ext_compat_cil_file.empty()) {
436 compile_args.push_back(system_ext_compat_cil_file.c_str());
437 }
438 if (!product_policy_cil_file.empty()) {
439 compile_args.push_back(product_policy_cil_file.c_str());
440 }
441 if (!product_mapping_file.empty()) {
442 compile_args.push_back(product_mapping_file.c_str());
443 }
444 if (!plat_pub_versioned_cil_file.empty()) {
445 compile_args.push_back(plat_pub_versioned_cil_file.c_str());
446 }
447 if (!vendor_policy_cil_file.empty()) {
448 compile_args.push_back(vendor_policy_cil_file.c_str());
449 }
450 if (!odm_policy_cil_file.empty()) {
451 compile_args.push_back(odm_policy_cil_file.c_str());
452 }
453 compile_args.push_back(nullptr);
454
455 if (!ForkExecveAndWaitForCompletion(compile_args[0], (char**)compile_args.data())) {
456 unlink(compiled_sepolicy);
457 return false;
458 }
459 unlink(compiled_sepolicy);
460
461 policy_file->fd = std::move(compiled_sepolicy_fd);
462 policy_file->path = compiled_sepolicy;
463 return true;
464 }
465
OpenMonolithicPolicy(PolicyFile * policy_file)466 bool OpenMonolithicPolicy(PolicyFile* policy_file) {
467 static constexpr char kSepolicyFile[] = "/sepolicy";
468
469 LOG(VERBOSE) << "Opening SELinux policy from monolithic file";
470 policy_file->fd.reset(open(kSepolicyFile, O_RDONLY | O_CLOEXEC | O_NOFOLLOW));
471 if (policy_file->fd < 0) {
472 PLOG(ERROR) << "Failed to open monolithic SELinux policy";
473 return false;
474 }
475 policy_file->path = kSepolicyFile;
476 return true;
477 }
478
ReadPolicy(std::string * policy)479 void ReadPolicy(std::string* policy) {
480 PolicyFile policy_file;
481
482 bool ok = IsSplitPolicyDevice() ? OpenSplitPolicy(&policy_file)
483 : OpenMonolithicPolicy(&policy_file);
484 if (!ok) {
485 LOG(FATAL) << "Unable to open SELinux policy";
486 }
487
488 if (!android::base::ReadFdToString(policy_file.fd, policy)) {
489 PLOG(FATAL) << "Failed to read policy file: " << policy_file.path;
490 }
491 }
492
SelinuxSetEnforcement()493 void SelinuxSetEnforcement() {
494 bool kernel_enforcing = (security_getenforce() == 1);
495 bool is_enforcing = IsEnforcing();
496 if (kernel_enforcing != is_enforcing) {
497 if (security_setenforce(is_enforcing)) {
498 PLOG(FATAL) << "security_setenforce(" << (is_enforcing ? "true" : "false")
499 << ") failed";
500 }
501 }
502
503 if (auto result = WriteFile("/sys/fs/selinux/checkreqprot", "0"); !result.ok()) {
504 LOG(FATAL) << "Unable to write to /sys/fs/selinux/checkreqprot: " << result.error();
505 }
506 }
507
508 constexpr size_t kKlogMessageSize = 1024;
509
SelinuxAvcLog(char * buf,size_t buf_len)510 void SelinuxAvcLog(char* buf, size_t buf_len) {
511 CHECK_GT(buf_len, 0u);
512
513 size_t str_len = strnlen(buf, buf_len);
514 // trim newline at end of string
515 if (buf[str_len - 1] == '\n') {
516 buf[str_len - 1] = '\0';
517 }
518
519 struct NetlinkMessage {
520 nlmsghdr hdr;
521 char buf[kKlogMessageSize];
522 } request = {};
523
524 request.hdr.nlmsg_flags = NLM_F_REQUEST;
525 request.hdr.nlmsg_type = AUDIT_USER_AVC;
526 request.hdr.nlmsg_len = sizeof(request);
527 strlcpy(request.buf, buf, sizeof(request.buf));
528
529 auto fd = unique_fd{socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT)};
530 if (!fd.ok()) {
531 return;
532 }
533
534 TEMP_FAILURE_RETRY(send(fd, &request, sizeof(request), 0));
535 }
536
537 } // namespace
538
SelinuxRestoreContext()539 void SelinuxRestoreContext() {
540 LOG(INFO) << "Running restorecon...";
541 selinux_android_restorecon("/dev", 0);
542 selinux_android_restorecon("/dev/kmsg", 0);
543 if constexpr (WORLD_WRITABLE_KMSG) {
544 selinux_android_restorecon("/dev/kmsg_debug", 0);
545 }
546 selinux_android_restorecon("/dev/null", 0);
547 selinux_android_restorecon("/dev/ptmx", 0);
548 selinux_android_restorecon("/dev/socket", 0);
549 selinux_android_restorecon("/dev/random", 0);
550 selinux_android_restorecon("/dev/urandom", 0);
551 selinux_android_restorecon("/dev/__properties__", 0);
552
553 selinux_android_restorecon("/dev/block", SELINUX_ANDROID_RESTORECON_RECURSE);
554 selinux_android_restorecon("/dev/dm-user", SELINUX_ANDROID_RESTORECON_RECURSE);
555 selinux_android_restorecon("/dev/device-mapper", 0);
556
557 selinux_android_restorecon("/apex", 0);
558
559 selinux_android_restorecon("/linkerconfig", 0);
560
561 // adb remount, snapshot-based updates, and DSUs all create files during
562 // first-stage init.
