Check and restorecon cache/code_cache directories.android-cts_7.1_r1 android-cts-7.1_r1 android-7.1.1_r6 android-7.1.1_r4 android-7.1.1_r3 android-7.1.1_r2 android-7.1.1_r1

To speed up boot times, we recently relaxed SELinux restorecon logic to only consider relabeling app storage when the top level SELinux label changed. However, if an app manually deletes either their cache or code_cache directories, installd will helpfully recreate those directories at the next boot, but they'll be stuck with incorrect SELinux labels which an app can't fix. (Our historically aggressive restorecons had relabeled them, which is why we didn't observe until now.) This change checks the labels of the cache/code_cache directories, and runs a restorecon if needed, fixing the issue above. Test: delete cache and verify recreated with correct label Bug: 32504081 Change-Id: I0114ae4129223e5909b1075d56a9b1145ebc5ef4 (cherry picked from commit 397ec266753a675e6891c479971e6506491b1b44)
author: Jeff Sharkey <jsharkey@android.com> 2016-10-31 11:22:19 -0600
committer: gitbuildkicker <android-build@google.com> 2016-10-31 18:14:15 -0700
commit: f14208e0390d8ee20ee4a5d7605d614e8b1abaf1 (patch)
tree: e2a4c7ca37ef773863beee22646383acbd503a7d
parent: 822312b8dc9137c3d289359304a4a0aa076fde8d (diff)
download: native-f14208e0390d8ee20ee4a5d7605d614e8b1abaf1.tar.gz
1 files changed, 14 insertions, 7 deletions
diff --git a/cmds/installd/commands.cpp b/cmds/installd/commands.cpp
index 4ed8997fcb..271c75ba4e 100644
--- a/cmds/installd/commands.cpp
+++ b/cmds/installd/commands.cpp
@@ -104,7 +104,7 @@ static std::string create_primary_profile(const std::string& profile_dir) {
  * if the label of that top-level file actually changed.  This can save us
  * significant time by avoiding no-op traversals of large filesystem trees.
  */
-static int restorecon_app_data_lazy(const char* path, const char* seinfo, uid_t uid) {
+static int restorecon_app_data_lazy(const std::string& path, const char* seinfo, uid_t uid) {
     int res = 0;
     char* before = nullptr;
     char* after = nullptr;
@@ -112,15 +112,15 @@ static int restorecon_app_data_lazy(const char* path, const char* seinfo, uid_t
     // Note that SELINUX_ANDROID_RESTORECON_DATADATA flag is set by
     // libselinux. Not needed here.
 
-    if (lgetfilecon(path, &before) < 0) {
+    if (lgetfilecon(path.c_str(), &before) < 0) {
         PLOG(ERROR) << "Failed before getfilecon for " << path;
         goto fail;
     }
-    if (selinux_android_restorecon_pkgdir(path, seinfo, uid, 0) < 0) {
+    if (selinux_android_restorecon_pkgdir(path.c_str(), seinfo, uid, 0) < 0) {
         PLOG(ERROR) << "Failed top-level restorecon for " << path;
         goto fail;
     }
-    if (lgetfilecon(path, &after) < 0) {
+    if (lgetfilecon(path.c_str(), &after) < 0) {
         PLOG(ERROR) << "Failed after getfilecon for " << path;
         goto fail;
     }
@@ -130,7 +130,7 @@ static int restorecon_app_data_lazy(const char* path, const char* seinfo, uid_t
     if (strcmp(before, after)) {
         LOG(DEBUG) << "Detected label change from " << before << " to " << after << " at " << path
                 << "; running recursive restorecon";
-        if (selinux_android_restorecon_pkgdir(path, seinfo, uid,
+        if (selinux_android_restorecon_pkgdir(path.c_str(), seinfo, uid,
                 SELINUX_ANDROID_RESTORECON_RECURSE) < 0) {
             PLOG(ERROR) << "Failed recursive restorecon for " << path;
             goto fail;
@@ -146,6 +146,11 @@ done:
     return res;
 }
 
+static int restorecon_app_data_lazy(const std::string& parent, const char* name, const char* seinfo,
+        uid_t uid) {
+    return restorecon_app_data_lazy(StringPrintf("%s/%s", parent.c_str(), name), seinfo, uid);
+}
+
 static int prepare_app_dir(const std::string& path, mode_t target_mode, uid_t uid) {
     if (fs_prepare_dir_strict(path.c_str(), target_mode, uid, uid) != 0) {
         PLOG(ERROR) << "Failed to prepare " << path;
@@ -172,7 +177,9 @@ int create_app_data(const char *uuid, const char *pkgname, userid_t userid, int
         }
 
         // Consider restorecon over contents if label changed
-        if (restorecon_app_data_lazy(path.c_str(), seinfo, uid)) {
+        if (restorecon_app_data_lazy(path, seinfo, uid) ||
+                restorecon_app_data_lazy(path, "cache", seinfo, uid) ||
+                restorecon_app_data_lazy(path, "code_cache", seinfo, uid)) {
             return -1;
         }
 
@@ -191,7 +198,7 @@ int create_app_data(const char *uuid, const char *pkgname, userid_t userid, int
         }
 
         // Consider restorecon over contents if label changed
-        if (restorecon_app_data_lazy(path.c_str(), seinfo, uid)) {
+        if (restorecon_app_data_lazy(path, seinfo, uid)) {
             return -1;
         }
author	Jeff Sharkey <jsharkey@android.com>	2016-10-31 11:22:19 -0600
committer	gitbuildkicker <android-build@google.com>	2016-10-31 18:14:15 -0700
commit	f14208e0390d8ee20ee4a5d7605d614e8b1abaf1 (patch)
tree	e2a4c7ca37ef773863beee22646383acbd503a7d
parent	822312b8dc9137c3d289359304a4a0aa076fde8d (diff)
download	native-f14208e0390d8ee20ee4a5d7605d614e8b1abaf1.tar.gz