Commit da4208c8 authored by Stephen Smalley's avatar Stephen Smalley

Do not try to set restorecon_last on /sys entries.


There is no benefit to setting restorecon_last on /sys entries
since they are re-created on each boot, and setting it triggers
sys_admin denials. Also, apply the same partial matching
optimization to restorecon_recursive on subdirectories of /sys
as we apply on the top-level restorecon_recursive /sys.

Change-Id: I90ea143e189db44bf8dc6c93c08d794e80d5539f
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
parent f58dbddb
......@@ -1174,6 +1174,9 @@ err:
goto out;
}
#define SYS_PATH "/sys"
#define SYS_PREFIX SYS_PATH "/"
static int selinux_android_restorecon_common(const char* pathname,
const char *seinfo,
uid_t uid,
......@@ -1184,7 +1187,7 @@ static int selinux_android_restorecon_common(const char* pathname,
bool recurse = (flags & SELINUX_ANDROID_RESTORECON_RECURSE) ? true : false;
bool force = (flags & SELINUX_ANDROID_RESTORECON_FORCE) ? true : false;
bool datadata = (flags & SELINUX_ANDROID_RESTORECON_DATADATA) ? true : false;
bool issys = strcmp(pathname, "/sys") == 0 ? true : false;
bool issys = (!strcmp(pathname, SYS_PATH) || !strncmp(pathname, SYS_PREFIX, sizeof(SYS_PREFIX)-1)) ? true : false;
bool setrestoreconlast = true;
struct stat sb;
FTS *fts;
......@@ -1220,6 +1223,10 @@ static int selinux_android_restorecon_common(const char* pathname,
!strncmp(pathname, DATA_USER_PREFIX, sizeof(DATA_USER_PREFIX)-1))
setrestoreconlast = false;
/* Also ignore on /sys since it is regenerated on each boot regardless. */
if (issys)
setrestoreconlast = false;
if (setrestoreconlast) {
size = getxattr(pathname, RESTORECON_LAST, xattr_value, sizeof fc_digest);
if (!force && size == sizeof fc_digest && memcmp(fc_digest, xattr_value, sizeof fc_digest) == 0) {
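Review bot: The new `issys` test in the second hunk classifies `pathname` by a raw string prefix, so a non-canonical argument (for example one containing `..` after `/sys/`) would be treated as sysfs even though it resolves elsewhere. Such a path would then skip the restorecon_last handling added in the third hunk and, per the commit message, get the partial-match optimization, which could leave entries outside /sys unrelabelled. Whether `pathname` is canonicalized before this point is not visible here, as the function body starts and ends outside the hunks. If it is not, either resolve it first or state the assumption next to the definition, e.g. `/* pathname must already be canonical: the /sys test is a plain prefix match */`. As a point of style, the trailing `? true : false` on the boolean expression is redundant.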
......