commit 4a7762afb4fa8495e711fcc2da322fc388e700bc
author Alex Vakulenko <avakulenko@google.com> Mon May 01 17:54:24 2017 -0700
committer Alex Vakulenko <avakulenko@google.com> Wed May 10 08:59:01 2017 -0700
tree 3c96a98be5d7f8a511aa9a291b2d611caf8913df
parent 5aab4176932de5e899c03876f64cb6f09a999337

Apply correct SELinux labels to PDX endpoint and channel sockets.

Bug: 37646189
Test: Compiled for sailfish-eng
      Device booted, normal 2D UI works as before
      Was able to run Daydream app and CubeSea (before O1 VR rendering
      path was disabled by recent change in HW composer).

Change-Id: I1f7040324992d3c784f072ea6b64a65fa7ed0589

libs/vr/libpdx_uds/Android.bp

diff --git a/libs/vr/libpdx_uds/Android.bp b/libs/vr/libpdx_uds/Android.bp
index cfc2022..82a5ea7 100644
--- a/libs/vr/libpdx_uds/Android.bp
+++ b/libs/vr/libpdx_uds/Android.bp
@@ -24,6 +24,9 @@
         "libbase",
         "libpdx",
     ],
+    whole_static_libs: [
+        "libselinux",
+    ],
 }
 
 cc_test {

libs/vr/libpdx_uds/service_endpoint.cpp

diff --git a/libs/vr/libpdx_uds/service_endpoint.cpp b/libs/vr/libpdx_uds/service_endpoint.cpp
index d96eeff..27a56f9 100644
--- a/libs/vr/libpdx_uds/service_endpoint.cpp
+++ b/libs/vr/libpdx_uds/service_endpoint.cpp
@@ -11,6 +11,7 @@
 #include <android-base/strings.h>
 #include <cutils/sockets.h>
 #include <pdx/service.h>
+#include <selinux/selinux.h>
 #include <uds/channel_manager.h>
 #include <uds/client_channel_factory.h>
 #include <uds/ipc_helper.h>
@@ -364,6 +365,36 @@
 Status<void> Endpoint::CreateChannelSocketPair(LocalHandle* local_socket,
                                                LocalHandle* remote_socket) {
   Status<void> status;
+  char* endpoint_context = nullptr;
+  // Make sure the channel socket has the correct SELinux label applied.
+  // Here we get the label from the endpoint file descriptor, which should be
+  // something like "u:object_r:pdx_service_endpoint_socket:s0" and replace
+  // "endpoint" with "channel" to produce the channel label such as this:
+  // "u:object_r:pdx_service_channel_socket:s0".
+  if (fgetfilecon_raw(socket_fd_.Get(), &endpoint_context) > 0) {
+    std::string channel_context = endpoint_context;
+    freecon(endpoint_context);
+    const std::string suffix = "_endpoint_socket";
+    auto pos = channel_context.find(suffix);
+    if (pos != std::string::npos) {
+      channel_context.replace(pos, suffix.size(), "_channel_socket");
+    } else {
+      ALOGW(
+          "Endpoint::CreateChannelSocketPair: Endpoint security context '%s' "
+          "does not contain expected substring '%s'",
+          channel_context.c_str(), suffix.c_str());
+    }
+    ALOGE_IF(setsockcreatecon_raw(channel_context.c_str()) == -1,
+             "Endpoint::CreateChannelSocketPair: Failed to set channel socket "
+             "security context: %s",
+             strerror(errno));
+  } else {
+    ALOGE(
+        "Endpoint::CreateChannelSocketPair: Failed to obtain the endpoint "
+        "socket's security context: %s",
+        strerror(errno));
+  }
+
   int channel_pair[2] = {};
   if (socketpair(AF_UNIX, SOCK_STREAM | SOCK_CLOEXEC, 0, channel_pair) == -1) {
     ALOGE("Endpoint::CreateChannelSocketPair: Failed to create socket pair: %s",
@@ -372,6 +403,8 @@
     return status;
   }
 
+  setsockcreatecon_raw(nullptr);
+
   local_socket->Reset(channel_pair[0]);
   remote_socket->Reset(channel_pair[1]);
 

services/surfaceflinger/surfaceflinger.rc

diff --git a/services/surfaceflinger/surfaceflinger.rc b/services/surfaceflinger/surfaceflinger.rc
index ff6be81..aea602b 100644
--- a/services/surfaceflinger/surfaceflinger.rc
+++ b/services/surfaceflinger/surfaceflinger.rc
@@ -4,6 +4,6 @@
     group graphics drmrpc readproc
     onrestart restart zygote
     writepid /dev/stune/foreground/tasks
-    socket pdx/system/vr/display/client stream 0666 system graphics
-    socket pdx/system/vr/display/manager stream 0666 system graphics
-    socket pdx/system/vr/display/vsync stream 0666 system graphics
+    socket pdx/system/vr/display/client     stream 0666 system graphics u:object_r:pdx_display_client_endpoint_socket:s0
+    socket pdx/system/vr/display/manager    stream 0666 system graphics u:object_r:pdx_display_manager_endpoint_socket:s0
+    socket pdx/system/vr/display/vsync      stream 0666 system graphics u:object_r:pdx_display_vsync_endpoint_socket:s0

services/vr/bufferhubd/bufferhubd.rc

diff --git a/services/vr/bufferhubd/bufferhubd.rc b/services/vr/bufferhubd/bufferhubd.rc
index 8d57723..46fe5f9 100644
--- a/services/vr/bufferhubd/bufferhubd.rc
+++ b/services/vr/bufferhubd/bufferhubd.rc
@@ -3,4 +3,4 @@
   user system
   group system
   writepid /dev/cpuset/tasks
-  socket pdx/system/buffer_hub/client stream 0660 system system
+  socket pdx/system/buffer_hub/client stream 0660 system system u:object_r:pdx_bufferhub_client_endpoint_socket:s0

services/vr/performanced/performanced.rc

diff --git a/services/vr/performanced/performanced.rc b/services/vr/performanced/performanced.rc
index 6283f37..2605a47 100644
--- a/services/vr/performanced/performanced.rc
+++ b/services/vr/performanced/performanced.rc
@@ -3,4 +3,4 @@
   user root
   group system readproc
   writepid /dev/cpuset/tasks
-  socket pdx/system/performance/client stream 0666 system system
+  socket pdx/system/performance/client stream 0666 system system u:object_r:pdx_performance_client_endpoint_socket:s0