author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2022-03-23 10:12:14 +0000 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2022-03-23 10:12:14 +0000 |
commit | 38191dc6b7f795cb9a96e418f47ee0de0b0a8d13 (patch) | |
tree | 0ebec0729083e0de6d9544751372bdc238b8b717 /init/selinux.cpp | |
parent | dfab2cef81678d45d673d5e2e8c7ac4af8064a83 (diff) | |
parent | cb706d277b521508bdd037b78379c1c6a635f6e6 (diff) |
Snap for 8343869 from cb706d277b521508bdd037b78379c1c6a635f6e6 to s-keystone-qcom-release
Change-Id: I08154d17257bd4f2a43fb55017a7f6b06d2cb2aa
Diffstat (limited to 'init/selinux.cpp')
-rw-r--r-- | init/selinux.cpp | 30 |
1 files changed, 23 insertions, 7 deletions
diff --git a/init/selinux.cpp b/init/selinux.cpp
index 42d302324..29c0ff3ba 100644
--- a/init/selinux.cpp
+++ b/init/selinux.cpp
@@ -295,6 +295,25 @@ bool IsSplitPolicyDevice() {
 return access(plat_policy_cil_file, R_OK) != -1;
 }
 
+std::optional<const char*> GetUserdebugPlatformPolicyFile() {
+ // See if we need to load userdebug_plat_sepolicy.cil instead of plat_sepolicy.cil.
+ const char* force_debuggable_env = getenv("INIT_FORCE_DEBUGGABLE");
+ if (force_debuggable_env && "true"s == force_debuggable_env && AvbHandle::IsDeviceUnlocked()) {
+ const std::vector<const char*> debug_policy_candidates = {
+#if INSTALL_DEBUG_POLICY_TO_SYSTEM_EXT == 1
+ "/system_ext/etc/selinux/userdebug_plat_sepolicy.cil",
+#endif
+ kDebugRamdiskSEPolicy,
+ };
+ for (const char* debug_policy : debug_policy_candidates) {
+ if (access(debug_policy, F_OK) == 0) {
+ return debug_policy;
+ }
+ }
+ }
+ return std::nullopt;
+}
+
 struct PolicyFile {
 unique_fd fd;
 std::string path;
@@ -310,13 +329,10 @@ bool OpenSplitPolicy(PolicyFile* policy_file) {
 // secilc is invoked to compile the above three policy files into a single monolithic policy
 // file. This file is then loaded into the kernel.
 
- // See if we need to load userdebug_plat_sepolicy.cil instead of plat_sepolicy.cil.
- const char* force_debuggable_env = getenv("INIT_FORCE_DEBUGGABLE");
- bool use_userdebug_policy =
- ((force_debuggable_env && "true"s == force_debuggable_env) &&
- AvbHandle::IsDeviceUnlocked() && access(kDebugRamdiskSEPolicy, F_OK) == 0);
+ const auto userdebug_plat_sepolicy = GetUserdebugPlatformPolicyFile();
+ const bool use_userdebug_policy = userdebug_plat_sepolicy.has_value();
 if (use_userdebug_policy) {
- LOG(WARNING) << "Using userdebug system sepolicy";
+ LOG(INFO) << "Using userdebug system sepolicy " << *userdebug_plat_sepolicy;
 }
 
 // Load precompiled policy from vendor image, if a matching policy is found there. The policy 
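Review bot: GetUserdebugPlatformPolicyFile has no header comment stating its contract, and the comment carried inside the body only names the plat_sepolicy.cil substitution, not the gates that make substituting a debug policy acceptable or the order in which candidates win. I would add above the definition: `// Returns the userdebug platform policy to compile in place of plat_sepolicy.cil, or nullopt unless INIT_FORCE_DEBUGGABLE is "true", AvbHandle reports the device unlocked, and a candidate file exists; the system_ext copy (when built in) is preferred over the debug ramdisk copy.` The function returns a pointer that outlives the local debug_policy_candidates vector, which is only sound because every element is a string literal or kDebugRamdiskSEPolicy, which I assume has static storage; a one-line note on the return, `// Candidates are static strings, so the pointer stays valid after the vector is gone.`, would keep a future candidate from being built from a std::string. Note also that access(F_OK) is an existence check only; readability is left to secilc to report.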
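Review bot: The substitution log drops from WARNING to INFO on the new `LOG(INFO)` line, and since running with the userdebug platform policy means the device boots with a weaker SELinux configuration than the shipped plat_sepolicy.cil, that event is worth keeping above the INFO noise floor when triaging a device's logs. I would keep the severity and only add the path: `LOG(WARNING) << "Using userdebug system sepolicy " << *userdebug_plat_sepolicy;`. OpenSplitPolicy starts and ends outside the hunk.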
@@ -413,7 +429,7 @@ bool OpenSplitPolicy(PolicyFile* policy_file) {
 // clang-format off
 std::vector<const char*> compile_args {
 "/system/bin/secilc",
- use_userdebug_policy ? kDebugRamdiskSEPolicy: plat_policy_cil_file,
+ use_userdebug_policy ? *userdebug_plat_sepolicy : plat_policy_cil_file,
 "-m", "-M", "true", "-G", "-N",
 "-c", version_as_string.c_str(),
 plat_mapping_file.c_str(), |
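Review bot: The ternary on the new line re-derives what the optional already encodes: use_userdebug_policy is userdebug_plat_sepolicy.has_value() (set earlier in this function, outside the hunk), so the guard and the dereference have to stay in sync by hand. If plat_policy_cil_file is a `const char*` — the `access(plat_policy_cil_file, R_OK)` call elsewhere in the file suggests so, but its declaration is not visible here — `userdebug_plat_sepolicy.value_or(plat_policy_cil_file),` expresses the selection in one step with no unchecked `*`. OpenSplitPolicy starts and ends outside the hunk.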