drgreen/android_frameworks_base
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

am 9b0da58e: Merge "Introduce a restorecon JNI binding."

Browse Source 
* commit '9b0da58e3a30b760de37138cdd51d20f269c383e':
  Introduce a restorecon JNI binding.
This commit is contained in:
Kenny Root
2012-08-16 15:29:41 -07:00
committed by Android Git Automerger
parent 617ccc081f 9b0da58e3a
commit a2e8365cc8
4 changed files with 124 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

71
core/java/android/os/SELinux.java
View File

@ -1,5 +1,25 @@
/*
* Copyright (C) 2012 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package android.os;
import android.util.Slog;
import java.io.IOException;
import java.io.File;
import java.io.FileDescriptor;
/**
@ -9,6 +29,8 @@ import java.io.FileDescriptor;
*/
public class SELinux {
private static final String TAG = "SELinux";
/**
* Determine whether SELinux is disabled or enabled.
* @return a boolean indicating whether SELinux is enabled.
@ -102,4 +124,53 @@ public class SELinux {
* @return a boolean indicating whether permission was granted.
*/
public static final native boolean checkSELinuxAccess(String scon, String tcon, String tclass, String perm);
/**
* Restores a file to its default SELinux security context.
* If the system is not compiled with SELinux, then {@code true}
* is automatically returned.
* If SELinux is compiled in, but disabled, then {@code true} is
* returned.
*
* @param pathname The pathname of the file to be relabeled.
* @return a boolean indicating whether the relabeling succeeded.
* @exception NullPointerException if the pathname is a null object.
*/
public static boolean restorecon(String pathname) throws NullPointerException {
if (pathname == null) { throw new NullPointerException(); }
return native_restorecon(pathname);
}
/**
* Restores a file to its default SELinux security context.
* If the system is not compiled with SELinux, then {@code true}
* is automatically returned.
* If SELinux is compiled in, but disabled, then {@code true} is
* returned.
*
* @param pathname The pathname of the file to be relabeled.
* @return a boolean indicating whether the relabeling succeeded.
*/
private static native boolean native_restorecon(String pathname);
/**
* Restores a file to its default SELinux security context.
* If the system is not compiled with SELinux, then {@code true}
* is automatically returned.
* If SELinux is compiled in, but disabled, then {@code true} is
* returned.
*
* @param file The File object representing the path to be relabeled.
* @return a boolean indicating whether the relabeling succeeded.
* @exception NullPointerException if the file is a null object.
*/
public static boolean restorecon(File file) throws NullPointerException {
try {
return native_restorecon(file.getCanonicalPath());
} catch (IOException e) {
Slog.e(TAG, "Error getting canonical path. Restorecon failed for " +
file.getPath(), e);
return false;
}
}
}

39
core/jni/android_os_SELinux.cpp
View File

@ -1,3 +1,19 @@
/*
* Copyright (C) 2012 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#define LOG_TAG "SELinuxJNI"
#include <utils/Log.h>
@ -6,6 +22,7 @@
#include "android_runtime/AndroidRuntime.h"
#ifdef HAVE_SELINUX
#include "selinux/selinux.h"
#include "selinux/android.h"
#endif
#include <errno.h>
@ -457,6 +474,27 @@ namespace android {
#endif
}
/*
* Function: native_restorecon
* Purpose: restore default SELinux security context
* Parameters: pathname: the pathname for the file to be relabeled
* Returns: boolean: (true) file label successfully restored, (false) otherwise
* Exceptions: none
*/
static jboolean native_restorecon(JNIEnv *env, jobject clazz, jstring pathname) {
#ifdef HAVE_SELINUX
if (isSELinuxDisabled)
return true;
const char *file = const_cast<char *>(env->GetStringUTFChars(pathname, NULL));
int ret = selinux_android_restorecon(file);
env->ReleaseStringUTFChars(pathname, file);
return (ret == 0);
#else
return true;
#endif
}
/*
* JNI registration.
*/
@ -472,6 +510,7 @@ namespace android {
{ "getPidContext" , "(I)Ljava/lang/String;" , (void*)getPidCon },
{ "isSELinuxEnforced" , "()Z" , (void*)isSELinuxEnforced},
{ "isSELinuxEnabled" , "()Z" , (void*)isSELinuxEnabled },
{ "native_restorecon" , "(Ljava/lang/String;)Z" , (void*)native_restorecon},
{ "setBooleanValue" , "(Ljava/lang/String;Z)Z" , (void*)setBooleanValue },
{ "setFileContext" , "(Ljava/lang/String;Ljava/lang/String;)Z" , (void*)setFileCon },
{ "setFSCreateContext" , "(Ljava/lang/String;)Z" , (void*)setFSCreateCon },

7
services/java/com/android/server/WallpaperManagerService.java
View File

@ -45,6 +45,7 @@ import android.os.RemoteException;
import android.os.FileObserver;
import android.os.ParcelFileDescriptor;
import android.os.RemoteCallbackList;
import android.os.SELinux;
import android.os.ServiceManager;
import android.os.SystemClock;
import android.os.UserId;
@ -639,8 +640,12 @@ class WallpaperManagerService extends IWallpaperManager.Stub {
FileUtils.S_IRWXU|FileUtils.S_IRWXG|FileUtils.S_IXOTH,
-1, -1);
}
ParcelFileDescriptor fd = ParcelFileDescriptor.open(new File(dir, WALLPAPER),
File file = new File(dir, WALLPAPER);
ParcelFileDescriptor fd = ParcelFileDescriptor.open(file,
MODE_CREATE|MODE_READ_WRITE);
if (!SELinux.restorecon(file)) {
return null;
}
wallpaper.name = name;
return fd;
} catch (FileNotFoundException e) {

8
services/java/com/android/server/pm/PackageManagerService.java
View File

@ -96,6 +96,7 @@ import android.os.Parcel;
import android.os.ParcelFileDescriptor;
import android.os.Process;
import android.os.RemoteException;
import android.os.SELinux;
import android.os.ServiceManager;
import android.os.SystemClock;
import android.os.SystemProperties;
@ -6418,6 +6419,10 @@ public class PackageManagerService extends IPackageManager.Stub {
return false;
}
if (!SELinux.restorecon(newCodeFile)) {
return false;
}
return true;
}
}
@ -7399,6 +7404,9 @@ public class PackageManagerService extends IPackageManager.Stub {
FileUtils.setPermissions(
tmpPackageFile.getCanonicalPath(), FileUtils.S_IRUSR|FileUtils.S_IWUSR,
-1, -1);
if (!SELinux.restorecon(tmpPackageFile)) {
return null;
}
} catch (IOException e) {
Slog.e(TAG, "Trouble getting the canoncical path for a temp file.");
return null;