563 selinux_android_restorecon(SnapshotManager::GetGlobalRollbackIndicatorPath().c_str(), 0);
564 selinux_android_restorecon("/metadata/gsi", SELINUX_ANDROID_RESTORECON_RECURSE |
565 SELINUX_ANDROID_RESTORECON_SKIP_SEHASH);
566 }
567
SelinuxKlogCallback(int type,const char * fmt,...)568 int SelinuxKlogCallback(int type, const char* fmt, ...) {
569 android::base::LogSeverity severity = android::base::ERROR;
570 if (type == SELINUX_WARNING) {
571 severity = android::base::WARNING;
572 } else if (type == SELINUX_INFO) {
573 severity = android::base::INFO;
574 }
575 char buf[kKlogMessageSize];
576 va_list ap;
577 va_start(ap, fmt);
578 int length_written = vsnprintf(buf, sizeof(buf), fmt, ap);
579 va_end(ap);
580 if (length_written <= 0) {
581 return 0;
582 }
583 if (type == SELINUX_AVC) {
584 SelinuxAvcLog(buf, sizeof(buf));
585 } else {
586 android::base::KernelLogger(android::base::MAIN, severity, "selinux", nullptr, 0, buf);
587 }
588 return 0;
589 }
590
SelinuxSetupKernelLogging()591 void SelinuxSetupKernelLogging() {
592 selinux_callback cb;
593 cb.func_log = SelinuxKlogCallback;
594 selinux_set_callback(SELINUX_CB_LOG, cb);
595 }
596
SelinuxGetVendorAndroidVersion()597 int SelinuxGetVendorAndroidVersion() {
598 static int vendor_android_version = [] {
599 if (!IsSplitPolicyDevice()) {
600 // If this device does not split sepolicy files, it's not a Treble device and therefore,
601 // we assume it's always on the latest platform.
602 return __ANDROID_API_FUTURE__;
603 }
604
605 std::string version;
606 if (!GetVendorMappingVersion(&version)) {
607 LOG(FATAL) << "Could not read vendor SELinux version";
608 }
609
610 int major_version;
611 std::string major_version_str(version, 0, version.find('.'));
612 if (!ParseInt(major_version_str, &major_version)) {
613 PLOG(FATAL) << "Failed to parse the vendor sepolicy major version "
614 << major_version_str;
615 }
616
617 return major_version;
618 }();
619 return vendor_android_version;
620 }
621
622 // This is for R system.img/system_ext.img to work on old vendor.img as system_ext.img
623 // is introduced in R. We mount system_ext in second stage init because the first-stage
624 // init in boot.img won't be updated in the system-only OTA scenario.
MountMissingSystemPartitions()625 void MountMissingSystemPartitions() {
626 android::fs_mgr::Fstab fstab;
627 if (!ReadDefaultFstab(&fstab)) {
628 LOG(ERROR) << "Could not read default fstab";
629 }
630
631 android::fs_mgr::Fstab mounts;
632 if (!ReadFstabFromFile("/proc/mounts", &mounts)) {
633 LOG(ERROR) << "Could not read /proc/mounts";
634 }
635
636 static const std::vector<std::string> kPartitionNames = {"system_ext", "product"};
637
638 android::fs_mgr::Fstab extra_fstab;
639 for (const auto& name : kPartitionNames) {
640 if (GetEntryForMountPoint(&mounts, "/"s + name)) {
641 // The partition is already mounted.
