diff options
| author | Nick Kralevich <nnk@google.com> | 2019-04-04 15:54:58 -0700 |
|---|---|---|
| committer | Nick Kralevich <nnk@google.com> | 2019-04-05 09:50:58 -0700 |
| commit | d88acc95ab7b74979b123f0d4523bb2c4eec2880 (patch) | |
| tree | 3b84339c75d276d632ae23aa394534ffc003c173 /tools/aapt2/java/JavaClassGenerator_test.cpp | |
| parent | 960c4f06ae93a6102cee0c3312791c8455a8d597 (diff) | |
Don't set sehash when calling restoreconRecursive
restorecon_recursive updates the SELinux label of the files in the
filesystem, and then attempts to write the xattr "security.sehash" as an
optimization for future restorecons. Writing security.* extended
attributes requires CAP_SYS_ADMIN, which system_server doesn't have (and
shouldn't have).
Suppress the computation and writing of the hash value. It's not
needed.
This bug has been around for a long time, but due to the fix for
bug 62302954, the error message is being generated more frequently
now.
TODO: It would be better if the default for restorecon was to suppress
the hash computation, since otherwise it encourages programs to be
overprivileged with CAP_SYS_ADMIN. I'll plan on doing that in a followup
commit.
Bugs where this error message has been called out:
Bug: 129766333
Bug: 129271240
Bug: 128700692
Bug: 129925723
Test: install an APK and ensure that no "SELinux: setxattr failed"
error messages are generated.
(cherry picked from commit cb1dddad27b86e675f7141ca429e9bb8ab8ac410)
Change-Id: Ifc5be24d14029cb616d5564366fc10a0b93c9939
Diffstat (limited to 'tools/aapt2/java/JavaClassGenerator_test.cpp')
0 files changed, 0 insertions, 0 deletions