Run restorecon after init creates a symlink or writes to a file.
Init currently sets the SELinux context on a mkdir but not on
other operations. This patch modifies it to do so when creating
symlinks, writing to a file, or copying a file.
Test: Built, flashed, and booted. Added fake init entries and
verified that they received the proper SELinux context.
Change-Id: I836b570fef81d74f3b6c8e7ce0274e94ca7b12d3
diff --git a/init/util.cpp b/init/util.cpp
index a19a6f3..d80cb1e 100644
--- a/init/util.cpp
+++ b/init/util.cpp
@@ -178,9 +178,26 @@
return content;
}
+static int OpenFile(const std::string& path, int flags, mode_t mode) {
+ std::string secontext;
+ if (SelabelLookupFileContext(path, mode, &secontext) && !secontext.empty()) {
+ setfscreatecon(secontext.c_str());
+ }
+
+ int rc = open(path.c_str(), flags, mode);
+
+ if (!secontext.empty()) {
+ int save_errno = errno;
+ setfscreatecon(nullptr);
+ errno = save_errno;
+ }
+
+ return rc;
+}
+
Result<Success> WriteFile(const std::string& path, const std::string& content) {
android::base::unique_fd fd(TEMP_FAILURE_RETRY(
- open(path.c_str(), O_WRONLY | O_CREAT | O_NOFOLLOW | O_TRUNC | O_CLOEXEC, 0600)));
+ OpenFile(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_TRUNC | O_CLOEXEC, 0600)));
if (fd == -1) {
return ErrnoError() << "open() failed";
}