Allow /postinstall files to have custom contexts

We were mounting /postinstall with a 'context=...' option. This forces
all files within /postinstall to have a single selinux context,
limiting the possible granularity of our policies. Here we change it
to simply default to the 'postinstall_file' context for the 'system'
partition but allow individual files to have their own custom contexts
defined by /system/sepolicy. Other partitions retain the single
'postinstall_file' context.

The sample_images were updated to manually add a selinux label for
testing FS contexts.

Test: Manual OTA of blueline
Test: atest update_engine_unittests
Bug: 181182967
Change-Id: I0b8c2b2228fa08afecb64da9c276737eb9ae3631
Merged-In: I0b8c2b2228fa08afecb64da9c276737eb9ae3631
diff --git a/aosp/hardware_android.cc b/aosp/hardware_android.cc
index 0ac82d6..624cfc9 100644
--- a/aosp/hardware_android.cc
+++ b/aosp/hardware_android.cc
@@ -346,4 +346,30 @@
   return error_code;
 }
 
+// Mount options for non-system partitions. This option causes selinux treat
+// every file in the mounted filesystem as having the 'postinstall_file'
+// context, regardless of what the filesystem itself records. See "SELinux
+// User's and Administrator's Guide" for more information on this option.
+constexpr const char* kDefaultPostinstallMountOptions =
+    "context=u:object_r:postinstall_file:s0";
+
+// Mount options for system partitions. This option causes selinux to use the
+// 'postinstall_file' context as a fallback if there are no other selinux
+// contexts associated with the file in the mounted partition. See "SELinux
+// User's and Administrator's Guide" for more information on this option.
+constexpr const char* kSystemPostinstallMountOptions =
+    "defcontext=u:object_r:postinstall_file:s0";
+
+// Name of the system-partition
+constexpr std::string_view kSystemPartitionName = "system";
+
+const char* HardwareAndroid::GetPartitionMountOptions(
+    const std::string& partition_name) const {
+  if (partition_name == kSystemPartitionName) {
+    return kSystemPostinstallMountOptions;
+  } else {
+    return kDefaultPostinstallMountOptions;
+  }
+}
+
 }  // namespace chromeos_update_engine
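Review bot: The exact comparison `partition_name == kSystemPartitionName` in GetPartitionMountOptions matches only the literal "system", so a caller that passes any other spelling of the system partition's name silently gets the `context=` options and per-file labels are ignored. That fallback is the restrictive one, so the mismatch fails safe, but the expected name format should be stated in a comment and covered by a unit test with "system" and one non-system name. Minor: the first comment reads "causes selinux treat" (missing "to"), the second says "system partitions" although only one name is matched, and the `else` after `return` can be dropped.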
diff --git a/aosp/hardware_android.h b/aosp/hardware_android.h
index 78f056e..d20e8df 100644
--- a/aosp/hardware_android.h
+++ b/aosp/hardware_android.h
@@ -64,6 +64,8 @@
   [[nodiscard]] ErrorCode IsPartitionUpdateValid(
       const std::string& partition_name,
       const std::string& new_version) const override;
+  [[nodiscard]] const char* GetPartitionMountOptions(
+      const std::string& partition_name) const override;
 
  private:
   DISALLOW_COPY_AND_ASSIGN(HardwareAndroid);
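Review bot: The new GetPartitionMountOptions declaration has no comment and returns a raw `const char*` without saying who owns it. Please add a line stating that the result points to a constant with static storage duration (the implementation in hardware_android.cc returns constexpr strings) and what form of `partition_name` is expected. Since the method is marked `override`, the interface declaration and any other implementers need the same method; neither appears in the visible hunks.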
diff --git a/aosp/platform_constants_android.cc b/aosp/platform_constants_android.cc
index f468c3b..a0a2a5e 100644
--- a/aosp/platform_constants_android.cc
+++ b/aosp/platform_constants_android.cc
@@ -31,8 +31,6 @@
 // No deadline file API support on Android.
 const char kOmahaResponseDeadlineFile[] = "";
 const char kNonVolatileDirectory[] = "/data/misc/update_engine";
-const char kPostinstallMountOptions[] =
-    "context=u:object_r:postinstall_file:s0";
 
 }  // namespace constants
 }  // namespace chromeos_update_engine
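Review bot: Removing the kPostinstallMountOptions definition here requires the matching declaration and every remaining user of the constant to be updated in the same change, and none of that is in the visible hunks. Please confirm the call site that performs the postinstall mount now goes through GetPartitionMountOptions, so that no path is left mounting without an explicit `context=` or `defcontext=` option.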