1. 29 May, 2014 3 commits
  2. 28 May, 2014 3 commits
  3. 19 May, 2014 2 commits
  4. 17 May, 2014 1 commit
    • Ensure labeling of /data/data and /data/user · 4b130cc0
      Nick Kralevich authored
      On an upgrade, the *contents* of the /data/data and /data/user
      directories are not labeled by init, because their labels are
      managed by installd.
      
      However, the /data/data and /data/user directories themselves are
      never labeled, neither by init nor installd.
      
      On an upgrade from an Android 4.2 system, it's possible for these
      two directories to remain unlabeled, causing anything created
      within these directories to also be unlabeled.
      
      Make sure we label /data/data and /data/user (but not their contents)
      from init's restorecon_recursive.
      
      Change-Id: I65dcfa8e77a63cb61551a1010358f0e45956dbbf
  5. 05 May, 2014 3 commits
  6. 30 Apr, 2014 1 commit
  7. 29 Apr, 2014 1 commit
  8. 04 Apr, 2014 2 commits
    • am 13319cfa: Improve error handling for seapp_contexts. · 3857f130
      Stephen Smalley authored
      * commit '13319cfa':
        Improve error handling for seapp_contexts.
    • Improve error handling for seapp_contexts. · 13319cfa
      Stephen Smalley authored
      
      Detect and reject configurations that specify name= without
      seinfo= or with seinfo=default.
      
      On any error during loading the configuration, drop the entire
      configuration.  This will prevent system_server or any apps
      from being started by zygote at all.  Previously we could be
      left with a partially loaded, unsorted configuration which could
      lead to partial startup but mislabeled processes.
      
      On the error path, do not try to report the (name, value) pair for
      the invalid entry as they are not always set (or meaningful) on all
      code paths and we already have check_seapp to check and report the
      same errors at build time.
      
      Provide common helpers for freeing the configuration entries and
      ensure that we always do it on any error during loading.
      
      Change-Id: I2b238e90c9cc07a410e08a96a10d7699b608b3df
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  9. 31 Mar, 2014 1 commit
  10. 27 Mar, 2014 1 commit
    • Add a new API for relabeling package directories. · 1d66afb5
      Stephen Smalley authored
      
      Add a new selinux_android_restorecon_pkgdir() API for
      relabeling package directories that explicitly takes the
      seinfo and uid information from the caller.  This is similar
      to the selinux_android_setfilecon() API used by installd to
      label newly created package directories but can be used to
      recursively restorecon existing package directories.  By
      passing the seinfo and uid information directly, we avoid the
      need to rely upon packages.list for this purpose and can
      perform the relabeling on a per-directory basis before each app
      is loaded.
      
      Also if we are not provided with a seinfo value and we cannot
      look up the package name in packages.list, log a warning and
      return an error condition rather than silently ignoring the failure.
      This avoids mislabeling the file by restorecon and provides a warning
      if any future bugs arise in this area.
      
      Change-Id: Ie440cba2c96f0907458086348197e1506d31c1b6
      Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
  11. 14 Mar, 2014 3 commits
  12. 13 Mar, 2014 2 commits
  13. 12 Mar, 2014 2 commits
  14. 11 Mar, 2014 1 commit
  15. 07 Mar, 2014 9 commits
  16. 06 Mar, 2014 1 commit
  17. 04 Mar, 2014 3 commits
  18. 28 Feb, 2014 1 commit