642 continue;
643 }
644
645 auto system_entry = GetEntryForMountPoint(&fstab, "/system");
646 if (!system_entry) {
647 LOG(ERROR) << "Could not find mount entry for /system";
648 break;
649 }
650 if (!system_entry->fs_mgr_flags.logical) {
651 LOG(INFO) << "Skipping mount of " << name << ", system is not dynamic.";
652 break;
653 }
654
655 auto entry = *system_entry;
656 auto partition_name = name + fs_mgr_get_slot_suffix();
657 auto replace_name = "system"s + fs_mgr_get_slot_suffix();
658
659 entry.mount_point = "/"s + name;
660 entry.blk_device =
661 android::base::StringReplace(entry.blk_device, replace_name, partition_name, false);
662 if (!fs_mgr_update_logical_partition(&entry)) {
663 LOG(ERROR) << "Could not update logical partition";
664 continue;
665 }
666
667 extra_fstab.emplace_back(std::move(entry));
668 }
669
670 SkipMountingPartitions(&extra_fstab, true /* verbose */);
671 if (extra_fstab.empty()) {
672 return;
673 }
674
675 BlockDevInitializer block_dev_init;
676 for (auto& entry : extra_fstab) {
677 if (access(entry.blk_device.c_str(), F_OK) != 0) {
678 auto block_dev = android::base::Basename(entry.blk_device);
679 if (!block_dev_init.InitDmDevice(block_dev)) {
680 LOG(ERROR) << "Failed to find device-mapper node: " << block_dev;
681 continue;
682 }
683 }
684 if (fs_mgr_do_mount_one(entry)) {
685 LOG(ERROR) << "Could not mount " << entry.mount_point;
686 }
687 }
688 }
689
LoadSelinuxPolicy(std::string & policy)690 static void LoadSelinuxPolicy(std::string& policy) {
691 LOG(INFO) << "Loading SELinux policy";
692
693 set_selinuxmnt("/sys/fs/selinux");
694 if (security_load_policy(policy.data(), policy.size()) < 0) {
695 PLOG(FATAL) << "SELinux: Could not load policy";
696 }
697 }
698
699 // The SELinux setup process is carefully orchestrated around snapuserd. Policy
700 // must be loaded off dynamic partitions, and during an OTA, those partitions
701 // cannot be read without snapuserd. But, with kernel-privileged snapuserd
702 // running, loading the policy will immediately trigger audits.
703 //
704 // We use a five-step process to address this:
705 // (1) Read the policy into a string, with snapuserd running.
706 // (2) Rewrite the snapshot device-mapper tables, to generate new dm-user
707 // devices and to flush I/O.
708 // (3) Kill snapuserd, which no longer has any dm-user devices to attach to.
709 // (4) Load the sepolicy and issue critical restorecons in /dev, carefully
710 // avoiding anything that would read from /system.
711 // (5) Re-launch snapuserd and attach it to the dm-user devices from step (2).
712 //
713 // After this sequence, it is safe to enable enforcing mode and continue booting.
SetupSelinux(char ** argv)714 int SetupSelinux(char** argv) {
715 SetStdioToDevNull(argv);
716 InitKernelLogging(argv);
717
718 if (REBOOT_BOOTLOADER_ON_PANIC) {
719 InstallRebootSignalHandlers();
720 }
721
722 boot_clock::time_point start_time = boot_clock::now();
723
724 MountMissingSystemPartitions();
725
726 SelinuxSetupKernelLogging();
727
728 LOG(INFO) << "Opening SELinux policy";
729
730 // Read the policy before potentially killing snapuserd.
731 std::string policy;
732 ReadPolicy(&policy);
733
734 auto snapuserd_helper = SnapuserdSelinuxHelper::CreateIfNeeded();
735 if (snapuserd_helper) {
736 // Kill the old snapused to avoid audit messages. After this we cannot
737 // read from /system (or other dynamic partitions) until we call
738 // FinishTransition().
739 snapuserd_helper->StartTransition();
740 }
741
742 LoadSelinuxPolicy(policy);
743
744 if (snapuserd_helper) {
745 // Before enforcing, finish the pending snapuserd transition.
746 snapuserd_helper->FinishTransition();
747 snapuserd_helper = nullptr;
748 }
749
750 SelinuxSetEnforcement();
751
752 // We're in the kernel domain and want to transition to the init domain. File systems that
753 // store SELabels in their xattrs, such as ext4 do not need an explicit restorecon here,
754 // but other file systems do. In particular, this is needed for ramdisks such as the
755 // recovery image for A/B devices.
756 if (selinux_android_restorecon("/system/bin/init", 0) == -1) {
757 PLOG(FATAL) << "restorecon failed of /system/bin/init failed";
758 }
759
760 setenv(kEnvSelinuxStartedAt, std::to_string(start_time.time_since_epoch().count()).c_str(), 1);
761
762 const char* path = "/system/bin/init";
763 const char* args[] = {path, "second_stage", nullptr};
764 execv(path, const_cast<char**>(args));
765
766 // execv() only returns if an error happened, in which case we
767 // panic and never return from this function.
768 PLOG(FATAL) << "execv(\"" << path << "\") failed";
769
770 return 1;
771 }
772
773 } // namespace init
774 } // namespace android
775